WO2023220854A1 - Access control method, terminal, chip, readable storage medium, and computer program product - Google Patents

Access control method, terminal, chip, readable storage medium, and computer program product Download PDF

Info

Publication number
WO2023220854A1
WO2023220854A1 PCT/CN2022/092978 CN2022092978W WO2023220854A1 WO 2023220854 A1 WO2023220854 A1 WO 2023220854A1 CN 2022092978 W CN2022092978 W CN 2022092978W WO 2023220854 A1 WO2023220854 A1 WO 2023220854A1
Authority
WO
WIPO (PCT)
Prior art keywords
terminal
car
access control
location information
information
Prior art date
Application number
PCT/CN2022/092978
Other languages
French (fr)
Chinese (zh)
Inventor
茹昭
Original Assignee
Oppo广东移动通信有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Oppo广东移动通信有限公司 filed Critical Oppo广东移动通信有限公司
Priority to PCT/CN2022/092978 priority Critical patent/WO2023220854A1/en
Publication of WO2023220854A1 publication Critical patent/WO2023220854A1/en

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W4/00Services specially adapted for wireless communication networks; Facilities therefor
    • H04W4/30Services specially adapted for particular environments, situations or purposes
    • H04W4/40Services specially adapted for particular environments, situations or purposes for vehicles, e.g. vehicle-to-pedestrians [V2P]

