WO2023230979A1 - Method and apparatus for establishing interoperability channel, and chip and storage medium - Google Patents


Info

Publication number
WO2023230979A1
Authority
WO
WIPO (PCT)
Prior art keywords
noc
negotiation
identification code
key
message
Prior art date
Application number
PCT/CN2022/096796
Other languages
French (fr)
Chinese (zh)
Inventor
包永明
吕小强
茹昭
张军
杨宁
Original Assignee
Oppo广东移动通信有限公司
Priority date
Filing date
Publication date
Application filed by Oppo广东移动通信有限公司
Priority to PCT/CN2022/096796
Publication of WO2023230979A1

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04W: WIRELESS COMMUNICATION NETWORKS
    • H04W12/00: Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/04: Key management, e.g. using generic bootstrapping architecture [GBA]
    • H04W12/041: Key generation or derivation
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04W: WIRELESS COMMUNICATION NETWORKS
    • H04W4/00: Services specially adapted for wireless communication networks; Facilities therefor
    • H04W4/30: Services specially adapted for particular environments, situations or purposes
    • H04W4/40: Services specially adapted for particular environments, situations or purposes for vehicles, e.g. vehicle-to-pedestrians [V2P]

Abstract

Provided are a method and apparatus for establishing an interoperability channel, and a chip and a storage medium. The method comprises: a first device negotiating a shared key with a second device according to a first node interoperability certificate of the first device; the first device and the second device establishing an interoperability channel based on the shared key; and the first device sending a control instruction to the second device through the interoperability channel so as to control the second device, wherein the first device is a terminal device and the second device is a vehicle device. In embodiments of the present application, the first device and the second device can negotiate the shared key corresponding to the interoperability channel on the basis of the node interoperability certificate, which ensures the security and reliability of communication over the interoperability channel and achieves secure control of the second device by the first device. Negotiating the shared key on the basis of the node interoperability certificate helps reduce the risk of the shared key being disclosed.

Description

Method and apparatus for establishing interoperability channel, and chip and storage medium
Technical field
The present application relates to the field of communication technology, and more specifically to a method, apparatus, chip and storage medium for establishing an interoperability channel.
Background
With the rapid development of communication technology, different devices can interoperate by establishing an interoperability channel between them, for example so that one device can control another.
In the related art, to ensure the security and reliability of communication over the interoperability channel, the channel can carry encrypted communication based on a shared key. However, how the devices negotiate the shared key corresponding to the interoperability channel is a problem that urgently needs to be solved.
Summary of the invention
The present application provides a method, apparatus, chip and storage medium for establishing an interoperability channel. The aspects involved in the present application are introduced below.
In a first aspect, a method for establishing an interoperability channel is provided, including: a first device negotiates a shared key with a second device according to a first node interoperability certificate (NOC) of the first device; the first device establishes, with the second device, an interoperability channel based on the shared key; and the first device sends a control instruction to the second device through the interoperability channel to control the second device, wherein the first device is a terminal device and the second device is a vehicle device.
In a second aspect, a method for establishing an interoperability channel is provided, including: a second device negotiates a shared key with a first device according to a second node interoperability certificate (NOC) of the second device; the second device establishes, with the first device, an interoperability channel based on the shared key; and the second device receives a control instruction of the first device through the interoperability channel, wherein the first device is a terminal device and the second device is a vehicle device.
In a third aspect, an apparatus for establishing an interoperability channel is provided. The apparatus is configured in a first device and includes: a first negotiation module, configured to negotiate a shared key with a second device according to a first node interoperability certificate (NOC) of the first device; an establishment module, configured to establish, with the second device, an interoperability channel based on the shared key; and a control module, configured to send a control instruction to the second device through the interoperability channel to control the second device, wherein the first device is a terminal device and the second device is a vehicle device.
In a fourth aspect, an apparatus for establishing an interoperability channel is provided. The apparatus is configured in a second device and includes: a first negotiation module, configured to negotiate a shared key with a first device according to a second node interoperability certificate (NOC) of the second device; an establishment module, configured to establish, with the first device, an interoperability channel based on the shared key; and a first receiving module, configured to receive a control instruction of the first device through the interoperability channel, wherein the first device is a terminal device and the second device is a vehicle device.
In a fifth aspect, a communication apparatus is provided. The communication apparatus is configured in a first device and includes a processor, a memory and a communication interface. The memory is used to store one or more computer programs, and the processor is used to call the computer programs in the memory so that the first device performs some or all of the steps in the method of the first aspect.
In a sixth aspect, a communication apparatus is provided. The communication apparatus is configured in a second device and includes a processor, a memory and a communication interface. The memory is used to store one or more computer programs, and the processor is used to call the computer programs in the memory so that the second device performs some or all of the steps in the method of the second aspect.
In a seventh aspect, embodiments of the present application provide a communication system that includes the above communication apparatus. In another possible design, the system may also include other devices that interact with the communication apparatus in the solution provided by the embodiments of the present application.
In an eighth aspect, embodiments of the present application provide a computer-readable storage medium that stores a computer program, and the computer program causes a communication apparatus to perform some or all of the steps in the methods of the above aspects.
In a ninth aspect, embodiments of the present application provide a computer program product, wherein the computer program product includes a non-transitory computer-readable storage medium storing a computer program, and the computer program is operable to cause a communication apparatus to perform some or all of the steps in the methods of the above aspects. In some implementations, the computer program product may be a software installation package.
In a tenth aspect, embodiments of the present application provide a chip that includes a memory and a processor. The processor can call and run a computer program from the memory to implement some or all of the steps described in the methods of the above aspects.
In the embodiments of the present application, the first device and the second device can negotiate the shared key corresponding to the interoperability channel based on the node interoperability certificate, which ensures the security and reliability of communication over the interoperability channel and achieves secure control of the second device by the first device. Negotiating the shared key based on the node interoperability certificate helps reduce the risk of the shared key being leaked.
Description of the drawings
Figure 1 is an example architecture diagram of a wireless communication system applicable to embodiments of the present application.
Figure 2 is a schematic flowchart of a method for establishing an interoperability channel provided by an embodiment of the present application.
Figure 3 is a schematic flowchart of a possible implementation of step S210 in Figure 2.
Figure 4 is a schematic flowchart of negotiating a first identification code provided by an embodiment of the present application.
Figure 5 is a schematic flowchart of negotiating a first identification code provided by another embodiment of the present application.
Figure 6 is a schematic flowchart of negotiating the negotiation method for the shared key provided by an embodiment of the present application.
Figure 7 is a schematic flowchart of a method for establishing an interoperability channel provided by another embodiment of the present application.
Figure 8 is a schematic flowchart of a method for establishing an interoperability channel provided by yet another embodiment of the present application.
Figure 9 is a schematic structural diagram of an apparatus for establishing an interoperability channel provided by an embodiment of the present application.
Figure 10 is a schematic structural diagram of an apparatus for establishing an interoperability channel provided by another embodiment of the present application.
Figure 11 is a schematic structural diagram of a communication apparatus provided by an embodiment of the present application.
Detailed description
The technical solutions in the present application are described below with reference to the accompanying drawings.
Figure 1 is an example architecture diagram of a wireless communication system 100 applicable to embodiments of the present application. As shown in Figure 1, the wireless communication system 100 may include a first device 110 and a second device 120. The first device 110 may communicate with the second device 120 over an interoperability channel to implement interoperation between the first device 110 and the second device 120, for example, control of the second device by the first device.
In some embodiments, the first device 110 and the second device 120 may establish a connection for communication by wired means (for example, a USB interface) or over a wireless network (for example, Bluetooth or a mobile network), to implement interoperation between the first device 110 and the second device 120.
Figure 1 shows one first device 110 and one second device 120 by way of example, but the embodiments of the present application are not limited to this. Optionally, the wireless communication system 100 may include multiple first devices and/or multiple second devices. For example, a first device may control multiple second devices, or one second device may be controlled by multiple first devices.
Optionally, the wireless communication system 100 may also include other devices, such as a third device, which is not limited in the embodiments of the present application. For example, the first device 110 may communicate with the third device through the second device 120; for instance, the first device 110 may control or access the third device through the second device 120. Optionally, in this scenario, the second device 120 can be understood as a relay device or a bridge device.
It should be understood that the technical solutions of the embodiments of the present application can be applied to various communication systems, such as a fifth generation (5G) system or new radio (NR), a long term evolution (LTE) system, an LTE frequency division duplex (FDD) system, LTE time division duplex (TDD), a Bluetooth system, a wireless fidelity (WiFi) system, and so on. The technical solutions provided by the present application can also be applied to future communication systems, such as a sixth generation mobile communication system or a satellite communication system.
In some embodiments, the first device and the second device in the embodiments of the present application may be referred to as a first terminal device and a second terminal device respectively. A terminal device may also be called user equipment (UE), an access terminal, a subscriber unit, a subscriber station, a mobile station (MS), a mobile terminal (MT), a remote station, a remote terminal, a mobile device, a user terminal, a terminal, a wireless communication device, a user agent or a user apparatus.
The first device and the second device in the embodiments of the present application may be devices that provide voice and/or data connectivity to users and may be used to connect people, things and machines, such as handheld devices and vehicle-mounted devices with wireless connection functions. For example, the first device and/or the second device in the embodiments of the present application may be a mobile phone, a tablet computer (Pad), a notebook computer, a handheld computer, a mobile internet device (MID), a wearable device, an Internet of things (IoT) device, a virtual reality (VR) device, an augmented reality (AR) device, a wireless terminal in industrial control, a wireless terminal in self driving, a wireless terminal in remote medical surgery, a wireless terminal in a smart grid, a wireless terminal in transportation safety, a wireless terminal in a smart city, a wireless terminal in a smart home, and so on.
The embodiments of the present application do not limit the type of IoT device. In some embodiments, IoT devices may include smart travel tools such as vehicles and ships. In some embodiments, IoT devices may include smart home devices such as smart TVs, smart air conditioners, smart refrigerators and sweeping robots. In some embodiments, IoT devices may include smart monitoring devices such as surveillance cameras, temperature sensors and sound sensors, and so on.
Further, when the IoT device is a vehicle, the vehicle may be, for example, a family car, a taxi, a bus or a motorcycle; when the IoT device is a smart air conditioner, the smart air conditioner may be, for example, a floor-standing air conditioner or a wall-mounted air conditioner. The present application is not limited to this.
In some embodiments, the first device 110 and the second device 120 may be devices of different types, to implement interoperation between different types of devices. For example, the first device 110 may be a handheld terminal device such as a mobile phone or a tablet computer, and the second device 120 may be an IoT device (such as a vehicle or a smart air conditioner). On this basis, the handheld terminal device can control the IoT device (vehicle, smart air conditioner, etc.).
In some embodiments, the first device 110 and the second device 120 may be devices from different manufacturers, to implement interoperation between devices of different manufacturers. For example, the first device 110 may be a device from a first manufacturer, and the second device 120 may be a device from a second manufacturer (different from the first manufacturer). On this basis, a device produced by the first manufacturer can control a device produced by the second manufacturer.
The embodiments of the present application do not limit the scenarios in which the first device and the second device are located. For example, the first device and the second device may be deployed on land, including indoors or outdoors, handheld or vehicle-mounted.
It should be understood that all or part of the functions of the communication device in the present application may also be implemented by software functions running on hardware, or by virtualization functions instantiated on a platform (such as a cloud platform).
It should be understood that the interoperation between the first device and the second device mentioned in the embodiments of the present application, or the control of the second device by the first device, may refer to interoperation or control between devices of different types, or between devices of different manufacturers. The embodiments of the present application are not limited to this; for example, it may also refer to interoperation or control between devices of the same manufacturer, as long as the first device and the second device can interoperate, or one can control and the other be controlled.
It should be understood that the technical solutions provided by the embodiments of the present application can be applied to any scenario in which devices interoperate, such as interoperation between a terminal device and an IoT device. The application scenarios of the embodiments of the present application are introduced below with two specific examples, which are not intended to limit the present application.
As one example, the second device may be a smart travel tool such as a vehicle or a ship, and the first device may be a terminal device that can control that smart travel tool, such as a mobile phone, a tablet computer or a notebook computer. Taking a mobile phone as the first device and a vehicle as the second device, the mobile phone and the vehicle can establish an interoperability channel so that the mobile phone controls the vehicle, for example, opening the car door or opening the car window.
As another example, the second device may be a smart home device such as a smart air conditioner or a smart TV, and the first device may likewise be a terminal device that controls the smart home device, such as a mobile phone or a tablet computer. After the first device establishes an interoperability channel with the smart home device, the first device can control the smart home device, for example, turning on the air conditioner, turning on the TV, adjusting the air conditioner temperature or changing the air conditioner mode.
In recent years, with the rapid development of communication technology, application scenarios involving interoperation between different devices have become increasingly frequent. In some communication systems (for example, NR systems), different devices can interoperate by establishing an interoperability channel, for example so that a first device can control a second device.
However, current solutions for establishing interoperability channels between different devices are incomplete and not unified. As one possible implementation, to ensure the security and reliability of communication over the interoperability channel, the channel can carry encrypted communication based on a shared key. However, how the devices negotiate the shared key corresponding to the interoperability channel is a problem that urgently needs to be solved.
To solve the above problem, embodiments of the present application provide a method, apparatus, chip, storage medium and program product for establishing an interoperability channel, in which the shared key corresponding to the interoperability channel is negotiated based on node interoperability certificates, which helps reduce the risk of the shared key being leaked. The method embodiments provided by the embodiments of the present application are introduced in detail below with reference to the accompanying drawings.
Figure 2 is a schematic flowchart of a method for establishing an interoperability channel provided by an embodiment of the present application. The method shown in Figure 2 is described from the perspective of the interaction between the first device and the second device. The first device and the second device may be, for example, the first device 110 and the second device 120 in Figure 1.
The embodiments of the present application do not limit the specific types of the first device and the second device, as long as the first device and the second device can interoperate, or the first device can control the second device. For example, the second device may be an IoT device, such as a smart travel tool (a vehicle, a ship, etc.) or a smart home device (a smart air conditioner, a smart TV, etc.); the first device may be a terminal device capable of controlling that IoT device. For instance, in some embodiments, the first device may be a terminal device and the second device may be a vehicle device.
The method shown in Figure 2 may include steps S210 to S230, which are described in detail below.
In step S210, the first device and the second device negotiate a shared key based on node interoperability certificates (node operational certificate, NOC). It should be understood that the first device and the second device each negotiate the shared key with the other party based on the NOC that it holds. Specifically, the first device may negotiate the shared key with the second device according to the first NOC of the first device, and the second device may negotiate the shared key with the first device according to the second NOC of the second device.
In some embodiments, the NOC of a device may store key information corresponding to the NOC. It should be understood that the key information corresponding to the NOC may refer to the public key information corresponding to the NOC and/or the private key information corresponding to the NOC. Specifically, in the embodiments of the present application, the NOC of a device may store the public key information corresponding to the NOC, while the corresponding private key information must not be stored in the NOC. For example, the first NOC may store the public key corresponding to the first NOC, and the second NOC may store the public key corresponding to the second NOC. However, the embodiments of the present application are not limited to this. For example, the NOC of a device may also store information other than the key information corresponding to the NOC, such as the device identifier of the device.
To further improve the security of the shared key exchange process, in some embodiments an interoperability certificate chain may be used to verify the NOC of a device; for example, an interoperability certificate chain issued by a device certificate authority (CA) may be used to verify the NOC of the device. For brevity, a certificate issued by a CA is referred to below as a CA certificate.
The interoperability certificate chain mentioned in the embodiments of the present application may be a two-level or multi-level certificate chain, which is not limited in the embodiments of the present application.
In some embodiments, a three-level interoperability certificate chain may be used to verify the NOC of a device. The three-level interoperability certificate chain may include a root CA certificate (RCAC), an intermediate CA certificate (ICAC) and the NOC. Optionally, the ICAC may be signed by the RCAC, and the NOC may be signed by the ICAC. Correspondingly, when the three-level interoperability certificate chain is used to verify the NOC of the device, the ICAC may be used to verify the NOC, and the RCAC may be used to verify the ICAC.
In some embodiments, a two-level interoperability certificate chain may be used to verify the NOC of a device. The two-level interoperability certificate chain may include the RCAC and the NOC. Optionally, the NOC may be signed by the RCAC. Correspondingly, when the two-level interoperability certificate chain is used to verify the NOC of the device, the RCAC may be used to verify the NOC.
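The three-level and two-level chain checks described above, as an added example that is not part of the patent text. It assumes X.509 certificates with ECDSA P-256 keys via Go's standard crypto/x509 (the application does not specify a certificate format or algorithm), and every certificate name is a constructed sample.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issued pairs a certificate with its private key. Only the certificate,
// which carries the public key, is ever handed to a peer.
type issued struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

var serial int64 // constructed serial numbers for the sample certificates

// issue creates a certificate for name signed by parent; a nil parent
// yields a self-signed certificate (used here for the RCAC).
func issue(name string, isCA bool, parent *issued) *issued {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
	}
	if isCA {
		tmpl.IsCA = true
		tmpl.KeyUsage = x509.KeyUsageCertSign
	}
	signerCert, signerKey := tmpl, key
	if parent != nil {
		signerCert, signerKey = parent.cert, parent.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signerCert, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return &issued{cert: cert, key: key}
}

// verifyNOC validates noc against the trusted RCAC, using any supplied
// ICACs, and returns the length of the validated chain (2 or 3 here).
func verifyNOC(noc, rcac *x509.Certificate, icacs ...*x509.Certificate) (int, error) {
	roots, inter := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(rcac)
	for _, c := range icacs {
		inter.AddCert(c)
	}
	chains, err := noc.Verify(x509.VerifyOptions{
		Roots:         roots,
		Intermediates: inter,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
	})
	if err != nil {
		return 0, err
	}
	return len(chains[0]), nil
}

// demo builds constructed sample chains and runs four checks: a valid
// three-level chain, a valid two-level chain, a three-level NOC presented
// without its ICAC, and a NOC issued under a different root.
func demo() (three, two int, missingICAC, foreignRoot error) {
	rcac := issue("RCAC (sample)", true, nil)
	icac := issue("ICAC (sample)", true, rcac)
	noc3 := issue("NOC signed by ICAC (sample)", false, icac)
	noc2 := issue("NOC signed by RCAC (sample)", false, rcac)
	other := issue("RCAC of another issuer (sample)", true, nil)
	rogue := issue("NOC from another issuer (sample)", false, other)

	three, _ = verifyNOC(noc3.cert, rcac.cert, icac.cert)
	two, _ = verifyNOC(noc2.cert, rcac.cert)
	_, missingICAC = verifyNOC(noc3.cert, rcac.cert)
	_, foreignRoot = verifyNOC(rogue.cert, rcac.cert, icac.cert)
	return
}

func main() {
	three, two, missingICAC, foreignRoot := demo()
	fmt.Println("three-level chain length:", three)
	fmt.Println("two-level chain length:", two)
	fmt.Println("NOC without its ICAC:", missingICAC)
	fmt.Println("NOC under a different root:", foreignRoot)
}
```

A verifier that holds only the RCAC rejects a three-level NOC unless the ICAC is supplied alongside it, so the ICAC has to travel with the NOC or be provisioned in advance.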
In some embodiments, the first device may configure an interoperability certificate chain on the second device, for example a three-level interoperability certificate chain or a two-level interoperability certificate chain. For example, when the interoperability certificate chain that the first device configures on the second device is a three-level chain, the chain may include the RCAC of the first device, the ICAC of the first device, and the second NOC. The second NOC may contain the public key corresponding to the second NOC, and the private key corresponding to the second NOC can only be stored on the second device. When the interoperability certificate chain that the first device configures on the second device is a two-level chain, the chain may include the RCAC of the first device and the second NOC. The second NOC may contain the public key corresponding to the second NOC, and the private key corresponding to the second NOC can only be stored on the second device. However, the embodiments of this application are not limited to this: the interoperability certificate chain of the second device may also be configured by another device. The device that configures the interoperability certificate chain on the second device may be called the commissioner.
In some embodiments, before negotiating the shared key, the first device and the second device may negotiate the negotiation mode of the shared key according to the key negotiation modes (or types) that each of them supports. In the embodiments of this application, the negotiation mode that the first device and the second device agree on is: negotiating the shared key based on the NOC. How the first device and the second device agree on the negotiation mode of the shared key is described in detail later and is not repeated here.
In the embodiments of this application, the shared key negotiated by the first device and the second device is known only to the first device and the second device, and the two devices can communicate in encrypted form based on the negotiated shared key. While negotiating the shared key, the first device and the second device may generate it from one or more kinds of information. How the first device and the second device negotiate or generate the shared key is described later and is not repeated here.
In some embodiments, the first device and the second device may use a key algorithm to generate the shared key. For example, both may use the same key algorithm to generate the shared key, to ensure the correspondence and consistency of the generated shared key. The embodiments of this application do not limit the specific type of key algorithm. For example, the key algorithm may be a symmetric encryption algorithm, such as the data encryption standard (DES) algorithm or the advanced encryption standard (AES) algorithm.
In step S220, the first device and the second device establish an interoperability channel based on the shared key. When the first device and the second device communicate over the interoperability channel (for example, sending or receiving control instructions), the shared key is used to encrypt and protect the communication between them. In other words, when the first device and the second device communicate over the interoperability channel, the shared key can be used to encrypt the information transmitted in the channel, to improve the security of the communication.
As mentioned above, the first device and the second device can use the interoperability channel to let the first device control the second device (interoperation between devices). In the embodiments of this application, the interoperability channel can be understood as a control channel (or a secure control channel). After the interoperability channel is established between the first device and the second device, the first device can control the second device through it. After the first device and the second device establish the interoperability channel based on the shared key, their communication over the channel can be encrypted with the shared key they negotiated. This strengthens the protection of the information (such as data and instructions) in the interoperability channel and raises the security level of the communication.
In some embodiments, when the first device and the second device establish an interoperability channel based on a shared key, the shared key used for each establishment of the channel may be different and random. That is, each time before establishing the interoperability channel, the first device and the second device may first agree on a new shared key and then use that key for encrypted communication and other processing, further improving the security of communication over the interoperability channel.
In step S230, the first device controls the second device through the interoperability channel. For example, the first device may send a control instruction (also called a control command, control signaling, etc.) to the second device through the interoperability channel to control the second device.
In some embodiments, the first device controlling the second device may mean that the first device makes the second device perform certain operations, such as an opening operation, a closing operation or an adjusting operation. As one example, when the second device is a vehicle, controlling the second device may mean opening a door, closing a window, and so on. As another example, when the second device is a smart air conditioner, controlling the second device may mean turning on the air conditioner, adjusting its mode, adjusting the temperature, and so on.
In some embodiments, the first device controlling the second device may mean that the first device accesses resources of the second device. As an example, when the second device is a temperature sensor, controlling the second device may mean checking the temperature of the second device, so that some operations are performed on the second device when its temperature exceeds a certain threshold.
In the embodiments of this application, the first device and the second device can negotiate the shared key for the interoperability channel based on the NOC, to ensure the security and reliability of communication over the interoperability channel and to achieve secure control of the second device by the first device. Negotiating the shared key based on the NOC helps reduce the risk of the shared key being leaked.
The embodiments of this application do not limit how step S210 is implemented. A possible implementation of step S210 is given below with reference to FIG. 3, describing in detail how the first device and the second device negotiate a shared key based on the NOC. For example, step S210 may include steps S212 to S218, which are described in detail below.
In step S212, the first device sends a first message to the second device. The first message may be used to request the second device to negotiate a shared key. Therefore, in some embodiments, the first message may also be called a key agreement request message, a key exchange request message, or the like.
In the embodiments of this application, the first message contains first data, and the first data contains the first NOC. In some embodiments, the first NOC may contain the public key corresponding to the first NOC, and may also contain the device identifier of the first device, etc.
In some embodiments, the first data may contain other information in addition to the first NOC. For example, the first data may also contain one or more of the following: the CA certificate of the first device, a random number generated by the first device, and a first signature, where the first signature is a signature generated by the first device using the private key corresponding to the first NOC.
The CA certificate of the first device may be the RCAC of the first device or the ICAC of the first device, which is not limited in the embodiments of this application. For example, if the first device and the second device perform identity verification based on a three-level interoperability certificate chain, the CA certificate of the first device contained in the first data may be the ICAC of the first device. If they perform identity verification based on a two-level interoperability certificate chain, the CA certificate of the first device contained in the first data may be the RCAC of the first device.
The random number generated by the first device can be used to prevent replay attacks. In an authentication protocol or an encrypted data transmission system, the random number can serve as seed data or a seed vector in the identification or data validity checks between the first device and the second device. It should be understood that each time the first device and the second device negotiate a shared key, the random number generated by the first device may be different and random. Preferably, the random number generated by the first device is a true random number.
The first signature can be used by the second device to authenticate the first device. In some embodiments, the first signature may cover one or more of the following: the first NOC, the CA certificate of the first device, and the random number generated by the first device. The first device may encrypt one or more of these items with the private key corresponding to the first NOC to generate the first signature. The first device may send the first signature and the content covered by the first signature to the second device, so that the second device can use the public key corresponding to the first NOC to check the first signature sent by the first device. This verifies the identity of the first device and at the same time proves that the first NOC is authentic and not counterfeit.
It should be understood that the information covered by the first signature generated by the first device may be consistent with the information in the first data other than the first signature. For example, if the first signature covers the first NOC, the CA certificate of the first device and the random number generated by the first device, then the first data, apart from the first signature, should also contain the first NOC, the CA certificate of the first device and the random number generated by the first device. Further, if the CA certificate of the first device covered by the first signature is the RCAC of the first device, the first data also contains the RCAC of the first device. If the CA certificate of the first device covered by the first signature is the ICAC of the first device, the first data also contains the ICAC of the first device.
In step S214, the second device generates the shared key based on the first NOC and the second NOC.
As mentioned above, the second NOC may be configured in advance by the commissioner (for example, the first device). In some embodiments, the second device generating the shared key based on the first NOC and the second NOC may mean that the second device generates the shared key based on the public key corresponding to the first NOC and the private key corresponding to the second NOC. Specifically, the second device may generate a second key from the public key corresponding to the first NOC and the private key corresponding to the second NOC, and then generate the shared key from the second key.
For example, the second device may generate the shared key from the second key and one or more of the following: the random number generated by the first device, the random number generated by the second device, the device identifier of the first device, the device identifier of the second device, and the identification code of the first device. As one implementation, the second device may use one or more of these items as key parameters and apply a key algorithm to generate the shared key.
Note that the random number generated by the first device and the device identifier of the first device may be carried by the first device in the first message. For example, the device identifier of the first device may be carried in the first NOC. The random number generated by the second device may be generated on the fly by the second device before it generates the shared key. The identification code of the first device may be configured on the second device in advance by the first device, or may be generated by the second device. The identification code of the first device is described in detail later and is not repeated here.
In some embodiments, the second device may verify the identity of the first device before generating the shared key. This verification may mean that the second device uses the public key corresponding to the first NOC to check the first signature generated by the first device. In some embodiments, verifying the identity of the first device may also include the second device using the CA certificate of the first device to verify the first NOC, for example using a stored CA certificate to verify the first NOC. For example, if the configured interoperability certificate chain is a three-level chain, the second device uses the stored RCAC of the first device to verify the ICAC sent by the first device, and uses the stored ICAC of the first device to verify the first NOC. If the configured interoperability certificate chain is a two-level chain, the second device uses the stored RCAC of the first device to verify the first NOC.
In step S216, the second device sends a first response to the first device. The first response can be understood as the response message that the second device returns for the first message sent by the first device. Responses mentioned later likewise refer to the response message returned for a given message, which is not repeated below. The first response contains second data. The second data contains the second NOC.
In some embodiments, the second data is data encrypted by the second device using the public key corresponding to the first NOC.
In some embodiments, the second data may contain other information in addition to the second NOC. For example, the second data may also contain one or more of the following: the CA certificate of the first device, a random number generated by the second device, and a second signature, where the second signature is a signature generated by the second device using the private key corresponding to the second NOC.
It should be understood that the CA certificate of the first device may be the RCAC of the first device or the ICAC of the first device. For brevity, see the earlier description of the CA certificate of the first device, which is not repeated here. For the random number generated by the second device, likewise see the earlier description of the random number generated by the first device.
The second signature generated by the second device can be used by the first device to authenticate the second device. In some embodiments, the second signature generated by the second device may cover one or more of the following: the second NOC, the CA certificate of the first device, and the random number generated by the second device. The CA certificate of the first device may be, for example, the CA certificate of the first device stored on the second device. It may be the RCAC of the first device or the ICAC of the first device. For how the first device checks the second signature generated by the second device, see the earlier description of how the second device checks the first signature of the first device.
In some embodiments, after the first device receives the first response from the second device, the first device may also use the CA certificate of the first device to verify the second NOC. For example, if the configured interoperability certificate chain is a three-level chain, the first device uses the RCAC of the first device to verify the ICAC sent by the second device, and uses the stored ICAC of the first device to verify the second NOC. If the configured interoperability certificate chain is a two-level chain, the first device uses the RCAC of the first device to verify the second NOC.
The embodiments of this application do not limit the execution order of step S214 and step S216. In some embodiments, step S216 may be executed before step S214, or steps S214 and S216 may be executed at the same time.
In step S218, the first device generates the shared key based on the second NOC and the first NOC.
In some embodiments, the first device generating the shared key based on the second NOC and the first NOC may mean that the first device generates the shared key based on the public key corresponding to the second NOC and the private key corresponding to the first NOC. Specifically, the first device may generate a first key from the public key corresponding to the second NOC and the private key corresponding to the first NOC, and then generate the shared key from the first key.
For example, the first device may generate the shared key from the first key and one or more of the following: the random number generated by the first device, the random number generated by the second device, the device identifier of the first device, the device identifier of the second device, and the identification code of the first device. As one implementation, the first device may use one or more of these items as key parameters and apply a key algorithm to generate the shared key. For example, it may use the same key algorithm as the second device to generate the shared key.
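The following added example (not code from the application) walks through steps S212 to S218 in memory: each device combines its own NOC private key with the peer's NOC public key, then derives the shared key from that secret, both random numbers and both device identifiers. X25519 and HKDF-SHA256 are assumed stand-ins for the unspecified key algorithm, the signature and certificate-chain checks are left out, and all class, function and field names are hypothetical.

```python
import hashlib
import hmac
import secrets

P = 2**255 - 19                     # X25519 field prime (RFC 7748)
A24 = 121665
BASE = (9).to_bytes(32, "little")   # X25519 base point


def x25519(k: bytes, u: bytes) -> bytes:
    """RFC 7748 Montgomery ladder. Not constant time: for illustration only."""
    scalar = (int.from_bytes(k, "little") & ((1 << 254) - 8)) | (1 << 254)
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in reversed(range(255)):
        bit = (scalar >> t) & 1
        if swap ^ bit:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = bit
        a, b = (x2 + z2) % P, (x2 - z2) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        aa, bb, da, cb = a * a % P, b * b % P, d * a % P, c * b % P
        e = (aa - bb) % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * (da - cb) ** 2 % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, z2 = x3, z3
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF extract-then-expand (RFC 5869) built on the standard library."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


class Device:
    """Holds one NOC key pair; the private half never leaves the object."""

    def __init__(self, device_id: bytes):
        self.device_id = device_id
        self._noc_private = secrets.token_bytes(32)
        self.noc_public = x25519(self._noc_private, BASE)

    def derive_shared_key(self, peer_noc_public, nonce_first, nonce_second,
                          id_first, id_second) -> bytes:
        # "First key" / "second key" of the text: own private key + peer public key.
        secret = x25519(self._noc_private, peer_noc_public)
        if secret == bytes(32):
            raise ValueError("peer public key yields an all-zero secret")
        # Both nonces and both identifiers are the key parameters; the ids are
        # length-prefixed so two different id pairs cannot encode identically.
        info = b"".join(len(i).to_bytes(2, "big") + i for i in (id_first, id_second))
        return hkdf_sha256(secret, salt=nonce_first + nonce_second, info=info)


def negotiate(first: Device, second: Device):
    """Run S212 to S218 and return both derived keys plus the two nonces."""
    # S212: first message carries the first NOC public key, device id and a fresh nonce.
    nonce_first = secrets.token_bytes(32)
    first_message = {"noc_public": first.noc_public,
                     "device_id": first.device_id, "nonce": nonce_first}
    # S214: second device derives the key from the first NOC public key.
    nonce_second = secrets.token_bytes(32)
    key_second = second.derive_shared_key(
        first_message["noc_public"], first_message["nonce"], nonce_second,
        first_message["device_id"], second.device_id)
    # S216: first response carries the second NOC public key and the second nonce.
    first_response = {"noc_public": second.noc_public,
                      "device_id": second.device_id, "nonce": nonce_second}
    # S218: first device derives the key from the second NOC public key.
    key_first = first.derive_shared_key(
        first_response["noc_public"], nonce_first, first_response["nonce"],
        first.device_id, first_response["device_id"])
    return key_first, key_second, (nonce_first, nonce_second)
```

Because the NOC key pairs are long-lived, the raw key-agreement output is the same in every run; it is the fresh random numbers that make each channel's shared key different.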
As mentioned above, the first message sent by the first device to the second device contains the first data. In some embodiments, the first data is encrypted data. How the first device encrypts the first data is described in detail below, again with reference to FIG. 3.
Still referring to FIG. 3, in some embodiments the method provided by the embodiments of this application may further include step S211 before step S212. In step S211, the first device encrypts the first data according to the identification code of the first device.
On the one hand, the identification code of the first device can indicate the identity of the first device, so that the second device can identify the first device. On the other hand, the identification code of the first device can be used to encrypt the first data, to keep the first data from leaking in transit.
In some embodiments, the identification code of the first device may be represented by a PIN code (pincode).
After the first device encrypts the first data according to the identification code of the first device, the second device, on receiving the first data, needs to decrypt it according to the identification code of the first device. Only after the second device successfully decrypts the first data can it learn the first NOC and the other information in the first data. This avoids the leakage risk of transmitting the first NOC in plaintext.
In some embodiments, the identification code of the first device may be determined through negotiation between the first device and the second device. That is, before the first device encrypts the first data according to its identification code, the first device may also negotiate a first identification code with the second device. The first identification code is an identification code with which the device corresponding to it can access the second device. That is, when a device wants to access the second device, it needs to use its corresponding first identification code as the credential for that access. This application does not specifically limit how the first device and the second device negotiate the first identification code. As examples, two implementations are introduced below with reference to FIG. 4 and FIG. 5 respectively.
FIG. 4 is a schematic flowchart of the first device negotiating the first identification code with the second device according to an embodiment of this application. As shown in FIG. 4, in step S410 the first device sends a second message to the second device, and the second message is used to configure the first identification code. That is, in this embodiment the first identification code may be configured by the first device, so that each first device can correspond to one fixed identification code. Therefore, in some embodiments, this scheme in which the first device configures the first identification code may also be called a fixed identification code scheme.
As one implementation, the first device may configure the first identification code on the second device in advance, during the configuration phase. Once the first identification code is configured, the device corresponding to the first identification code can access the second device.
To avoid transmitting the identification code in plaintext, in some embodiments the first device, when configuring the first identification code, may configure the first identification code together with its corresponding index on the second device in the form of a tuple, for example <pincode, pincode_index>. In other words, the first device may configure the first identification code and the index of the first identification code on the second device, with a one-to-one mapping between the two. In this way, after the first device encrypts the first data with its identification code, it does not need to transmit the identification code to the second device for decryption. It only needs to transmit the index corresponding to the identification code. The second device can look up the correct identification code from the index and decrypt the first data, which further improves the security of the communication.
In some embodiments, if the first device has configured the first identification code and its corresponding index on the second device, then when the first device sends the first message to the second device, the first message may contain, in addition to the first data, the index corresponding to the identification code of the first device. The first data in the first message is encrypted with the identification code of the first device, while the index corresponding to the identification code of the first device is not encrypted.
In some embodiments, the first device may configure on the second device a list containing multiple first identification codes. The list may contain multiple tuples, each representing one first identification code and its corresponding index. The device corresponding to the first identification code in any of the tuples can access the second device.
In some embodiments, when the first device configures the first identification code and its corresponding index on the second device, the value of the index may be a non-zero, non-all-F value.
在一些实施例中,第一设备在配置阶段除了向第二设备配置第一身份识别码之外,还可以配置其他信息,例如,配置前文所述的互操作证书链,或者,配置其他基础配置等。In some embodiments, in addition to configuring the first identity code to the second device during the configuration phase, the first device can also configure other information, such as configuring the interoperability certificate chain mentioned above, or configuring other basic configurations. wait.
在一些实施例中,第一设备向第二设备配置了第一身份识别码的相关信息(例如,身份识别码及对应的索引)之后,第一设备可以对应存储配置的第一身份识别码的相关信息。In some embodiments, after the first device configures the related information of the first identification code (for example, the identification code and the corresponding index) to the second device, the first device can store the configured first identification code accordingly. Related Information.
在一些实施例中,第二设备也可以存储第一设备配置的第一身份识别码的相关信息,例如,存储可访问第二设备的第一身份识别码以及第一身份识别码对应的索引。In some embodiments, the second device may also store information related to the first identification code configured by the first device, for example, store the first identification code that can access the second device and the index corresponding to the first identification code.
本申请实施例对第二设备存储的方式不作限定。在一些实施例中,第二设备可以将第一身份识别码的相关信息存储至第二设备的资源中。在一些实施例中,第二设备可以将第一身份识别码的相关信息存储至功能集(cluster)中,例如存储至新定义的功能集中。The embodiment of the present application does not limit the storage method of the second device. In some embodiments, the second device may store information related to the first identity code in a resource of the second device. In some embodiments, the second device may store information related to the first identity code into a function cluster, for example, into a newly defined function cluster.
第二设备存储第一身份识别码的相关信息后,便可以根据第一设备发送的身份识别码索引查询正确的身份识别码。After the second device stores the relevant information of the first identification code, it can query the correct identification code according to the identification code index sent by the first device.
Figure 5 is a schematic flowchart of the first device negotiating the first identification code with the second device according to another embodiment of this application. As shown in Figure 5, in step S510 the first device sends a third message to the second device; the third message instructs the second device to return the first identification code. After the second device returns the first identification code, the device corresponding to the first identification code can access the second device. That is, in this embodiment the first identification code may be generated by the second device.
In some embodiments, when the first device and the second device negotiate the shared key, the second device may return a temporary identification code for the first device. In some embodiments, this scheme, in which the second device returns a temporary identification code for the first device, may therefore also be called the temporary-identification-code scheme.
As one implementation, before sending the first message to the second device, the first device may send a third message to the second device. The third message may carry information indicating that the first device has no identification code; for example, it may carry data whose identification code index is 0, where an index value of 0 indicates that the first device has no identification code.
In step S520, after receiving the third message, the second device returns the first identification code for the first device. In some embodiments, the first identification code returned by the second device is a temporary identification code, and the first device can access the second device on the basis of the returned temporary identification code.
As one implementation, after receiving the third message the second device learns from it that the first device has no identification code. On that basis, the second device may generate a temporary identification code and show it on the second device's display so that the first device can learn the temporary identification code.
In some embodiments, after learning that the first device has no identification code, the second device may also send a third response to the first device. The third response may be used to tell the first device to enter the temporary identification code that the second device returned for the first device.
In some embodiments, after the first device has entered its temporary identification code, it may send the first message to the second device. Optionally, when the first device sends the first message to the second device, the first message may contain, in addition to the first data, the index corresponding to the first device's temporary identification code; this index indicates that the first device now has an identification code. For example, the index corresponding to the temporary identification code in the first message may be the all-F value, which indicates that the first device has a temporary identification code.
In some embodiments, after entering the temporary identification code, the first device may refrain from saving it.
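The index handling described above, for both the configured tuples and the temporary code, as an added Python sketch that is not code from the application. Assumptions not on the page: a 2-byte index, the message layout, and the cipher (the application names none, so PBKDF2-HMAC-SHA256 key stretching with an HMAC-based keystream and tag stands in for it); all sample codes are constructed.

```python
import hashlib
import hmac
import secrets

INDEX_BYTES = 2                                   # assumption: the page gives no index width
NO_CODE_INDEX = 0                                 # sender has no identification code yet
TEMP_CODE_INDEX = (1 << (8 * INDEX_BYTES)) - 1    # all F: sender holds a temporary code
SALT_BYTES, TAG_BYTES = 16, 32
PBKDF2_ROUNDS = 100_000                           # a PIN is low entropy, so stretch it


class RejectedMessage(Exception):
    """The first message could not be matched to a stored identification code."""


class PinStore:
    """Second device's record of <pincode, pincode_index> tuples."""

    def __init__(self):
        self._by_index = {}
        self._temporary = None

    def configure(self, pincode, index):
        if not NO_CODE_INDEX < index < TEMP_CODE_INDEX:
            raise ValueError("index must be neither zero nor all F")
        if index in self._by_index or pincode in self._by_index.values():
            raise ValueError("code and index must map one-to-one")
        self._by_index[index] = pincode

    def issue_temporary(self):
        """Generate the temporary code that the second device shows on its display."""
        self._temporary = f"{secrets.randbelow(10**8):08d}"
        return self._temporary

    def resolve(self, index):
        if index == TEMP_CODE_INDEX:
            return self._temporary               # None until a temporary code is issued
        return self._by_index.get(index)         # index 0 is never stored, so it yields None


def _keys(pincode, salt):
    material = hashlib.pbkdf2_hmac("sha256", pincode.encode(), salt, PBKDF2_ROUNDS, dklen=64)
    return material[:32], material[32:]          # encryption key, MAC key


def _xor_stream(key, data):
    # Stand-in cipher: HMAC-SHA256 in counter mode; the key is fresh per message (fresh salt).
    stream, counter = b"", 0
    while len(stream) < len(data):
        stream += hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def seal_first_message(pincode, index, first_data):
    """First device: encrypt first_data under the code; only the index travels in clear."""
    header = index.to_bytes(INDEX_BYTES, "big")
    salt = secrets.token_bytes(SALT_BYTES)
    enc_key, mac_key = _keys(pincode, salt)
    body = _xor_stream(enc_key, first_data)
    tag = hmac.new(mac_key, header + salt + body, hashlib.sha256).digest()
    return header + salt + body + tag


def open_first_message(store, message):
    """Second device: look the code up by index, authenticate, then decrypt."""
    if len(message) < INDEX_BYTES + SALT_BYTES + TAG_BYTES:
        raise RejectedMessage("truncated message")
    header = message[:INDEX_BYTES]
    salt = message[INDEX_BYTES:INDEX_BYTES + SALT_BYTES]
    body = message[INDEX_BYTES + SALT_BYTES:-TAG_BYTES]
    tag = message[-TAG_BYTES:]
    pincode = store.resolve(int.from_bytes(header, "big"))
    if pincode is None:
        raise RejectedMessage("no identification code for this index")
    enc_key, mac_key = _keys(pincode, salt)
    expected = hmac.new(mac_key, header + salt + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise RejectedMessage("wrong identification code or modified message")
    return _xor_stream(enc_key, body)


if __name__ == "__main__":
    store = PinStore()
    store.configure("77310562", 2)               # constructed sample tuple
    wire = seal_first_message("77310562", 2, b"NOC1|ICAC1|r1|sign1")
    print(wire[:INDEX_BYTES].hex(), open_first_message(store, wire))
```

Because the tag covers the cleartext index, a message whose index has been rewritten in transit fails authentication instead of being decrypted under a different stored code.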
As mentioned above, in some embodiments, before negotiating the shared key, the first device and the second device may negotiate which key negotiation method to use, according to the key negotiation methods (or types) that each of them supports. The process by which the first device and the second device negotiate the key negotiation method for the shared key is described in detail below with reference to Figure 6.
In step S610, the first device sends a fourth message to the second device; the fourth message indicates the key negotiation methods supported by the first device.
The first device may support one or more key negotiation methods. For example, they may include one or more of the following: key-pair-based negotiation, NOC-based negotiation, and sigma-protocol-based negotiation.
It should be understood that once the first device and the second device have agreed on the negotiation method for the shared key, they can negotiate the shared key using that method and establish an interoperability channel based on the shared key. In some embodiments, interoperability channels may therefore be divided into different types according to how the first device and the second device negotiate the shared key. For example, if the first device and the second device negotiate the shared key based on the NOC, the corresponding interoperability channel is an NOC-based interoperability channel. Put differently, the key negotiation methods supported by the first device may also be called the types of interoperability establishment supported by the first device. In some embodiments, the fourth message may therefore also be called an interoperability session establishment request message; this application does not limit this.
In step S620, the second device sends a fourth response to the first device; the fourth response indicates that the shared key is to be negotiated based on the NOC.
As one implementation, the second device may determine, according to the key negotiation methods supported by the first device, that the shared key will be negotiated based on the NOC, and notify the first device of this through the fourth response.
As another implementation, after receiving the fourth message the second device may indicate in the fourth response the key negotiation methods that the second device supports, and the first device then determines the negotiation method for the shared key. The key negotiation methods supported by the second device may include one or more of the following: key-pair-based negotiation, NOC-based negotiation, and sigma-protocol-based negotiation.
For example, if the second device supports only NOC-based negotiation of the shared key, the fourth response contains only that method, and on receiving the fourth response the first device can directly determine that it will negotiate the shared key with the second device based on the NOC. Alternatively, if the second device supports several key negotiation methods, for example NOC-based negotiation and sigma-protocol-based negotiation, the first device, after receiving the fourth response, can choose one of the methods supported by the second device. In the embodiments of this application, the method chosen by the first device is to negotiate the shared key with the second device based on the NOC.
To help those skilled in the art understand how the technical solutions of the embodiments of this application are implemented, two specific examples are given below. It should be understood that these examples do not limit the technical solutions of this application. For example, not every step in an example is required: an actual implementation may use only some of the steps, or more steps than those listed. Nor is the order of the steps mandatory: some steps may be performed at the same time or in a different order.
Example 1 (using a fixed identification code)
Figure 7 is a schematic flowchart of a method for establishing an interoperability channel according to another embodiment of this application. As shown in Figure 7, the method may include steps S7010 to S7150.
In step S7010, the first device establishes a configuration channel with the second device. The configuration channel may be a secure configuration channel used for configuration operations between the first device and the second device.
In step S7020, the first device sends a second message to the second device. The second message configures the first identification code and its corresponding index, for example the tuple <pincode, pincode_index>, so that the device corresponding to the first identification code can access the second device.
In some embodiments, the first device may configure multiple sets of first identification codes and corresponding indexes on the second device, that is, multiple tuples. These tuples may form a configuration list that indicates the information related to the first identification codes that can access the second device.
In some embodiments, after the first device has configured the first identification code and its corresponding index on the second device, the first device may store that first identification code and its corresponding index.
In step S7030, the second device stores the first identification code and its corresponding index configured by the first device, for example in a resource of the second device or in a cluster of the second device (such as a newly defined cluster).
In some embodiments, after storing the first identification code and its corresponding index configured by the first device, the second device may also return a configuration status to the first device; the configuration status may, for example, indicate that the second device has stored the first identification code and its corresponding index.
In step S7040, the first device configures the interoperability certificate chain on the second device. For example, the first device configures the first device's RCAC and the second NOC on the second device; or the first device configures the first device's RCAC, the first device's ICAC and the second NOC on the second device.
In step S7050, the configuration between the first device and the second device ends and the configuration channel is exited.
In some embodiments, in addition to configuring the first identification code and the interoperability certificate chain on the second device, the first device may also configure some basic configuration on the second device. Once the identification code, the interoperability certificate chain and the basic configuration have been configured, the configuration between the first device and the second device ends and the configuration channel is exited.
In step S7060, the first device sends a fourth message to the second device; the fourth message indicates the key negotiation methods supported by the first device.
In some embodiments, the key negotiation methods supported by the first device may include one or more of the following: key-pair-based negotiation, NOC-based negotiation, and sigma-protocol-based negotiation.
In step S7070, the second device returns a fourth response to the first device. The fourth response may indicate the key negotiation methods supported by the second device; for example, the key negotiation method supported by the second device is NOC-based negotiation.
In step S7080, the first device encrypts the first data with the first device's identification code.
As one implementation, the first device may first generate a random number r1, and then use the private key corresponding to the first NOC to encrypt one or more of the first NOC, the first device's CA certificate (for example, the first device's ICAC), the random number r1 and other such information, obtaining a first signature sign1, and from that the first data. The first data may include one or more of the following: the first NOC, the first device's CA certificate (for example, the first device's ICAC), the random number r1, and the first signature sign1. Having obtained the first data, the first device may encrypt it with the first device's identification code.
In step S7090, the first device sends the first message to the second device. The first message may carry the first data encrypted with the first device's identification code, together with the index corresponding to that identification code; the index is not encrypted.
In some embodiments, the index corresponding to the identification code is a value that is neither zero nor all F.
In step S7100, the second device generates the shared key according to the first NOC and the second NOC.
In some embodiments, after receiving the first message, the second device may use the index value carried in the first message to find the corresponding identification code, and use that identification code to decrypt the first data.
In some embodiments, after decrypting the first data, the second device may use the first NOC (for example, the public key corresponding to the first NOC) to check the first signature sign1, verifying the identity of the first device and the authenticity of the first device's key pair.
In some embodiments, the second device may also use the stored CA certificates to verify the NOC sent by the first device. Taking a three-level interoperability certificate chain as an example, the second device may use the stored RCAC of the first device to verify the ICAC sent by the first device, and use the stored ICAC of the first device to verify the first NOC.
In some embodiments, after decrypting the first data, the second device may generate a random number r2, and then use the private key corresponding to the second NOC to encrypt one or more of the second NOC, the first device's CA certificate stored on the second device (for example, the stored ICAC), the random number r2 and other such information, obtaining a second signature sign2, and from that the second data. The second data may include one or more of the following: the second NOC, the first device's CA certificate stored on the second device (for example, the stored ICAC), the random number r2, and the second signature sign2.
On this basis, the second device may generate the shared key from one or more of the following: a second key generated from the public key corresponding to the first NOC and the private key corresponding to the second NOC, the random number r1, the random number r2, the device identifier of the first device, the device identifier of the second device, the first device's identification code, and so on.
In step S7110, the second device sends a first response to the first device; the first response carries the second data encrypted with the public key corresponding to the first NOC.
In step S7120, the first device generates the shared key according to the second NOC and the first NOC.
In some embodiments, after receiving the first response, the first device may decrypt the second data with the private key corresponding to the first NOC, and use the second NOC (for example, the public key corresponding to the second NOC) to verify the second signature sign2, thereby checking the identity of the second device.
In some embodiments, the first device may also use the first device's CA certificates to verify the NOC sent by the second device. Taking a three-level interoperability certificate chain as an example, the first device may use the first device's RCAC to verify the ICAC sent by the second device, and use the stored ICAC of the first device to verify the second NOC.
On this basis, the first device may generate the shared key from one or more of the following: a first key generated from the public key corresponding to the second NOC and the private key corresponding to the first NOC, the random number r1, the random number r2, the device identifier of the first device, the device identifier of the second device, the first device's identification code, and so on.
In step S7130, the first device may return the result of the key negotiation to the second device; the result may indicate that the first device has determined the shared key.
In step S7140, the first device and the second device establish an interoperability channel based on the shared key.
In step S7150, the first device controls the second device through the interoperability channel.
Example 2 (using a temporary identification code)
Figure 8 is a schematic flowchart of a method for establishing an interoperability channel according to yet another embodiment of this application. As shown in Figure 8, the method may include steps S8010 to S8150.
In step S8010, the first device establishes a configuration channel with the second device. The configuration channel may be a secure configuration channel used for configuration operations between the first device and the second device.
In step S8020, the first device configures the interoperability certificate chain on the second device. For example, the first device configures the first device's RCAC and the second NOC on the second device; or the first device configures the first device's RCAC, the first device's ICAC and the second NOC on the second device.
In step S8030, the configuration between the first device and the second device ends and the configuration channel is exited.
In step S8040, the first device sends a fourth message to the second device; the fourth message indicates the key negotiation methods supported by the first device.
In some embodiments, the key negotiation methods supported by the first device may include one or more of the following: key-pair-based negotiation, NOC-based negotiation, and sigma-protocol-based negotiation.
In step S8050, the second device returns a fourth response to the first device. The fourth response may indicate the key negotiation methods supported by the second device; for example, the key negotiation method supported by the second device is NOC-based negotiation.
In step S8060, the first device sends a third message to the second device; the third message instructs the second device to return the first identification code.
In some embodiments, the third message may carry information indicating that the first device has no identification code; for example, it may carry data whose identification code index is 0 to indicate that the first device has no identification code.
In step S8070, the second device returns the first identification code for the first device; the first identification code may be a temporary identification code.
In some embodiments, the second device may send a third response to the first device, returning an error code that tells the first device it needs to enter the temporary identification code that the second device returned for the first device.
In some embodiments, the second device may show the temporary identification code that needs to be entered on the second device's display.
In step S8080, the first device encrypts the first data with the first device's identification code.
As one implementation, after the temporary identification code has been entered, the first device may first generate a random number r1, and then use the private key corresponding to the first NOC to encrypt one or more of the first NOC, the first device's CA certificate (for example, the first device's ICAC), the random number r1 and other such information, obtaining a first signature sign1, and from that the first data. The first data may include one or more of the following: the first NOC, the first device's CA certificate (for example, the first device's ICAC), the random number r1, and the first signature sign1. Having obtained the first data, the first device may encrypt it with the first device's identification code.
In some embodiments, after entering the temporary identification code, the first device may refrain from saving it.
In step S8090, the first device sends the first message to the second device. The first message may carry the first data encrypted with the first device's identification code, together with the index corresponding to that identification code; the index is not encrypted.
In some embodiments, the index corresponding to the identification code is the all-F value, which indicates that the first device now has a temporary identification code.
在步骤S8100,第二设备根据第一NOC和第二NOC,生成共享密钥。In step S8100, the second device generates a shared key based on the first NOC and the second NOC.
在一些实施例中,第二设备接收第一消息之后,可以通过第一消息中携带的索引值对应找到身份识别码,使用该身份识别码解密第一数据。In some embodiments, after receiving the first message, the second device can find the identification code corresponding to the index value carried in the first message, and use the identification code to decrypt the first data.
在一些实施例中,第二设备解密第一数据后,可以使用第一NOC对应的公钥校验第一签名sign1,验证第一设备的身份以及第一设备的密钥对的真实性。In some embodiments, after the second device decrypts the first data, it can use the public key corresponding to the first NOC to verify the first signature sign1 to verify the identity of the first device and the authenticity of the key pair of the first device.
在一些实施例中,第二设备还可以使用存储的CA证书校验第一设备发来的NOC。以互操作证书链为三级互操作证书链为例,第二设备可以使用存储的第一设备的RCAC校验第一设备发来的ICAC,使用存储的第一设备的ICAC校验第一NOC。In some embodiments, the second device can also use the stored CA certificate to verify the NOC sent by the first device. Taking the interoperability certificate chain as a three-level interoperability certificate chain as an example, the second device can use the stored RCAC of the first device to verify the ICAC sent by the first device, and use the stored ICAC of the first device to verify the first NOC. .
在一些实施例中,第二设备解密第一数据后,可以生成随机数r2,然后使用第二NOC对应的私钥对第二NOC、第二设备存储的第一设备的CA证书(例如,存储的ICAC)、随机数r2等信息中的一种或多种进行加密得到第二签名sign2,进一步得到第二数据,第二数据可以包括以下信息中的一种或多种:第二NOC、第二设备存储的第一设备的CA证书(例如,存储的ICAC)、随机数r2、第二签名sign2。In some embodiments, after the second device decrypts the first data, it can generate a random number r2, and then use the private key corresponding to the second NOC to compare the CA certificate of the first device stored in the second NOC and the second device (for example, store ICAC), random number r2 and other information are encrypted to obtain the second signature sign2, and further obtain the second data. The second data may include one or more of the following information: the second NOC, the third The second device stores the CA certificate of the first device (for example, the stored ICAC), the random number r2, and the second signature sign2.
基于此,第二设备可以根据以下信息中的一种或多种生成共享密钥:根据第一NOC对应的公钥和第二NOC对应的私钥生成的第二密钥、随机数r1、随机数r2、第一设备的设备标识、第二设备的设备标识、第一设备的身份识别码等。Based on this, the second device can generate a shared key based on one or more of the following information: the second key generated based on the public key corresponding to the first NOC and the private key corresponding to the second NOC, the random number r1, the random number The number r2, the device identification of the first device, the device identification of the second device, the identification code of the first device, etc.
In step S8110, the second device sends a first response to the first device. The first response carries the second data, encrypted with the public key corresponding to the first NOC.
In step S8120, the first device generates the shared key according to the second NOC and the first NOC.
In some embodiments, after receiving the first response, the first device may decrypt the second data with the private key corresponding to the first NOC and verify the second signature sign2 using the second NOC (for example, the public key corresponding to the second NOC), so as to verify the identity of the second device.
In some embodiments, the first device may also use the CA certificate of the first device to verify the NOC sent by the second device. Taking a three-level interoperability certificate chain as an example, the first device may use the RCAC of the first device to verify the ICAC sent by the second device, and use the stored ICAC of the first device to verify the second NOC.
Based on this, the first device may generate the shared key from one or more of the following: a first key generated from the public key corresponding to the second NOC and the private key corresponding to the first NOC, the random number r1, the random number r2, the device identifier of the first device, the device identifier of the second device, the identification code of the first device, and so on.
In step S8130, the first device may return the result of the key negotiation to the second device. The result may be used to indicate that the first device has determined the shared key.
In step S8140, the first device and the second device establish an interoperability channel based on the shared key.
In step S8150, the first device controls the second device through the interoperability channel.
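The shared-key derivation in step S8120 and its mirror on the second device, as an added example that is not code from the application: each side combines its own NOC private key with the peer's NOC public key, then binds r1, r2, both device identifiers and the identification code into the result. X25519, HKDF-SHA256, the field encoding and all sample values are assumptions made here; the certificate-chain and signature checks are left out.

```python
"""Added illustration: both devices derive the same shared key from a
key-agreement secret plus r1, r2, the device identifiers and the
identification code. X25519 and HKDF-SHA256 are assumptions; the
application does not name any algorithm."""
import hashlib
import hmac

P = 2**255 - 19                      # Curve25519 field prime (RFC 7748)
A24 = 121665
BASE_POINT = (9).to_bytes(32, "little")


def x25519(scalar: bytes, u: bytes) -> bytes:
    """RFC 7748 Montgomery ladder. Pure Python, not constant time."""
    k = bytearray(scalar)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    k_int = int.from_bytes(k, "little")
    ub = bytearray(u)
    ub[31] &= 0x7F
    x1 = int.from_bytes(ub, "little")
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in reversed(range(255)):
        bit = (k_int >> t) & 1
        swap ^= bit
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = bit
        a = (x2 + z2) % P
        aa = a * a % P
        b = (x2 - z2) % P
        bb = b * b % P
        e = (aa - bb) % P
        c = (x3 + z3) % P
        d = (x3 - z3) % P
        da = d * a % P
        cb = c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * (da - cb) ** 2 % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """RFC 5869 extract-then-expand."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def _lp(*fields: bytes) -> bytes:
    """Length-prefix each field so ("ab", "c") and ("a", "bc") encode differently."""
    return b"".join(len(f).to_bytes(2, "big") + f for f in fields)


def derive_shared_key(own_noc_private: bytes, peer_noc_public: bytes,
                      r1: bytes, r2: bytes, first_device_id: bytes,
                      second_device_id: bytes, identification_code: bytes) -> bytes:
    """'First key' / 'second key' = agreement of own private key with the
    peer's NOC public key; the other inputs are mixed in through the KDF."""
    secret = x25519(own_noc_private, peer_noc_public)
    if secret == bytes(32):          # low-order peer point: reject (RFC 7748)
        raise ValueError("invalid peer public key")
    info = _lp(b"interop-channel", first_device_id, second_device_id,
               identification_code)
    return hkdf_sha256(secret, salt=_lp(r1, r2), info=info)


def demo():
    # Constructed sample values, not taken from the application. Real
    # devices would draw keys and r1/r2 from a CSPRNG (secrets.token_bytes).
    priv1 = hashlib.sha256(b"constructed first-device NOC key").digest()
    priv2 = hashlib.sha256(b"constructed second-device NOC key").digest()
    pub1 = x25519(priv1, BASE_POINT)   # public key carried in the first NOC
    pub2 = x25519(priv2, BASE_POINT)   # public key carried in the second NOC
    r1 = hashlib.sha256(b"constructed r1").digest()[:16]
    r2 = hashlib.sha256(b"constructed r2").digest()[:16]
    id1, id2, code = b"terminal-01", b"vehicle-01", b"482913"
    k_first = derive_shared_key(priv1, pub2, r1, r2, id1, id2, code)
    k_second = derive_shared_key(priv2, pub1, r1, r2, id1, id2, code)
    # A peer holding a different identification code ends up with another key.
    k_wrong_code = derive_shared_key(priv2, pub1, r1, r2, id1, id2, b"000000")
    return k_first, k_second, k_wrong_code


if __name__ == "__main__":
    first, second, wrong = demo()
    print("keys match:", first == second)
    print("wrong identification code diverges:", wrong != first)
```

Because every negotiated value feeds the KDF, a substituted nonce, device identifier or identification code shows up as a channel that fails to come up rather than as a silently accepted session.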
The method embodiments of the present application have been described in detail above with reference to FIGS. 1 to 8. The apparatus embodiments of the present application are described in detail below with reference to FIGS. 9 to 11. It should be understood that the description of the method embodiments corresponds to the description of the apparatus embodiments, so for parts not described in detail, refer to the preceding method embodiments.
FIG. 9 is a schematic structural diagram of an apparatus for establishing an interoperability channel provided by an embodiment of the present application. The apparatus may be configured in the first device described above. The apparatus 900 shown in FIG. 9 may include a first negotiation module 910, an establishing module 920 and a control module 930.
The first negotiation module 910 may be configured to negotiate a shared key with the second device according to the first NOC of the first device.
The establishing module 920 may be configured to establish, with the second device, an interoperability channel based on the shared key.
The control module 930 may be configured to send a control instruction to the second device through the interoperability channel so as to control the second device, where the first device is a terminal device and the second device is a vehicle device.
Optionally, the first negotiation module further includes: a first sending module, configured to send a first message to the second device, where the first message contains first data, the first data contains the first NOC, and the first NOC is used by the second device to generate the shared key; a first receiving module, configured to receive the first response from the second device, where the first response contains second data and the second data contains the second NOC; and a generating module, configured to generate the shared key according to the second NOC and the first NOC.
Optionally, the first data further contains one or more of the following: the device certificate authority (CA) certificate of the first device, a random number generated by the first device, and a first signature; and/or the second data further contains one or more of the following: the CA certificate of the first device, a random number generated by the second device, and a second signature.
Optionally, the first signature is obtained by the first device using the private key corresponding to the first NOC to encrypt one or more of the following: the first NOC, the CA certificate of the first device, and the random number generated by the first device; the second signature is obtained by the second device using the private key corresponding to the second NOC to encrypt one or more of the following: the second NOC, the CA certificate of the first device, and the random number generated by the second device.
Optionally, the apparatus 900 further includes: a verification module, configured to verify the second NOC using the CA certificate of the first device.
Optionally, the apparatus 900 further includes: an encryption module, configured to encrypt the first data according to the identification code of the first device.
Optionally, the apparatus 900 further includes: a second negotiation module, configured to negotiate a first identification code with the second device, where the first identification code is the identification code used by the device corresponding to the first identification code to access the second device.
Optionally, the second negotiation module further includes: a second sending module, configured to send a second message to the second device, where the second message is used to configure the first identification code.
Optionally, the second negotiation module further includes: a third sending module, configured to send a third message to the second device, where the third message is used to instruct the second device to return the first identification code.
Optionally, the third message carries information indicating that the first device does not have an identification code, and the apparatus 900 further includes: a second receiving module, configured to receive the first identification code returned by the second device.
Optionally, the first identification code returned by the second device is displayed on the display screen of the second device.
Optionally, the first identification code returned by the second device is a temporary identification code.
Optionally, the apparatus 900 further includes: a third negotiation module, configured to negotiate, with the second device, the negotiation method for the shared key.
Optionally, the third negotiation module further includes: a fourth sending module, configured to send a fourth message to the second device, where the fourth message is used to indicate the key negotiation methods supported by the first device; and a third receiving module, configured to receive the fourth response from the second device, where the fourth response is used to indicate that the shared key is to be negotiated based on the NOC.
Optionally, the key negotiation methods supported by the first device and/or the second device include one or more of the following: negotiation based on a key pair, negotiation based on the NOC, and negotiation based on the sigma protocol.
Optionally, the shared key is generated by the first device from one or more of the following: a first key, the random number generated by the first device, the random number generated by the second device, the device identifier of the first device, the device identifier of the second device, and the identification code of the first device, where the first key is generated by the first device from the public key corresponding to the second NOC and the private key corresponding to the first NOC.
FIG. 10 is a schematic structural diagram of an apparatus for establishing an interoperability channel provided by another embodiment of the present application. The apparatus may be configured in the second device described above. The apparatus 1000 shown in FIG. 10 may include a first negotiation module 1010, an establishing module 1020 and a first receiving module 1030.
The first negotiation module 1010 may be configured to negotiate a shared key with the first device according to the second NOC of the second device.
The establishing module 1020 may be configured to establish, with the first device, an interoperability channel based on the shared key.
The first receiving module 1030 may be configured to receive a control instruction from the first device through the interoperability channel, where the first device is a terminal device and the second device is a vehicle device.
Optionally, the first negotiation module further includes: a second receiving module, configured to receive a first message sent by the first device, where the first message contains first data and the first data contains the first NOC; a generating module, configured to generate the shared key according to the first NOC and the second NOC; and a first sending module, configured to send the first response to the first device, where the first response contains second data, the second data contains the second NOC, and the second NOC is used by the first device to generate the shared key.
Optionally, the first data further contains one or more of the following: the device certificate authority (CA) certificate of the first device, a random number generated by the first device, and a first signature; and/or the second data further contains one or more of the following: the CA certificate of the first device, a random number generated by the second device, and a second signature.
Optionally, the first signature is obtained by the first device using the private key corresponding to the first NOC to encrypt one or more of the following: the first NOC, the CA certificate of the first device, and the random number generated by the first device; the second signature is obtained by the second device using the private key corresponding to the second NOC to encrypt one or more of the following: the second NOC, the CA certificate of the first device, and the random number generated by the second device.
Optionally, the apparatus 1000 further includes: a verification module, configured to verify the first NOC using the CA certificate of the first device.
Optionally, the apparatus 1000 further includes: a decryption module, configured to decrypt the first data according to the identification code of the first device.
Optionally, the apparatus 1000 further includes: a second negotiation module, configured to negotiate a first identification code with the first device, where the first identification code is the identification code used by the device corresponding to the first identification code to access the second device.
Optionally, the second negotiation module further includes: a third receiving module, configured to receive a second message sent by the first device, where the second message is used to configure the first identification code.
Optionally, the second negotiation module further includes: a fourth receiving module, configured to receive a third message sent by the first device, where the third message is used to instruct the second device to return the first identification code.
Optionally, the third message carries information indicating that the first device does not have an identification code, and the apparatus 1000 further includes: a return module, configured to return a first identification code to the first device.
Optionally, the first identification code returned by the second device is displayed on the display screen of the second device.
Optionally, the first identification code returned by the second device is a temporary identification code.
Optionally, the apparatus 1000 further includes: a third negotiation module, configured to negotiate, with the first device, the negotiation method for the shared key.
Optionally, the third negotiation module further includes: a fifth receiving module, configured to receive a fourth message sent by the first device, where the fourth message is used to indicate the key negotiation methods supported by the first device; and a second sending module, configured to send the fourth response to the first device, where the fourth response is used to indicate that the shared key is to be negotiated based on the NOC.
Optionally, the key negotiation methods supported by the first device and/or the second device include one or more of the following: negotiation based on a key pair, negotiation based on the NOC, and negotiation based on the sigma protocol.
Optionally, the shared key is generated by the second device from one or more of the following: a second key, the random number generated by the first device, the random number generated by the second device, the device identifier of the first device, the device identifier of the second device, and the identification code of the first device, where the second key is generated by the second device from the public key corresponding to the first NOC and the private key corresponding to the second NOC.
In an optional embodiment, the apparatus 900 for establishing an interoperability channel and/or the apparatus 1000 for establishing an interoperability channel may further include a transceiver 1130 and a memory 1120, as shown in FIG. 11.
FIG. 11 is a schematic structural diagram of a communication apparatus according to an embodiment of the present application. A dashed line in FIG. 11 indicates that the unit or module is optional. The apparatus 1100 may be used to implement the methods described in the above method embodiments. The apparatus 1100 may be a chip, a terminal device or a network device.
The apparatus 1100 may include one or more processors 1110. The processor 1110 may support the apparatus 1100 in implementing the methods described in the preceding method embodiments. The processor 1110 may be a general-purpose processor or a special-purpose processor. For example, the processor may be a central processing unit (CPU). Alternatively, the processor may be another general-purpose processor, a digital signal processor (DSP), an application specific integrated circuit (ASIC), a field programmable gate array (FPGA) or another programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, and so on. A general-purpose processor may be a microprocessor, or the processor may be any conventional processor.
The apparatus 1100 may further include one or more memories 1120. The memory 1120 stores a program that can be executed by the processor 1110, so that the processor 1110 performs the methods described in the preceding method embodiments. The memory 1120 may be separate from the processor 1110 or integrated in the processor 1110.
The apparatus 1100 may further include a transceiver 1130. The processor 1110 may communicate with other devices or chips through the transceiver 1130. For example, the processor 1110 may send data to and receive data from other devices or chips through the transceiver 1130.
An embodiment of the present application further provides a computer-readable storage medium for storing a program. The computer-readable storage medium can be applied to the terminal or network device provided by the embodiments of the present application, and the program causes a computer to perform the methods performed by the terminal or network device in the various embodiments of the present application.
An embodiment of the present application further provides a computer program product. The computer program product includes a program. The computer program product can be applied to the terminal or network device provided by the embodiments of the present application, and the program causes a computer to perform the methods performed by the terminal or network device in the various embodiments of the present application.
An embodiment of the present application further provides a computer program. The computer program can be applied to the terminal or network device provided by the embodiments of the present application, and the computer program causes a computer to perform the methods performed by the terminal or network device in the various embodiments of the present application.
It should be understood that the terms "system" and "network" may be used interchangeably in this application. In addition, the terms used in this application are only used to explain specific embodiments of the application and are not intended to limit the application. The terms "first", "second", "third", "fourth" and so on in the description, claims and drawings of this application are used to distinguish different objects, not to describe a specific order. Furthermore, the terms "include" and "have" and any variations of them are intended to cover non-exclusive inclusion.
In the embodiments of this application, the "indication" mentioned may be a direct indication, an indirect indication, or a statement that an association exists. For example, "A indicates B" may mean that A directly indicates B, for example B can be obtained through A; it may mean that A indirectly indicates B, for example A indicates C and B can be obtained through C; or it may mean that there is an association between A and B.
In the embodiments of this application, "B corresponding to A" means that B is associated with A and that B can be determined from A. It should also be understood, however, that determining B from A does not mean determining B from A alone; B may also be determined from A and/or other information.
In the embodiments of this application, the term "correspond" may mean that there is a direct or indirect correspondence between two items, that there is an association between the two, or that the two stand in a relationship such as indicating and being indicated, or configuring and being configured.
In the embodiments of this application, "predefined" or "preconfigured" may be implemented by pre-storing, in a device (for example, including terminal devices and network devices), corresponding code, tables or other means that can be used to indicate the relevant information; this application does not limit the specific implementation. For example, "predefined" may refer to what is defined in a protocol.
In the embodiments of this application, the "protocol" may refer to a standard protocol in the communications field, which may include, for example, the LTE protocol, the NR protocol, and related protocols applied in future communication systems; this application does not limit this.
In the embodiments of this application, the term "and/or" merely describes an association between associated objects and indicates that three relationships are possible. For example, "A and/or B" may mean: A exists alone, A and B both exist, or B exists alone. In addition, the character "/" in this document generally indicates an "or" relationship between the objects before and after it.
In the various embodiments of this application, the magnitude of the sequence numbers of the above processes does not imply an order of execution. The order in which the processes are executed should be determined by their functions and internal logic, and should not constitute any limitation on the implementation of the embodiments of this application.
In the several embodiments provided in this application, it should be understood that the disclosed systems, apparatuses and methods may be implemented in other ways. For example, the apparatus embodiments described above are only illustrative. The division into units is only a division by logical function, and other divisions are possible in an actual implementation: multiple units or components may be combined or integrated into another system, or some features may be ignored or not performed. In addition, the mutual coupling, direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through some interfaces, apparatuses or units, and may be electrical, mechanical or of another form.
The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; that is, they may be located in one place or distributed across multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, the functional units in the various embodiments of this application may be integrated in one processing unit, each unit may exist physically on its own, or two or more units may be integrated in one unit.
The above embodiments may be implemented in whole or in part by software, hardware, firmware, or any combination of them. When implemented in software, they may be implemented in whole or in part in the form of a computer program product. The computer program product includes one or more computer instructions. When the computer program instructions are loaded and executed on a computer, the processes or functions described in the embodiments of this application are produced in whole or in part. The computer may be a general-purpose computer, a special-purpose computer, a computer network, or another programmable apparatus. The computer instructions may be stored in a computer-readable storage medium, or transmitted from one computer-readable storage medium to another. For example, the computer instructions may be transmitted from one website, computer, server or data center to another website, computer, server or data center by wired means (such as coaxial cable, optical fiber, or digital subscriber line (DSL)) or wireless means (such as infrared, radio, or microwave). The computer-readable storage medium may be any available medium that a computer can read, or a data storage device such as a server or data center that integrates one or more available media. The available medium may be a magnetic medium (for example, a floppy disk, hard disk, or magnetic tape), an optical medium (for example, a digital video disc (DVD)), or a semiconductor medium (for example, a solid state disk (SSD)), etc.
The above are only specific embodiments of this application, but the scope of protection of this application is not limited to them. Any change or substitution that a person skilled in the art could readily conceive within the technical scope disclosed in this application shall fall within the scope of protection of this application. Therefore, the scope of protection of this application shall be determined by the scope of protection of the claims.

Claims (71)

  1. A method for establishing an interoperability channel, characterized by comprising:
    a first device negotiating a shared key with a second device according to a first node interoperability certificate (NOC) of the first device;
    the first device establishing, with the second device, an interoperability channel based on the shared key;
    the first device sending a control instruction to the second device through the interoperability channel so as to control the second device;
    wherein the first device is a terminal device and the second device is a vehicle device.
  2. The method according to claim 1, characterized in that the first device negotiating a shared key with the second device according to the first NOC of the first device comprises:
    the first device sending a first message to the second device, the first message containing first data, the first data containing the first NOC, and the first NOC being used by the second device to generate the shared key;
    the first device receiving a first response from the second device, the first response containing second data, and the second data containing a second NOC of the second device;
    the first device generating the shared key according to the second NOC and the first NOC.
  3. The method according to claim 2, characterized in that:
    the first data further contains one or more of the following: a device certificate authority (CA) certificate of the first device, a random number generated by the first device, and a first signature; and/or
    the second data further contains one or more of the following: the CA certificate of the first device, a random number generated by the second device, and a second signature.
  4. The method according to claim 3, characterized in that the first signature is obtained by the first device using the private key corresponding to the first NOC to encrypt one or more of the following: the first NOC, the CA certificate of the first device, and the random number generated by the first device;
    the second signature is obtained by the second device using the private key corresponding to the second NOC to encrypt one or more of the following: the second NOC, the CA certificate of the first device, and the random number generated by the second device.
  5. The method according to any one of claims 2-4, characterized in that, after the first device receives the first response from the second device, the method further comprises:
    the first device verifying the second NOC using the CA certificate of the first device.
  6. The method according to any one of claims 2-5, characterized in that, before the first device sends the first message to the second device, the method further comprises:
    the first device encrypting the first data according to the identification code of the first device.
  7. The method according to claim 6, characterized in that, before the first device encrypts the first data according to the identification code of the first device, the method further comprises:
    the first device negotiating a first identification code with the second device, the first identification code being used by the device corresponding to the first identification code to access the second device.
  8. The method according to claim 7, wherein the first device negotiating the first identification code with the second device comprises:
    the first device sending a second message to the second device, the second message being used to configure the first identification code.
  9. The method according to claim 7, wherein the first device negotiating the first identification code with the second device comprises:
    the first device sending a third message to the second device, the third message being used to instruct the second device to return the first identification code.
  10. The method according to claim 9, wherein the third message carries information indicating that the first device does not have an identification code,
    and the method further comprises:
    the first device receiving the first identification code returned by the second device.
  11. The method according to claim 10, wherein the first identification code returned by the second device is displayed on the display screen of the second device.
  12. The method according to any one of claims 9-11, wherein the first identification code returned by the second device is a temporary identification code.
  13. The method according to any one of claims 1-12, wherein, before the first device negotiates the shared key with the second device according to the first NOC of the first device, the method further comprises:
    the first device negotiating with the second device the negotiation method for the shared key.
  14. The method according to claim 13, wherein the first device negotiating with the second device the negotiation method for the shared key comprises:
    the first device sending a fourth message to the second device, the fourth message being used to indicate the key negotiation methods supported by the first device;
    the first device receiving a fourth response from the second device, the fourth response being used to indicate that the shared key is to be negotiated based on the NOC.
  15. The method according to claim 14, wherein the key negotiation methods supported by the first device and/or the second device include one or more of the following: negotiation based on a key pair, negotiation based on the NOC, and negotiation based on the sigma protocol.
  16. The method according to any one of claims 1-15, wherein the shared key is generated by the first device according to one or more of the following information: a first key, the random number generated by the first device, the random number generated by the second device, the device identifier of the first device, the device identifier of the second device, and the identification code of the first device, wherein the first key is generated by the first device according to the public key corresponding to the second NOC and the private key corresponding to the first NOC.
  17. A method for establishing an interoperability channel, comprising:
    a second device negotiating a shared key with a first device according to a second node interoperability certificate (NOC) of the second device;
    the second device establishing, with the first device, an interoperability channel based on the shared key;
    the second device receiving a control instruction of the first device through the interoperability channel;
    wherein the first device is a terminal device and the second device is a vehicle device.
  18. The method according to claim 17, wherein the second device negotiating the shared key with the first device according to the second NOC of the second device comprises:
    the second device receiving a first message sent by the first device, the first message containing first data, and the first data containing the first NOC of the first device;
    the second device generating the shared key according to the first NOC and the second NOC;
    the second device sending a first response to the first device, the first response containing second data, the second data containing the second NOC, and the second NOC being used by the first device to generate the shared key.
  19. The method according to claim 18, wherein:
    the first data further contains one or more of the following information: the device certification authority (CA) certificate of the first device, a random number generated by the first device, and a first signature; and/or
    the second data further contains one or more of the following information: the CA certificate of the first device, a random number generated by the second device, and a second signature.
  20. The method according to claim 19, wherein the first signature is obtained by the first device using the private key corresponding to the first NOC to encrypt one or more of the following information: the first NOC, the CA certificate of the first device, and the random number generated by the first device;
    the second signature is obtained by the second device using the private key corresponding to the second NOC to encrypt one or more of the following information: the second NOC, the CA certificate of the first device, and the random number generated by the second device.
  21. The method according to any one of claims 18-20, wherein, after the second device receives the first message sent by the first device, the method further comprises:
    the second device verifying the first NOC using the CA certificate of the first device.
  22. The method according to any one of claims 18-21, wherein, after the second device receives the first message sent by the first device, the method further comprises:
    the second device decrypting the first data according to the identification code of the first device.
  23. The method according to claim 22, wherein, before the second device decrypts the first data according to the identification code of the first device, the method further comprises:
    the second device negotiating a first identification code with the first device, the first identification code being used by the device corresponding to the first identification code to access the second device.
  24. The method according to claim 23, wherein the second device negotiating the first identification code with the first device comprises:
    the second device receiving a second message sent by the first device, the second message being used to configure the first identification code.
  25. The method according to claim 23, wherein the second device negotiating the first identification code with the first device comprises:
    the second device receiving a third message sent by the first device, the third message being used to instruct the second device to return the first identification code.
  26. The method according to claim 25, wherein the third message carries information indicating that the first device does not have an identification code,
    and the method further comprises:
    the second device returning the first identification code to the first device.
  27. The method according to claim 26, wherein the first identification code returned by the second device is displayed on the display screen of the second device.
  28. The method according to any one of claims 25-27, wherein the first identification code returned by the second device is a temporary identification code.
  29. The method according to any one of claims 17-28, wherein, before the second device negotiates the shared key with the first device according to the second NOC of the second device, the method further comprises:
    the second device negotiating with the first device the negotiation method for the shared key.
  30. The method according to claim 29, wherein the second device negotiating with the first device the negotiation method for the shared key comprises:
    the second device receiving a fourth message sent by the first device, the fourth message being used to indicate the key negotiation methods supported by the first device;
    the second device sending a fourth response to the first device, the fourth response being used to indicate that the shared key is to be negotiated based on the NOC.
  31. The method according to claim 30, wherein the key negotiation methods supported by the first device and/or the second device include one or more of the following: negotiation based on a key pair, negotiation based on the NOC, and negotiation based on the sigma protocol.
  32. The method according to any one of claims 17-31, wherein the shared key is generated by the second device according to one or more of the following information: a second key, the random number generated by the first device, the random number generated by the second device, the device identifier of the first device, the device identifier of the second device, and the identification code of the first device, wherein the second key is generated by the second device according to the public key corresponding to the first NOC and the private key corresponding to the second NOC.
  33. An apparatus for establishing an interoperability channel, wherein the apparatus is configured in a first device and comprises:
    a first negotiation module, configured to negotiate a shared key with a second device according to a first node interoperability certificate (NOC) of the first device;
    an establishment module, configured to establish, with the second device, an interoperability channel based on the shared key;
    a control module, configured to send a control instruction to the second device through the interoperability channel so as to control the second device;
    wherein the first device is a terminal device and the second device is a vehicle device.
  34. The apparatus according to claim 33, wherein the first negotiation module further comprises:
    a first sending module, configured to send a first message to the second device, the first message containing first data, the first data containing the first NOC, and the first NOC being used by the second device to generate the shared key;
    a first receiving module, configured to receive a first response from the second device, the first response containing second data, and the second data containing the second NOC;
    a generating module, configured to generate the shared key according to the second NOC and the first NOC.
  35. The apparatus according to claim 34, wherein:
    the first data further contains one or more of the following information: the device certification authority (CA) certificate of the first device, a random number generated by the first device, and a first signature; and/or
    the second data further contains one or more of the following information: the CA certificate of the first device, a random number generated by the second device, and a second signature.
  36. The apparatus according to claim 35, wherein the first signature is obtained by the first device using the private key corresponding to the first NOC to encrypt one or more of the following information: the first NOC, the CA certificate of the first device, and the random number generated by the first device;
    the second signature is obtained by the second device using the private key corresponding to the second NOC to encrypt one or more of the following information: the second NOC, the CA certificate of the first device, and the random number generated by the second device.
  37. The apparatus according to any one of claims 34-36, wherein the apparatus further comprises:
    a verification module, configured to verify the second NOC using the CA certificate of the first device.
  38. The apparatus according to any one of claims 34-37, wherein the apparatus further comprises:
    an encryption module, configured to encrypt the first data according to the identification code of the first device.
  39. The apparatus according to claim 38, wherein the apparatus further comprises:
    a second negotiation module, configured to negotiate a first identification code with the second device, the first identification code being used by the device corresponding to the first identification code to access the second device.
  40. The apparatus according to claim 39, wherein the second negotiation module further comprises:
    a second sending module, configured to send a second message to the second device, the second message being used to configure the first identification code.
  41. The apparatus according to claim 39, wherein the second negotiation module further comprises:
    a third sending module, configured to send a third message to the second device, the third message being used to instruct the second device to return the first identification code.
  42. The apparatus according to claim 41, wherein the third message carries information indicating that the first device does not have an identification code,
    and the apparatus further comprises:
    a second receiving module, configured to receive the first identification code returned by the second device.
  43. The apparatus according to claim 42, wherein the first identification code returned by the second device is displayed on the display screen of the second device.
  44. The apparatus according to any one of claims 41-43, wherein the first identification code returned by the second device is a temporary identification code.
  45. The apparatus according to any one of claims 33-44, wherein the apparatus further comprises:
    a third negotiation module, configured to negotiate with the second device the negotiation method for the shared key.
  46. The apparatus according to claim 45, wherein the third negotiation module further comprises:
    a fourth sending module, configured to send a fourth message to the second device, the fourth message being used to indicate the key negotiation methods supported by the first device;
    a third receiving module, configured to receive a fourth response from the second device, the fourth response being used to indicate that the shared key is to be negotiated based on the NOC.
  47. The apparatus according to claim 46, wherein the key negotiation methods supported by the first device and/or the second device include one or more of the following: negotiation based on a key pair, negotiation based on the NOC, and negotiation based on the sigma protocol.
  48. The apparatus according to any one of claims 33-47, wherein the shared key is generated by the first device according to one or more of the following information: a first key, the random number generated by the first device, the random number generated by the second device, the device identifier of the first device, the device identifier of the second device, and the identification code of the first device, wherein the first key is generated by the first device according to the public key corresponding to the second NOC and the private key corresponding to the first NOC.
  49. An apparatus for establishing an interoperability channel, wherein the apparatus is configured in a second device and comprises:
    a first negotiation module, configured to negotiate a shared key with a first device according to a second node interoperability certificate (NOC) of the second device;
    an establishment module, configured to establish, with the first device, an interoperability channel based on the shared key;
    a first receiving module, configured to receive a control instruction of the first device through the interoperability channel;
    wherein the first device is a terminal device and the second device is a vehicle device.
  50. The apparatus according to claim 49, wherein the first negotiation module further comprises:
    a second receiving module, configured to receive a first message sent by the first device, the first message containing first data, and the first data containing the first NOC of the first device;
    a generating module, configured to generate the shared key according to the first NOC and the second NOC;
    a first sending module, configured to send a first response to the first device, the first response containing second data, the second data containing the second NOC, and the second NOC being used by the first device to generate the shared key.
  51. The apparatus according to claim 50, wherein:
    the first data further contains one or more of the following information: the device certification authority (CA) certificate of the first device, a random number generated by the first device, and a first signature; and/or
    the second data further contains one or more of the following information: the CA certificate of the first device, a random number generated by the second device, and a second signature.
  52. The apparatus according to claim 51, wherein the first signature is obtained by the first device using the private key corresponding to the first NOC to encrypt one or more of the following information: the first NOC, the CA certificate of the first device, and the random number generated by the first device;
    the second signature is obtained by the second device using the private key corresponding to the second NOC to encrypt one or more of the following information: the second NOC, the CA certificate of the first device, and the random number generated by the second device.
  53. The apparatus according to any one of claims 50-52, wherein the apparatus further comprises:
    a verification module, configured to verify the first NOC using the CA certificate of the first device.
  54. The apparatus according to any one of claims 50-53, wherein the apparatus further comprises:
    a decryption module, configured to decrypt the first data according to the identification code of the first device.
  55. The apparatus according to claim 54, wherein the apparatus further comprises:
    a second negotiation module, configured to negotiate a first identification code with the first device, the first identification code being used by the device corresponding to the first identification code to access the second device.
  56. The apparatus according to claim 55, wherein the second negotiation module further comprises:
    a third receiving module, configured to receive a second message sent by the first device, the second message being used to configure the first identification code.
  57. The apparatus according to claim 55, wherein the second negotiation module further comprises:
    a fourth receiving module, configured to receive a third message sent by the first device, the third message being used to instruct the second device to return the first identification code.
  58. The apparatus according to claim 57, wherein the third message carries information indicating that the first device does not have an identification code,
    and the apparatus further comprises:
    a return module, configured to return the first identification code to the first device.
  59. The apparatus according to claim 58, wherein the first identification code returned by the second device is displayed on the display screen of the second device.
  60. The apparatus according to any one of claims 57-59, wherein the first identification code returned by the second device is a temporary identification code.
  61. The apparatus according to any one of claims 49-60, wherein the apparatus further comprises:
    a third negotiation module, configured to negotiate with the first device the negotiation method for the shared key.
  62. The apparatus according to claim 61, wherein the third negotiation module further comprises:
    a fifth receiving module, configured to receive a fourth message sent by the first device, the fourth message being used to indicate the key negotiation methods supported by the first device;
    a second sending module, configured to send a fourth response to the first device, the fourth response being used to indicate that the shared key is to be negotiated based on the NOC.
  63. The apparatus according to claim 62, wherein the key negotiation methods supported by the first device and/or the second device include one or more of the following: negotiation based on a key pair, negotiation based on the NOC, and negotiation based on the sigma protocol.
  64. The apparatus according to any one of claims 49-63, wherein the shared key is generated by the second device according to one or more of the following information: a second key, the random number generated by the first device, the random number generated by the second device, the device identifier of the first device, the device identifier of the second device, and the identification code of the first device, wherein the second key is generated by the second device according to the public key corresponding to the first NOC and the private key corresponding to the second NOC.
  65. A communication apparatus, wherein the communication apparatus is configured in a first device and comprises a memory and a processor, the memory being configured to store a program, and the processor being configured to call the program in the memory so that the first device performs the method according to any one of claims 1-16.
  66. A communication apparatus, wherein the communication apparatus is configured in a second device and comprises a memory and a processor, the memory being configured to store a program, and the processor being configured to call the program in the memory so that the second device performs the method according to any one of claims 17-32.
  67. An apparatus, comprising a processor configured to call a program from a memory so that the apparatus performs the method according to any one of claims 1-32.
  68. A chip, comprising a processor configured to call a program from a memory so that a device in which the chip is installed performs the method according to any one of claims 1-32.
  69. A computer-readable storage medium, on which a program is stored, the program causing a computer to perform the method according to any one of claims 1-32.
  70. A computer program product, comprising a program that causes a computer to perform the method according to any one of claims 1-32.
  71. A computer program, wherein the computer program causes a computer to perform the method according to any one of claims 1-32.
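
The shared-key derivation of claims 16 and 32, as an added example that is not part of the patent text: each side combines its own NOC private key with the peer's NOC public key, then mixes in both random numbers, both device identifiers and the identification code. The claims name no algorithms, so X25519, HKDF-SHA256, the length-prefixed encoding, the label string and every sample value below are assumptions; NOC parsing and CA verification (claims 5 and 21) are not shown.

```python
import hashlib
import hmac

P = 2**255 - 19                       # X25519 field prime (RFC 7748)
A24 = 121665
BASE_POINT = (9).to_bytes(32, "little")


def x25519(scalar: bytes, u: bytes) -> bytes:
    """RFC 7748 Montgomery ladder. Python integers are not constant-time: demo only."""
    clamped = bytearray(scalar)
    clamped[0] &= 248
    clamped[31] &= 127
    clamped[31] |= 64
    k = int.from_bytes(clamped, "little")
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        bit = (k >> t) & 1
        if swap ^ bit:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = bit
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        da, cb = (x3 - z3) * a % P, (x3 + z3) * b % P
        x3 = pow(da + cb, 2, P)
        z3 = x1 * pow(da - cb, 2, P) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, z2 = x3, z3
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF extract-then-expand (RFC 5869) using only the standard library."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def _length_prefixed(*fields: bytes) -> bytes:
    # Prefix every field with its length so ("phon", "ecar") != ("phone", "car").
    return b"".join(len(f).to_bytes(2, "big") + f for f in fields)


def derive_shared_key(own_noc_priv: bytes, peer_noc_pub: bytes,
                      nonce_1: bytes, nonce_2: bytes,
                      dev_id_1: bytes, dev_id_2: bytes, id_code: bytes) -> bytes:
    """First/second key from the NOC key pairs, then the shared key from all inputs."""
    dh_key = x25519(own_noc_priv, peer_noc_pub)
    if dh_key == bytes(32):
        # A low-order peer key forces a known DH result: refuse to continue.
        raise ValueError("degenerate DH output, peer public key rejected")
    info = _length_prefixed(b"interop-channel-demo", dev_id_1, dev_id_2, id_code)
    return hkdf_sha256(dh_key, salt=_length_prefixed(nonce_1, nonce_2), info=info)


def demo():
    # Constructed sample values: raw key pairs stand in for the NOC key pairs.
    phone_priv = hashlib.sha256(b"constructed terminal NOC private key").digest()
    car_priv = hashlib.sha256(b"constructed vehicle NOC private key").digest()
    phone_pub = x25519(phone_priv, BASE_POINT)
    car_pub = x25519(car_priv, BASE_POINT)
    nonce_1 = hashlib.sha256(b"constructed random number 1").digest()[:16]
    nonce_2 = hashlib.sha256(b"constructed random number 2").digest()[:16]
    context = (nonce_1, nonce_2, b"terminal-01", b"vehicle-01", b"482913")
    key_on_phone = derive_shared_key(phone_priv, car_pub, *context)   # claim 16
    key_on_car = derive_shared_key(car_priv, phone_pub, *context)     # claim 32
    return key_on_phone, key_on_car


if __name__ == "__main__":
    k1, k2 = demo()
    print("both sides derived the same key:", k1 == k2)
```

Because the random numbers and the identification code enter the derivation, a replayed first message or a wrong identification code yields a different channel key even when the NOC key pairs are unchanged.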
PCT/CN2022/096796 2022-06-02 2022-06-02 Method and apparatus for establishing interoperability channel, and chip and storage medium WO2023230979A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
PCT/CN2022/096796 WO2023230979A1 (en) 2022-06-02 2022-06-02 Method and apparatus for establishing interoperability channel, and chip and storage medium

Publications (1)

Publication Number Publication Date
WO2023230979A1 (en) 2023-12-07

Family

ID=89026774

Country Status (1)

Country Link
WO (1) WO2023230979A1 (en)

Legal Events

Date Code Title Description
121 EP: the EPO has been informed by WIPO that EP was designated in this application

Ref document number: 22944309

Country of ref document: EP

Kind code of ref document: A1