Definitions

  • the present application relates to the field of communication technology, and more specifically, to an access control method, terminal, chip, readable storage medium and computer program product.
  • Communication can take place between the first terminal and the second terminal.
  • the first terminal can perform access control, that is, allow or deny the access.
  • Related technologies can implement access control based on terminal identification, secure channel verification type and other information.
  • This application provides an access control method, terminal, chip, readable storage medium and computer program product.
  • an access control method including: the first terminal determines the authority of the second terminal to the first terminal according to the first location information and access control information of the second terminal; wherein, The first location information is used to indicate the location relationship of the user equipment relative to the vehicle equipment.
  • an access control method including: based on the authority of the second terminal to the first terminal, the second terminal accesses the first terminal; wherein the authority is based on the authority of the second terminal.
  • the first location information and access control information of the terminal are determined, and the first location information is used to indicate the location relationship of the user equipment relative to the vehicle equipment.
  • a terminal is provided, where the terminal is a first terminal, and the terminal includes: a determining unit configured to determine, according to the first location information and access control information of the second terminal, whether the second terminal is The authority of the first terminal; wherein the first location information is used to indicate the location relationship of the user equipment relative to the vehicle equipment.
  • a terminal is provided, where the terminal is a second terminal, and the terminal includes: an access unit configured to access the first terminal based on the authority of the second terminal to the first terminal; wherein, The permission is determined based on the first location information and access control information of the second terminal, and the first location information is used to indicate the location relationship of the user equipment relative to the vehicle equipment.
  • a terminal device including a processor, a memory, and a communication interface.
  • the memory is used to store one or more computer programs.
  • the processor is used to call the computer program in the memory so that the terminal device Perform the method described in the first aspect and/or the second aspect.
  • a communication system which system includes the above-mentioned first terminal and/or second terminal.
  • the system may also include other devices that interact with the first terminal and/or the second terminal in the solution provided by the embodiments of the present application.
  • embodiments of the present application provide a computer-readable storage medium that stores a computer program.
  • the computer program causes a terminal device to execute the method of the first aspect and/or the second aspect. some or all of the steps.
  • embodiments of the present application provide a computer program product, wherein the computer program product includes a non-transitory computer-readable storage medium storing a computer program, and the computer program is operable to cause the terminal to execute the above-mentioned first step. Some or all of the steps in the method of the first aspect and/or the second aspect.
  • the computer program product can be a software installation package.
  • embodiments of the present application provide a chip, which includes a memory and a processor.
  • the processor can call and run a computer program from the memory to implement the method of the first and/or second aspect. Describe some or all of the steps.
  • a computer program product including a program that causes a computer to execute the method described in the first aspect and/or the second aspect.
  • An eleventh aspect provides a computer program, the computer program causing a computer to execute the first aspect and/or the method described.
  • the first terminal may determine the permissions of the second terminal to the first terminal according to the relative position of the second terminal (ie, the indication of the first position information). Based on the authority, the first terminal executes the corresponding access control policy, so that differentiated access control of the second terminal to the first terminal under different relative positions can be achieved.
  • Figure 1 is an example diagram of an application scenario according to the embodiment of the present application.
  • Figure 2 is a schematic flow chart of an access control method provided by an embodiment of the present application.
  • Figure 3 is a schematic flow chart of another access control method provided by an embodiment of the present application.
  • Figure 4 is a schematic flow chart of yet another access control method provided by an embodiment of the present application.
  • Figure 5 is a schematic flow chart of yet another access control method provided by an embodiment of the present application.
  • Figure 6 is a schematic structural diagram of a terminal provided by an embodiment of the present application.
  • Figure 7 is a schematic structural diagram of another terminal provided by an embodiment of the present application.
  • Figure 8 is a schematic structural diagram of a device provided by an embodiment of the present application.
  • Figure 1 is an example diagram of an application scenario according to the embodiment of the present application.
  • the terminal 110 may be a device that communicates with the terminal 120.
  • the terminal in the embodiment of this application may also be called a node, user equipment (UE), access terminal, user unit, user station, mobile station, mobile station (MS), mobile terminal, MT), remote station, remote terminal, mobile device, user terminal, terminal equipment, wireless communications equipment, user agent or user device.
  • the terminal device in the embodiment of the present application may be a device that provides voice and/or data connectivity to users, and may be used to connect people, things, and machines.
  • the terminal can be a handheld device, a vehicle-mounted device, etc. with wireless connection function.
  • the terminal may be a car, home appliance, home system, etc. with wireless connection function.
  • the terminal device in the embodiment of the present application can be a mobile phone (mobile phone), a tablet computer (Pad), a notebook computer, a handheld computer, a mobile internet device (mobile internet device, MID), a wearable device, a virtual reality (virtual reality, VR) equipment, augmented reality (AR) equipment, wireless terminals in industrial control (industrial control), wireless terminals in Internet of Things equipment, wireless terminals in self-driving (self driving), remote surgery (remote medical) Wireless terminals in surgery, wireless terminals in smart grid, wireless terminals in transportation safety, wireless terminals in smart city, and wireless terminals in smart home wait.
  • the terminal can be used to act as a base station.
  • a terminal may act as a scheduling entity that provides sidelink signals between terminals in V2X or D2D, etc.
  • a scheduling entity that provides sidelink signals between terminals in V2X or D2D, etc.
  • cell phones and cars use sidelink signals to communicate with each other.
  • Cell phones and smart home devices communicate between each other without having to relay communication signals through base stations.
  • Terminals can be deployed on land, indoors or outdoors, handheld or vehicle-mounted; they can also be deployed on water; they can also be deployed on aircraft, balloons and satellites in the air. In the embodiments of this application, the scenario in which the terminal is located is not limited.
  • the terminal 110 can access the resources of the terminal 120.
  • the terminal 110 can be a mobile phone, and the terminal 120 can be a car. Users can operate on their mobile phones to control car resources.
  • the terminal 110 can implement a digital car key function to replace the traditional car key.
  • the digital car key can implement a sensorless unlocking function, that is, a keyless entry and start system (passive entry passive start, PEPS).
  • a sensorless unlocking function that is, a keyless entry and start system (passive entry passive start, PEPS).
  • PEPS passive entry passive start
  • the car 120 can identify the location of the terminal 110 and the user authorized by the car 120. If the identification is passed, the car 120 can automatically open the door. Alternatively, when the user carries the terminal 110 and leaves a certain range of the car, the car 120 can recognize the location of the terminal 110 and can control the door locks and/or window locks of the car 120 to automatically lock and/or enter the anti-theft state.
  • PEPS can be implemented based on Bluetooth low energy (BLE) wireless communication and/or ultra wide band (UWB) technology.
  • BLE Bluetooth low energy
  • UWB ultra wide band
  • the car 120 and the terminal 110 can perform broadcast discovery through BLE wireless communication.
  • the terminal 110 can discover the car 120, and the terminal 110 can launch the car company's application (APP) background unlocking service to verify the user information and/or the validity of the digital key of the terminal 110.
  • the terminal 110 can establish a BLE connection with the car 120 .
  • the car 120 can determine the distance between the terminal 110 and the car 120 based on the BLE connection (for example, through UWB).
  • the car 120 can determine whether the terminal 110 is in a keyless entry (PE) area. If the terminal 110 is in the PE area, the car 120 can enter the unlocking allowed state. At this time, the user can open the door of the car 120.
  • PE keyless entry
  • the car unlocking method based on the digital car key may include steps S110 to S150.
  • the method can be performed by the terminal 110 and the car 120 .
  • step S110 the car 120 and/or the terminal 110 perform broadcast discovery through BLE wireless communication.
  • step S120 the car 120 and the terminal 110 perform two-way authentication.
  • Step S130 the car 120 and the terminal 110 negotiate to start the UWB ranging channel on the BLE channel.
  • step S140 the car 120 and/or the terminal 110 measure the distance between the car 120 and the terminal 110 through UWB.
  • step S150 the car 120 determines whether the terminal 110 is in the PE area based on the distance between the car 120 and the terminal 110. If in the PE area, the car 120 can enter the unlocking allowed state.
  • the user does not need to operate on the mobile phone, and the car can automatically access the car lock (unlock or lock) based on the location of the mobile phone.
  • the digital car key can achieve senseless access to the resource of the car lock based on location information.
  • the terminal 110's access to resources of the terminal 120 may be controlled by the terminal 120.
  • the terminal 120 may allow the access of the terminal 110 or may deny the access of the terminal 110 .
  • the mobile phone's access to the car lock resource can be controlled by the car, that is, the car can control whether to allow the mobile phone to lock or unlock the car lock.
  • Access control can be implemented based on access control list (ACL).
  • An ACL can include one or more access control entries (ACEs).
  • ACE can define permissions for one or some resources for one or some specific nodes (or accounts).
  • ACE can include one or more pieces of information.
  • an ACE may include one or more pieces of information related to permissions, identities, functional units, etc.
  • Various information can be carried in fields in ACE. That is, an ACE can include one or more fields.
  • ACE can include one or more fields such as permission level, authentication type, source principal, target, and extension. Different protocols or standards may have different settings for fields of the same or similar information. This application does not limit this, and the following is only an exemplary description. The fields that can be included in ACE are introduced in detail below.
  • the Targets field can be used to describe the target resources to which this ACE entry applies.
  • the target resource may include, for example, one or more target functional units.
  • the value type of the target field can be a list type.
  • the target field may include a structure (struct) of one or more target functional units.
  • the EndPoints field may also be used to describe the target resource to which the ACE entry applies.
  • the Privilege field can be used to describe the level of privileges that can be granted by this ACE entry.
  • the value type of the permission level field can be an enumeration (enum) type.
  • the value of the permission level field can include: view permission, proxy view permission, operate permission, manage permission, administrator permission, etc.
  • View permissions can include permissions to read and observe all resources except access-controlled resources and non-proxy resources.
  • Agent permissions can include permissions to read and observe all agent resources.
  • Delegate viewing rights can implicitly include viewing rights.
  • Operation permissions can include view permissions and permissions to perform the primary functions of the target resource.
  • the main functions may be other than those of the access control unit.
  • Operation permissions may implicitly include viewing permissions.
  • Administrative permissions can include operating permissions and modifying the persistent configuration of the node (in addition to the access control functional unit). Administrative permissions may implicitly include operation permissions and/or viewing permissions.
  • Administrator rights can include administrative rights and observing and modifying access control functional units. Administrator permissions may implicitly include one or more of management permissions, operation permissions, delegate viewing permissions, and viewing permissions.
  • the Source Subjects field can be used to describe one or more subjects.
  • a principal can be the origin of an operation described using a given authentication method provided by the secure channel architecture.
  • the value type of the source body field can be a list type.
  • the source subject field may include identification (eg, ID) of one or more subjects.
  • the subject can be one of the following three situations.
  • Case 1 An initiator node that interacts through a configuration channel (PASE) session during the debugging phase.
  • the node can be implicitly identified by the fact that both peers in the PASE session authenticate to each other locally.
  • Case 2 Initiator node that interacts through the operation channel (CASE) session during the operation phase.
  • the node can be identified using a distinguished name (such as a node ID) in the operational certificate (NOC) shared during session establishment.
  • NOC operational certificate
  • Case 3 Initiator nodes interacting through message groups.
  • the node can be identified by the group ID.
  • the node can be authenticated by the operation group key.
  • the Authentication Type (AuthMode) field can be used to describe the type of secure channel authentication method applied to the subject of this ACE entry (or the authentication type or connection type known as the secure channel).
  • the value type of the authentication type field can be an enumeration type.
  • the value of the authentication type field can include CASE, PASE or group as mentioned above.
  • the Extension field can be an optional extension payload. Extension fields can be used for things like cryptographic signatures, vendor-specific ACL content, or other metadata.
  • the fields included in ACE can be as shown in Table 1.
  • the first terminal can implement access control based on information such as the ID of the second terminal, the authentication type of the secure channel between the first terminal and the second terminal, and the target resource. It is understandable that related technologies are difficult to implement access control based on location information.
  • Figure 2 shows an access control method provided by an embodiment of the present application to solve the above problems.
  • the method shown in Figure 2 can be executed by the first terminal and the second terminal.
  • This application does not limit the types of the first terminal and the second terminal.
  • they may be any terminal mentioned above.
  • the first terminal may be a car
  • the second terminal may be a mobile phone used by the user.
  • the method shown in Figure 2 may include step S210 and step S220.
  • Step S210 The first terminal determines the authority of the second terminal to the first terminal based on the first location information and access control information of the second terminal.
  • the first location information may be used to indicate the location relationship of the second terminal relative to the first terminal. It can be understood that the first position information may be relative position information. For example, the first location information may be determined based on the location of the first terminal, the location of the second terminal, the distance and/or angle between the first terminal and the second terminal.
  • the first location information can be used to indicate the location relationship of the second terminal relative to the car.
  • the first location information may include one or more of the following information: inside the car, outside the car, main driver's seat, passenger seat, passenger seat, car left front door, car right front door, car left rear door, car right rear door , the rear of the car.
  • the car may not include a driver's seat (main driver's seat and/or co-pilot's seat).
  • the representation of the first position information may be related to the accuracy of the positioning mechanism. If a lower-precision positioning mechanism is used, the first location information may include inside the car and/or outside the car, etc. If a higher-precision positioning mechanism is adopted, the representation of the first position information can be refined.
  • the first location information may be one or more of the following: car left front door, car right front door, car left rear door, car right rear door, car rear, passenger seat, back seat, etc.
  • the first location information can be obtained based on short-range positioning.
  • the first location information can be obtained through one or more of the following positioning methods: UWB positioning, Bluetooth positioning, and 5G positioning.
  • UWB positioning UWB positioning
  • Bluetooth positioning 3rd Generation
  • 5G positioning 5th Generation
  • the first terminal and the second terminal can negotiate a UWB positioning channel and perform UWB positioning.
  • the first terminal and the second terminal may negotiate on the BLE channel to start UWB ranging.
  • the first location information can be obtained through the first terminal or through the second terminal.
  • the second terminal may send the first location information to the first terminal.
  • the authority of the second terminal to the first terminal may include authority to the target resource of the first terminal.
  • Target resources can be represented by functional units.
  • the target resource can be one or more functional units.
  • the target resources may include resources belonging to the first terminal.
  • the target resources may include resources associated with the first terminal.
  • the target resources may include resources of the car.
  • the target resource may be a resource of a car associated with the vehicle-mounted terminal.
  • the resources of a car may include, for example, one or more of the resources of a car light (such as a turn signal, a headlight, etc.), a car door, a car window, a display screen, etc. This application does not limit the specific content of the permissions of the second terminal to the first terminal.
  • permissions may include one or more of the following: no permissions, view permissions, proxy view permissions, operate permissions, manage permissions, and administrator Permissions etc.
  • the first terminal may deny access to the second terminal.
  • the second terminal's access to the first terminal matches the authority, the first terminal can perform an action corresponding to the second terminal's access.
  • the access control information can be used to control the access of the first terminal to the second terminal, that is, the access control information can be used to indicate the authority of the second terminal to the first terminal.
  • the access control information may be related to the positional relationship of the second terminal relative to the first terminal.
  • the access control information can be used to record the permissions of the second terminal on the first terminal when the second terminal is in different locations.
  • the second terminal may have the operate authority for the first terminal when it is in the first location, but the second terminal may not have any authority for the first terminal when it is in the second location.
  • the first terminal may allow the second terminal to access the first terminal and allow the second terminal to perform operations related to the operate authority.
  • the first terminal may deny the second terminal access to the first terminal.
  • the access control information may also record the permissions of other terminals on the first terminal.
  • the other terminal may be a different terminal than the second terminal.
  • the other terminal may be a terminal whose logged-in user is different from the logged-in user of the second terminal.
  • the content of access control information can be flexibly modified according to needs. For example, after obtaining the permission to modify the access control information, the user can modify the access control information through one or more of the first terminal, the second terminal, and other terminals.
  • an operation interface can be provided for users to modify access control information.
  • the access control information can be recorded in the first terminal or in a remote server (such as a cloud platform).
  • the access control information can be obtained from the corresponding storage location.
  • Access control information may be included in the first entry for access control.
  • the first entry could be an ACE.
  • One or more ACEs can form an ACL. That is to say, access control information can be recorded in the ACL, and the ACL can include one or more ACEs.
  • the first entry may include one or more pieces of information related to permissions, identities, functional units, etc. Various information can be carried in fields in the first entry. That is, the first entry may include one or more fields.
  • the first entry may include a first field.
  • the first field may be used to specifically carry location information corresponding to the access control item.
  • the first field may be called a position field, for example.
  • the permission corresponding to the first entry is valid.
  • the first field is empty or has a wildcard character (such as *)
  • the type of the first field may be an enumeration type, for example.
  • the first field may include one or more of the following information: inside the car, outside the car, and driving position.
  • the inside of the car may be a position where the second terminal is in the car and the second terminal is not in the driving position. Outside the car may mean that the second terminal is outside the car and within a certain distance near the car.
  • the first field can be refined into one or more of the following information: car left front door, car right front door, car left rear door, car right rear door, car rear, passenger seat, back seat, etc.
  • the first entry may include a second field.
  • the second field may be used to carry the connection type of the secure channel established between the first terminal and the second terminal, and one or more of the connection types of the secure channel are consistent with the access control item.
  • the corresponding location information is associated.
  • the second field may be an extension of the authentication type (AuthMode) field.
  • the extended authentication type field may be represented as a connection type field (ConnMode), for example.
  • the second field can be of enumeration type. Taking the first terminal as a car as an example, the enumeration value may include one or more of the following: configuration channel, external vehicle operation channel, in-vehicle operation channel, driver's seat operation channel, and cloud connection channel.
  • the configuration channel may indicate that the first terminal and the second terminal establish a connection for configuring the first terminal.
  • the outside-vehicle operation channel may represent the operation connection established between the second terminal and the car outside the car.
  • the in-vehicle operation channel may represent an operation connection established between the second terminal and the car in the car (for example, in a non-driving position).
  • the driving position operation channel may represent the operation connection established between the second terminal and the car at the driving position.
  • the cloud connection channel can represent the remote connection established by the second terminal with the car through the cloud platform.
  • the value of the first location information may correspond to the content recorded in the first field or the second field.
  • the value of the first field is one or more of inside the car, outside the car, and driving position.
  • the value of the first location information may also be one or more of inside the car, outside the car, and the driving position.
  • the value of the second field is one or more of the configuration channel, external vehicle operation channel, in-vehicle operation channel, driver's seat operation channel, and cloud connection channel
  • the value of the first location information is also One or more of the configuration channel, external vehicle operation channel, in-car operation channel, driver's seat operation channel, and cloud connection channel. Therefore, the corresponding first entry can be matched according to the first location information, thereby performing access control on the second terminal according to the authority recorded in the first entry.
  • an authenticated secure connection may be established between the first terminal and/or the second terminal.
  • the first terminal may establish an authenticated secure connection with the second terminal.
  • the first terminal and the second terminal may establish a two-way authentication secure connection.
  • the method shown in Figure 2 may also include step S205.
  • Step S205 The second terminal may send a control instruction to the first terminal.
  • the control instruction can correspond to the target resource.
  • the second terminal wishes to access the target resource of the first terminal at a certain location, it can send a control instruction to the first terminal to apply for access to the target resource.
  • the second terminal can send control instructions multiple times. For example, the second terminal can send control instructions multiple times at multiple different locations.
  • control instructions can be transmitted through the established secure channel.
  • the first terminal and/or the second terminal may establish an authenticated secure connection.
  • the first terminal and the second terminal can establish a bidirectional authentication secure connection.
  • the acquisition of the first location information may be triggered based on a message received by the first terminal. For example, after receiving the control instruction, the first terminal can trigger positioning to obtain the first location information of the second terminal. Alternatively, the acquisition of the first location information may also be triggered based on the establishment of a secure connection. That is to say, after establishing a secure connection, positioning can be triggered to obtain the first location information.
  • the first location information may be updated according to the positioning situation. That is to say, at least one positioning can be performed, and the first position information can be the position information obtained from the positioning whose measurement time is closest to the time when the first terminal receives the control instruction in at least one positioning.
  • the location of the second terminal can be measured in real time, and the real-time location of the second terminal can be continuously updated.
  • the first location information is obtained according to the real-time location of the second terminal at the current time.
  • continuous positioning can be achieved, and therefore, continuous positioning can be achieved to continuously update the first location information.
  • continuous positioning cannot be achieved. Therefore, positioning can be triggered by a control command to obtain the first position information.
  • An appropriate method can be selected to obtain the first location information according to the positioning mechanism that is achievable by the terminal's capabilities.
  • the first terminal can determine whether the access permission of the second terminal to the first terminal is established by searching for the access control information. For example, the first terminal may search for a matching first entry based on the first location of the second terminal. In one case, if the access permission of the second terminal to the first terminal is established, the first terminal can perform the corresponding action. Taking the first entry as an ACE as an example, if the first terminal finds the matching ACE and obtains the matching permission, the first terminal can perform the action corresponding to the permission. In another case, if the access permission of the second terminal to the first terminal is not established, the first terminal may deny the access of the second terminal. For example, if the first terminal does not find a matching ACE, the first terminal may deny the access of the second terminal.
  • the first terminal After obtaining the first location information, the first terminal can determine the corresponding channel connection type information.
  • the first terminal may determine the authority of the second terminal to the first terminal according to the corresponding channel connection type information and access control information. Taking the ACE including the second field as an example, the first terminal can compare the channel connection type information with the ACL to check whether there is an ACE matching the second field. If there is a matching ACE, the first terminal can perform the action corresponding to the ACE. If there is no matching ACE, the first terminal may deny access to the second terminal.
  • the first terminal may return a response to the second terminal.
  • This response can be used to inform the second terminal whether the access permission is established.
  • Step S220 Based on the authority of the second terminal to the first terminal, the second terminal accesses the first terminal. When the access authority of the second terminal to the first terminal is established, the second terminal can access the first terminal. When the access authority of the second terminal to the first terminal is not established, the second terminal cannot access the first terminal.
  • the second terminal can access the resources of the first terminal through the client.
  • the permission status recorded in the access control information may be related to the location of the second terminal.
  • the second terminal may have corresponding permissions in different locations.
  • the permissions corresponding to different locations can be different. Therefore, based on the access control information, the first terminal can execute different access control policies on the first terminal when the second terminal is in different locations, thereby satisfying the differentiated execution capabilities of the second terminal on the first terminal in different scenarios.
  • the first entry is ACE.
  • the first field is represented as Position.
  • the fields included in ACE can be shown in Table 2.
  • the position field can be an enumeration type.
  • Enumeration values may include: OutsideCar, InsidCar, and DrivingSeat. Among them, the position in the car other than the driving position in the car can be indicated.
  • ACL configuration measurement for a car could be:
  • the Position field included in ACE4 is empty, which means that the permissions corresponding to ACE4 are valid when the terminal is in any position.
  • the functional unit included in the player may include, for example, a switch of the display screen.
  • Endpoint No. 3 may be a turn signal, for example.
  • Figure 3 is a schematic flow chart of the access control method provided in Embodiment 1.
  • the method shown in Figure 3 may include steps S310 to S390.
  • Step S310 may include step S311 and/or step S312.
  • Step S311 The car and the mobile phone establish an authenticated secure connection.
  • Step S312 The mobile phone and the car establish an authenticated secure connection. It can be understood that when step S310 includes step S311 and step S312, a two-way authentication secure connection can be established between the mobile phone and the car.
  • Step S320 The mobile phone sends control instructions to the vehicle through the established safe channel.
  • the control instructions may include instructions to call (turn on or off, etc.) a display screen in the vehicle.
  • the control instruction may be an instruction to turn on the turn signal.
  • Step S330 After receiving the control command, the car triggers UWB positioning.
  • Step S340 may include step S341 and/or step S342.
  • Step S341 The car and the mobile phone negotiate the UWB positioning channel.
  • Step S342 The mobile phone and the car negotiate the UWB positioning channel. It can be understood that, in the case where step S340 includes step S341 and step S342, the UWB positioning channel can be negotiated interactively between the mobile phone and the car.
  • Step S351 The car performs UWB positioning on the mobile phone.
  • Step S352 The car obtains the first location information of the mobile phone.
  • the first location information may be, for example, inside the car, outside the car, driving position, etc.
  • Step S360 The car searches for a matching ACE based on the first location information of the mobile phone. Take the car configured with the ACL information mentioned above as an example for explanation. Taking the control instruction as an instruction to call the display screen as an example, if the display screen belongs to the functional unit of the player (DeviceType is 0x0000_0023), and the first location information is in the car, searching for the ACE provided in Embodiment 1 can be obtained, ACE2 The value of the location field is inside the car, so the matching ACE is ACE2. According to ACE2, the matching permissions that can be obtained are operation permissions. Taking the control instruction to turn on the turn signal as an example, when the first location information is inside the car (not the driving position), the ACL provided in Embodiment 1 is searched, but no matching ACE is found.
  • Step S370 The car determines whether the access permission is established. Whether the access permission is established can be determined based on whether a matching ACE is found. When the matching ACE is found and the matching permission is obtained, it can be judged that the access permission is established. Taking the above-mentioned control instruction including calling the in-car display screen as an example, it can be determined that the access permission of the control instruction is established. If no matching ACE is found, it can be determined that the access permission is not established. Taking the above-mentioned control instruction including calling the turn signal as an example, it can be judged that the access permission is not established. If the access rights are not established, the car can reject the control command.
  • Step S380 When the access rights are established, the car can execute the control instructions. Continuing to take the control instruction including calling the display screen in the car as an example, as mentioned above, if the access permission is established, the car can perform the operation on the display screen indicated by the control instruction.
  • Step S390 the car returns a response.
  • the car can return a response.
  • the car can return a response in the event the car rejects the command.
  • the first entry may be ACE.
  • the car can be configured with the ACL illustrated in Embodiment 1.
  • Figure 4 is a schematic flow chart of the access control method provided in Embodiment 2.
  • the method shown in Figure 4 may include steps S410 to S490.
  • Step S410 may include step S411 and/or step S412.
  • Step S411 The car and the mobile phone establish an authenticated secure connection.
  • Step S412 The mobile phone and the car establish an authenticated secure connection. It can be understood that in the case where step S410 includes step S411 and step S412, a two-way authentication secure connection can be established between the mobile phone and the car.
  • Step S420 The car triggers UWB positioning.
  • Step S430 may include step S431 and/or step S432.
  • Step S431 The car and the mobile phone negotiate the UWB positioning channel.
  • Step S432 The mobile phone and the car negotiate the UWB positioning channel. It can be understood that, in the case where step S430 includes step S431 and step S432, the UWB positioning channel can be negotiated interactively between the mobile phone and the car.
  • Step S441 The car performs UWB positioning on the mobile phone.
  • Step S442 The car continues to obtain the positioning information of the mobile phone and updates the real-time location information of the mobile phone. That is to say, the car can obtain the location information of the mobile phone multiple times and update the recently obtained location information to the real-time location of the mobile phone.
  • Step S450 The mobile phone sends control instructions to the car through the established safe channel.
  • the control instruction may be an instruction to turn on the turn signal. It can be understood that the mobile phone can perform step S450 multiple times, thereby sending control instructions at different locations.
  • Step S443 After receiving the control command, the car obtains the location information of the mobile phone at the current time and obtains the first location information of the mobile phone.
  • Step S460 The car searches for a matching ACE based on the first location information of the mobile phone.
  • the user can bring the mobile phone into the passenger seat, and the first location information is inside the car (not the driver's seat).
  • the car searched for the ACL provided in Embodiment 1 and found no matching ACE. Users can move around with their mobile phones. In the case where the user enters the car and sits in the driving seat, the first location information may be the driving seat.
  • the mobile phone can again send control instructions to the car to turn on the turn signal.
  • the car searches for the ACL and can match ACE3, and the matching permission is the operate permission.
  • Step S470 The car determines whether the access permission is established. When the matching ACE is found and the matching permission is obtained, it can be judged that the access permission is established. When no matching ACE is found, it can be determined that the access permission is not established. Taking the control instruction including calling the turn signal in step S460 as an example, when the user is in the passenger seat, it can be determined that the access permission is not established, and when the user is in the driving seat, it can be determined that the access permission is established.
  • Step S480 When the access authority is established, execute the control instruction. Continuing to take the control instruction including calling the turn signal as an example, as mentioned above, when the user is in the driving position and the access permission is established, the car can perform the turn signal operation indicated by the control instruction.
  • Step S490 the car returns a response.
  • the car can return a response.
  • the car can return a response in the event the car rejects the command.
  • the first entry is ACE.
  • the AuthMode field of ACE is extended to the connection type (ConnMode) field.
  • the connection type field can be associated with the location information of the mobile phone.
  • the fields included in ACE can be shown in Table 3.
  • connection type field can be an enumeration type.
  • the enumeration value can include: configuration channel (PASE), outside car operation channel (CASE_OutsideCar), in-car operation channel (CASE_InsideCar), driving seat operation channel (CASE_DrivingSeat), and cloud connection channel.
  • the operation channel outside the vehicle means that the client is outside the vehicle and within a certain distance near the vehicle. If a higher-precision positioning mechanism is used, it can be further refined into different positions such as the left front door, the right front door, the left rear door, the right rear door, and the rear of the car.
  • the above enumeration values have been introduced in detail in the previous article and will not be repeated here.
  • ACL configuration measurement for a car could be:
  • Figure 5 is a schematic flow chart of the access control method provided in Embodiment 3.
  • the method shown in Figure 5 may include steps S510 to S592.
  • Step S510 may include step S511 and/or step S512.
  • Step S511 The car and the mobile phone establish an authenticated secure connection.
  • Step S512 The mobile phone and the car establish an authenticated secure connection. It can be understood that in the case where step S510 includes step S511 and step S512, a two-way authentication secure connection can be established between the mobile phone and the car.
  • Step S520 The car determines whether the connection type is an operational connection. Optionally, when the connection type is an operational connection, steps after step S520 may be performed.
  • Step S530 The car triggers UWB positioning.
  • Step S540 may include step S541 and/or step S542.
  • Step S541 The car and the mobile phone negotiate the UWB positioning channel.
  • Step S542 The mobile phone and the car negotiate the UWB positioning channel. It can be understood that, in the case where step S540 includes step S541 and step S542, the UWB positioning channel can be negotiated interactively between the mobile phone and the car.
  • Step S551 The car performs UWB positioning on the mobile phone.
  • Step S552 The car continues to obtain the positioning information of the mobile phone and updates the channel connection type information based on the positioning information. For example, when the mobile phone is outside the car, the channel type is CASE_OutsideCar. When the user brings the mobile phone into the back seat of the car, the channel type is updated to CASE_InsideCar.
  • Step S560 The mobile phone sends control instructions to the car through the established safe channel.
  • the control instruction may be an instruction to call the display screen.
  • Step S570 The car searches for a matching ACE based on the first location information of the mobile phone.
  • the channel connection type information of the mobile phone is CASE_InsideCar and the control instruction is to call the display screen
  • the car searches for the matching ACE according to the ACL in Embodiment 3, and finds that the matching ACE is ACE2 and the matching permission is operate.
  • Step S580 The car determines whether the access permission is established. When the matching ACE is found and the matching permission is obtained, it can be judged that the access permission is established. When no matching ACE is found, it can be determined that the access permission is not established. Taking the control instruction including calling the display screen in step S570 as an example, if the permission matched to ACE2 and equipped is the operation permission, it can be determined that the access permission is established.
  • Step S590 When the access rights are established, the car can execute the control instructions. If the access rights are not established, the car can reject the control command.
  • Step S592 the car returns a response.
  • the car can return a response.
  • the car can return a response in the event the car rejects the command.
  • FIG. 6 is a schematic structural diagram of a terminal 600 provided by an embodiment of the present application.
  • Terminal 600 may be a first terminal.
  • the terminal 600 may include a determining unit 610.
  • the determining unit 610 may be used to determine the authority of the second terminal to the first terminal according to the first location information and access control information of the second terminal; wherein the first location information is used to indicate that the second terminal The positional relationship of the terminal relative to the first terminal.
  • the access control information is used to indicate the permissions of the second terminal on the first terminal when the second terminal is in different locations.
  • the first location information includes one or more of the following information: inside the car, outside the car, main driver's seat, passenger seat, passenger seat, car left front door, car right front door, car left rear door, The right rear door and rear of the car.
  • the first location information is obtained by positioning the second terminal, and the positioning is triggered by a control instruction sent by the second terminal to the first terminal.
  • the first location information is obtained by positioning the second terminal, and the positioning is triggered by the establishment of a secure channel between the first terminal and the second terminal.
  • the first location information is real-time location information of the second terminal, and the acquisition of the real-time location information is triggered by a control instruction sent by the second terminal to the first terminal.
  • the access control information is recorded in an access control list, and the access control list includes one or more access control items.
  • the access control item includes a first field, and the first field is used to specifically carry location information corresponding to the access control item.
  • the first field includes one or more of the following information: inside the car, outside the car, and driving position.
  • the access control item includes a second field, the second field is used to carry the connection type of the secure channel established between the first terminal and the second terminal, and the connection of the secure channel
  • One or more connection types in the type are associated with location information corresponding to the access control item.
  • the determining unit is specifically configured to: determine channel connection type information based on the first location information; determine whether the second terminal has access to the third channel connection type information based on the channel connection type information and the access control information. Permissions for a terminal.
  • the second field includes one or more of the following information: configuration channel, off-vehicle operation channel, in-vehicle operation channel, driving position operation channel, and cloud connection channel.
  • the first terminal is a car.
  • the first location information is obtained through one or more of the following positioning methods: ultra-wideband UWB positioning, Bluetooth positioning, and 5G positioning.
  • Figure 7 is a schematic structural diagram of another terminal 700 provided by an embodiment of the present application.
  • Terminal 700 may be a second terminal.
  • the terminal 700 may include an access unit 710.
  • the access unit 710 may be used to access the first terminal based on the authority of the second terminal to the first terminal; wherein the authority is determined based on the first location information and access control information of the second terminal, and the The first location information is used to indicate the location relationship of the second terminal relative to the first terminal.
  • the access control information is used to record the permissions of the second terminal on the first terminal when the second terminal is in different locations.
  • the first location information includes one or more of the following information: inside the car, outside the car, main driver's seat, passenger seat, passenger seat, car left front door, car right front door, car left rear door, The right rear door and rear of the car.
  • the first location information is obtained by positioning the second terminal, and the positioning is triggered by a control instruction sent by the second terminal to the first terminal.
  • the first location information is obtained by positioning the second terminal, and the positioning is triggered by the establishment of a secure channel between the first terminal and the second terminal.
  • the first location information is real-time location information of the second terminal, and the acquisition of the real-time location information is triggered by a control instruction sent by the second terminal to the first terminal.
  • the access control information is recorded in an access control list, and the access control list includes one or more access control items.
  • the access control item includes a first field, and the first field is used to specifically carry location information corresponding to the access control item.
  • the first field includes one or more of the following information: inside the car, outside the car, and driving position.
  • the access control item includes a second field, the second field is used to carry the connection type of the secure channel established between the first terminal and the second terminal, and the connection of the secure channel
  • One or more connection types in the type are associated with location information corresponding to the access control item.
  • the permission is determined based on the first location information and access control information of the second terminal, including: the permission is determined based on channel connection type information and the access control information, and the channel connection type information is based on the access control information.
  • the first location information is determined.
  • the second field includes one or more of the following information: configuration channel, off-vehicle operation channel, in-vehicle operation channel, driving position operation channel, and cloud connection channel.
  • the first terminal is a car.
  • the first location information is obtained through one or more of the following positioning methods: ultra-wideband UWB positioning, Bluetooth positioning, and 5G positioning.
  • Figure 8 is a schematic structural diagram of a communication device according to an embodiment of the present application.
  • the dashed line in Figure 8 indicates that the unit or module is optional.
  • the device 800 can be used to implement the method described in the above method embodiment.
  • Device 800 may be a chip or a terminal.
  • Apparatus 800 may include one or more processors 810.
  • the processor 810 can support the device 800 to implement the method described in the foregoing method embodiments.
  • the processor 810 may be a general-purpose processor or a special-purpose processor.
  • the processor may be a central processing unit (CPU).
  • the processor can also be another general-purpose processor, a digital signal processor (DSP), an application specific integrated circuit (ASIC), or an off-the-shelf programmable gate array (FPGA) Or other programmable logic devices, discrete gate or transistor logic devices, discrete hardware components, etc.
  • DSP digital signal processor
  • ASIC application specific integrated circuit
  • FPGA off-the-shelf programmable gate array
  • a general-purpose processor may be a microprocessor or the processor may be any conventional processor, etc.
  • the determining unit 610 shown in FIG. 6 can be executed by the processor 810 shown in FIG. 8 .
  • the access unit 710 shown in FIG. 7 may be executed by the processor 810 shown in FIG. 8 .
  • Apparatus 800 may also include one or more memories 820.
  • the memory 820 stores a program, which can be executed by the processor 810, so that the processor 810 executes the method described in the foregoing method embodiment.
  • the memory 820 may be independent of the processor 810 or integrated in the processor 810 .
  • Apparatus 800 may also include a transceiver 830.
  • Processor 810 may communicate with other devices or chips through transceiver 830.
  • the processor 810 can transmit and receive data with other devices or chips through the transceiver 830 .
  • An embodiment of the present application also provides a computer-readable storage medium for storing a program.
  • the computer-readable storage medium can be applied in the terminal or network device provided by the embodiments of the present application, and the program causes the computer to execute the methods performed by the terminal or network device in various embodiments of the present application.
  • An embodiment of the present application also provides a computer program product.
  • the computer program product includes a program.
  • the computer program product can be applied in the terminal or network device provided by the embodiments of the present application, and the program causes the computer to execute the methods performed by the terminal or network device in various embodiments of the present application.
  • An embodiment of the present application also provides a computer program.
  • the computer program can be applied to the terminal or network device provided by the embodiments of the present application, and the computer program causes the computer to execute the methods performed by the terminal or network device in various embodiments of the present application.
  • the "instruction" mentioned may be a direct instruction, an indirect instruction, or an association relationship.
  • a indicates B which can mean that A directly indicates B, for example, B can be obtained through A; it can also mean that A indirectly indicates B, for example, A indicates C, and B can be obtained through C; it can also mean that there is an association between A and B. relation.
  • B corresponding to A means that B is associated with A, and B can be determined based on A.
  • determining B based on A does not mean determining B only based on A.
  • B can also be determined based on A and/or other information.
  • the term "correspondence” can mean that there is a direct correspondence or indirect correspondence between the two, or it can also mean that there is an association between the two, or it can also mean indicating and being instructed, configuring and being configured, etc. relation.
  • predefinition or “preconfiguration” can be achieved by pre-saving corresponding codes, tables or other methods that can be used to indicate relevant information in devices (for example, including terminal devices and network devices).
  • devices for example, including terminal devices and network devices.
  • predefined can refer to what is defined in the protocol.
  • the "protocol” may refer to a standard protocol in the communication field, which may include, for example, LTE protocol, NR protocol, and related protocols applied in future communication systems. This application does not limit this.
  • the size of the sequence numbers of the above-mentioned processes does not mean the order of execution.
  • the execution order of each process should be determined by its functions and internal logic, and should not be determined by the implementation process of the embodiments of the present application. constitute any limitation.
  • the disclosed systems, devices and methods can be implemented in other ways.
  • the device embodiments described above are only illustrative.
  • the division of the units is only a logical function division. In actual implementation, there may be other division methods.
  • multiple units or components may be combined or can be integrated into another system, or some features can be ignored, or not implemented.
  • the coupling or direct coupling or communication connection between each other shown or discussed may be through some interfaces, and the indirect coupling or communication connection of the devices or units may be in electrical, mechanical or other forms.
  • the units described as separate components may or may not be physically separated, and the components shown as units may or may not be physical units, that is, they may be located in one place, or they may be distributed to multiple network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of this embodiment.
  • each functional unit in each embodiment of the present application can be integrated into one processing unit, each unit can exist physically alone, or two or more units can be integrated into one unit.
  • the computer program product includes one or more computer instructions.
  • the computer may be a general-purpose computer, a special-purpose computer, a computer network, or other programmable device.
  • the computer instructions may be stored in or transmitted from one computer-readable storage medium to another, e.g., the computer instructions may be transferred from a website, computer, server, or data center Transmission to another website, computer, server or data center through wired (such as coaxial cable, optical fiber, digital subscriber line (DSL)) or wireless (such as infrared, wireless, microwave, etc.) means.
  • the computer-readable storage medium may be any available medium that can be read by a computer or a data storage device such as a server or data center integrated with one or more available media.
  • the available media may be magnetic media (e.g., floppy disks, hard disks, magnetic tapes), optical media (e.g., digital video discs (DVD)) or semiconductor media (e.g., solid state disks (SSD) )wait.
  • magnetic media e.g., floppy disks, hard disks, magnetic tapes
  • optical media e.g., digital video discs (DVD)
  • semiconductor media e.g., solid state disks (SSD)

Abstract

Provided are an access control method, a terminal, a chip, a readable storage medium, and a computer program product. The method comprises: a first terminal determines the permission of a second terminal to the first terminal according to first position information of the second terminal and access control information, wherein the first position information is used for indicating a positional relationship of a user equipment relative to a vehicle device. On the basis of the access control information, the first terminal can determine the permission of the second terminal to the first terminal according to the relative position of the second terminal. On the basis of the permission, the first terminal executes a corresponding access control policy, such that differential access control of the first terminal by the second terminal at different relative positions can be implemented.

Description

访问控制的方法、终端、芯片、可读存储介质以及计算机程序产品Access control methods, terminals, chips, readable storage media and computer program products 技术领域Technical field
本申请涉及通信技术领域,并且更为具体地,涉及一种访问控制的方法、终端、芯片、可读存储介质以及计算机程序产品。The present application relates to the field of communication technology, and more specifically, to an access control method, terminal, chip, readable storage medium and computer program product.
背景技术Background technique
第一终端和第二终端之间可以进行通信。在第二终端对第一终端进行访问时,第一终端可以进行访问控制,即允许或拒绝该访问。相关技术可以根据终端标识、安全通道验证类型等信息实现访问控制。Communication can take place between the first terminal and the second terminal. When the second terminal accesses the first terminal, the first terminal can perform access control, that is, allow or deny the access. Related technologies can implement access control based on terminal identification, secure channel verification type and other information.
发明内容Contents of the invention
本申请提供一种访问控制的方法、终端、芯片、可读存储介质以及计算机程序产品。This application provides an access control method, terminal, chip, readable storage medium and computer program product.
第一方面,提供了一种访问控制的方法,包括:第一终端根据第二终端的第一位置信息以及访问控制信息,确定所述第二终端对所述第一终端的权限;其中,所述第一位置信息用于指示所述用户设备相对于所述车设备的位置关系。In a first aspect, an access control method is provided, including: the first terminal determines the authority of the second terminal to the first terminal according to the first location information and access control information of the second terminal; wherein, The first location information is used to indicate the location relationship of the user equipment relative to the vehicle equipment.
第二方面,提供了一种访问控制的方法,包括:基于第二终端对第一终端的权限,所述第二终端对所述第一终端进行访问;其中,所述权限基于所述第二终端的第一位置信息以及访问控制信息确定,所述第一位置信息用于指示所述用户设备相对于所述车设备的位置关系。In a second aspect, an access control method is provided, including: based on the authority of the second terminal to the first terminal, the second terminal accesses the first terminal; wherein the authority is based on the authority of the second terminal. The first location information and access control information of the terminal are determined, and the first location information is used to indicate the location relationship of the user equipment relative to the vehicle equipment.
第三方面,提供了一种终端,所述终端为第一终端,所述终端包括:确定单元,用于根据第二终端的第一位置信息以及访问控制信息,确定所述第二终端对所述第一终端的权限;其中,所述第一位置信息用于指示所述用户设备相对于所述车设备的位置关系。In a third aspect, a terminal is provided, where the terminal is a first terminal, and the terminal includes: a determining unit configured to determine, according to the first location information and access control information of the second terminal, whether the second terminal is The authority of the first terminal; wherein the first location information is used to indicate the location relationship of the user equipment relative to the vehicle equipment.
第四方面,提供了一种终端,所述终端为第二终端,所述终端包括:访问单元,用于基于第二终端对第一终端的权限,对所述第一终端进行访问;其中,所述权限基于所述第二终端的第一位置信息以及访问控制信息确定,所述第一位置信息用于指示所述用户设备相对于所述车设备的位置关系。In a fourth aspect, a terminal is provided, where the terminal is a second terminal, and the terminal includes: an access unit configured to access the first terminal based on the authority of the second terminal to the first terminal; wherein, The permission is determined based on the first location information and access control information of the second terminal, and the first location information is used to indicate the location relationship of the user equipment relative to the vehicle equipment.
第五方面,提供一种终端设备,包括处理器、存储器、通信接口,所述存储器用于存储一个或多个计算机程序,所述处理器用于调用所述存储器中的计算机程序使得所述终端设备执行第一方面和/或第二方面所述的方法。In a fifth aspect, a terminal device is provided, including a processor, a memory, and a communication interface. The memory is used to store one or more computer programs. The processor is used to call the computer program in the memory so that the terminal device Perform the method described in the first aspect and/or the second aspect.
第六方面,提供了一种通信系统,该系统包括上述的第一终端和/或第二终端。在另一种可能的设计中,该系统还可以包括本申请实施例提供的方案中与第一终端和/或第二终端进行交互的其他设备。In a sixth aspect, a communication system is provided, which system includes the above-mentioned first terminal and/or second terminal. In another possible design, the system may also include other devices that interact with the first terminal and/or the second terminal in the solution provided by the embodiments of the present application.
第七方面,本申请实施例提供了一种计算机可读存储介质,所述计算机可读存储介质存储有计算机程序,所述计算机程序使得终端设备执行上述第一方面和/或第二方面的方法中的部分或全部步骤。In a seventh aspect, embodiments of the present application provide a computer-readable storage medium that stores a computer program. The computer program causes a terminal device to execute the method of the first aspect and/or the second aspect. some or all of the steps.
第八方面,本申请实施例提供了一种计算机程序产品,其中,所述计算机程序产品包括存储了计算机程序的非瞬时性计算机可读存储介质,所述计算机程序可操作来使终端执行上述第一方面和/或第二方面的方法中的部分或全部步骤。在一些实现方式中,该计算机程序产品可以为一个软件安装包。In an eighth aspect, embodiments of the present application provide a computer program product, wherein the computer program product includes a non-transitory computer-readable storage medium storing a computer program, and the computer program is operable to cause the terminal to execute the above-mentioned first step. Some or all of the steps in the method of the first aspect and/or the second aspect. In some implementations, the computer program product can be a software installation package.
第九方面,本申请实施例提供了一种芯片,该芯片包括存储器和处理器,处理器可以从存储器中调用并运行计算机程序,以实现上述第一方面和/或第二方面的方法中所描述的部分或全部步骤。In a ninth aspect, embodiments of the present application provide a chip, which includes a memory and a processor. The processor can call and run a computer program from the memory to implement the method of the first and/or second aspect. Describe some or all of the steps.
第十方面,提供一种计算机程序产品,包括程序,所述程序使得计算机执行第一方面和/或第二方面所述的方法。In a tenth aspect, a computer program product is provided, including a program that causes a computer to execute the method described in the first aspect and/or the second aspect.
第十一方面,提供一种计算机程序,所述计算机程序使得计算机执行第一方面和/或所述的方法。An eleventh aspect provides a computer program, the computer program causing a computer to execute the first aspect and/or the method described.
基于访问控制信息,第一终端可以根据第二终端的相对位置(即第一位置信息的指示)确定第二终端对于第一终端的权限。基于该权限,第一终端执行对应的访问控制策略,从而可以实现第二终端在不同相对位置下对第一终端的差异化访问控制。Based on the access control information, the first terminal may determine the permissions of the second terminal to the first terminal according to the relative position of the second terminal (ie, the indication of the first position information). Based on the authority, the first terminal executes the corresponding access control policy, so that differentiated access control of the second terminal to the first terminal under different relative positions can be achieved.
附图说明Description of the drawings
图1是本申请实施例应用的场景示例图。Figure 1 is an example diagram of an application scenario according to the embodiment of the present application.
图2是本申请实施例提供的一种访问控制方法的示意性流程图。Figure 2 is a schematic flow chart of an access control method provided by an embodiment of the present application.
图3是本申请实施例提供的另一种访问控制方法的示意性流程图。Figure 3 is a schematic flow chart of another access control method provided by an embodiment of the present application.
图4是本申请实施例提供的又一种访问控制方法的示意性流程图。Figure 4 is a schematic flow chart of yet another access control method provided by an embodiment of the present application.
图5是本申请实施例提供的再一种访问控制方法的示意性流程图。Figure 5 is a schematic flow chart of yet another access control method provided by an embodiment of the present application.
图6是本申请实施例提供的一种终端的示意性结构图。Figure 6 is a schematic structural diagram of a terminal provided by an embodiment of the present application.
图7是本申请实施例提供的另一种终端的示意性结构图。Figure 7 is a schematic structural diagram of another terminal provided by an embodiment of the present application.
图8是本申请实施例提供的一种装置的示意性结构图。Figure 8 is a schematic structural diagram of a device provided by an embodiment of the present application.
具体实施方式Detailed ways
下面将结合附图,对本申请中的技术方案进行描述。The technical solutions in this application will be described below with reference to the accompanying drawings.
图1是本申请实施例应用的场景示例图。其中,终端110可以是与终端120进行通信的设备。Figure 1 is an example diagram of an application scenario according to the embodiment of the present application. The terminal 110 may be a device that communicates with the terminal 120.
本申请实施例中的终端也可以称为节点、用户设备(user equipment,UE)、接入终端、用户单元、用户站、移动站、移动台(mobile station,MS)、移动终端(mobile terminal,MT)、远方站、远程终端、移动设备、用户终端、终端设备、无线通信设备、用户代理或用户装置。本申请实施例中的终端设备可以是指向用户提供语音和/或数据连通性的设备,可以用于连接人、物和机。例如终端可以是具有无线连接功能的手持式设备、车载设备等。或者,终端可以是具有无线连接功能的汽车、家电、家居系统等。本申请的实施例中的终端设备可以是手机(mobile phone)、平板电脑(Pad)、笔记本电脑、掌上电脑、移动互联网设备(mobile internet device,MID)、可穿戴设备,虚拟现实(virtual reality,VR)设备、增强现实(augmented reality,AR)设备、工业控制(industrial control)中的无线终端、物联网设备中的无线终端、无人驾驶(self driving)中的无线终端、远程手术(remote medical surgery)中的无线终端、智能电网(smart grid)中的无线终端、运输安全(transportation safety)中的无线终端、智慧城市(smart city)中的无线终端、智慧家庭(smart home)中的无线终端等。可选地,终端可以用于充当基站。例如,终端可以充当调度实体,其在V2X或D2D等中的终端之间提供侧行链路信号。比如,蜂窝电话和汽车利用侧行链路信号彼此通信。蜂窝电话和智能家居设备之间通信,而无需通过基站中继通信信号。The terminal in the embodiment of this application may also be called a node, user equipment (UE), access terminal, user unit, user station, mobile station, mobile station (MS), mobile terminal, MT), remote station, remote terminal, mobile device, user terminal, terminal equipment, wireless communications equipment, user agent or user device. The terminal device in the embodiment of the present application may be a device that provides voice and/or data connectivity to users, and may be used to connect people, things, and machines. For example, the terminal can be a handheld device, a vehicle-mounted device, etc. with wireless connection function. Alternatively, the terminal may be a car, home appliance, home system, etc. with wireless connection function. The terminal device in the embodiment of the present application can be a mobile phone (mobile phone), a tablet computer (Pad), a notebook computer, a handheld computer, a mobile internet device (mobile internet device, MID), a wearable device, a virtual reality (virtual reality, VR) equipment, augmented reality (AR) equipment, wireless terminals in industrial control (industrial control), wireless terminals in Internet of Things equipment, wireless terminals in self-driving (self driving), remote surgery (remote medical) Wireless terminals in surgery, wireless terminals in smart grid, wireless terminals in transportation safety, wireless terminals in smart city, and wireless terminals in smart home wait. Optionally, the terminal can be used to act as a base station. For example, a terminal may act as a scheduling entity that provides sidelink signals between terminals in V2X or D2D, etc. For example, cell phones and cars use sidelink signals to communicate with each other. Cell phones and smart home devices communicate between each other without having to relay communication signals through base stations.
终端可以部署在陆地上,包括室内或室外、手持或车载;也可以部署在水面上;还可以部署在空中的飞机、气球和卫星上。本申请实施例中对终端所处的场景不做限定。Terminals can be deployed on land, indoors or outdoors, handheld or vehicle-mounted; they can also be deployed on water; they can also be deployed on aircraft, balloons and satellites in the air. In the embodiments of this application, the scenario in which the terminal is located is not limited.
应理解,本申请中的通信设备的全部或部分功能也可以通过在硬件上运行的软件功能来实现,或者通过平台(例如云平台)上实例化的虚拟化功能来实现。It should be understood that all or part of the functions of the communication device in this application can also be implemented through software functions running on hardware, or through virtualization functions instantiated on a platform (such as a cloud platform).
应理解,本申请实施例的技术方案可以应用于各种通信系统,例如:第五代(5th generation,5G)系统或新无线(new radio,NR)、长期演进(long term evolution,LTE)系统、LTE频分双工(frequency division duplex,FDD)系统、LTE时分双工(time division duplex,TDD)、蜂窝物联网、WIFI通信系统、蓝牙通信系统等。本申请提供的技术方案还可以应用于未来的通信系统,如第六代移动通信系统等等。It should be understood that the technical solutions of the embodiments of the present application can be applied to various communication systems, such as: fifth generation (5th generation, 5G) systems or new radio (NR), long term evolution (long term evolution, LTE) systems , LTE frequency division duplex (FDD) system, LTE time division duplex (TDD), cellular Internet of Things, WIFI communication system, Bluetooth communication system, etc. The technical solution provided by this application can also be applied to future communication systems, such as the sixth generation mobile communication system and so on.
终端110可以对终端120的资源进行访问,作为一种实现方式,终端110可以为手机,终端120可以为汽车。用户可以在手机上进行操作,实现对汽车资源的控制。例如,终端110可以实现数字车钥匙功能,以替代传统车钥匙。The terminal 110 can access the resources of the terminal 120. As an implementation manner, the terminal 110 can be a mobile phone, and the terminal 120 can be a car. Users can operate on their mobile phones to control car resources. For example, the terminal 110 can implement a digital car key function to replace the traditional car key.
在一些实施例中,数字车钥匙可以实现无感解锁功能,即无钥匙进入和启动系统(passive entry passive start,PEPS)。为便于说明数字车钥匙功能,图1中的终端120在下文称为汽车120。In some embodiments, the digital car key can implement a sensorless unlocking function, that is, a keyless entry and start system (passive entry passive start, PEPS). To facilitate the description of the digital car key function, the terminal 120 in FIG. 1 is referred to as the car 120 below.
PEPS技术中,用户携带终端110进入汽车120周围的一定范围时,汽车120可以识别出终端110的位置以及汽车120授权的用户,若识别通过则可以自动开门。或者,用户携带终端110离开汽车的一定范围时,汽车120可以识别出终端110的位置,并可以控制汽车120的门锁和/或窗锁自动锁上和/或进入防盗状态。In PEPS technology, when the user brings the terminal 110 into a certain range around the car 120, the car 120 can identify the location of the terminal 110 and the user authorized by the car 120. If the identification is passed, the car 120 can automatically open the door. Alternatively, when the user carries the terminal 110 and leaves a certain range of the car, the car 120 can recognize the location of the terminal 110 and can control the door locks and/or window locks of the car 120 to automatically lock and/or enter the anti-theft state.
PEPS可以基于蓝牙低功耗(bluetooth low energy,BLE)无线通信和/或超宽带(ultra wide band,UWB)技术实现。例如,汽车120和终端110可以通过BLE无线通讯进行广播发现。当终端110进入发现区域时,终端110可以发现汽车120,终端110可以拉起车企应用(application,APP)后台解锁服务验证终端110的用户信息和/或数字钥匙有效性。进一步地,终端110可以与汽车120建立BLE连接。汽车120可以基于BLE连接判断终端110和汽车120距离(例如通过UWB实现)。当用户携带终端110进一步靠近车时,汽车120可以判断终端110是否处于无钥匙进入(passive entry,PE)区域。如果终端110处于PE区域,汽车120可以进入允许解锁状态。此时,用户可以打开汽车120的车门。PEPS can be implemented based on Bluetooth low energy (BLE) wireless communication and/or ultra wide band (UWB) technology. For example, the car 120 and the terminal 110 can perform broadcast discovery through BLE wireless communication. When the terminal 110 enters the discovery area, the terminal 110 can discover the car 120, and the terminal 110 can launch the car company's application (APP) background unlocking service to verify the user information and/or the validity of the digital key of the terminal 110. Further, the terminal 110 can establish a BLE connection with the car 120 . The car 120 can determine the distance between the terminal 110 and the car 120 based on the BLE connection (for example, through UWB). When the user brings the terminal 110 closer to the car, the car 120 can determine whether the terminal 110 is in a keyless entry (PE) area. If the terminal 110 is in the PE area, the car 120 can enter the unlocking allowed state. At this time, the user can open the door of the car 120.
下文将详细介绍基于BLE和UWB技术的数字车钥匙技术。基于数字车钥匙的汽车解锁方法可以包括步骤S110~步骤S150。该方法可以由终端110和汽车120执行。The following will introduce in detail the digital car key technology based on BLE and UWB technology. The car unlocking method based on the digital car key may include steps S110 to S150. The method can be performed by the terminal 110 and the car 120 .
步骤S110,汽车120和/或终端110通过BLE无线通信进行广播发现。In step S110, the car 120 and/or the terminal 110 perform broadcast discovery through BLE wireless communication.
步骤S120,汽车120和终端110进行双向认证。In step S120, the car 120 and the terminal 110 perform two-way authentication.
步骤S130,汽车120和终端110在BLE通道协商启动UWB测距信道。Step S130, the car 120 and the terminal 110 negotiate to start the UWB ranging channel on the BLE channel.
步骤S140,汽车120和/或终端110通过UWB测量汽车120和终端110之间的距离。In step S140, the car 120 and/or the terminal 110 measure the distance between the car 120 and the terminal 110 through UWB.
步骤S150,汽车120根据与终端110之间的距离,判断终端110是否处于PE区域。如果处于PE区域,则汽车120可以进入允许解锁状态。In step S150, the car 120 determines whether the terminal 110 is in the PE area based on the distance between the car 120 and the terminal 110. If in the PE area, the car 120 can enter the unlocking allowed state.
可以理解的是,上文所述的PEPS数字车钥匙,用户可以不需要在手机上进行操作,汽车即可根据手机的位置自动实现对汽车锁的访问(开锁或上锁)。也就是说,数字车钥匙可以基于位置信息实现汽车车锁这一资源的无感访问。It can be understood that with the PEPS digital car key mentioned above, the user does not need to operate on the mobile phone, and the car can automatically access the car lock (unlock or lock) based on the location of the mobile phone. In other words, the digital car key can achieve senseless access to the resource of the car lock based on location information.
在一种实现方式下,终端110对终端120的资源的访问可以由终端120控制。终端120可以允许终端110的访问也可以拒绝终端110的访问。例如,手机对汽车锁这一资源的访问可以由汽车进行控制,即汽车可以控制是否允许手机对车锁进行上锁或开锁。访问控制可以基于访问控制列表(access control list,ACL)实现。In one implementation, the terminal 110's access to resources of the terminal 120 may be controlled by the terminal 120. The terminal 120 may allow the access of the terminal 110 or may deny the access of the terminal 110 . For example, the mobile phone's access to the car lock resource can be controlled by the car, that is, the car can control whether to allow the mobile phone to lock or unlock the car lock. Access control can be implemented based on access control list (ACL).
ACL可以包括一个或多个访问控制项(access control entry,ACE)。ACE可以为某个或某些特定节点(或账户)定义针对某个或某些资源的权限。ACE可以包括一项或多项信息。例如,ACE可以包括与权限、身份、功能单元等相关的一项或多项信息。各项信息可以承载于ACE中的字段中。也就是说,ACE可以包括一个或多个字段。An ACL can include one or more access control entries (ACEs). ACE can define permissions for one or some resources for one or some specific nodes (or accounts). ACE can include one or more pieces of information. For example, an ACE may include one or more pieces of information related to permissions, identities, functional units, etc. Various information can be carried in fields in ACE. That is, an ACE can include one or more fields.
作为一种实现方式,ACE可以包括权限级别、身份验证类型、源主体、目标以及扩展等字段中的一项或多项。不同协议或标准对于相同或类似的信息的字段的设置可能存在差异,本申请对此不做限制,下文仅做示例性说明。下面详细介绍ACE中可以包含的字段。As an implementation method, ACE can include one or more fields such as permission level, authentication type, source principal, target, and extension. Different protocols or standards may have different settings for fields of the same or similar information. This application does not limit this, and the following is only an exemplary description. The fields that can be included in ACE are introduced in detail below.
目标(Targets)字段可以用于描述应用该ACE条目的目标资源。目标资源例如可以包括一个或多个目标功能单元。目标字段的值类型可以为列表类型。目标字段可以包括一个或多个目标功能单元的结构体(struct)。在一些实施例中,端点(EndPoints)字段也可以用于描述应用该ACE条目的目标资源。The Targets field can be used to describe the target resources to which this ACE entry applies. The target resource may include, for example, one or more target functional units. The value type of the target field can be a list type. The target field may include a structure (struct) of one or more target functional units. In some embodiments, the EndPoints field may also be used to describe the target resource to which the ACE entry applies.
权限级别(Privilege)字段可以用于描述该ACE条目可以授予的权限级别。权限级别字段的值类型可以为枚举(enum)类型。权限级别字段的值可以包括:查看(view)权限、代理人查看(proxy view)权限、操作(operate)权限、管理(manage)权限、管理员(administrator)权限等。The Privilege field can be used to describe the level of privileges that can be granted by this ACE entry. The value type of the permission level field can be an enumeration (enum) type. The value of the permission level field can include: view permission, proxy view permission, operate permission, manage permission, administrator permission, etc.
查看权限可以包括可以读和观察所有除访问控制资源和非代理人(proxy)资源之外的资源的权限。View permissions can include permissions to read and observe all resources except access-controlled resources and non-proxy resources.
代理人权限可以包括可以读和观察所有代理人资源的权限。代理人查看权限可以隐含包括查看权限。Agent permissions can include permissions to read and observe all agent resources. Delegate viewing rights can implicitly include viewing rights.
操作权限可以包括查看权限和可以执行目标资源的主要功能的权限。主要功能可以除了访问控制单元以外的功能。操作权限可以隐含包括查看权限。Operation permissions can include view permissions and permissions to perform the primary functions of the target resource. The main functions may be other than those of the access control unit. Operation permissions may implicitly include viewing permissions.
管理权限可以包括操作权限以及修改节点的持久配置(除访问控制功能单元外)。管理权限可以隐含包括操作权限和/或查看权限。Administrative permissions can include operating permissions and modifying the persistent configuration of the node (in addition to the access control functional unit). Administrative permissions may implicitly include operation permissions and/or viewing permissions.
管理员权限可以包括管理权限以及观察、修改访问控制功能单元。管理员权限可以隐含包括管理权限、操作权限、代理人查看权限以及查看权限中的一项或多项。Administrator rights can include administrative rights and observing and modifying access control functional units. Administrator permissions may implicitly include one or more of management permissions, operation permissions, delegate viewing permissions, and viewing permissions.
源主体(Subjects)字段可以用于描述一个或多个主体。主体可以是使用安全通道体系结构提供的给定认证方法来描述操作的来源。源主体字段的值类型可以为列表(list)类型。源主体字段可以包括一个或多个主体的标识(例如ID)。主体可以为以下三种情况中的一项。The Source Subjects field can be used to describe one or more subjects. A principal can be the origin of an operation described using a given authentication method provided by the secure channel architecture. The value type of the source body field can be a list type. The source subject field may include identification (eg, ID) of one or more subjects. The subject can be one of the following three situations.
情况一:在调试阶段通过配置通道(PASE)会话进行交互的一种发起方节点。该节点可以通过PASE会话中的两个对等方彼此在本地进行身份验证这一事实隐式地标识。Case 1: An initiator node that interacts through a configuration channel (PASE) session during the debugging phase. The node can be implicitly identified by the fact that both peers in the PASE session authenticate to each other locally.
情况二:在操作阶段通过操作通道(CASE)会话进行交互的发起方节点。该节点可以使用会话建立期间共享的操作证书(NOC)中的一个可分辨名称(例如节点ID)来标识。Case 2: Initiator node that interacts through the operation channel (CASE) session during the operation phase. The node can be identified using a distinguished name (such as a node ID) in the operational certificate (NOC) shared during session establishment.
情况三:通过消息组进行交互的发起程序节点。该节点可以由组ID标识。该节点可以由操作组密钥验证。Case 3: Initiator nodes interacting through message groups. The node can be identified by the group ID. The node can be authenticated by the operation group key.
身份验证类型(AuthMode)字段可以用于描述该ACE条目的主体所应用的安全通道身份验证方法的类型(或称为安全通道的认证类型或连接类型)。身份验证类型字段的值类型可以为枚举类型。身份验证类型字段的取值可以包括上文所述的CASE、PASE或组等。The Authentication Type (AuthMode) field can be used to describe the type of secure channel authentication method applied to the subject of this ACE entry (or the authentication type or connection type known as the secure channel). The value type of the authentication type field can be an enumeration type. The value of the authentication type field can include CASE, PASE or group as mentioned above.
扩展(Extension)字段可以为一种可选的扩展负载。扩展字段可以用于加密签名、特定于供应商的ACL内容或其他元数据等。The Extension field can be an optional extension payload. Extension fields can be used for things like cryptographic signatures, vendor-specific ACL content, or other metadata.
作为一种实现方式,ACE包括的字段可以如表1所示。As an implementation method, the fields included in ACE can be as shown in Table 1.
表1Table 1
Figure PCTCN2022092978-appb-000001
Figure PCTCN2022092978-appb-000001
Figure PCTCN2022092978-appb-000002
Figure PCTCN2022092978-appb-000002
由此可知,第一终端可以根据第二终端的ID、第一终端和第二终端之间的安全通道认证类型、目标资源等信息实现访问控制。可以理解的是,相关技术难以根据位置信息实现访问控制。It can be seen that the first terminal can implement access control based on information such as the ID of the second terminal, the authentication type of the secure channel between the first terminal and the second terminal, and the target resource. It is understandable that related technologies are difficult to implement access control based on location information.
图2为本申请实施例提供的一种访问控制的方法,以解决上述问题。图2所示的方法可以由第一终端和第二终端执行。本申请不限制第一终端和第二终端的类型,例如可以为上文所述的任意终端。例如,第一终端可以为汽车,第二终端可以为用户使用的手机。Figure 2 shows an access control method provided by an embodiment of the present application to solve the above problems. The method shown in Figure 2 can be executed by the first terminal and the second terminal. This application does not limit the types of the first terminal and the second terminal. For example, they may be any terminal mentioned above. For example, the first terminal may be a car, and the second terminal may be a mobile phone used by the user.
图2所示的方法可以包括步骤S210和步骤S220。The method shown in Figure 2 may include step S210 and step S220.
步骤S210,第一终端根据第二终端的第一位置信息以及访问控制信息,确定第二终端对第一终端的权限。Step S210: The first terminal determines the authority of the second terminal to the first terminal based on the first location information and access control information of the second terminal.
第一位置信息可以用于指示所述第二终端相对于第一终端的位置关系。可以理解的是,第一位置信息可以为相对位置信息。例如,第一位置信息可以根据第一终端的位置、第二终端的位置、第一终端和第二终端之间的距离和/或角度确定。The first location information may be used to indicate the location relationship of the second terminal relative to the first terminal. It can be understood that the first position information may be relative position information. For example, the first location information may be determined based on the location of the first terminal, the location of the second terminal, the distance and/or angle between the first terminal and the second terminal.
以第一终端为汽车为例,第一位置信息可以用于指示第二终端相对于汽车的位置关系。例如,第一位置信息可以包括以下信息中的一种或多种:汽车内、汽车外、主驾驶位、副驾驶位、乘客位、车左前门、车右前门、车左后门、车右后门、车尾。其中,汽车内可以不包括驾驶位(主驾驶位和/或副驾驶位)。Taking the first terminal as a car as an example, the first location information can be used to indicate the location relationship of the second terminal relative to the car. For example, the first location information may include one or more of the following information: inside the car, outside the car, main driver's seat, passenger seat, passenger seat, car left front door, car right front door, car left rear door, car right rear door , the rear of the car. The car may not include a driver's seat (main driver's seat and/or co-pilot's seat).
可以理解的是,第一位置信息的表示可以与定位机制的精度相关。如果采用较低精度的定位机制,第一位置信息可以包括汽车内和/或汽车外等。如果采用较高精度的定位机制,可以将第一位置信息的表示细化。例如,第一位置信息可以为以下中的一种或多种:车左前门、车右前门、车左后门、车右后门、车尾、副驾驶位、后座等。It can be understood that the representation of the first position information may be related to the accuracy of the positioning mechanism. If a lower-precision positioning mechanism is used, the first location information may include inside the car and/or outside the car, etc. If a higher-precision positioning mechanism is adopted, the representation of the first position information can be refined. For example, the first location information may be one or more of the following: car left front door, car right front door, car left rear door, car right rear door, car rear, passenger seat, back seat, etc.
本申请不限制获取第一位置信息的定位机制。作为一种实现方式,可以基于近距离定位方式获取第一位置信息。例如,第一位置信息可以通过以下定位方式中的一种或多种获取:UWB定位、蓝牙定位、5G定位。作为一种实时方式,第一终端和第二终端可以协商UWB定位信道并进行UWB定位。作为另一种实现方式,第一终端和第二终端可以在BLE通道协商启动UWB测距。This application does not limit the positioning mechanism for obtaining the first location information. As an implementation method, the first location information can be obtained based on short-range positioning. For example, the first location information can be obtained through one or more of the following positioning methods: UWB positioning, Bluetooth positioning, and 5G positioning. As a real-time method, the first terminal and the second terminal can negotiate a UWB positioning channel and perform UWB positioning. As another implementation manner, the first terminal and the second terminal may negotiate on the BLE channel to start UWB ranging.
本申请不限制获取第一位置信息的设备。例如,第一位置信息可以通过第一终端获取,也可以通过第二终端获取。第二终端获取第一位置信息后,可以将第一位置信息发送给第一终端。This application does not limit the device that obtains the first location information. For example, the first location information can be obtained through the first terminal or through the second terminal. After obtaining the first location information, the second terminal may send the first location information to the first terminal.
第二终端对第一终端的权限可以包括对第一终端的目标资源的权限。目标资源可以通过功能单元表示。例如,目标资源可以为一个或多个功能单元。The authority of the second terminal to the first terminal may include authority to the target resource of the first terminal. Target resources can be represented by functional units. For example, the target resource can be one or more functional units.
目标资源可以包括属于第一终端的资源。或者,目标资源可以包括与第一终端关联的资源。以第一终端为汽车为例,目标资源可以包括该汽车的资源。以第一终端为车载终端为例,目标资源可以为车载终端关联的汽车的资源。汽车的资源例如可以包括:车灯(例如转向灯、照明灯等)、车门、车窗、显示屏等资源中的一项或多项。本申请对第二终端对第一终端的权限的具体内容不做限制。例如,权限可以包括一下内容中的一项或多项:无权限、查看(view)权限、代理人查看(proxy view)权限、操作(operate)权限、管理(manage)权限、管理员(administrator)权限等。在第二终端对第一终端的权限为无权限时,第一终端可以拒绝所述第二终端的访问。在第二终端对第一终端的访问与权限匹配时,第一终端可以执行第二终端的访问对应的动作。The target resources may include resources belonging to the first terminal. Alternatively, the target resources may include resources associated with the first terminal. Taking the first terminal as a car as an example, the target resources may include resources of the car. Taking the first terminal as a vehicle-mounted terminal as an example, the target resource may be a resource of a car associated with the vehicle-mounted terminal. The resources of a car may include, for example, one or more of the resources of a car light (such as a turn signal, a headlight, etc.), a car door, a car window, a display screen, etc. This application does not limit the specific content of the permissions of the second terminal to the first terminal. For example, permissions may include one or more of the following: no permissions, view permissions, proxy view permissions, operate permissions, manage permissions, and administrator Permissions etc. When the second terminal has no authority over the first terminal, the first terminal may deny access to the second terminal. When the second terminal's access to the first terminal matches the authority, the first terminal can perform an action corresponding to the second terminal's access.
访问控制信息可以用于第一终端对第二终端的访问进行控制,即访问控制信息可以用于指示第二终端对第一终端的权限。访问控制信息可以与第二终端相对于第一终端的位置关系相关。在一种实现方式下,访问控制信息可以用于记录第二终端在不同位置时对第一终端的权限。例如,第二终端在第一位置时可以对第一终端有operate权限,第二终端在第二位置时可以对第一终端没有任何权限。在这种情况下,在第二终端移动到第一位置时,第一终端才可能允许第二终端对第一终端的访问,并允许第二终端进行operate权限相关的操作。或者,在第二终端移动到第二位置时,第一终端可以拒绝第二终端对第一终端的访问。The access control information can be used to control the access of the first terminal to the second terminal, that is, the access control information can be used to indicate the authority of the second terminal to the first terminal. The access control information may be related to the positional relationship of the second terminal relative to the first terminal. In one implementation, the access control information can be used to record the permissions of the second terminal on the first terminal when the second terminal is in different locations. For example, the second terminal may have the operate authority for the first terminal when it is in the first location, but the second terminal may not have any authority for the first terminal when it is in the second location. In this case, when the second terminal moves to the first position, the first terminal may allow the second terminal to access the first terminal and allow the second terminal to perform operations related to the operate authority. Alternatively, when the second terminal moves to the second location, the first terminal may deny the second terminal access to the first terminal.
可以理解的是,访问控制信息也可以记录其他终端对第一终端的权限。其他终端可以为与第二终端 不同的终端。或者,其他终端可以为登录用户与第二终端的登录用户不同的终端。It can be understood that the access control information may also record the permissions of other terminals on the first terminal. The other terminal may be a different terminal than the second terminal. Alternatively, the other terminal may be a terminal whose logged-in user is different from the logged-in user of the second terminal.
访问控制信息的内容可以根据需求灵活修改。例如,在获取到修改访问控制信息权限的情况下,用户可以通过第一终端、第二终端以及其他终端中的一项或多项可以对访问控制信息进行修改。作为一种实现方式,可以为用户提供操作接口,以便用户对访问控制信息进行修改。The content of access control information can be flexibly modified according to needs. For example, after obtaining the permission to modify the access control information, the user can modify the access control information through one or more of the first terminal, the second terminal, and other terminals. As an implementation method, an operation interface can be provided for users to modify access control information.
可以理解的是,通过对访问控制信息的修改,可以实现用户定制化的访问控制,从而提高用户的体验感。It is understandable that by modifying the access control information, user-customized access control can be achieved, thereby improving the user experience.
本申请不限制访问控制信息的存储方式。例如,访问控制信息可以记录在第一终端,也可以记录在远端服务器(例如云平台)中。在第一终端需要根据访问控制信息控制第二终端的访问时,可以在相应的存储位置获取该访问控制信息。This application does not limit the storage method of access control information. For example, the access control information can be recorded in the first terminal or in a remote server (such as a cloud platform). When the first terminal needs to control the access of the second terminal based on the access control information, the access control information can be obtained from the corresponding storage location.
访问控制信息可以包含在用于访问控制的第一条目中。作为一种实现方式,第一条目可以为ACE。一个或多个ACE可以组成ACL。也就是说,访问控制信息可以记录在ACL中,ACL可以包括一个或多个ACE。Access control information may be included in the first entry for access control. As an implementation, the first entry could be an ACE. One or more ACEs can form an ACL. That is to say, access control information can be recorded in the ACL, and the ACL can include one or more ACEs.
第一条目可以包括与权限、身份、功能单元等相关的一项或多项信息。各项信息可以承载于第一条目中的字段中。也就是说,第一条目可以包括一个或多个字段。The first entry may include one or more pieces of information related to permissions, identities, functional units, etc. Various information can be carried in fields in the first entry. That is, the first entry may include one or more fields.
作为一种实现方式,第一条目可以包括第一字段。第一字段可以用于专门承载所述访问控制项对应的位置信息。第一字段例如可以称为位置(Position)字段。As an implementation manner, the first entry may include a first field. The first field may be used to specifically carry location information corresponding to the access control item. The first field may be called a position field, for example.
可以理解的是,当第二终端的第一位置信息与第一字段记录的内容匹配的情况下,该第一条目对应的权限有效。在第一字段为空或通配符(例如*)的情况下,可以表示第二终端处于任意位置时该第一条目对应的权限均有效。也就是说,第一字段为空的情况下,第一条目对应的权限可以与位置无关。例如,如果第一条目的第一字段的值为汽车内,在第二终端处于汽车内部的时候,该第一条目对应的权限有效。相应地,在第二终端处于汽车外部的时候,该第一条目对应的权限无效。It can be understood that when the first location information of the second terminal matches the content recorded in the first field, the permission corresponding to the first entry is valid. When the first field is empty or has a wildcard character (such as *), it may indicate that the permission corresponding to the first entry is valid when the second terminal is in any position. That is to say, when the first field is empty, the permission corresponding to the first entry may be independent of location. For example, if the value of the first field of the first entry is inside the car, when the second terminal is inside the car, the permission corresponding to the first entry is valid. Correspondingly, when the second terminal is outside the car, the permission corresponding to the first entry is invalid.
第一字段的类型例如可以为枚举类型。以第一终端为汽车为例,第一字段可以包括以下信息中的一项或多项:汽车内、汽车外、驾驶位。其中,汽车内可以为第二终端在汽车内,且第二终端不在驾驶位的位置。汽车外可以为第二终端在汽车外部且在该汽车附近一定距离内。或者,第一字段可以细化为以下信息中的一项或多项:车左前门、车右前门、车左后门、车右后门、车尾、副驾驶位、后座等。The type of the first field may be an enumeration type, for example. Taking the first terminal as a car as an example, the first field may include one or more of the following information: inside the car, outside the car, and driving position. Wherein, the inside of the car may be a position where the second terminal is in the car and the second terminal is not in the driving position. Outside the car may mean that the second terminal is outside the car and within a certain distance near the car. Alternatively, the first field can be refined into one or more of the following information: car left front door, car right front door, car left rear door, car right rear door, car rear, passenger seat, back seat, etc.
作为另一种实现方式,第一条目可以包括第二字段。第二字段可以用于承载所述第一终端和所述第二终端之间建立的安全通道的连接类型,且所述安全通道的连接类型中的一个或多个连接类型与所述访问控制项对应的位置信息关联。在一个实施例中,第二字段可以为身份验证类型(AuthMode)字段的扩展。扩展后的身份验证类型字段例如可以表示为连接类型字段(ConnMode)。第二字段可以为枚举类型。以第一终端为汽车为例,枚举值可以包括以下中的一项或多项:配置通道、车外操作通道、车内操作通道、驾驶位操作通道、云连接通道。其中,配置通道可以表示第一终端和第二终端建立的是用于配置第一终端的连接。车外操作通道可以表示第二终端在汽车外与汽车建立的操作连接。车内操作通道可以表示第二终端在车内(例如可以为非驾驶位)与汽车建立的操作连接。驾驶位操作通道可以表示第二终端在驾驶位与汽车建立的操作连接。云连接通道可以表示第二终端通过云平台与汽车建立的远程连接。As another implementation, the first entry may include a second field. The second field may be used to carry the connection type of the secure channel established between the first terminal and the second terminal, and one or more of the connection types of the secure channel are consistent with the access control item. The corresponding location information is associated. In one embodiment, the second field may be an extension of the authentication type (AuthMode) field. The extended authentication type field may be represented as a connection type field (ConnMode), for example. The second field can be of enumeration type. Taking the first terminal as a car as an example, the enumeration value may include one or more of the following: configuration channel, external vehicle operation channel, in-vehicle operation channel, driver's seat operation channel, and cloud connection channel. The configuration channel may indicate that the first terminal and the second terminal establish a connection for configuring the first terminal. The outside-vehicle operation channel may represent the operation connection established between the second terminal and the car outside the car. The in-vehicle operation channel may represent an operation connection established between the second terminal and the car in the car (for example, in a non-driving position). The driving position operation channel may represent the operation connection established between the second terminal and the car at the driving position. The cloud connection channel can represent the remote connection established by the second terminal with the car through the cloud platform.
可以理解的是,第一位置信息的取值可以与第一字段或第二字段记录的内容相对应。例如,第一字段的取值为汽车内,汽车外以及驾驶位中的一种或多种的情况下。第一位置信息的值也可以为汽车内,汽车外以及驾驶位中的一种或多种。或者,第二字段的取值为配置通道、车外操作通道、车内操作通道、驾驶位操作通道、云连接通道中的一项或多项的情况下,第一位置信息的取值也为配置通道、车外操作通道、车内操作通道、驾驶位操作通道、云连接通道中的一项或多项。因此,可以根据第一位置信息匹配对应的第一条目,从而根据该第一条目中记录的权限对第二终端进行访问控制。It can be understood that the value of the first location information may correspond to the content recorded in the first field or the second field. For example, the value of the first field is one or more of inside the car, outside the car, and driving position. The value of the first location information may also be one or more of inside the car, outside the car, and the driving position. Or, when the value of the second field is one or more of the configuration channel, external vehicle operation channel, in-vehicle operation channel, driver's seat operation channel, and cloud connection channel, the value of the first location information is also One or more of the configuration channel, external vehicle operation channel, in-car operation channel, driver's seat operation channel, and cloud connection channel. Therefore, the corresponding first entry can be matched according to the first location information, thereby performing access control on the second terminal according to the authority recorded in the first entry.
可选地,第一终端和/或第二终端之间可以建立认证安全连接。例如,第一终端可以建立与第二终端的认证安全连接。或者,第一终端和第二终端可以建立双向认证安全连接。Optionally, an authenticated secure connection may be established between the first terminal and/or the second terminal. For example, the first terminal may establish an authenticated secure connection with the second terminal. Alternatively, the first terminal and the second terminal may establish a two-way authentication secure connection.
图2所示的方法还可以包括步骤S205。步骤S205,第二终端可以向第一终端发送控制指令。其中,控制指令可以与目标资源对应。在第二终端希望在某个位置对第一终端的目标资源进行访问时,可以向第一终端发送控制指令,以申请访问目标资源。第二终端可以多次发送控制指令。例如,第二终端可以在多个不同的位置,多次发送控制指令。The method shown in Figure 2 may also include step S205. Step S205: The second terminal may send a control instruction to the first terminal. Among them, the control instruction can correspond to the target resource. When the second terminal wishes to access the target resource of the first terminal at a certain location, it can send a control instruction to the first terminal to apply for access to the target resource. The second terminal can send control instructions multiple times. For example, the second terminal can send control instructions multiple times at multiple different locations.
可以理解的是,控制指令可以通过建立的安全通道进行传输。在传输控制指令前,第一终端和/或第二终端可以建立认证安全连接。例如,第一终端和第二终端可以建立双向认证安全连接。It is understood that control instructions can be transmitted through the established secure channel. Before transmitting the control instruction, the first terminal and/or the second terminal may establish an authenticated secure connection. For example, the first terminal and the second terminal can establish a bidirectional authentication secure connection.
第一位置信息的获取可以基于第一终端接收到的消息触发。例如,第一终端收到控制指令后,可以触发定位,以获取第二终端的第一位置信息。或者,第一位置信息的获取也可以基于安全连接的建立触发。也就是说,在建立安全连接后,可以触发定位,以获取第一位置信息。The acquisition of the first location information may be triggered based on a message received by the first terminal. For example, after receiving the control instruction, the first terminal can trigger positioning to obtain the first location information of the second terminal. Alternatively, the acquisition of the first location information may also be triggered based on the establishment of a secure connection. That is to say, after establishing a secure connection, positioning can be triggered to obtain the first location information.
在建立安全连接触发定位的情况下,可以根据定位的情况更新第一位置信息。也就是说,可以进行至少一次定位,第一位置信息可以为至少一个定位中测量时间距离第一终端接收到控制指令时间最近的定位得到的位置信息。例如,可以对第二终端的位置进行实时测量,并不断更新第二终端的实时位置。在第一终端接收到控制指令后,根据当前时间第二终端所处的实时位置获取第一位置信息。When establishing a secure connection triggers positioning, the first location information may be updated according to the positioning situation. That is to say, at least one positioning can be performed, and the first position information can be the position information obtained from the positioning whose measurement time is closest to the time when the first terminal receives the control instruction in at least one positioning. For example, the location of the second terminal can be measured in real time, and the real-time location of the second terminal can be continuously updated. After the first terminal receives the control instruction, the first location information is obtained according to the real-time location of the second terminal at the current time.
可以理解的是,对于一些定位机制,可以实现持续的定位,因此,可以实现持续性的定位以不断更新第一位置信息。对于另一些定位机制,无法实现持续的定位,因此,可以由控制指令触发定位,以获取第一位置信息。可以根据终端的能力可实现的定位机制,选择合适的方法以获取第一位置信息。It is understood that for some positioning mechanisms, continuous positioning can be achieved, and therefore, continuous positioning can be achieved to continuously update the first location information. For other positioning mechanisms, continuous positioning cannot be achieved. Therefore, positioning can be triggered by a control command to obtain the first position information. An appropriate method can be selected to obtain the first location information according to the positioning mechanism that is achievable by the terminal's capabilities.
第一终端获取到第一位置信息后,可以通过查找访问控制信息,判断第二终端对第一终端的访问权限是否成立。例如,第一终端可以根据第二终端的第一位置查找匹配的第一条目。在一种情况下,如果第二终端对第一终端的访问权限成立,则第一终端可以执行对应的动作。以第一条目为ACE为例,第一终端查找到匹配的ACE并获得匹配的权限,则第一终端可以执行该权限对应的动作。在另一种情况下,如果第二终端对第一终端的访问权限不成立,则第一终端可以拒绝第二终端的访问。例如,第一终端未查找到匹配的ACE,则第一终端可以拒绝第二终端的访问。After obtaining the first location information, the first terminal can determine whether the access permission of the second terminal to the first terminal is established by searching for the access control information. For example, the first terminal may search for a matching first entry based on the first location of the second terminal. In one case, if the access permission of the second terminal to the first terminal is established, the first terminal can perform the corresponding action. Taking the first entry as an ACE as an example, if the first terminal finds the matching ACE and obtains the matching permission, the first terminal can perform the action corresponding to the permission. In another case, if the access permission of the second terminal to the first terminal is not established, the first terminal may deny the access of the second terminal. For example, if the first terminal does not find a matching ACE, the first terminal may deny the access of the second terminal.
第一终端获取到第一位置信息后,可以确定对应的通道连接类型信息。第一终端可以根据对应的通道连接类型信息以及访问控制信息确定第二终端对第一终端的权限。以ACE包括第二字段为例,第一终端可以将通道连接类型信息与ACL进行比对,查看是否有与第二字段匹配的ACE。如果有匹配的ACE,则第一终端可以执行该ACE对应的动作。如果没有匹配的ACE,则第一终端可以拒绝第二终端的访问。After obtaining the first location information, the first terminal can determine the corresponding channel connection type information. The first terminal may determine the authority of the second terminal to the first terminal according to the corresponding channel connection type information and access control information. Taking the ACE including the second field as an example, the first terminal can compare the channel connection type information with the ACL to check whether there is an ACE matching the second field. If there is a matching ACE, the first terminal can perform the action corresponding to the ACE. If there is no matching ACE, the first terminal may deny access to the second terminal.
可选地,第一终端可以向第二终端返回响应。该响应可以用于告知第二终端访问权限是否成立。Optionally, the first terminal may return a response to the second terminal. This response can be used to inform the second terminal whether the access permission is established.
步骤S220,基于第二终端对第一终端的权限,第二终端对第一终端进行访问。在第二终端对第一终端的访问权限成立的情况下,第二终端可以对第一终端进行访问。在第二终端对第一终端的访问权限不成立的情况下,第二终端无法对第一终端进行访问。Step S220: Based on the authority of the second terminal to the first terminal, the second terminal accesses the first terminal. When the access authority of the second terminal to the first terminal is established, the second terminal can access the first terminal. When the access authority of the second terminal to the first terminal is not established, the second terminal cannot access the first terminal.
可选地,第二终端可以通过客户端对第一终端的资源进行访问。Optionally, the second terminal can access the resources of the first terminal through the client.
访问控制信息中记录的权限情况可以与第二终端的位置相关。根据访问控制信息,第二终端在不同位置可以具有对应的权限。不同位置对应的权限可以不同。因此,基于访问控制信息,第一终端可以在第二终端处于不同位置时对第一终端执行不同的访问控制策略,从而满足第二终端对第一终端在不同场景下的差异化执行能力。The permission status recorded in the access control information may be related to the location of the second terminal. According to the access control information, the second terminal may have corresponding permissions in different locations. The permissions corresponding to different locations can be different. Therefore, based on the access control information, the first terminal can execute different access control policies on the first terminal when the second terminal is in different locations, thereby satisfying the differentiated execution capabilities of the second terminal on the first terminal in different scenarios.
下面以第一终端为汽车,第二终端为手机为例,详细说明本申请提供的三个实施例的实施方式。Taking the first terminal as a car and the second terminal as a mobile phone as an example, the implementation of the three embodiments provided in this application will be described in detail below.
实施例一Embodiment 1
在实施例一中,第一条目为ACE。在ACE中增加第一字段。第一字段表示为Position。ACE包括的字段可以如表2所示。In Embodiment 1, the first entry is ACE. Add the first field to ACE. The first field is represented as Position. The fields included in ACE can be shown in Table 2.
表2Table 2
Figure PCTCN2022092978-appb-000003
Figure PCTCN2022092978-appb-000003
position字段可以为枚举类型。枚举值可以包括:汽车外(OutsideCar)、汽车内(InsidCar)、驾驶位(DrivingSeat)。其中,汽车内可以指示汽车内非驾驶位的位置。The position field can be an enumeration type. Enumeration values may include: OutsideCar, InsidCar, and DrivingSeat. Among them, the position in the car other than the driving position in the car can be indicated.
汽车的一种可能的ACL配置测量可以为:One possible ACL configuration measurement for a car could be:
Figure PCTCN2022092978-appb-000004
Figure PCTCN2022092978-appb-000004
Figure PCTCN2022092978-appb-000005
Figure PCTCN2022092978-appb-000005
ACE2包含Position=InsideCar,表示当检测到手机位于车内时ACE2对应的权限有效。ACE3包含Position=DrivingSeat,表示当检测到手机位于驾驶位时ACE对应的权限有效。ACE4包含的Position字段为空,表示终端处于任意位置时ACE4对应的权限有效。ACE2 contains Position=InsideCar, which means that the corresponding permissions of ACE2 are valid when it is detected that the mobile phone is inside the car. ACE3 contains Position=DrivingSeat, which means that the permission corresponding to ACE is valid when the mobile phone is detected to be in the driving seat. The Position field included in ACE4 is empty, which means that the permissions corresponding to ACE4 are valid when the terminal is in any position.
其中,目标资源DeviceType=0x0000_0023表示设备类型为播放器(video player)的端点包含的全部功能单元。播放器包含的功能单元例如可以包括显示屏的开关。目标资源Endpoint=3且Cluster=0x0000_0006可以表示3号端点上的开关(on/off)功能单元。3号端点例如可以为转向灯。Among them, the target resource DeviceType=0x0000_0023 indicates that the device type is all functional units included in the endpoint of the player (video player). The functional unit included in the player may include, for example, a switch of the display screen. The target resource Endpoint=3 and Cluster=0x0000_0006 can represent the switch (on/off) functional unit on endpoint 3. Endpoint No. 3 may be a turn signal, for example.
图3为实施例一提供的访问控制方法的示意性流程图。图3所示的方法可以包括步骤S310~步骤S390。Figure 3 is a schematic flow chart of the access control method provided in Embodiment 1. The method shown in Figure 3 may include steps S310 to S390.
步骤S310可以包括步骤S311和/或步骤S312。步骤S311,汽车和手机建立认证安全连接。步骤S312,手机和汽车建立认证安全连接。可以理解的是,在步骤S310包括步骤S311和步骤S312的情况下,手机和汽车之间可以建立双向认证安全连接。Step S310 may include step S311 and/or step S312. Step S311: The car and the mobile phone establish an authenticated secure connection. Step S312: The mobile phone and the car establish an authenticated secure connection. It can be understood that when step S310 includes step S311 and step S312, a two-way authentication secure connection can be established between the mobile phone and the car.
步骤S320,手机通过建立的安全通道向车辆发送控制指令。例如,控制指令可以包括调用(开启或关闭等)车内的显示屏的指令。或者,控制指令可以为开启转向灯的指令。Step S320: The mobile phone sends control instructions to the vehicle through the established safe channel. For example, the control instructions may include instructions to call (turn on or off, etc.) a display screen in the vehicle. Alternatively, the control instruction may be an instruction to turn on the turn signal.
步骤S330,汽车收到控制指令后,触发开启UWB定位。Step S330: After receiving the control command, the car triggers UWB positioning.
步骤S340可以包括步骤S341和/或步骤S342。步骤S341,汽车和手机协商UWB定位信道。步骤S342,手机和汽车协商UWB定位信道。可以理解的是,在步骤S340包括步骤S341和步骤S342的情况下,手机和汽车之间可以以交互的方式协商UWB定位信道。Step S340 may include step S341 and/or step S342. Step S341: The car and the mobile phone negotiate the UWB positioning channel. Step S342: The mobile phone and the car negotiate the UWB positioning channel. It can be understood that, in the case where step S340 includes step S341 and step S342, the UWB positioning channel can be negotiated interactively between the mobile phone and the car.
步骤S351,汽车对手机做UWB定位。Step S351: The car performs UWB positioning on the mobile phone.
步骤S352,汽车得到手机的第一位置信息。第一位置信息例如可以为汽车内、汽车外、驾驶位等。Step S352: The car obtains the first location information of the mobile phone. The first location information may be, for example, inside the car, outside the car, driving position, etc.
步骤S360,汽车根据手机的第一位置信息查找匹配的ACE。以汽车配置了上文所述的ACL信息为例进行说明。以控制指令为调用显示屏的指令为例,如果显示屏属于播放器(DeviceType为0x0000_0023)的功能单元,在第一位置信息为汽车内的情况下,查找实施例一提供的ACE可以得到,ACE2的位置字段的取值为汽车内,因此匹配的ACE为ACE2。根据ACE2,可以得到匹配的权限为操作(operate)权限。以控制指令为开启转向灯为例,在第一位置信息为汽车内(非驾驶位)的情况下,查找实施例一提供的ACL,未找到匹配的ACE。Step S360: The car searches for a matching ACE based on the first location information of the mobile phone. Take the car configured with the ACL information mentioned above as an example for explanation. Taking the control instruction as an instruction to call the display screen as an example, if the display screen belongs to the functional unit of the player (DeviceType is 0x0000_0023), and the first location information is in the car, searching for the ACE provided in Embodiment 1 can be obtained, ACE2 The value of the location field is inside the car, so the matching ACE is ACE2. According to ACE2, the matching permissions that can be obtained are operation permissions. Taking the control instruction to turn on the turn signal as an example, when the first location information is inside the car (not the driving position), the ACL provided in Embodiment 1 is searched, but no matching ACE is found.
步骤S370,汽车判断访问权限是否成立。可以根据是否找到匹配的ACE确定访问权限是否成立。在找到匹配的ACE并且得到匹配的权限时,可以判断访问权限成立。以上文所述的包括调用车内显示屏的控制指令为例,可以判断该控制指令的访问权限成立。在未找到匹配的ACE的情况下,可以判断访问权限不成立。以上文所述的包括调用转向灯的控制指令为例,可以判断访问权限不成立。在访问权限不成立的情况下,汽车可以拒绝该控制指令。Step S370: The car determines whether the access permission is established. Whether the access permission is established can be determined based on whether a matching ACE is found. When the matching ACE is found and the matching permission is obtained, it can be judged that the access permission is established. Taking the above-mentioned control instruction including calling the in-car display screen as an example, it can be determined that the access permission of the control instruction is established. If no matching ACE is found, it can be determined that the access permission is not established. Taking the above-mentioned control instruction including calling the turn signal as an example, it can be judged that the access permission is not established. If the access rights are not established, the car can reject the control command.
步骤S380,在访问权限成立的情况下,汽车可以执行控制指令。继续以控制指令包括调用车内的显示屏为例,如上文所述,访问权限成立,则汽车可以执行控制指令指示的针对显示屏的操作。Step S380: When the access rights are established, the car can execute the control instructions. Continuing to take the control instruction including calling the display screen in the car as an example, as mentioned above, if the access permission is established, the car can perform the operation on the display screen indicated by the control instruction.
步骤S390,汽车返回响应。在汽车执行指令的情况下,汽车可以返回响应。或者,在汽车拒绝该 指令的情况下,汽车可以返回响应。Step S390, the car returns a response. In the case where the car executes the command, the car can return a response. Alternatively, the car can return a response in the event the car rejects the command.
实施例二Embodiment 2
在实施例二中,第一条目可以为ACE。汽车可以配置实施例一中示例的ACL。In the second embodiment, the first entry may be ACE. The car can be configured with the ACL illustrated in Embodiment 1.
图4为实施例二提供的访问控制方法的示意性流程图。图4所示的方法可以包括步骤S410~步骤S490。Figure 4 is a schematic flow chart of the access control method provided in Embodiment 2. The method shown in Figure 4 may include steps S410 to S490.
步骤S410可以包括步骤S411和/或步骤S412。步骤S411,汽车和手机建立认证安全连接。步骤S412,手机和汽车建立认证安全连接。可以理解的是,在步骤S410包括步骤S411和步骤S412的情况下,手机和汽车之间可以建立双向认证安全连接。Step S410 may include step S411 and/or step S412. Step S411: The car and the mobile phone establish an authenticated secure connection. Step S412: The mobile phone and the car establish an authenticated secure connection. It can be understood that in the case where step S410 includes step S411 and step S412, a two-way authentication secure connection can be established between the mobile phone and the car.
步骤S420,汽车触发开启UWB定位。Step S420: The car triggers UWB positioning.
步骤S430可以包括步骤S431和/或步骤S432。步骤S431,汽车和手机协商UWB定位信道。步骤S432,手机和汽车协商UWB定位信道。可以理解的是,在步骤S430包括步骤S431和步骤S432的情况下,手机和汽车之间可以以交互的方式协商UWB定位信道。Step S430 may include step S431 and/or step S432. Step S431: The car and the mobile phone negotiate the UWB positioning channel. Step S432: The mobile phone and the car negotiate the UWB positioning channel. It can be understood that, in the case where step S430 includes step S431 and step S432, the UWB positioning channel can be negotiated interactively between the mobile phone and the car.
步骤S441,汽车对手机做UWB定位。Step S441: The car performs UWB positioning on the mobile phone.
步骤S442,汽车持续获取手机的定位信息,并更新手机的实时位置信息。也就是说,汽车可以多次获取手机的位置信息,并将最近获取的位置信息更新为手机的实时位置。Step S442: The car continues to obtain the positioning information of the mobile phone and updates the real-time location information of the mobile phone. That is to say, the car can obtain the location information of the mobile phone multiple times and update the recently obtained location information to the real-time location of the mobile phone.
步骤S450,手机通过建立的安全通道向汽车发送控制指令。例如,控制指令可以为开启转向灯的指令。可以理解的是,手机可以多次执行步骤S450,从而可以在不同位置发送控制指令。Step S450: The mobile phone sends control instructions to the car through the established safe channel. For example, the control instruction may be an instruction to turn on the turn signal. It can be understood that the mobile phone can perform step S450 multiple times, thereby sending control instructions at different locations.
步骤S443,汽车收到控制指令后,获取手机在当前时间的位置信息,得到手机的第一位置信息。Step S443: After receiving the control command, the car obtains the location information of the mobile phone at the current time and obtains the first location information of the mobile phone.
步骤S460,汽车根据手机的第一位置信息查找匹配的ACE。Step S460: The car searches for a matching ACE based on the first location information of the mobile phone.
以控制指令为开启转向灯为例,用户可以携带手机进入副驾驶位,则第一位置信息为汽车内(非驾驶位)。汽车查找实施例一提供的ACL,未找到匹配的ACE。用户可以携带手机移动。在用户进入汽车并坐到驾驶位的情况下,第一位置信息可以为驾驶位。手机可以再次向汽车发送开启转向灯的控制指令。汽车查找ACL,可以匹配到ACE3,得到匹配的权限为操作(operate)权限。Taking the control command to turn on the turn signal as an example, the user can bring the mobile phone into the passenger seat, and the first location information is inside the car (not the driver's seat). The car searched for the ACL provided in Embodiment 1 and found no matching ACE. Users can move around with their mobile phones. In the case where the user enters the car and sits in the driving seat, the first location information may be the driving seat. The mobile phone can again send control instructions to the car to turn on the turn signal. The car searches for the ACL and can match ACE3, and the matching permission is the operate permission.
步骤S470,汽车判断访问权限是否成立。在找到匹配的ACE并且得到匹配的权限时,可以判断访问权限成立。在未找到匹配的ACE时,可以判断访问权限不成立。以步骤S460举例的包括调用转向灯的控制指令为例,当用户在副驾驶位时,可以判断访问权限不成立,当用户在驾驶位时,可以判断访问权限成立。Step S470: The car determines whether the access permission is established. When the matching ACE is found and the matching permission is obtained, it can be judged that the access permission is established. When no matching ACE is found, it can be determined that the access permission is not established. Taking the control instruction including calling the turn signal in step S460 as an example, when the user is in the passenger seat, it can be determined that the access permission is not established, and when the user is in the driving seat, it can be determined that the access permission is established.
步骤S480,在访问权限成立的情况下,执行控制指令。继续以控制指令包括调用转向灯为例,如上文所述,当用户在驾驶位时,访问权限成立,则汽车可以执行控制指令指示的针对转向灯的操作。Step S480: When the access authority is established, execute the control instruction. Continuing to take the control instruction including calling the turn signal as an example, as mentioned above, when the user is in the driving position and the access permission is established, the car can perform the turn signal operation indicated by the control instruction.
步骤S490,汽车返回响应。在汽车执行指令的情况下,汽车可以返回响应。或者,在汽车拒绝该指令的情况下,汽车可以返回响应。Step S490, the car returns a response. In the case where the car executes the command, the car can return a response. Alternatively, the car can return a response in the event the car rejects the command.
实施例三Embodiment 3
在实施例三中,第一条目为ACE。ACE的AuthMode字段被扩展为连接类型(ConnMode)字段。连接类型字段可以关联手机的位置信息。ACE包括的字段可以如表3所示。In the third embodiment, the first entry is ACE. The AuthMode field of ACE is extended to the connection type (ConnMode) field. The connection type field can be associated with the location information of the mobile phone. The fields included in ACE can be shown in Table 3.
表3table 3
Figure PCTCN2022092978-appb-000006
Figure PCTCN2022092978-appb-000006
其中,连接类型字段可以为枚举类型。枚举值可以包括:配置通道(PASE)、车外操作通道(CASE_OutsideCar)、车内操作通道(CASE_InsideCar)、驾驶位操作通道(CASE_DrivingSeat)、云连接通道。其中,车外操作通道表示客户端在车外部且在车附近一定距离内。若采用较高精度的定位机制,可以进一步细化为车左前门、车右前门、车左后门、车右后门,车尾等不同的位置。上述枚举值已 在前文进行详细介绍,此处不再赘述。Among them, the connection type field can be an enumeration type. The enumeration value can include: configuration channel (PASE), outside car operation channel (CASE_OutsideCar), in-car operation channel (CASE_InsideCar), driving seat operation channel (CASE_DrivingSeat), and cloud connection channel. Among them, the operation channel outside the vehicle means that the client is outside the vehicle and within a certain distance near the vehicle. If a higher-precision positioning mechanism is used, it can be further refined into different positions such as the left front door, the right front door, the left rear door, the right rear door, and the rear of the car. The above enumeration values have been introduced in detail in the previous article and will not be repeated here.
汽车的一种可能的ACL配置测量可以为:One possible ACL configuration measurement for a car could be:
Figure PCTCN2022092978-appb-000007
Figure PCTCN2022092978-appb-000007
其中,ACE1包含ConnMode=PASE,表示手机与汽车建立的是配置通道,此时,手机可以具有全部资源的管理员权限。ACE2包含ConnMode=CASE_InsideCar,表示手机位于车内非驾驶位并建立操作连接时该权限有效。ACE3包含ConnMode=CASE_DrivingSeat,表示手机位于驾驶位并建立操作连接时该权限有效。Among them, ACE1 contains ConnMode=PASE, which means that the mobile phone and the car establish a configuration channel. At this time, the mobile phone can have administrator rights for all resources. ACE2 contains ConnMode=CASE_InsideCar, which means that this permission is valid when the mobile phone is in the non-driving position of the car and an operating connection is established. ACE3 contains ConnMode=CASE_DrivingSeat, which means that this permission is valid when the mobile phone is in the driving position and an operating connection is established.
图5为实施例三提供的访问控制方法的示意性流程图。图5所示的方法可以包括步骤S510~S592。Figure 5 is a schematic flow chart of the access control method provided in Embodiment 3. The method shown in Figure 5 may include steps S510 to S592.
步骤S510可以包括步骤S511和/或步骤S512。步骤S511,汽车和手机建立认证安全连接。步骤S512,手机和汽车建立认证安全连接。可以理解的是,在步骤S510包括步骤S511和步骤S512的情况下,手机和汽车之间可以建立双向认证安全连接。Step S510 may include step S511 and/or step S512. Step S511: The car and the mobile phone establish an authenticated secure connection. Step S512: The mobile phone and the car establish an authenticated secure connection. It can be understood that in the case where step S510 includes step S511 and step S512, a two-way authentication secure connection can be established between the mobile phone and the car.
步骤S520,汽车判断连接类型是否为操作连接。可选地,在连接类型为操作连接的情况下,可以进行步骤S520之后的步骤。Step S520: The car determines whether the connection type is an operational connection. Optionally, when the connection type is an operational connection, steps after step S520 may be performed.
步骤S530,汽车触发开启UWB定位。Step S530: The car triggers UWB positioning.
步骤S540可以包括步骤S541和/或步骤S542。步骤S541,汽车和手机协商UWB定位信道。步骤S542,手机和汽车协商UWB定位信道。可以理解的是,在步骤S540包括步骤S541和步骤S542的情况下,手机和汽车之间可以以交互的方式协商UWB定位信道。Step S540 may include step S541 and/or step S542. Step S541: The car and the mobile phone negotiate the UWB positioning channel. Step S542: The mobile phone and the car negotiate the UWB positioning channel. It can be understood that, in the case where step S540 includes step S541 and step S542, the UWB positioning channel can be negotiated interactively between the mobile phone and the car.
步骤S551,汽车对手机做UWB定位。Step S551: The car performs UWB positioning on the mobile phone.
步骤S552,汽车持续获取手机的定位信息,并根据定位信息更新通道连接类型信息。例如手机在车外时通道类型为CASE_OutsideCar,当用户携带手机进入车后排位置时更新通道类型为CASE_InsideCar。Step S552: The car continues to obtain the positioning information of the mobile phone and updates the channel connection type information based on the positioning information. For example, when the mobile phone is outside the car, the channel type is CASE_OutsideCar. When the user brings the mobile phone into the back seat of the car, the channel type is updated to CASE_InsideCar.
步骤S560,手机通过建立的安全通道向汽车发送控制指令。例如,控制指令可以为调用显示屏的指令。Step S560: The mobile phone sends control instructions to the car through the established safe channel. For example, the control instruction may be an instruction to call the display screen.
步骤S570,汽车根据手机的第一位置信息查找匹配的ACE。在手机的通道连接类型信息为CASE_InsideCar,控制指令为调用显示屏的情况下,汽车根据实施例三中的ACL查找匹配的ACE,得到匹配的ACE为ACE2,匹配的权限为operate。Step S570: The car searches for a matching ACE based on the first location information of the mobile phone. When the channel connection type information of the mobile phone is CASE_InsideCar and the control instruction is to call the display screen, the car searches for the matching ACE according to the ACL in Embodiment 3, and finds that the matching ACE is ACE2 and the matching permission is operate.
步骤S580,汽车判断访问权限是否成立。在找到匹配的ACE并且得到匹配的权限时,可以判断访问权限成立。在未找到匹配的ACE时,可以判断访问权限不成立。以步骤S570举例的包括调用显示屏的控制指令为例,匹配到ACE2并汽配的权限为操作(operate)权限,则可以判断访问权限成立。Step S580: The car determines whether the access permission is established. When the matching ACE is found and the matching permission is obtained, it can be judged that the access permission is established. When no matching ACE is found, it can be determined that the access permission is not established. Taking the control instruction including calling the display screen in step S570 as an example, if the permission matched to ACE2 and equipped is the operation permission, it can be determined that the access permission is established.
步骤S590,在访问权限成立的情况下,汽车可以执行控制指令。在访问权限不成立的情况下,汽车可以拒绝该控制指令。Step S590: When the access rights are established, the car can execute the control instructions. If the access rights are not established, the car can reject the control command.
步骤S592,汽车返回响应。在汽车执行指令的情况下,汽车可以返回响应。或者,在汽车拒绝该指令的情况下,汽车可以返回响应。Step S592, the car returns a response. In the case where the car executes the command, the car can return a response. Alternatively, the car can return a response in the event the car rejects the command.
上文结合图2至图5,详细描述了本申请的方法实施例,下面结合图6至图8,详细描述本申请的装置实施例。应理解,方法实施例的描述与装置实施例的描述相互对应,因此,未详细描述的部分可以参见前面方法实施例。The method embodiments of the present application are described in detail above with reference to FIGS. 2 to 5 , and the device embodiments of the present application are described in detail below with reference to FIGS. 6 to 8 . It should be understood that the description of the method embodiments corresponds to the description of the device embodiments. Therefore, the parts not described in detail can be referred to the previous method embodiments.
图6为本申请实施例提供的一种终端600的示意性结构图。终端600可以为第一终端。终端600可以包括确定单元610。FIG. 6 is a schematic structural diagram of a terminal 600 provided by an embodiment of the present application. Terminal 600 may be a first terminal. The terminal 600 may include a determining unit 610.
确定单元610可以用于根据第二终端的第一位置信息以及访问控制信息,确定所述第二终端对所述第一终端的权限;其中,所述第一位置信息用于指示所述第二终端相对于所述第一终端的位置关系。The determining unit 610 may be used to determine the authority of the second terminal to the first terminal according to the first location information and access control information of the second terminal; wherein the first location information is used to indicate that the second terminal The positional relationship of the terminal relative to the first terminal.
可选地,所述访问控制信息用于指示所述第二终端在不同位置时对所述第一终端的权限。Optionally, the access control information is used to indicate the permissions of the second terminal on the first terminal when the second terminal is in different locations.
可选地,所述第一位置信息包括以下信息中的一种或多种:汽车内、汽车外、主驾驶位、副驾驶位、乘客位、车左前门、车右前门、车左后门、车右后门、车尾。Optionally, the first location information includes one or more of the following information: inside the car, outside the car, main driver's seat, passenger seat, passenger seat, car left front door, car right front door, car left rear door, The right rear door and rear of the car.
可选地,所述第一位置信息是通过对所述第二终端进行定位得到的,所述定位由所述第二终端向所述第一终端发送的控制指令触发。Optionally, the first location information is obtained by positioning the second terminal, and the positioning is triggered by a control instruction sent by the second terminal to the first terminal.
可选地,所述第一位置信息是通过对所述第二终端进行定位得到的,所述定位由所述第一终端和所述第二终端之间的安全通道的建立触发。Optionally, the first location information is obtained by positioning the second terminal, and the positioning is triggered by the establishment of a secure channel between the first terminal and the second terminal.
可选地,所述第一位置信息为所述第二终端的实时位置信息,所述实时位置信息的获取由所述第二终端向所述第一终端发送的控制指令触发。Optionally, the first location information is real-time location information of the second terminal, and the acquisition of the real-time location information is triggered by a control instruction sent by the second terminal to the first terminal.
可选地,所述访问控制信息记录于访问控制列表中,所述访问控制列表包含一个或多个访问控制项。Optionally, the access control information is recorded in an access control list, and the access control list includes one or more access control items.
可选地,所述访问控制项包括第一字段,所述第一字段用于专门承载所述访问控制项对应的位置信息。Optionally, the access control item includes a first field, and the first field is used to specifically carry location information corresponding to the access control item.
可选地,所述第一字段包括以下信息中的一项或多项:汽车内、汽车外、驾驶位。Optionally, the first field includes one or more of the following information: inside the car, outside the car, and driving position.
可选地,所述访问控制项包括第二字段,所述第二字段用于承载所述第一终端和所述第二终端之间建立的安全通道的连接类型,且所述安全通道的连接类型中的一个或多个连接类型与所述访问控制项对应的位置信息关联。Optionally, the access control item includes a second field, the second field is used to carry the connection type of the secure channel established between the first terminal and the second terminal, and the connection of the secure channel One or more connection types in the type are associated with location information corresponding to the access control item.
可选地,所述确定单元具体用于:根据所述第一位置信息,确定通道连接类型信息;根据所述通道连接类型信息以及所述访问控制信息,确定所述第二终端对所述第一终端的权限。Optionally, the determining unit is specifically configured to: determine channel connection type information based on the first location information; determine whether the second terminal has access to the third channel connection type information based on the channel connection type information and the access control information. Permissions for a terminal.
可选地,所述第二字段包括以下信息中的一项或多项:配置通道、车外操作通道、车内操作通道、驾驶位操作通道、云连接通道。Optionally, the second field includes one or more of the following information: configuration channel, off-vehicle operation channel, in-vehicle operation channel, driving position operation channel, and cloud connection channel.
可选地,所述第一终端为汽车。Optionally, the first terminal is a car.
可选地,所述第一位置信息通过以下定位方式中的一种或多种获取:超宽带UWB定位、蓝牙定位、5G定位。Optionally, the first location information is obtained through one or more of the following positioning methods: ultra-wideband UWB positioning, Bluetooth positioning, and 5G positioning.
图7为本申请实施例提供的另一种终端700的结构示意图。终端700可以为第二终端。终端700可以包括访问单元710。Figure 7 is a schematic structural diagram of another terminal 700 provided by an embodiment of the present application. Terminal 700 may be a second terminal. The terminal 700 may include an access unit 710.
访问单元710可以用于基于第二终端对第一终端的权限,对所述第一终端进行访问;其中,所述权限基于所述第二终端的第一位置信息以及访问控制信息确定,所述第一位置信息用于指示所述第二终端相对于所述第一终端的位置关系。The access unit 710 may be used to access the first terminal based on the authority of the second terminal to the first terminal; wherein the authority is determined based on the first location information and access control information of the second terminal, and the The first location information is used to indicate the location relationship of the second terminal relative to the first terminal.
可选地,所述访问控制信息用于记录所述第二终端在不同位置时对所述第一终端的权限。Optionally, the access control information is used to record the permissions of the second terminal on the first terminal when the second terminal is in different locations.
可选地,所述第一位置信息包括以下信息中的一种或多种:汽车内、汽车外、主驾驶位、副驾驶位、乘客位、车左前门、车右前门、车左后门、车右后门、车尾。Optionally, the first location information includes one or more of the following information: inside the car, outside the car, main driver's seat, passenger seat, passenger seat, car left front door, car right front door, car left rear door, The right rear door and rear of the car.
可选地,所述第一位置信息是通过对所述第二终端进行定位得到的,所述定位由所述第二终端向所述第一终端发送的控制指令触发。Optionally, the first location information is obtained by positioning the second terminal, and the positioning is triggered by a control instruction sent by the second terminal to the first terminal.
可选地,所述第一位置信息是通过对所述第二终端进行定位得到的,所述定位由所述第一终端和所述第二终端之间的安全通道的建立触发。Optionally, the first location information is obtained by positioning the second terminal, and the positioning is triggered by the establishment of a secure channel between the first terminal and the second terminal.
可选地,所述第一位置信息为所述第二终端的实时位置信息,所述实时位置信息的获取由所述第二终端向所述第一终端发送的控制指令触发。Optionally, the first location information is real-time location information of the second terminal, and the acquisition of the real-time location information is triggered by a control instruction sent by the second terminal to the first terminal.
可选地,所述访问控制信息记录于访问控制列表中,所述访问控制列表包含一个或多个访问控制项。Optionally, the access control information is recorded in an access control list, and the access control list includes one or more access control items.
可选地,所述访问控制项包括第一字段,所述第一字段用于专门承载所述访问控制项对应的位置信息。Optionally, the access control item includes a first field, and the first field is used to specifically carry location information corresponding to the access control item.
可选地,所述第一字段包括以下信息中的一项或多项:汽车内、汽车外、驾驶位。Optionally, the first field includes one or more of the following information: inside the car, outside the car, and driving position.
可选地,所述访问控制项包括第二字段,所述第二字段用于承载所述第一终端和所述第二终端之间建立的安全通道的连接类型,且所述安全通道的连接类型中的一个或多个连接类型与所述访问控制项对应的位置信息关联。Optionally, the access control item includes a second field, the second field is used to carry the connection type of the secure channel established between the first terminal and the second terminal, and the connection of the secure channel One or more connection types in the type are associated with location information corresponding to the access control item.
可选地,所述权限基于所述第二终端的第一位置信息以及访问控制信息确定,包括:所述权限基于 通道连接类型信息以及所述访问控制信息确定,所述通道连接类型信息基于所述第一位置信息确定。Optionally, the permission is determined based on the first location information and access control information of the second terminal, including: the permission is determined based on channel connection type information and the access control information, and the channel connection type information is based on the access control information. The first location information is determined.
可选地,所述第二字段包括以下信息中的一项或多项:配置通道、车外操作通道、车内操作通道、驾驶位操作通道、云连接通道。Optionally, the second field includes one or more of the following information: configuration channel, off-vehicle operation channel, in-vehicle operation channel, driving position operation channel, and cloud connection channel.
可选地,所述第一终端为汽车。Optionally, the first terminal is a car.
可选地,所述第一位置信息通过以下定位方式中的一种或多种获取:超宽带UWB定位、蓝牙定位、5G定位。Optionally, the first location information is obtained through one or more of the following positioning methods: ultra-wideband UWB positioning, Bluetooth positioning, and 5G positioning.
图8是本申请实施例的通信装置的示意性结构图。图8中的虚线表示该单元或模块为可选的。该装置800可用于实现上述方法实施例中描述的方法。装置800可以是芯片或终端。Figure 8 is a schematic structural diagram of a communication device according to an embodiment of the present application. The dashed line in Figure 8 indicates that the unit or module is optional. The device 800 can be used to implement the method described in the above method embodiment. Device 800 may be a chip or a terminal.
装置800可以包括一个或多个处理器810。该处理器810可支持装置800实现前文方法实施例所描述的方法。该处理器810可以是通用处理器或者专用处理器。例如,该处理器可以为中央处理单元(central processing unit,CPU)。或者,该处理器还可以是其他通用处理器、数字信号处理器(digital signal processor,DSP)、专用集成电路(application specific integrated circuit,ASIC)、现成可编程门阵列(field programmable gate array,FPGA)或者其他可编程逻辑器件、分立门或者晶体管逻辑器件、分立硬件组件等。通用处理器可以是微处理器或者该处理器也可以是任何常规的处理器等。Apparatus 800 may include one or more processors 810. The processor 810 can support the device 800 to implement the method described in the foregoing method embodiments. The processor 810 may be a general-purpose processor or a special-purpose processor. For example, the processor may be a central processing unit (CPU). Alternatively, the processor can also be another general-purpose processor, a digital signal processor (DSP), an application specific integrated circuit (ASIC), or an off-the-shelf programmable gate array (FPGA) Or other programmable logic devices, discrete gate or transistor logic devices, discrete hardware components, etc. A general-purpose processor may be a microprocessor or the processor may be any conventional processor, etc.
需要说明的是,图6所示的确定单元610可以由图8所示的处理器810执行。图7所示的访问单元710可以由图8所示的处理器810执行。It should be noted that the determining unit 610 shown in FIG. 6 can be executed by the processor 810 shown in FIG. 8 . The access unit 710 shown in FIG. 7 may be executed by the processor 810 shown in FIG. 8 .
装置800还可以包括一个或多个存储器820。存储器820上存储有程序,该程序可以被处理器810执行,使得处理器810执行前文方法实施例所描述的方法。存储器820可以独立于处理器810也可以集成在处理器810中。Apparatus 800 may also include one or more memories 820. The memory 820 stores a program, which can be executed by the processor 810, so that the processor 810 executes the method described in the foregoing method embodiment. The memory 820 may be independent of the processor 810 or integrated in the processor 810 .
装置800还可以包括收发器830。处理器810可以通过收发器830与其他设备或芯片进行通信。例如,处理器810可以通过收发器830与其他设备或芯片进行数据收发。Apparatus 800 may also include a transceiver 830. Processor 810 may communicate with other devices or chips through transceiver 830. For example, the processor 810 can transmit and receive data with other devices or chips through the transceiver 830 .
本申请实施例还提供一种计算机可读存储介质,用于存储程序。该计算机可读存储介质可应用于本申请实施例提供的终端或网络设备中,并且该程序使得计算机执行本申请各个实施例中的由终端或网络设备执行的方法。An embodiment of the present application also provides a computer-readable storage medium for storing a program. The computer-readable storage medium can be applied in the terminal or network device provided by the embodiments of the present application, and the program causes the computer to execute the methods performed by the terminal or network device in various embodiments of the present application.
本申请实施例还提供一种计算机程序产品。该计算机程序产品包括程序。该计算机程序产品可应用于本申请实施例提供的终端或网络设备中,并且该程序使得计算机执行本申请各个实施例中的由终端或网络设备执行的方法。An embodiment of the present application also provides a computer program product. The computer program product includes a program. The computer program product can be applied in the terminal or network device provided by the embodiments of the present application, and the program causes the computer to execute the methods performed by the terminal or network device in various embodiments of the present application.
本申请实施例还提供一种计算机程序。该计算机程序可应用于本申请实施例提供的终端或网络设备中,并且该计算机程序使得计算机执行本申请各个实施例中的由终端或网络设备执行的方法。An embodiment of the present application also provides a computer program. The computer program can be applied to the terminal or network device provided by the embodiments of the present application, and the computer program causes the computer to execute the methods performed by the terminal or network device in various embodiments of the present application.
应理解,本申请中术语“系统”和“网络”可以被可互换使用。另外,本申请使用的术语仅用于对本申请的具体实施例进行解释,而非旨在限定本申请。本申请的说明书和权利要求书及所述附图中的术语“第一”、“第二”、“第三”和“第四”等是用于区别不同对象,而不是用于描述特定顺序。此外,术语“包括”和“具有”以及它们任何变形,意图在于覆盖不排他的包含。It should be understood that the terms "system" and "network" may be used interchangeably in this application. In addition, the terms used in this application are only used to explain specific embodiments of the application and are not intended to limit the application. The terms “first”, “second”, “third” and “fourth” in the description, claims and drawings of this application are used to distinguish different objects, rather than to describe a specific sequence. . Furthermore, the terms "including" and "having" and any variations thereof are intended to cover non-exclusive inclusion.
在本申请的实施例中,提到的“指示”可以是直接指示,也可以是间接指示,还可以是表示具有关联关系。举例说明,A指示B,可以表示A直接指示B,例如B可以通过A获取;也可以表示A间接指示B,例如A指示C,B可以通过C获取;还可以表示A和B之间具有关联关系。In the embodiments of this application, the "instruction" mentioned may be a direct instruction, an indirect instruction, or an association relationship. For example, A indicates B, which can mean that A directly indicates B, for example, B can be obtained through A; it can also mean that A indirectly indicates B, for example, A indicates C, and B can be obtained through C; it can also mean that there is an association between A and B. relation.
在本申请实施例中,“与A相应的B”表示B与A相关联,根据A可以确定B。但还应理解,根据A确定B并不意味着仅仅根据A确定B,还可以根据A和/或其它信息确定B。In the embodiment of this application, "B corresponding to A" means that B is associated with A, and B can be determined based on A. However, it should also be understood that determining B based on A does not mean determining B only based on A. B can also be determined based on A and/or other information.
在本申请实施例中,术语“对应”可表示两者之间具有直接对应或间接对应的关系,也可以表示两者之间具有关联关系,也可以是指示与被指示、配置与被配置等关系。In the embodiments of this application, the term "correspondence" can mean that there is a direct correspondence or indirect correspondence between the two, or it can also mean that there is an association between the two, or it can also mean indicating and being instructed, configuring and being configured, etc. relation.
本申请实施例中,“预定义”或“预配置”可以通过在设备(例如,包括终端设备和网络设备)中预先保存相应的代码、表格或其他可用于指示相关信息的方式来实现,本申请对于其具体的实现方式不做限定。比如预定义可以是指协议中定义的。In the embodiment of this application, "predefinition" or "preconfiguration" can be achieved by pre-saving corresponding codes, tables or other methods that can be used to indicate relevant information in devices (for example, including terminal devices and network devices). The application does not limit its specific implementation method. For example, predefined can refer to what is defined in the protocol.
本申请实施例中,所述“协议”可以指通信领域的标准协议,例如可以包括LTE协议、NR协议以及应用于未来的通信系统中的相关协议,本申请对此不做限定。In the embodiment of this application, the "protocol" may refer to a standard protocol in the communication field, which may include, for example, LTE protocol, NR protocol, and related protocols applied in future communication systems. This application does not limit this.
本申请实施例中术语“和/或”,仅仅是一种描述关联对象的关联关系,表示可以存在三种关系,例如,A和/或B,可以表示:单独存在A,同时存在A和B,单独存在B这三种情况。另外,本文中字符“/”,一般表示前后关联对象是一种“或”的关系。The term "and/or" in the embodiment of this application is only an association relationship describing associated objects, indicating that there can be three relationships, for example, A and/or B, which can mean: A exists alone, and A and B exist simultaneously. , there are three situations of B alone. In addition, the character "/" in this article generally indicates that the related objects are an "or" relationship.
在本申请的各种实施例中,上述各过程的序号的大小并不意味着执行顺序的先后,各过程的执行顺序应以其功能和内在逻辑确定,而不应对本申请实施例的实施过程构成任何限定。In the various embodiments of the present application, the size of the sequence numbers of the above-mentioned processes does not mean the order of execution. The execution order of each process should be determined by its functions and internal logic, and should not be determined by the implementation process of the embodiments of the present application. constitute any limitation.
在本申请所提供的几个实施例中,应该理解到,所揭露的系统、装置和方法,可以通过其它的方式实现。例如,以上所描述的装置实施例仅仅是示意性的,例如,所述单元的划分,仅仅为一种逻辑功能 划分,实际实现时可以有另外的划分方式,例如多个单元或组件可以结合或者可以集成到另一个系统,或一些特征可以忽略,或不执行。另一点,所显示或讨论的相互之间的耦合或直接耦合或通信连接可以是通过一些接口,装置或单元的间接耦合或通信连接,可以是电性,机械或其它的形式。In the several embodiments provided in this application, it should be understood that the disclosed systems, devices and methods can be implemented in other ways. For example, the device embodiments described above are only illustrative. For example, the division of the units is only a logical function division. In actual implementation, there may be other division methods. For example, multiple units or components may be combined or can be integrated into another system, or some features can be ignored, or not implemented. On the other hand, the coupling or direct coupling or communication connection between each other shown or discussed may be through some interfaces, and the indirect coupling or communication connection of the devices or units may be in electrical, mechanical or other forms.
所述作为分离部件说明的单元可以是或者也可以不是物理上分开的,作为单元显示的部件可以是或者也可以不是物理单元,即可以位于一个地方,或者也可以分布到多个网络单元上。可以根据实际的需要选择其中的部分或者全部单元来实现本实施例方案的目的。The units described as separate components may or may not be physically separated, and the components shown as units may or may not be physical units, that is, they may be located in one place, or they may be distributed to multiple network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of this embodiment.
另外,在本申请各个实施例中的各功能单元可以集成在一个处理单元中,也可以是各个单元单独物理存在,也可以两个或两个以上单元集成在一个单元中。In addition, each functional unit in each embodiment of the present application can be integrated into one processing unit, each unit can exist physically alone, or two or more units can be integrated into one unit.
在上述实施例中,可以全部或部分地通过软件、硬件、固件或者其任意组合来实现。当使用软件实现时,可以全部或部分地以计算机程序产品的形式实现。所述计算机程序产品包括一个或多个计算机指令。在计算机上加载和执行所述计算机程序指令时,全部或部分地产生按照本申请实施例所述的流程或功能。所述计算机可以是通用计算机、专用计算机、计算机网络、或者其他可编程装置。所述计算机指令可以存储在计算机可读存储介质中,或者从一个计算机可读存储介质向另一个计算机可读存储介质传输,例如,所述计算机指令可以从一个网站站点、计算机、服务器或数据中心通过有线(例如同轴电缆、光纤、数字用户线(digital subscriber line,DSL))或无线(例如红外、无线、微波等)方式向另一个网站站点、计算机、服务器或数据中心进行传输。所述计算机可读存储介质可以是计算机能够读取的任何可用介质或者是包含一个或多个可用介质集成的服务器、数据中心等数据存储设备。所述可用介质可以是磁性介质,(例如,软盘、硬盘、磁带)、光介质(例如,数字通用光盘(digital video disc,DVD))或者半导体介质(例如,固态硬盘(solid state disk,SSD))等。In the above embodiments, it may be implemented in whole or in part by software, hardware, firmware, or any combination thereof. When implemented using software, it may be implemented in whole or in part in the form of a computer program product. The computer program product includes one or more computer instructions. When the computer program instructions are loaded and executed on a computer, the processes or functions described in the embodiments of the present application are generated in whole or in part. The computer may be a general-purpose computer, a special-purpose computer, a computer network, or other programmable device. The computer instructions may be stored in or transmitted from one computer-readable storage medium to another, e.g., the computer instructions may be transferred from a website, computer, server, or data center Transmission to another website, computer, server or data center through wired (such as coaxial cable, optical fiber, digital subscriber line (DSL)) or wireless (such as infrared, wireless, microwave, etc.) means. The computer-readable storage medium may be any available medium that can be read by a computer or a data storage device such as a server or data center integrated with one or more available media. The available media may be magnetic media (e.g., floppy disks, hard disks, magnetic tapes), optical media (e.g., digital video discs (DVD)) or semiconductor media (e.g., solid state disks (SSD) )wait.
以上所述,仅为本申请的具体实施方式,但本申请的保护范围并不局限于此,任何熟悉本技术领域的技术人员在本申请揭露的技术范围内,可轻易想到变化或替换,都应涵盖在本申请的保护范围之内。因此,本申请的保护范围应以所述权利要求的保护范围为准。The above are only specific embodiments of the present application, but the protection scope of the present application is not limited thereto. Any person familiar with the technical field can easily think of changes or substitutions within the technical scope disclosed in the present application. should be covered by the protection scope of this application. Therefore, the protection scope of this application should be subject to the protection scope of the claims.

Claims (62)

  1. 一种访问控制的方法,其特征在于,包括:An access control method, characterized by including:
    第一终端根据第二终端的第一位置信息以及访问控制信息,确定所述第二终端对所述第一终端的权限;The first terminal determines the authority of the second terminal to the first terminal according to the first location information and access control information of the second terminal;
    其中,所述第一位置信息用于指示所述第二终端相对于所述第一终端的位置关系。Wherein, the first location information is used to indicate the location relationship of the second terminal relative to the first terminal.
  2. 根据权利要求1所述的方法,其特征在于,所述访问控制信息用于指示所述第二终端在不同位置时对所述第一终端的权限。The method according to claim 1, characterized in that the access control information is used to indicate the permissions of the second terminal on the first terminal when the second terminal is in different locations.
  3. 根据权利要求1或2所述的方法,其特征在于,所述第一位置信息包括以下信息中的一种或多种:汽车内、汽车外、主驾驶位、副驾驶位、乘客位、车左前门、车右前门、车左后门、车右后门、车尾。The method according to claim 1 or 2, characterized in that the first location information includes one or more of the following information: inside the car, outside the car, main driver’s seat, passenger seat, passenger seat, vehicle Left front door, car right front door, car left rear door, car right rear door, car rear.
  4. 根据权利要求1-3中任一项所述的方法,其特征在于,The method according to any one of claims 1-3, characterized in that,
    所述第一位置信息是通过对所述第二终端进行定位得到的,所述定位由所述第二终端向所述第一终端发送的控制指令触发。The first location information is obtained by positioning the second terminal, and the positioning is triggered by a control instruction sent by the second terminal to the first terminal.
  5. 根据权利要求1-3中任一项所述的方法,其特征在于,所述第一位置信息是通过对所述第二终端进行定位得到的,所述定位由所述第一终端和所述第二终端之间的安全通道的建立触发。The method according to any one of claims 1 to 3, characterized in that the first location information is obtained by positioning the second terminal, and the positioning is performed by the first terminal and the Triggered by the establishment of a secure channel between the second terminal.
  6. 根据权利要求5所述的方法,其特征在于,所述第一位置信息为所述第二终端的实时位置信息,所述实时位置信息的获取由所述第二终端向所述第一终端发送的控制指令触发。The method of claim 5, wherein the first location information is real-time location information of the second terminal, and the real-time location information is obtained by sending the second terminal to the first terminal. The control command is triggered.
  7. 根据权利要求1-6任一项所述的方法,其特征在于,所述访问控制信息记录于访问控制列表中,所述访问控制列表包含一个或多个访问控制项。The method according to any one of claims 1 to 6, characterized in that the access control information is recorded in an access control list, and the access control list contains one or more access control items.
  8. 根据权利要求7所述的方法,其特征在于,所述访问控制项包括第一字段,所述第一字段用于专门承载所述访问控制项对应的位置信息。The method according to claim 7, wherein the access control item includes a first field, and the first field is used to specifically carry location information corresponding to the access control item.
  9. 根据权利要求8所述的方法,其特征在于,所述第一字段包括以下信息中的一项或多项:汽车内、汽车外、驾驶位。The method of claim 8, wherein the first field includes one or more of the following information: inside the car, outside the car, and driving position.
  10. 根据权利要求7所述的方法,其特征在于,所述访问控制项包括第二字段,所述第二字段用于承载所述第一终端和所述第二终端之间建立的安全通道的连接类型,且所述安全通道的连接类型中的一个或多个连接类型与所述访问控制项对应的位置信息关联。The method according to claim 7, characterized in that the access control item includes a second field, the second field is used to carry the connection of the secure channel established between the first terminal and the second terminal. type, and one or more connection types among the connection types of the secure channel are associated with the location information corresponding to the access control item.
  11. 根据权利要求10所述的方法,其特征在于,所述第一终端根据第二终端的第一位置信息以及访问控制信息,确定所述第二终端对所述第一终端的权限,包括:The method of claim 10, wherein the first terminal determines the permissions of the second terminal on the first terminal based on the first location information and access control information of the second terminal, including:
    所述第一终端根据所述第一位置信息,确定通道连接类型信息;The first terminal determines channel connection type information based on the first location information;
    所述第一终端根据所述通道连接类型信息以及所述访问控制信息,确定所述第二终端对所述第一终端的权限。The first terminal determines the authority of the second terminal to the first terminal based on the channel connection type information and the access control information.
  12. 根据权利要求10或11所述的方法,其特征在于,所述第二字段包括以下信息中的一项或多项:配置通道、车外操作通道、车内操作通道、驾驶位操作通道、云连接通道。The method according to claim 10 or 11, characterized in that the second field includes one or more of the following information: configuration channel, off-vehicle operation channel, in-vehicle operation channel, driving position operation channel, cloud Connection channel.
  13. 根据权利要求1-12中任一项所述的方法,其特征在于,所述第一终端为汽车。The method according to any one of claims 1-12, characterized in that the first terminal is a car.
  14. 根据权利要求1-13中任一项所述的方法,其特征在于,所述第一位置信息通过以下定位方式中的一种或多种获取:超宽带UWB定位、蓝牙定位、5G定位。The method according to any one of claims 1 to 13, characterized in that the first location information is obtained through one or more of the following positioning methods: ultra-wideband UWB positioning, Bluetooth positioning, and 5G positioning.
  15. 一种访问控制的方法,其特征在于,包括:An access control method, characterized by including:
    基于第二终端对第一终端的权限,所述第二终端对所述第一终端进行访问;Based on the authority of the second terminal to the first terminal, the second terminal accesses the first terminal;
    其中,所述权限基于所述第二终端的第一位置信息以及访问控制信息确定,所述第一位置信息用于指示所述第二终端相对于所述第一终端的位置关系。Wherein, the permission is determined based on the first location information and access control information of the second terminal, and the first location information is used to indicate the location relationship of the second terminal relative to the first terminal.
  16. 根据权利要求15所述的方法,其特征在于,所述访问控制信息用于记录所述第二终端在不同位置时对所述第一终端的权限。The method according to claim 15, characterized in that the access control information is used to record the permissions of the second terminal on the first terminal when the second terminal is in different locations.
  17. 根据权利要求15或16所述的方法,其特征在于,所述第一位置信息包括以下信息中的一种或多种:汽车内、汽车外、主驾驶位、副驾驶位、乘客位、车左前门、车右前门、车左后门、车右后门、车尾。The method according to claim 15 or 16, characterized in that the first location information includes one or more of the following information: inside the car, outside the car, main driver’s seat, passenger seat, passenger seat, vehicle Left front door, car right front door, car left rear door, car right rear door, car rear.
  18. 根据权利要求15-17中任一项所述的方法,其特征在于,The method according to any one of claims 15-17, characterized in that,
    所述第一位置信息是通过对所述第二终端进行定位得到的,所述定位由所述第二终端向所述第一终端发送的控制指令触发。The first location information is obtained by positioning the second terminal, and the positioning is triggered by a control instruction sent by the second terminal to the first terminal.
  19. 根据权利要求15-17中任一项所述的方法,其特征在于,所述第一位置信息是通过对所述第二终端进行定位得到的,所述定位由所述第一终端和所述第二终端之间的安全通道的建立触发。The method according to any one of claims 15-17, characterized in that the first location information is obtained by positioning the second terminal, and the positioning is performed by the first terminal and the Triggered by the establishment of a secure channel between the second terminal.
  20. 根据权利要求19所述的方法,其特征在于,所述第一位置信息为所述第二终端的实时位置信 息,所述实时位置信息的获取由所述第二终端向所述第一终端发送的控制指令触发。The method of claim 19, wherein the first location information is real-time location information of the second terminal, and the real-time location information is obtained by sending the second terminal to the first terminal. The control command is triggered.
  21. 根据权利要求15-20任一项所述的方法,其特征在于,所述访问控制信息记录于访问控制列表中,所述访问控制列表包含一个或多个访问控制项。The method according to any one of claims 15 to 20, characterized in that the access control information is recorded in an access control list, and the access control list contains one or more access control items.
  22. 根据权利要求21所述的方法,其特征在于,所述访问控制项包括第一字段,所述第一字段用于专门承载所述访问控制项对应的位置信息。The method according to claim 21, characterized in that the access control item includes a first field, and the first field is used to specifically carry the location information corresponding to the access control item.
  23. 根据权利要求22所述的方法,其特征在于,所述第一字段包括以下信息中的一项或多项:汽车内、汽车外、驾驶位。The method of claim 22, wherein the first field includes one or more of the following information: inside the car, outside the car, and driving position.
  24. 根据权利要求21所述的方法,其特征在于,所述访问控制项包括第二字段,所述第二字段用于承载所述第一终端和所述第二终端之间建立的安全通道的连接类型,且所述安全通道的连接类型中的一个或多个连接类型与所述访问控制项对应的位置信息关联。The method according to claim 21, characterized in that the access control item includes a second field, the second field is used to carry the connection of the secure channel established between the first terminal and the second terminal. type, and one or more connection types among the connection types of the secure channel are associated with the location information corresponding to the access control item.
  25. 根据权利要求24所述的方法,其特征在于,所述权限基于所述第二终端的第一位置信息以及访问控制信息确定,包括:所述权限基于通道连接类型信息以及所述访问控制信息确定,所述通道连接类型信息基于所述第一位置信息确定。The method of claim 24, wherein the permission is determined based on the first location information of the second terminal and access control information, including: the permission is determined based on channel connection type information and the access control information. , the channel connection type information is determined based on the first location information.
  26. 根据权利要求24或25所述的方法,其特征在于,所述第二字段包括以下信息中的一项或多项:配置通道、车外操作通道、车内操作通道、驾驶位操作通道、云连接通道。The method according to claim 24 or 25, characterized in that the second field includes one or more of the following information: configuration channel, off-vehicle operation channel, in-vehicle operation channel, driving position operation channel, cloud Connection channel.
  27. 根据权利要求15-26中任一项所述的方法,其特征在于,所述第一终端为汽车。The method according to any one of claims 15-26, characterized in that the first terminal is a car.
  28. 根据权利要求15-27中任一项所述的方法,其特征在于,所述第一位置信息通过以下定位方式中的一种或多种获取:超宽带UWB定位、蓝牙定位、5G定位。The method according to any one of claims 15-27, characterized in that the first location information is obtained through one or more of the following positioning methods: ultra-wideband UWB positioning, Bluetooth positioning, and 5G positioning.
  29. 一种访问控制的终端,其特征在于,所述终端为第一终端,所述终端包括:An access control terminal, characterized in that the terminal is a first terminal, and the terminal includes:
    确定单元,用于根据第二终端的第一位置信息以及访问控制信息,确定所述第二终端对所述第一终端的权限;a determining unit configured to determine the authority of the second terminal to the first terminal according to the first location information and access control information of the second terminal;
    其中,所述第一位置信息用于指示所述第二终端相对于所述第一终端的位置关系。Wherein, the first location information is used to indicate the location relationship of the second terminal relative to the first terminal.
  30. 根据权利要求29所述的终端,其特征在于,所述访问控制信息用于指示所述第二终端在不同位置时对所述第一终端的权限。The terminal according to claim 29, wherein the access control information is used to indicate the permissions of the second terminal on the first terminal when the second terminal is in different locations.
  31. 根据权利要求29或30所述的终端,其特征在于,所述第一位置信息包括以下信息中的一种或多种:汽车内、汽车外、主驾驶位、副驾驶位、乘客位、车左前门、车右前门、车左后门、车右后门、车尾。The terminal according to claim 29 or 30, characterized in that the first location information includes one or more of the following information: inside the car, outside the car, main driver’s seat, passenger seat, passenger seat, car Left front door, car right front door, car left rear door, car right rear door, car rear.
  32. 根据权利要求29-31中任一项所述的终端,其特征在于,The terminal according to any one of claims 29-31, characterized in that,
    所述第一位置信息是通过对所述第二终端进行定位得到的,所述定位由所述第二终端向所述第一终端发送的控制指令触发。The first location information is obtained by positioning the second terminal, and the positioning is triggered by a control instruction sent by the second terminal to the first terminal.
  33. 根据权利要求29-31中任一项所述的终端,其特征在于,所述第一位置信息是通过对所述第二终端进行定位得到的,所述定位由所述第一终端和所述第二终端之间的安全通道的建立触发。The terminal according to any one of claims 29 to 31, characterized in that the first location information is obtained by positioning the second terminal, and the positioning is performed by the first terminal and the Triggered by the establishment of a secure channel between the second terminal.
  34. 根据权利要求33所述的终端,其特征在于,所述第一位置信息为所述第二终端的实时位置信息,所述实时位置信息的获取由所述第二终端向所述第一终端发送的控制指令触发。The terminal according to claim 33, wherein the first location information is real-time location information of the second terminal, and the real-time location information is obtained by sending the second terminal to the first terminal. The control command is triggered.
  35. 根据权利要求29-34任一项所述的终端,其特征在于,所述访问控制信息记录于访问控制列表中,所述访问控制列表包含一个或多个访问控制项。The terminal according to any one of claims 29 to 34, wherein the access control information is recorded in an access control list, and the access control list contains one or more access control items.
  36. 根据权利要求35所述的终端,其特征在于,所述访问控制项包括第一字段,所述第一字段用于专门承载所述访问控制项对应的位置信息。The terminal according to claim 35, wherein the access control item includes a first field, and the first field is used to specifically carry location information corresponding to the access control item.
  37. 根据权利要求36所述的终端,其特征在于,所述第一字段包括以下信息中的一项或多项:汽车内、汽车外、驾驶位。The terminal according to claim 36, characterized in that the first field includes one or more of the following information: inside the car, outside the car, and driving position.
  38. 根据权利要求35所述的终端,其特征在于,所述访问控制项包括第二字段,所述第二字段用于承载所述第一终端和所述第二终端之间建立的安全通道的连接类型,且所述安全通道的连接类型中的一个或多个连接类型与所述访问控制项对应的位置信息关联。The terminal according to claim 35, characterized in that the access control item includes a second field, the second field is used to carry the connection of the secure channel established between the first terminal and the second terminal. type, and one or more connection types among the connection types of the secure channel are associated with the location information corresponding to the access control item.
  39. 根据权利要求38所述的终端,其特征在于,所述确定单元具体用于:The terminal according to claim 38, characterized in that the determining unit is specifically configured to:
    根据所述第一位置信息,确定通道连接类型信息;Determine channel connection type information according to the first location information;
    根据所述通道连接类型信息以及所述访问控制信息,确定所述第二终端对所述第一终端的权限。According to the channel connection type information and the access control information, the authority of the second terminal to the first terminal is determined.
  40. 根据权利要求38或39所述的终端,其特征在于,所述第二字段包括以下信息中的一项或多项:配置通道、车外操作通道、车内操作通道、驾驶位操作通道、云连接通道。The terminal according to claim 38 or 39, characterized in that the second field includes one or more of the following information: configuration channel, off-vehicle operation channel, in-vehicle operation channel, driving seat operation channel, cloud Connection channel.
  41. 根据权利要求29-40中任一项所述的终端,其特征在于,所述第一终端为汽车。The terminal according to any one of claims 29-40, characterized in that the first terminal is a car.
  42. 根据权利要求29-41中任一项所述的终端,其特征在于,所述第一位置信息通过以下定位方式中的一种或多种获取:超宽带UWB定位、蓝牙定位、5G定位。The terminal according to any one of claims 29 to 41, characterized in that the first location information is obtained through one or more of the following positioning methods: ultra-wideband UWB positioning, Bluetooth positioning, and 5G positioning.
  43. 一种终端,其特征在于,所述终端为第二终端,所述终端包括:A terminal, characterized in that the terminal is a second terminal, and the terminal includes:
    访问单元,用于基于第二终端对第一终端的权限,对所述第一终端进行访问;An access unit, configured to access the first terminal based on the authority of the second terminal to the first terminal;
    其中,所述权限基于所述第二终端的第一位置信息以及访问控制信息确定,所述第一位置信息用于指示所述第二终端相对于所述第一终端的位置关系。Wherein, the permission is determined based on the first location information and access control information of the second terminal, and the first location information is used to indicate the location relationship of the second terminal relative to the first terminal.
  44. 根据权利要求43所述的终端,其特征在于,所述访问控制信息用于记录所述第二终端在不同位置时对所述第一终端的权限。The terminal according to claim 43, characterized in that the access control information is used to record the permissions of the second terminal on the first terminal when the second terminal is in different locations.
  45. 根据权利要求43或44所述的终端,其特征在于,所述第一位置信息包括以下信息中的一种或多种:汽车内、汽车外、主驾驶位、副驾驶位、乘客位、车左前门、车右前门、车左后门、车右后门、车尾。The terminal according to claim 43 or 44, characterized in that the first location information includes one or more of the following information: inside the car, outside the car, main driver’s seat, passenger seat, passenger seat, car Left front door, car right front door, car left rear door, car right rear door, car rear.
  46. 根据权利要求43-45中任一项所述的终端,其特征在于,The terminal according to any one of claims 43-45, characterized in that,
    所述第一位置信息是通过对所述第二终端进行定位得到的,所述定位由所述第二终端向所述第一终端发送的控制指令触发。The first location information is obtained by positioning the second terminal, and the positioning is triggered by a control instruction sent by the second terminal to the first terminal.
  47. 根据权利要求43-45中任一项所述的终端,其特征在于,所述第一位置信息是通过对所述第二终端进行定位得到的,所述定位由所述第一终端和所述第二终端之间的安全通道的建立触发。The terminal according to any one of claims 43-45, characterized in that the first location information is obtained by positioning the second terminal, and the positioning is performed by the first terminal and the Triggered by the establishment of a secure channel between the second terminal.
  48. 根据权利要求47所述的终端,其特征在于,所述第一位置信息为所述第二终端的实时位置信息,所述实时位置信息的获取由所述第二终端向所述第一终端发送的控制指令触发。The terminal according to claim 47, wherein the first location information is real-time location information of the second terminal, and the real-time location information is obtained by sending the second terminal to the first terminal. The control command is triggered.
  49. 根据权利要求43-48任一项所述的终端,其特征在于,所述访问控制信息记录于访问控制列表中,所述访问控制列表包含一个或多个访问控制项。The terminal according to any one of claims 43 to 48, characterized in that the access control information is recorded in an access control list, and the access control list contains one or more access control items.
  50. 根据权利要求49所述的终端,其特征在于,所述访问控制项包括第一字段,所述第一字段用于专门承载所述访问控制项对应的位置信息。The terminal according to claim 49, wherein the access control item includes a first field, and the first field is used to specifically carry location information corresponding to the access control item.
  51. 根据权利要求50所述的终端,其特征在于,所述第一字段包括以下信息中的一项或多项:汽车内、汽车外、驾驶位。The terminal according to claim 50, characterized in that the first field includes one or more of the following information: inside the car, outside the car, and driving position.
  52. 根据权利要求49所述的终端,其特征在于,所述访问控制项包括第二字段,所述第二字段用于承载所述第一终端和所述第二终端之间建立的安全通道的连接类型,且所述安全通道的连接类型中的一个或多个连接类型与所述访问控制项对应的位置信息关联。The terminal according to claim 49, characterized in that the access control item includes a second field, the second field is used to carry the connection of the secure channel established between the first terminal and the second terminal. type, and one or more connection types among the connection types of the secure channel are associated with the location information corresponding to the access control item.
  53. 根据权利要求52所述的终端,其特征在于,所述权限基于所述第二终端的第一位置信息以及访问控制信息确定,包括:所述权限基于通道连接类型信息以及所述访问控制信息确定,所述通道连接类型信息基于所述第一位置信息确定。The terminal according to claim 52, wherein the permission is determined based on the first location information and access control information of the second terminal, including: the permission is determined based on channel connection type information and the access control information. , the channel connection type information is determined based on the first location information.
  54. 根据权利要求52或53所述的终端,其特征在于,所述第二字段包括以下信息中的一项或多项:配置通道、车外操作通道、车内操作通道、驾驶位操作通道、云连接通道。The terminal according to claim 52 or 53, characterized in that the second field includes one or more of the following information: configuration channel, off-vehicle operation channel, in-vehicle operation channel, driving seat operation channel, cloud Connection channel.
  55. 根据权利要求43-54中任一项所述的终端,其特征在于,所述第一终端为汽车。The terminal according to any one of claims 43-54, characterized in that the first terminal is a car.
  56. 根据权利要求43-55中任一项所述的终端,其特征在于,所述第一位置信息通过以下定位方式中的一种或多种获取:超宽带UWB定位、蓝牙定位、5G定位。The terminal according to any one of claims 43-55, characterized in that the first location information is obtained through one or more of the following positioning methods: ultra-wideband UWB positioning, Bluetooth positioning, and 5G positioning.
  57. 一种终端,其特征在于,包括存储器和处理器,所述存储器用于存储程序,所述处理器用于调用所述存储器中的程序,以执行如权利要求1-28中任一项所述的方法。A terminal, characterized in that it includes a memory and a processor, the memory is used to store programs, and the processor is used to call the program in the memory to execute the method as described in any one of claims 1-28. method.
  58. 一种装置,其特征在于,包括处理器,用于从存储器中调用程序,以执行如权利要求1-28中任一项所述的方法。A device, characterized by comprising a processor for calling a program from a memory to execute the method according to any one of claims 1-28.
  59. 一种芯片,其特征在于,包括处理器,用于从存储器调用程序,使得安装有所述芯片的设备执行如权利要求1-28中任一项所述的方法。A chip, characterized in that it includes a processor for calling a program from a memory, so that a device equipped with the chip executes the method according to any one of claims 1-28.
  60. 一种计算机可读存储介质,其特征在于,其上存储有程序,所述程序使得计算机执行如权利要求1-28中任一项所述的方法。A computer-readable storage medium, characterized in that a program is stored thereon, and the program causes the computer to execute the method according to any one of claims 1-28.
  61. 一种计算机程序产品,其特征在于,包括程序,所述程序使得计算机执行如权利要求1-28中任一项所述的方法。A computer program product, characterized by comprising a program that causes a computer to execute the method according to any one of claims 1-28.
  62. 一种计算机程序,其特征在于,所述计算机程序使得计算机执行如权利要求1-28中任一项所述的方法。A computer program, characterized in that the computer program causes the computer to perform the method according to any one of claims 1-28.
PCT/CN2022/092978 2022-05-16 2022-05-16 Access control method, terminal, chip, readable storage medium, and computer program product WO2023220854A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
PCT/CN2022/092978 WO2023220854A1 (en) 2022-05-16 2022-05-16 Access control method, terminal, chip, readable storage medium, and computer program product

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2022/092978 WO2023220854A1 (en) 2022-05-16 2022-05-16 Access control method, terminal, chip, readable storage medium, and computer program product

Publications (1)

Publication Number Publication Date
WO2023220854A1 true WO2023220854A1 (en) 2023-11-23

Family

ID=88834301

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2022/092978 WO2023220854A1 (en) 2022-05-16 2022-05-16 Access control method, terminal, chip, readable storage medium, and computer program product

Country Status (1)

Country Link
WO (1) WO2023220854A1 (en)

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2002269663A (en) * 2001-03-13 2002-09-20 Denso Corp Security system for vehicle
US20110112969A1 (en) * 2009-10-30 2011-05-12 Gettaround, Inc. Vehicle access control services and platform
CN103309315A (en) * 2013-05-24 2013-09-18 成都秦川科技发展有限公司 Internet of things automotive intelligent control instrument and internet of things automotive intelligent management system
US20190375373A1 (en) * 2017-10-11 2019-12-12 Uniquid Inc. Systems and methods for networked device security
CN111066335A (en) * 2017-09-29 2020-04-24 苹果公司 Mobile device for communicating and ranging with access control system for automatic functionality
WO2020151468A1 (en) * 2019-01-22 2020-07-30 岳秀兰 Vehicle remote driving system established by primary and secondary wireless devices by means of internet of things connection
WO2022088990A1 (en) * 2020-10-30 2022-05-05 华为技术有限公司 Method and electronic device for controlling vehicle

Patent Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2002269663A (en) * 2001-03-13 2002-09-20 Denso Corp Security system for vehicle
US20110112969A1 (en) * 2009-10-30 2011-05-12 Gettaround, Inc. Vehicle access control services and platform
CN103309315A (en) * 2013-05-24 2013-09-18 成都秦川科技发展有限公司 Internet of things automotive intelligent control instrument and internet of things automotive intelligent management system
CN111066335A (en) * 2017-09-29 2020-04-24 苹果公司 Mobile device for communicating and ranging with access control system for automatic functionality
US20190375373A1 (en) * 2017-10-11 2019-12-12 Uniquid Inc. Systems and methods for networked device security
WO2020151468A1 (en) * 2019-01-22 2020-07-30 岳秀兰 Vehicle remote driving system established by primary and secondary wireless devices by means of internet of things connection
WO2022088990A1 (en) * 2020-10-30 2022-05-05 华为技术有限公司 Method and electronic device for controlling vehicle

Similar Documents

Publication Publication Date Title
WO2020253856A1 (en) Smart lock unlocking method and related device
US10202100B1 (en) Accessing a vehicle using portable devices
WO2020143414A1 (en) Wireless network access method, device, equipment and system
JP5944596B2 (en) Authenticate wireless dockees to wireless docking services
KR101833965B1 (en) Distributing biometric authentication between devices in an ad hoc network
KR102048909B1 (en) Permission based resource and service discovery
US10104525B1 (en) NFC-enabled systems, methods and devices for wireless vehicle communication
US10798188B2 (en) Electronic device and method for processing information associated with driving
KR20200130920A (en) Method for performing user authentication and distance measurement at the same time and electonic device therof
WO2006071359A2 (en) Location-based network access
KR20160120197A (en) Method and apparatus for setting smart device management account
US8839366B2 (en) Vehicular communication system, mobile communication terminal, and vehicular apparatus
US20230156424A1 (en) Electronic device for controlling wireless communication connection and operating method thereof
CN105325021B (en) Method and apparatus for remote portable wireless device authentication
US20190141047A1 (en) Vehicle network access control method and infotainment apparatus therefor
CN110557845B (en) Configuring accessory network connections
FI129401B (en) Registration procedure
WO2023220854A1 (en) Access control method, terminal, chip, readable storage medium, and computer program product
WO2019189250A1 (en) Targeted advertising with privacy and anti-replay protection
WO2016061981A1 (en) Wlan sharing method and system, and wlan sharing registration server
JP7445631B2 (en) Switchable communication transport for communication between primary device and vehicle head unit
WO2023230924A1 (en) Authentication method, apparatus, communication device, and storage medium
WO2023184548A1 (en) Information processing method and apparatus, communication device, and storage medium
WO2023000139A1 (en) Credential transmission method and apparatus, communication device, and storage medium
US20240106662A1 (en) User credentials protecting from swapping attacks

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 22941906

Country of ref document: EP

Kind code of ref document: A1