WO2023241331A1 - Internet of Things system, authentication and communication method therefor, and related devices - Google Patents

Info

Publication number: WO2023241331A1
Authority: WO (WIPO (PCT))
Prior art keywords: internet, things, device information, authentication, identity
Application number: PCT/CN2023/096285
Other languages: English (en), French (fr)
Inventors: 郑海涛, 于洪达, 王怀亮, 杜洪军, 纪高, 李国旗
Original assignee: 京东方科技集团股份有限公司
Application filed by 京东方科技集团股份有限公司
Publication of WO2023241331A1

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/12 Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks (under H04L67/00 Network arrangements or protocols for supporting network services or applications; H04L67/01 Protocols)
    • H04L63/0281 Proxies (under H04L63/00 Network architectures or network communication protocols for network security; H04L63/02 for separating internal from external traffic, e.g. firewalls)
    • H04L63/0807 Authentication of entities using tickets, e.g. Kerberos (under H04L63/08 Network architectures or network communication protocols for network security for authentication of entities)
    • H04L63/0823 Authentication of entities using certificates (under H04L63/08)
    • H04L9/3263 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements (under H04L9/00 and H04L9/32)

Definitions

  • Embodiments of the present disclosure relate to, but are not limited to, the technical field of the Internet of Things, and in particular to an Internet of Things system, an authentication and communication method therefor, and related devices.
  • A first aspect of this disclosure provides an Internet of Things system, including:
  • an Internet of Things terminal configured to: use the connection certificate of the Internet of Things terminal to establish a connection with a proxy server, and send the device information and authentication identification of the Internet of Things terminal to the proxy server;
  • a proxy server configured to: receive the device information and the authentication identification, and send the device information and the authentication identification to an Internet of Things platform;
  • an Internet of Things platform configured to: receive the device information and the authentication identification, perform identity verification on the Internet of Things terminal according to the device information and the authentication identification, and, in response to the identity verification passing, return a verification success message to the proxy server;
  • the proxy server being further configured to: in response to receiving the verification success message, establish a communication connection with the Internet of Things terminal.
  • A second aspect of this disclosure provides an authentication and communication method for an Internet of Things system, including:
  • the Internet of Things terminal uses its connection certificate to establish a connection with the proxy server, and sends the device information and authentication identification of the Internet of Things terminal to the proxy server;
  • the proxy server receives the device information and the authentication identification, and sends the device information and the authentication identification to the Internet of Things platform;
  • the Internet of Things platform receives the device information and the authentication identification, and performs identity verification on the Internet of Things terminal based on the device information and the authentication identification;
  • in response to the identity verification passing, the Internet of Things platform returns a verification success message to the proxy server;
  • in response to receiving the verification success message, the proxy server establishes a communication connection with the Internet of Things terminal.
  • A third aspect of this disclosure provides an authentication and communication method for an Internet of Things system applied to an Internet of Things terminal, including: using the connection certificate of the Internet of Things terminal to establish a connection with a proxy server, and sending the device information and authentication identification of the Internet of Things terminal to the proxy server, so that the proxy server sends the device information and the authentication identification to an Internet of Things platform and, after the identity verification passes, establishes a communication connection with the Internet of Things terminal.
  • A fourth aspect of this disclosure provides an authentication and communication method for an Internet of Things system applied to a proxy server, including: receiving the device information and authentication identification sent by an Internet of Things terminal, and sending the device information and the authentication identification to an Internet of Things platform, so that the Internet of Things platform performs identity verification on the Internet of Things terminal according to the device information and the authentication identification; and, in response to receiving a verification success message, establishing a communication connection with the Internet of Things terminal.
  • A fifth aspect of this disclosure provides an authentication and communication method for an Internet of Things system applied to an Internet of Things platform, including: receiving the device information and authentication identification sent by an Internet of Things terminal and forwarded by a proxy server, and performing identity verification on the Internet of Things terminal according to the device information and the authentication identification; and, in response to the identity verification passing, returning a verification success message to the proxy server, so that the proxy server, in response to receiving the verification success message, establishes a communication connection with the Internet of Things terminal.
  • A sixth aspect of the present disclosure provides a computer device, including at least one processor and a memory storing a computer program that can be run by the processor, wherein, when the processor executes the program, it implements instructions for the methods described in the second, third, fourth and fifth aspects.
  • A seventh aspect of the present disclosure provides a non-volatile computer-readable storage medium containing a computer program; when the computer program is executed by one or more processors, it causes the processors to perform the methods described in the second, third, fourth and fifth aspects.
  • An eighth aspect of the present disclosure provides a computer program product including computer program instructions; when the computer program instructions are run on a computer, they cause the computer to execute the methods described in the second, third, fourth and fifth aspects.
  • FIG. 1 is a schematic diagram of an Internet of Things system according to an embodiment of the present disclosure.
  • FIG. 2 is a schematic flowchart of an Internet of Things system authentication and communication method according to an embodiment of the present disclosure.
  • FIG. 3 is a schematic diagram of the hardware structure of an exemplary computer device according to an embodiment of the present disclosure.
  • FIG. 1 is a schematic diagram of an Internet of Things system 100 according to an embodiment of the present disclosure.
  • The system 100 may include an IoT terminal 102, a proxy server 104 and an IoT platform 106.
  • The IoT terminal 102 may be any of various IoT terminal devices, such as smart air conditioners and smart all-in-one lights. For ease of illustration only one IoT terminal 102 is shown in FIG. 1; in practice the IoT system 100 may contain more IoT terminals, all of which can use the methods provided by the embodiments of the present disclosure and obtain the corresponding technical effects.
  • The proxy server (Broker) 104 can be configured to provide one or more message queue services, for example a Message Queuing Telemetry Transport (MQTT) service or a Kafka service.
  • A connection can be established between the proxy server 104 and the IoT terminal 102 based on Transport Layer Security (TLS) to ensure communication security.
  • The IoT platform 106 may be configured to provide services related to the IoT system 100, and may further include a device management service 1062 and an identity authentication service 1064.
  • The device management service 1062 can be configured to manage the life cycle of one or more IoT terminals 102 in the system 100, including device registration and device status management.
  • The device management service 1062 can verify device availability based on device information (for example, the product serial number (SN code)), thereby judging the device's availability before its identity is verified. If the device is unavailable, the subsequent verification process need not be performed and a verification failure message can be returned directly, which improves verification efficiency.
  • The identity authentication service 1064 may be configured to manage the device's certificates and to authenticate the device based on those certificates.
  • The IoT terminal 102 can be registered on the IoT platform 106 before leaving the factory.
  • The identity authentication service 1064 can issue two certificates for the IoT terminal 102: a connection certificate 1022 used to establish a communication connection, and an identity certificate 1024 used to verify the identity of the device.
  • The IoT terminal 102 can store these two certificates as factory-preset information and use them for subsequent identity authentication and communication. By relying on the confidentiality of certificates and issuing two certificates to the IoT terminal 102, one certificate authenticates the identity of the device while the other improves the security of the device's private data during the authentication and communication process. The dual-certificate device authentication method therefore improves security.
  • The identity authentication service 1064 may also be used to authenticate the certificates it issues and to manage the issued certificates.
  • The connection certificate 1022 can be used to establish a two-way authenticated secure TLS connection with the proxy server (Broker) 104, and can include a TLS certificate (Cert), a TLS key (Key) and a TLS CA (Certificate Authority) certificate.
  • The identity certificate 1024 can be used to generate an identity challenge code, and can include a certificate (Identity Cert) and a secret key (Identity Key).
  • In the related art, the certificate-based authentication process and the communication establishment process of an IoT terminal are independent of each other.
  • The IoT terminal 102 first has to complete identity verification on the IoT platform 106; only after passing it can the terminal establish a communication connection with the proxy server 104 and then maintain the subsequent communication session using a session or token mechanism. In this process the IoT terminal 102 has to go through multiple rounds of interaction before it can start communicating with the IoT platform 106.
  • Embodiments of the present disclosure therefore provide an authentication and communication method for the IoT system that integrates the identity authentication of the IoT terminal with the connection authentication process of the proxy server, simplifying device authentication and connection.
  • FIG. 2 is a schematic flowchart of an authentication and communication method 200 for an Internet of Things system according to an embodiment of the present disclosure.
  • the method 200 can be applied to the system 100 of Figure 1 and can include the following steps.
  • The IoT terminal 102 can first request identity authentication from the IoT platform 106, for example by sending an identity authentication request.
  • The identity authentication request may include the device information (for example, the SN code) of the IoT terminal 102 and the identity certificate 1024 of the IoT terminal 102.
  • The identity certificate 1024 that is sent may include only its certificate part (Identity Cert), so that the identity authentication service 1064 can verify the Identity Cert against the information it holds.
  • The device management service 1062 may perform device verification on the IoT terminal based on the device information, for example verifying the availability of the IoT terminal.
  • Availability here refers to whether the IoT terminal is a legally registered device in the system 100.
  • The IoT terminal 102 has to be registered on the IoT platform 106 before leaving the factory, so the IoT platform 106 can store the device information provided by the IoT terminal 102 at registration.
  • By searching the device information stored locally on the IoT platform 106, the device management service 1062 can determine whether the device is a legally registered device.
  • If the device is available, the device management service 1062 may send the device information and the identity certificate 1024 (e.g. the Identity Cert) to the identity authentication service 1064.
  • If the device is unavailable, the device management service 1062 can directly return an authentication failure message to the IoT terminal 102 to indicate that registration may not have been completed.
  • The identity authentication service 1064 may authenticate the identity of the IoT terminal according to the device information and the identity certificate. In some embodiments, the identity authentication service 1064 mainly verifies the certificate (Identity Cert) of the identity certificate 1024.
  • If the certificate verification passes, the identity authentication service 1064 can generate a challenge code (Challenge Code) corresponding to the IoT terminal and send it to the IoT terminal 102.
  • A challenge code is also called a challenge password. It generally refers to a set of encrypted passwords generated following the Challenge Handshake Authentication Protocol (CHAP), used to ensure that the user's real password is not leaked during transmission.
  • If the certificate verification fails, the identity authentication service 1064 can directly return a verification failure message to the IoT terminal 102 to indicate that it may be an illegal device.
  • The IoT terminal 102 can use the Identity Key of the identity certificate 1024 to sign the challenge code together with the device information, obtaining an authentication identification (Identify Sign).
  • The IoT terminal 102 can then establish a connection with the proxy server 104 using the connection certificate 1022, and send the device information (for example, the SN code) and the authentication identification of the IoT terminal 102 to the proxy server 104.
  • Step 214 may further include: the IoT terminal 102 may use the connection certificate 1022 to establish a TLS connection with the proxy server 104, thereby improving communication security.
  • The device information may be used as the username (Username) of the TLS connection, and the authentication identification as the password (Secret) of the TLS connection.
  • The device information and the authentication identification can thus be sent to the proxy server 104 while the TLS connection is being established, which improves processing efficiency.
  • In step 216, after the proxy server 104 has established the TLS connection with the IoT terminal 102, it may receive the device information and the authentication identification and send them to the IoT platform 106, for example to the device management service 1062.
  • The proxy server 104 can use the Broker's authentication callback (Callback) mechanism to pass the username (Username) and password (Secret) back to the device management service 1062, so that the proxy server 104 initiates an identity authentication request to the device management service 1062 on behalf of the IoT terminal 102.
  • The IoT platform 106 may receive the device information and the authentication identification, and perform identity verification on the IoT terminal 102 based on the device information and the authentication identification.
  • This step may further include:
  • Step 218: the device management service 1062 may verify the availability of the IoT terminal 102 according to the device information (e.g. the SN code).
  • Step 220: in response to determining that the IoT terminal is available, the device management service 1062 sends the device information and the authentication identification to the identity authentication service 1064 for identity verification. As described above, the authentication identification is derived from the challenge code and the identity verification includes verifying the challenge code, so in some embodiments this step can be regarded as a challenge-based identity verification of the device. If the device is unavailable, the device management service 1062 can directly return an authentication failure message to the IoT terminal 102 to indicate that registration may not have been completed.
  • Step 222: the identity authentication service 1064 may perform identity authentication on the IoT terminal 102 based on the device information and the authentication identification.
  • When the proxy server 104 transmits information to the IoT platform 106, it may send a username (Username) and a password (Secret), where the username is the device information and the password is the authentication identification. The device management service 1062 can therefore use the username to verify the availability of the IoT terminal 102.
  • Step 222 may further include:
  • using the device information to look up the identity certificate and challenge code corresponding to the IoT terminal 102, and then verifying the authentication identification using the retrieved identity certificate and challenge code together with the device information.
  • The certificate (Identity Cert) of the identity certificate 1024 is used to verify the authentication identification against the device information (for example, the SN code) and the challenge code (Challenge Code), thereby completing the identity authentication.
  • In response to the identity verification passing, the IoT platform 106 returns a verification success message to the proxy server 104 to notify the proxy server 104 that the challenge authentication has been completed and the connection authentication has passed.
  • If the identity verification fails, the identity authentication service 1064 can return a verification failure message to the proxy server 104. In response to receiving it, the proxy server 104 can forward the verification failure message to the IoT terminal 102, directly disconnect from the IoT terminal 102, or disconnect after forwarding the verification failure message. This prevents communication with illegal devices and protects system security.
  • The identity authentication service 1064 may also directly return an authentication failure message to the IoT terminal 102 to indicate that it may be an illegal device.
  • In response to receiving the verification success message, the proxy server 104 establishes a communication connection with the IoT terminal 102. The IoT terminal 102 can then communicate with the IoT platform 106 through the proxy server 104 and send and receive messages normally.
  • This embodiment uses the connection authentication callback capability provided by the proxy server (Broker service) to integrate the identity authentication of the IoT terminal with the Broker connection authentication process, simplifying the device authentication and connection process.
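  • The flow of method 200 above (identity authentication request, availability check, challenge code, signed authentication identification, TLS username/password carried to the Broker, Broker authentication callback, verify, connect or disconnect), simulated end to end as an added example. This is not code from the patent or from 京东方科技集团股份有限公司; it is written for illustration and makes three labelled assumptions: HMAC-SHA256 keyed with a per-device identity key stands in for the Identity Key signature checked against the Identity Cert, a Broker allow-list of connection certificate names stands in for the two-way authenticated TLS handshake, and challenge codes are single-use so a captured Secret cannot be replayed (the patent does not state this last point; it is the check a defender would add). The scenario goes beyond the text by also exercising the failure paths: an unregistered SN, a correct certificate with the wrong key, and a replayed Secret.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


def identify_sign(identity_key: bytes, challenge: str, sn: str) -> str:
    """Terminal side: authentication identification (Identify Sign) over challenge || SN.
    HMAC-SHA256 keyed with the identity key stands in for a signature made with the
    Identity Key and checked against the Identity Cert (assumption of this example)."""
    return hmac.new(identity_key, f"{challenge}|{sn}".encode(), hashlib.sha256).hexdigest()


@dataclass
class IoTPlatform:
    """Platform 106: device management service (registry, availability) plus identity
    authentication service (certificate check, challenge issue, signature verification)."""
    registry: dict = field(default_factory=dict)    # sn -> (identity_cert, identity_key)
    challenges: dict = field(default_factory=dict)  # sn -> outstanding challenge code

    def register_device(self, sn: str, identity_cert: str, identity_key: bytes) -> None:
        """Factory-time registration: the platform keeps the device info and certificate."""
        self.registry[sn] = (identity_cert, identity_key)

    def is_available(self, sn: str) -> bool:
        """Device management service: available means a legally registered device."""
        return sn in self.registry

    def identity_auth_request(self, sn: str, identity_cert: str):
        """Availability check, then Identity Cert check, then a fresh challenge code.
        Returns (challenge, status); challenge is None on failure."""
        if not self.is_available(sn):
            return None, "auth_failed: device not registered"
        stored_cert, _ = self.registry[sn]
        if not hmac.compare_digest(stored_cert, identity_cert):
            return None, "auth_failed: identity certificate rejected"
        challenge = secrets.token_hex(16)
        self.challenges[sn] = challenge
        return challenge, "challenge issued"

    def verify_auth_identification(self, username: str, secret: str) -> bool:
        """Steps 218-222 reached through the Broker callback: username = device info,
        secret = authentication identification. The challenge is consumed on first use
        so a captured secret cannot be replayed (assumption; the patent does not say)."""
        if not self.is_available(username):
            return False
        challenge = self.challenges.pop(username, None)
        if challenge is None:
            return False
        _, identity_key = self.registry[username]
        expected = identify_sign(identity_key, challenge, username)
        return hmac.compare_digest(expected, secret)


@dataclass
class Broker:
    """Proxy server 104 whose connection authentication calls back into the platform."""
    platform: IoTPlatform
    trusted_connection_certs: set = field(default_factory=set)  # stand-in for the TLS CA
    connected: set = field(default_factory=set)

    def connect(self, connection_cert: str, username: str, secret: str) -> str:
        # Two-way authenticated TLS stand-in: the terminal's connection certificate
        # must be trusted (modelled as an allow-list of certificate names).
        if connection_cert not in self.trusted_connection_certs:
            return "tls_rejected"
        # Step 216: the authentication callback hands Username/Secret to the platform.
        if self.platform.verify_auth_identification(username, secret):
            self.connected.add(username)
            return "connected"
        return "disconnected"  # verification failure: the Broker drops the connection


@dataclass
class IoTTerminal:
    """Terminal 102 with its factory-preset connection and identity certificates."""
    sn: str
    connection_cert: str
    identity_cert: str
    identity_key: bytes

    def authenticate_and_connect(self, platform: IoTPlatform, broker: Broker) -> str:
        challenge, status = platform.identity_auth_request(self.sn, self.identity_cert)
        if challenge is None:
            return status
        secret = identify_sign(self.identity_key, challenge, self.sn)
        return broker.connect(self.connection_cert, username=self.sn, secret=secret)


def run_demo() -> dict:
    """Constructed scenario: a registered device, an unregistered SN, a device holding
    the right certificate but the wrong key, and a replay of an already-used secret."""
    platform = IoTPlatform()
    broker = Broker(platform, trusted_connection_certs={"conn-cert-A"})
    key_a = secrets.token_bytes(32)
    platform.register_device("SN-A", "id-cert-A", key_a)
    terminals = {
        "good": IoTTerminal("SN-A", "conn-cert-A", "id-cert-A", key_a),
        "unregistered": IoTTerminal("SN-Z", "conn-cert-A", "id-cert-Z", key_a),
        "wrong_key": IoTTerminal("SN-A", "conn-cert-A", "id-cert-A", secrets.token_bytes(32)),
    }
    results = {name: t.authenticate_and_connect(platform, broker) for name, t in terminals.items()}
    challenge, _ = platform.identity_auth_request("SN-A", "id-cert-A")
    secret = identify_sign(key_a, challenge, "SN-A")
    results["replay_first"] = broker.connect("conn-cert-A", "SN-A", secret)
    results["replay_second"] = broker.connect("conn-cert-A", "SN-A", secret)
    return results


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name}: {outcome}")
```

  • The point of the simulation is the single round trip: once the terminal holds a challenge, the Broker's TLS credentials (Username = SN, Secret = Identify Sign) carry everything the platform needs, so the connection handshake and the identity check collapse into one callback. In a real deployment the HMAC stand-in would be replaced by an asymmetric signature verified with the Identity Cert, and the allow-list by proper CA validation of the connection certificate during the TLS handshake.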
  • The methods of the embodiments of the present disclosure may be executed by a single device, such as a computer or server.
  • The method of this embodiment can also be applied in a distributed scenario and completed by multiple devices cooperating with each other.
  • In that case each device may perform only one or more steps of the method of the embodiment of the present disclosure, and the devices interact with each other to complete the method described.
  • Embodiments of the present disclosure also provide an authentication and communication method for an IoT system applied to an IoT terminal, including: using the connection certificate of the IoT terminal to establish a connection with a proxy server, and sending the device information and authentication identification of the IoT terminal to the proxy server, so that the proxy server sends the device information and the authentication identification to the IoT platform, the IoT platform performs identity verification on the IoT terminal according to the device information and the authentication identification, and, after the identity verification passes, the proxy server establishes a communication connection with the IoT terminal.
  • Embodiments of the present disclosure also provide an authentication and communication method for an IoT system applied to a proxy server, including: receiving the device information and authentication identification sent by an IoT terminal, and sending them to the IoT platform so that the IoT platform performs identity verification on the IoT terminal according to the device information and the authentication identification; and, in response to receiving a verification success message, establishing a communication connection with the IoT terminal.
  • Embodiments of the present disclosure also provide an authentication and communication method for an IoT system applied to an IoT platform, including: receiving the device information and authentication identification sent by an IoT terminal and forwarded by a proxy server, and performing identity verification on the IoT terminal according to the device information and the authentication identification; and, in response to the identity verification passing, returning a verification success message to the proxy server so that the proxy server establishes a communication connection with the IoT terminal.
  • FIG. 3 shows a schematic diagram of the hardware structure of an exemplary computer device 300 provided by an embodiment of the present disclosure.
  • The computer device 300 may be used to implement the IoT platform 106 of FIG. 1.
  • The computer device 300 can also be used to implement the IoT terminal 102 and the proxy server 104 of FIG. 1.
  • The computer device 300 may include a processor 302, a memory 304, a network module 306, a peripheral interface 308 and a bus 310.
  • The processor 302, the memory 304, the network module 306 and the peripheral interface 308 communicate with one another within the computer device 300 through the bus 310.
  • The processor 302 may be a central processing unit (CPU), an image processor, a neural network processor (NPU), a microcontroller (MCU), a programmable logic device, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), or one or more integrated circuits.
  • The processor 302 may be used to perform the authentication and communication methods of the IoT system described in the embodiments of the present disclosure.
  • The processor 302 may also include multiple processors integrated into a single logical component; for example, as shown in FIG. 3, the processor 302 may include multiple processors 302a, 302b and 302c.
  • The memory 304 may be configured to store data (e.g. instructions, computer code, etc.). As shown in FIG. 3, the data stored in the memory 304 may include program instructions (for example, program instructions for implementing the methods of embodiments of the present disclosure) and data to be processed (for example, the memory may store configuration files of other modules). The processor 302 may access the program instructions and data stored in the memory 304 and execute the program instructions to operate on the data to be processed. The memory 304 may include volatile storage or non-volatile storage. In some embodiments, the memory 304 may include random access memory (RAM), read-only memory (ROM), optical disks, magnetic disks, hard drives, solid state drives (SSD), flash memory, memory sticks, and the like.
  • Network module 306 may be configured to provide communication to computer device 300 with other external devices via a network.
  • the network can be any wired or wireless network capable of transmitting and receiving data.
  • the network may be a wired network, a local wireless network (eg, Bluetooth, WiFi, Near Field Communication (NFC), etc.), a cellular network, the Internet, or a combination thereof.
  • the type of network is not limited to the above examples.
  • Peripheral interface 308 may be configured to connect computer device 300 with one or more peripheral devices to enable information input and output.
  • peripheral devices may include input devices such as keyboards, mice, touch pads, touch screens, microphones, and various sensors, as well as output devices such as displays, speakers, vibrators, and indicator lights.
  • Bus 310 may be configured to transmit information between various components of computer device 300 (eg, processor 302, memory 304, network module 306, and peripheral interface 308), such as an internal bus (eg, processor-memory bus), an external bus (USB port, PCI-E bus), etc.
  • The architecture of the computer device 300 may also include other components necessary for normal operation.
  • The architecture of the computer device 300 may also include only the components necessary to implement the embodiments of the present disclosure, and need not include all the components shown in the figure.
  • The present disclosure also provides a non-transitory computer-readable storage medium storing computer instructions, the computer instructions being used to cause a computer to execute the method 200 described in any of the above embodiments.
  • Computer-readable media in this embodiment include permanent and non-permanent, removable and non-removable media, and information storage can be implemented by any method or technology.
  • Information may be computer-readable instructions, data structures, program modules or other data. Examples of computer storage media include, but are not limited to, phase change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other memory technology, compact disc read-only memory (CD-ROM), digital versatile disc (DVD), magnetic tape cassettes, magnetic tape or magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information accessible by a computing device.
  • The computer instructions stored in the storage media of the above embodiments are used to cause the computer to execute the method 200 described in any of the above embodiments, and have the beneficial effects of the corresponding method embodiments, which are not repeated here.
  • The present disclosure also provides a computer program product that includes a computer program.
  • The computer program is executable by one or more processors such that the processors perform the method 200.
  • The processor that executes a given step may belong to the corresponding executing entity.
  • The computer program product of the above embodiments is used to cause the processor to execute the method 200 described in any of the above embodiments, and has the beneficial effects of the corresponding method embodiments, which are not repeated here.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Medical Informatics (AREA)
  • Telephonic Communication Services (AREA)

Abstract

An Internet of Things system, an authentication and communication method therefor, and related devices. The Internet of Things system (100) includes: an Internet of Things terminal (102) configured to establish a connection with a proxy server (104) using the connection certificate of the Internet of Things terminal (102), and to send the device information and authentication identification of the Internet of Things terminal (102) to the proxy server (104); a proxy server (104) configured to receive the device information and the authentication identification, and to send the device information and the authentication identification to an Internet of Things platform (106); an Internet of Things platform (106) configured to receive the device information and the authentication identification, perform identity verification on the Internet of Things terminal (102) according to the device information and the authentication identification, and, in response to the identity verification passing, return a verification success message to the proxy server (104); the proxy server (104) being further configured to establish a communication connection with the Internet of Things terminal (102) in response to receiving the verification success message.

Description

Internet of Things system, authentication and communication method thereof, and related devices
This application claims priority to the Chinese patent application filed with the China Patent Office on June 17, 2022, with application number 202210692570.6 and titled "物联网系统及其认证与通信方法、相关设备" (Internet of Things system, authentication and communication method thereof, and related devices), the contents of which are incorporated herein by reference.
Technical Field
Embodiments of the present disclosure relate to, but are not limited to, the technical field of the Internet of Things (IoT), and in particular to an IoT system, an authentication and communication method thereof, and related devices.
Background
At present, the authentication process and the communication establishment process of IoT devices are independent of each other, which results in low operating efficiency.
Summary
The following is an overview of the subject matter described in detail herein. This overview is not intended to limit the scope of protection of the claims.
In a first aspect, the present disclosure provides an IoT system, including:
an IoT terminal configured to: establish a connection with a proxy server using a connection certificate of the IoT terminal, and send device information and an authentication identifier of the IoT terminal to the proxy server;
a proxy server configured to: receive the device information and the authentication identifier, and send the device information and the authentication identifier to an IoT platform;
an IoT platform configured to: receive the device information and the authentication identifier, and perform identity verification on the IoT terminal according to the device information and the authentication identifier; and, in response to the identity verification passing, return a verification success message to the proxy server;
the proxy server being further configured to: in response to receiving the verification success message, establish a communication connection with the IoT terminal.
In a second aspect, the present disclosure provides an authentication and communication method for an IoT system, including:
an IoT terminal establishing a connection with a proxy server using a connection certificate, and sending device information and an authentication identifier of the IoT terminal to the proxy server;
the proxy server receiving the device information and the authentication identifier, and sending the device information and the authentication identifier to an IoT platform;
the IoT platform receiving the device information and the authentication identifier, and performing identity verification on the IoT terminal according to the device information and the authentication identifier;
the IoT platform, in response to the identity verification passing, returning a verification success message to the proxy server;
the proxy server, in response to receiving the verification success message, establishing a communication connection with the IoT terminal.
In a third aspect, the present disclosure provides an authentication and communication method for an IoT system, applied to an IoT terminal, including:
establishing a connection with a proxy server using a connection certificate of the IoT terminal, and sending device information and an authentication identifier of the IoT terminal to the proxy server, so that the proxy server sends the device information and the authentication identifier to an IoT platform, and so that, after identity verification passes, the proxy server establishes a communication connection with the IoT terminal.
In a fourth aspect, the present disclosure provides an authentication and communication method for an IoT system, applied to a proxy server, including:
receiving device information and an authentication identifier sent by an IoT terminal, and sending the device information and the authentication identifier to an IoT platform, so that the IoT platform performs identity verification on the IoT terminal according to the device information and the authentication identifier; and, in response to receiving a verification success message, establishing a communication connection with the IoT terminal.
In a fifth aspect, the present disclosure provides an authentication and communication method for an IoT system, applied to an IoT platform, including:
receiving device information and an authentication identifier that were sent by an IoT terminal and forwarded by a proxy server, and performing identity verification on the IoT terminal according to the device information and the authentication identifier; and, in response to the identity verification passing, returning a verification success message to the proxy server, so that the proxy server, in response to receiving the verification success message, establishes a communication connection with the IoT terminal.
In a sixth aspect, the present disclosure provides a computer device, including at least one processor, and a memory storing a computer program executable on the processor, wherein the processor, when executing the program, implements the method of the second, third, fourth or fifth aspect.
In a seventh aspect, the present disclosure provides a non-volatile computer-readable storage medium containing a computer program which, when executed by one or more processors, causes the processors to perform the method of the second, third, fourth or fifth aspect.
In an eighth aspect, the present disclosure provides a computer program product including computer program instructions which, when run on a computer, cause the computer to perform the method of the second, third, fourth or fifth aspect.
Other aspects will become apparent upon reading and understanding the drawings and the detailed description.
Brief Description of the Drawings
To illustrate the technical solutions of the present disclosure or the related art more clearly, the drawings needed in the description of the embodiments or the related art are briefly introduced below. Obviously, the drawings described below are merely embodiments of the present disclosure, and a person of ordinary skill in the art could obtain other drawings from them without creative effort.
FIG. 1 is a schematic diagram of an IoT system according to an embodiment of the present disclosure.
FIG. 2 is a schematic flowchart of an authentication and communication method for an IoT system according to an embodiment of the present disclosure.
FIG. 3 is a schematic diagram of the hardware structure of an exemplary computer device according to an embodiment of the present disclosure.
Detailed Description
The present disclosure is further described in detail below with reference to the embodiments and the drawings.
Unless otherwise defined, technical or scientific terms used in the embodiments of the present disclosure have the ordinary meaning understood by a person of ordinary skill in the art to which the present disclosure belongs. The words "first", "second" and the like used in the embodiments do not denote any order, quantity or importance, but are used only to distinguish different components. Words such as "include" or "comprise" mean that the element or item preceding the word covers the elements or items listed after the word and their equivalents, without excluding other elements or items. Words such as "connected" or "coupled" are not limited to physical or mechanical connections, but may include electrical connections, whether direct or indirect. "Upper", "lower", "left", "right" and the like are used only to indicate relative positional relationships; when the absolute position of the described object changes, the relative positional relationship may change accordingly.
FIG. 1 is a schematic diagram of an IoT system 100 according to an embodiment of the present disclosure.
As shown in FIG. 1, the system 100 may include an IoT terminal 102, a proxy server 104 and an IoT platform 106.
The IoT terminal 102 may be any of various IoT terminal devices, for example, a smart air conditioner, a smart all-in-one lamp, and so on. For convenience of illustration, only one IoT terminal 102 is shown in FIG. 1; in practice, the IoT system 100 may contain more IoT terminals, all of which may use the method provided by the embodiments of the present disclosure and obtain the corresponding technical effects.
The proxy server (broker) 104 may be configured to provide one or more message queue services, for example, a Message Queuing Telemetry Transport (MQTT) service, a Kafka service, and so on. In some embodiments, the connection between the proxy server 104 and the IoT terminal 102 may be established on the basis of the Transport Layer Security (TLS) protocol, so as to secure the communication.
The IoT platform 106 may be configured to provide services related to the IoT system 100, and may further include a device management service 1062 and an identity authentication service 1064.
The device management service 1062 may be configured to manage the lifecycle of one or more IoT terminals 102 in the system 100, including device registration, device state management and the like. In some embodiments, the device management service 1062 may verify device availability on the basis of device information (for example, the product serial number, SN), so that availability is judged before identity verification; if the device is unavailable, the subsequent verification steps may be skipped and a verification failure message returned directly, which improves verification efficiency.
The identity authentication service 1064 may be configured to manage device certificates and to verify device identity on the basis of certificates.
As the number of IoT devices in daily life keeps growing, and given the complexity of the Internet communication environment, people attach more and more importance to the security of private devices. The IoT device authentication methods of some embodiments (for example, performing device identity authentication directly with the device's intrinsic information, such as the SN or the MAC address) carry a high risk of leaking key device information.
In view of this, in some embodiments, the IoT terminal 102 may be registered on the IoT platform 106 before leaving the factory. Once the IoT terminal 102 is registered successfully, the identity authentication service 1064 may issue two certificates for it: a connection certificate 1022 for establishing the communication connection and an identity certificate 1024 for verifying the device identity. The IoT terminal 102 may store these two certificates as factory-preset information and use them for subsequent identity authentication and communication. In this way, by relying on the confidentiality of certificates and issuing two certificates to the IoT terminal 102, one certificate authenticates the device identity while the other improves the security of the device's private data during the authentication and communication process. This dual-certificate device authentication method therefore improves security.
In some embodiments, besides issuing certificates, the identity authentication service 1064 may also be used to authenticate the certificates it has issued and to manage the issued certificates.
In some embodiments, the connection certificate 1022 may be used to establish a mutually authenticated Transport Layer Security (TLS) connection with the proxy server (broker) 104, and may include a TLS certificate (Cert), a TLS key (Key) and a TLS Certificate Authority (CA) certificate.
In some embodiments, the identity certificate 1024 may be used to generate the identity challenge code, and may include a certificate (Identity Cert) and a key (Identity Key).
The certificate-based authentication process and the communication establishment process of an IoT terminal are independent of each other. For example, when establishing communication, the IoT terminal 102 must first pass identity verification on the IoT platform 106; only after identity verification passes can it establish a communication connection with the proxy server 104, after which the communication session is maintained with a session or token. It can be seen that, in this process, the IoT terminal 102 has to perform several rounds of interaction before it can start communicating with the IoT platform 106.
In view of this, embodiments of the present disclosure provide an authentication and communication method for an IoT system, which merges the identity authentication of the IoT terminal with its connection authentication to the proxy server and thereby simplifies the device authentication and connection flow.
FIG. 2 is a schematic flowchart of an authentication and communication method 200 for an IoT system according to an embodiment of the present disclosure.
As shown in FIG. 2, the method 200 may be applied to the system 100 of FIG. 1 and may include the following steps.
In the initial state, as shown in FIG. 2, in some embodiments, at step 202 the IoT terminal 102 may first apply to the IoT platform 106 for identity authentication, for example by sending an identity authentication request, which may include the device information (for example, the SN) of the IoT terminal 102 and the identity certificate 1024 of the IoT terminal 102. In some embodiments, the identity certificate 1024 that is sent may include only the certificate Identity Cert of the identity certificate 1024, so that the identity authentication service 1064 can verify the certificate Identity Cert against the information it holds.
At step 204, the device management service 1062 may perform device verification on the IoT terminal on the basis of the device information, for example, verifying the availability of the IoT terminal. Availability here may mean, for example, whether the IoT terminal is a legitimately registered device in the system 100. As described above, the IoT terminal 102 has to be registered on the IoT platform 106 before leaving the factory, so the IoT platform 106 may store the device information that the IoT terminal 102 provided at registration, and the device management service 1062 can determine whether the device is legitimately registered by looking up the device information stored locally on the IoT platform 106.
At step 206, in response to determining that the IoT terminal 102 is an available device, the device management service 1062 may send the device information and the identity certificate 1024 (for example, the Identity Cert) to the identity authentication service 1064. When the device is unavailable, the device management service 1062 may directly return an authentication failure message to the IoT terminal 102 to indicate that it may not have completed registration.
At step 208, the identity authentication service 1064 may perform identity verification on the IoT terminal according to the device information and the identity certificate. In some embodiments, the identity authentication service 1064 mainly checks the certificate Identity Cert of the identity certificate 1024.
At step 210, in response to the identity verification passing (for example, the certificate check succeeding), the identity authentication service 1064 may generate a challenge code corresponding to the IoT terminal and send the challenge code to the IoT terminal 102. A challenge code, also called a challenge password, generally refers to a set of encrypted passwords generated following the Challenge Handshake Authentication Protocol (CHAP), used to ensure that the user's real password is not disclosed during transmission. When identity verification fails, the identity authentication service 1064 may directly return a verification failure message to the IoT terminal 102 to indicate that it may be an illegitimate device.
At step 212, the IoT terminal 102 may sign the challenge code and the device information with the key Identity Key of the identity certificate 1024 to obtain the authentication identifier (Identify Sign).
At step 214, the IoT terminal 102 may establish a connection with the proxy server 104 using the connection certificate 1022, and send the device information (for example, the SN) and the authentication identifier of the IoT terminal 102 to the proxy server 104.
In some embodiments, step 214 may further include: the IoT terminal 102 establishing a TLS connection with the proxy server 104 using the connection certificate 1022, which improves communication security.
In some embodiments, the device information may serve as the username of the TLS connection and the authentication identifier may serve as the password (secret) of the TLS connection. In this way, the device information and the authentication identifier can be sent to the proxy server 104 while the TLS connection is being established, which improves processing efficiency.
At step 216, after establishing the TLS connection with the IoT terminal 102, the proxy server 104 may receive the device information and the authentication identifier and send them to the IoT platform 106, for example, to the device management service 1062.
In some embodiments, the proxy server 104 may use the broker's authentication callback mechanism to pass the username and the password (secret) back to the device management service 1062 through an authentication callback, so that the proxy server 104 initiates the identity authentication request to the device management service 1062 on behalf of the IoT terminal 102.
Next, the IoT platform 106 may receive the device information and the authentication identifier and perform identity verification on the IoT terminal 102 according to the device information and the authentication identifier.
In some embodiments, this step may further include:
Step 218: the device management service 1062 may verify the availability of the IoT terminal 102 according to the device information (for example, the SN).
Step 220: in response to determining that the IoT terminal is available, the device management service 1062 sends the device information and the authentication identifier to the identity authentication service 1064 for identity verification. As described above, the authentication identifier is derived from the challenge code, so this identity verification includes verification of the challenge code; in some embodiments this step may therefore be regarded as challenge-based identity verification of the device. When the device is unavailable, the device management service 1062 may directly return an authentication failure message to the IoT terminal 102 to indicate that it may not have completed registration.
Step 222: the identity authentication service 1064 may perform identity verification on the IoT terminal 102 according to the device information and the authentication identifier.
Since the preceding steps are implemented through the broker's authentication callback mechanism, what the proxy server 104 sends when passing information to the IoT platform 106 may be the username and the password (secret), where the username is the device information and the password (secret) is the authentication identifier. The device management service 1062 may thus use the username to verify the availability of the IoT terminal 102.
In some embodiments, step 222 may further include:
looking up the identity certificate and the challenge code corresponding to the IoT terminal 102 using the device information; then verifying the authentication identifier using the retrieved identity certificate and challenge code together with the device information. For example, the signature of the authentication identifier is verified with the certificate (Identify Cert) of the identity certificate 1024 over the device information (for example, the SN) and the challenge code, which completes the identity authentication.
At step 220, in response to the identity verification passing, the IoT platform 106 returns a verification success message to the proxy server 104 to notify the proxy server 104 that the challenge authentication is complete and the connection authentication has passed. When identity verification fails, the identity authentication service 1064 may return a verification failure message to the proxy server 104; in response to receiving the verification failure message, the proxy server 104 may feed the verification failure message back to the IoT terminal 102, or directly disconnect from the IoT terminal 102, or disconnect from the IoT terminal 102 after feeding the verification failure message back to it. This avoids communicating with illegitimate devices and prevents the security of the system from being compromised.
In some embodiments, the identity authentication service 1064 may also directly return a verification failure message to the IoT terminal 102 to indicate that it may be an illegitimate device.
At step 222, in response to receiving the verification success message, the proxy server 104 establishes a communication connection with the IoT terminal 102. Thereafter, the IoT terminal 102 can communicate with the IoT platform 106 through the proxy server 104 and send and receive messages normally.
By using the connection authentication callback capability provided by the proxy server (broker service), embodiments of the present disclosure merge the identity authentication of the IoT terminal with the broker connection authentication process, which simplifies the device authentication and connection flow.
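The flow of method 200 above, written out end to end as an added example (illustrative code, not code from the patent or its assignee). It assumes that the identity certificate is represented by an Ed25519 public key rather than an X.509 certificate, that the TLS connection and the broker's authentication callback are modelled as in-process function calls, and that the serial number `SN-EXAMPLE-0001` is a constructed sample value; it also adds one behaviour the patent does not state, namely that each challenge code is discarded after one verification so that a captured username/password pair is not accepted a second time. The terminal's side is `MakeAuthSign` (step 212); the platform's side is `RequestChallenge` (steps 202 to 210) and `AuthCallback` (steps 216 to 222), the latter receiving exactly the TLS username (SN) and password (authentication identifier) that the broker forwards.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
)

// Platform stands in for IoT platform 106: registered is the device management
// service's registry (SN -> Identity Cert), challenges the identity authentication
// service's outstanding challenge codes. Assumption: Identity Cert = Ed25519 key.
type Platform struct {
	registered map[string]ed25519.PublicKey
	challenges map[string][]byte
}

func NewPlatform() *Platform { return &Platform{map[string]ed25519.PublicKey{}, map[string][]byte{}} }

// Register models the pre-shipment registration of the SN and its Identity Cert.
func (p *Platform) Register(sn string, identityCert ed25519.PublicKey) { p.registered[sn] = identityCert }

// RequestChallenge covers steps 202-210: availability check on the SN, check of
// the presented Identity Cert, then a fresh random challenge code for this SN.
func (p *Platform) RequestChallenge(sn string, identityCert ed25519.PublicKey) ([]byte, error) {
	cert, ok := p.registered[sn]
	if !ok {
		return nil, errors.New("authentication failed: device not registered")
	}
	if !cert.Equal(identityCert) {
		return nil, errors.New("authentication failed: identity certificate mismatch")
	}
	challenge := make([]byte, 32)
	rand.Read(challenge) // crypto/rand: 32 random bytes as the challenge code
	p.challenges[sn] = challenge
	return challenge, nil
}

// payload is the byte string signed in step 212: challenge code || SN.
func payload(challenge []byte, sn string) []byte { return append(append([]byte{}, challenge...), sn...) }

// MakeAuthSign is step 212 on the terminal: sign (challenge || SN) with the Identity
// Key; the base64 result is the authentication identifier, later sent as the TLS
// password with the SN as the TLS username.
func MakeAuthSign(identityKey ed25519.PrivateKey, challenge []byte, sn string) string {
	return base64.StdEncoding.EncodeToString(ed25519.Sign(identityKey, payload(challenge, sn)))
}

// AuthCallback is what the broker's authentication callback delivers to the platform
// (steps 216-222): username = SN, password = authentication identifier. The challenge
// is consumed on first use so a captured password cannot be presented twice (an
// addition of this example, not a requirement stated in the patent).
func (p *Platform) AuthCallback(username, password string) bool {
	cert, ok := p.registered[username]
	if !ok {
		return false // step 218: not a registered device
	}
	challenge, ok := p.challenges[username]
	if !ok {
		return false // no outstanding challenge for this SN
	}
	delete(p.challenges, username)
	sig, err := base64.StdEncoding.DecodeString(password)
	if err != nil {
		return false
	}
	return ed25519.Verify(cert, payload(challenge, username), sig) // step 222
}

// BrokerConnect is the broker's decision: a session exists only once the platform
// reports success; otherwise the client is dropped.
func BrokerConnect(p *Platform, username, password string) (string, error) {
	if !p.AuthCallback(username, password) {
		return "", errors.New("verification failed: connection closed")
	}
	return "session established for " + username, nil
}

// RunFlow drives method 200 for a constructed device and then checks two failure
// cases: a replayed password and a password signed with a foreign key.
func RunFlow() (session string, replayRejected, forgedRejected bool, err error) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	sn := "SN-EXAMPLE-0001" // constructed sample serial number
	p := NewPlatform()
	p.Register(sn, pub)
	challenge, err := p.RequestChallenge(sn, pub)
	if err != nil {
		return "", false, false, err
	}
	authSign := MakeAuthSign(priv, challenge, sn)
	session, err = BrokerConnect(p, sn, authSign)  // genuine terminal: accepted
	_, replayErr := BrokerConnect(p, sn, authSign) // same password again: challenge consumed
	_, foreignKey, _ := ed25519.GenerateKey(rand.Reader)
	challenge, _ = p.RequestChallenge(sn, pub)
	_, forgedErr := BrokerConnect(p, sn, MakeAuthSign(foreignKey, challenge, sn))
	return session, replayErr != nil, forgedErr != nil, err
}

func main() { fmt.Println(RunFlow()) }
```

`RunFlow` returns the broker's session result for the genuine terminal and whether the replayed and the forged authentication identifiers were refused. The point worth taking from it is that the platform never compares the password against a stored secret: it rebuilds the signed payload (challenge || SN) from its own records and verifies the signature with the certificate registered for that SN, so the only secret that matters is the Identity Key, which never leaves the terminal.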
The method of the embodiments of the present disclosure may be performed by a single device, for example a computer or a server. The method of this embodiment may also be applied in a distributed scenario and completed by multiple devices cooperating with one another. In such a distributed scenario, one of the multiple devices may perform only one or more of the steps of the method, and the multiple devices interact with one another to complete the method.
Some embodiments of the present disclosure have been described above. Other embodiments fall within the scope of the appended claims. In some cases, the actions or steps recited in the claims may be performed in an order different from that of the embodiments above and still achieve the desired results. In addition, the processes depicted in the drawings do not necessarily require the particular order shown, or a sequential order, to achieve the desired results. In certain implementations, multitasking and parallel processing are also possible or may be advantageous.
Embodiments of the present disclosure also provide an authentication and communication method for an IoT system, applied to an IoT terminal, including: establishing a connection with a proxy server using a connection certificate of the IoT terminal, and sending device information and an authentication identifier of the IoT terminal to the proxy server, so that the proxy server sends the device information and the authentication identifier to an IoT platform, so that the IoT platform performs identity verification on the IoT terminal according to the device information and the authentication identifier, and so that, after identity verification passes, the proxy server establishes a communication connection with the IoT terminal.
Embodiments of the present disclosure also provide an authentication and communication method for an IoT system, applied to a proxy server, including:
receiving device information and an authentication identifier sent by an IoT terminal, and sending the device information and the authentication identifier to an IoT platform, so that the IoT platform performs identity verification on the IoT terminal according to the device information and the authentication identifier; and, in response to receiving a verification success message, establishing a communication connection with the IoT terminal.
Embodiments of the present disclosure also provide an authentication and communication method for an IoT system, applied to an IoT platform, including:
receiving device information and an authentication identifier that were sent by an IoT terminal and forwarded by a proxy server, and performing identity verification on the IoT terminal according to the device information and the authentication identifier; and, in response to the identity verification passing, returning a verification success message to the proxy server, so that the proxy server, in response to receiving the verification success message, establishes a communication connection with the IoT terminal.
Embodiments of the present disclosure also provide a computer device for implementing the method 200 described above. FIG. 3 is a schematic diagram of the hardware structure of an exemplary computer device 300 provided by an embodiment of the present disclosure. The computer device 300 may be used to implement the IoT platform 106 of FIG. 1. In some scenarios, the computer device 300 may also be used to implement the IoT terminal 102 and the proxy server 104 of FIG. 1.
As shown in FIG. 3, the computer device 300 may include a processor 302, a memory 304, a network module 306, a peripheral interface 308 and a bus 310. The processor 302, the memory 304, the network module 306 and the peripheral interface 308 are communicatively connected to one another inside the computer device 300 through the bus 310.
The processor 302 may be a central processing unit (CPU), a graphics processor, a neural network processor (NPU), a microcontroller (MCU), a programmable logic device, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), or one or more integrated circuits. The processor 302 may be used to execute the authentication and communication method for an IoT system described in the embodiments of the present disclosure. In some embodiments, the processor 302 may also include multiple processors integrated into a single logical component. For example, as shown in FIG. 3, the processor 302 may include multiple processors 302a, 302b and 302c.
The memory 304 may be configured to store data (for example, instructions, computer code, etc.). As shown in FIG. 3, the data stored in the memory 304 may include program instructions (for example, program instructions for implementing the method of the embodiments of the present disclosure) and data to be processed (for example, the memory may store configuration files of other modules, etc.). The processor 302 may also access the program instructions and data stored in the memory 304 and execute the program instructions to operate on the data to be processed. The memory 304 may include volatile or non-volatile storage devices. In some embodiments, the memory 304 may include random access memory (RAM), read-only memory (ROM), optical discs, magnetic disks, hard disks, solid-state drives (SSD), flash memory, memory sticks, and the like.
The network module 306 may be configured to provide the computer device 300 with communication with other external devices via a network. The network may be any wired or wireless network capable of transmitting and receiving data. For example, the network may be a wired network, a local wireless network (for example, Bluetooth, WiFi, near-field communication (NFC), etc.), a cellular network, the Internet, or a combination thereof. The type of network is not limited to the examples above.
The peripheral interface 308 may be configured to connect the computer device 300 with one or more peripheral devices for information input and output. For example, the peripheral devices may include input devices such as keyboards, mice, touchpads, touchscreens, microphones and various sensors, and output devices such as displays, speakers, vibrators and indicator lights.
The bus 310 may be configured to transfer information between the components of the computer device 300 (for example, the processor 302, the memory 304, the network module 306 and the peripheral interface 308), and may be an internal bus (for example, a processor-memory bus), an external bus (a USB port, a PCI-E bus), or the like.
Although the architecture of the computer device 300 described above shows only the processor 302, the memory 304, the network module 306, the peripheral interface 308 and the bus 310, in implementation the architecture of the computer device 300 may also include other components necessary for normal operation. Furthermore, the architecture of the computer device 300 may also include only the components necessary to implement the solutions of the embodiments of the present disclosure, without including all of the components shown in the figure.
Corresponding to the method of any of the embodiments above, the present disclosure also provides a non-transitory computer-readable storage medium storing computer instructions which cause the computer to perform the method 200 of any of the embodiments above.
The computer-readable medium of this embodiment includes permanent and non-permanent, removable and non-removable media, and information storage may be implemented by any method or technology. The information may be computer-readable instructions, data structures, program modules or other data. Examples of computer storage media include, but are not limited to, phase-change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other memory technologies, compact disc read-only memory (CD-ROM), digital versatile discs (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information accessible by a computing device.
The computer instructions stored in the storage medium of the embodiments above cause the computer to perform the method 200 of any of the embodiments above, and have the beneficial effects of the corresponding method embodiments, which are not repeated here.
Corresponding to the method 200 of any of the embodiments above, the present disclosure also provides a computer program product including a computer program. In some embodiments, the computer program is executable by one or more processors so that the processors perform the method 200. Corresponding to the executing entity of each step in the embodiments of the method 200, the processor that executes a given step may belong to the corresponding executing entity.
The computer program product of the embodiments above causes the processor to perform the method 200 of any of the embodiments above, and has the beneficial effects of the corresponding method embodiments, which are not repeated here.
A person of ordinary skill in the art should understand that the discussion of any of the embodiments above is merely illustrative and is not intended to imply that the scope of the present disclosure (including the claims) is limited to these examples. Within the spirit of the present disclosure, the technical features of the embodiments above or of different embodiments may also be combined, the steps may be performed in any order, and there exist many other variations of the different aspects of the embodiments of the present disclosure as described above, which are not provided in detail for the sake of brevity.
In addition, to simplify the description and discussion, and so as not to obscure the embodiments of the present disclosure, the well-known power/ground connections to integrated circuit (IC) chips and other components may or may not be shown in the drawings provided. Furthermore, devices may be shown in block diagram form to avoid obscuring the embodiments of the present disclosure, which also takes into account the fact that details of the implementation of these block-diagram devices depend heavily on the platform on which the embodiments are to be implemented (that is, these details should be well within the understanding of a person skilled in the art). Where details (for example, circuits) have been set forth to describe exemplary embodiments of the present disclosure, it will be apparent to a person skilled in the art that the embodiments can be practiced without these details or with variations of them. Accordingly, these descriptions should be regarded as illustrative rather than restrictive.
Although the present disclosure has been described in conjunction with its embodiments, many alternatives, modifications and variations of these embodiments will be apparent to a person of ordinary skill in the art from the foregoing description. For example, other memory architectures (for example, dynamic RAM (DRAM)) may use the embodiments discussed.
The embodiments of the present disclosure are intended to cover all such alternatives, modifications and variations that fall within the broad scope of the appended claims. Therefore, any omission, modification, equivalent substitution, improvement and the like made within the spirit and principles of the embodiments of the present disclosure shall be included within the scope of protection of the present disclosure.

Claims (20)

  1. An Internet of Things (IoT) system, comprising:
    an IoT terminal configured to: establish a connection with a proxy server using a connection certificate of the IoT terminal, and send device information and an authentication identifier of the IoT terminal to the proxy server;
    a proxy server configured to: receive the device information and the authentication identifier, and send the device information and the authentication identifier to an IoT platform;
    an IoT platform configured to: receive the device information and the authentication identifier, and perform identity verification on the IoT terminal according to the device information and the authentication identifier; and, in response to the identity verification passing, return a verification success message to the proxy server;
    the proxy server being further configured to: in response to receiving the verification success message, establish a communication connection with the IoT terminal.
  2. The IoT system of claim 1, wherein the IoT platform comprises a device management service and an identity authentication service;
    the device management service is configured to: verify the availability of the IoT terminal according to the device information, and, in response to determining that the IoT terminal is available, send the device information and the authentication identifier to the identity authentication service;
    the identity authentication service is configured to: perform identity verification on the IoT terminal according to the device information and the authentication identifier.
  3. The IoT system of claim 2, wherein
    the IoT terminal is further configured to: send an identity authentication request to the IoT platform, the identity authentication request comprising the device information and an identity certificate of the IoT terminal;
    the device management service is configured to: verify the availability of the IoT terminal according to the device information, and, in response to determining that the IoT terminal is available, send the device information and the identity certificate to the identity authentication service;
    the identity authentication service is configured to: perform identity verification on the IoT terminal according to the device information and the identity certificate, and, in response to the identity verification passing, generate a challenge code corresponding to the IoT terminal and send the challenge code to the IoT terminal.
  4. The IoT system of claim 3, wherein the IoT terminal is further configured to: sign the challenge code and the device information with the key of the identity certificate to obtain the authentication identifier.
  5. The IoT system of claim 4, wherein the identity authentication service is further configured to:
    look up the identity certificate and the challenge code corresponding to the IoT terminal using the device information;
    verify the authentication identifier using the retrieved identity certificate and challenge code together with the device information;
    in response to the authentication identifier being verified, return the verification success message to the proxy server.
  6. The IoT system of claim 5, wherein the identity authentication service is further configured to: in response to the authentication identifier failing verification, return a verification failure message to the proxy server;
    the proxy server is further configured to: in response to receiving the verification failure message, feed the verification failure message back to the IoT terminal and/or disconnect from the IoT terminal.
  7. The IoT system of any one of claims 1 to 6, wherein the IoT terminal is further configured to:
    establish a TLS connection with the proxy server using the connection certificate;
    wherein the device information serves as the username of the TLS connection and the authentication identifier serves as the password of the TLS connection.
  8. An authentication and communication method for an IoT system, comprising:
    an IoT terminal establishing a connection with a proxy server using a connection certificate, and sending device information and an authentication identifier of the IoT terminal to the proxy server;
    the proxy server receiving the device information and the authentication identifier, and sending the device information and the authentication identifier to an IoT platform;
    the IoT platform receiving the device information and the authentication identifier, and performing identity verification on the IoT terminal according to the device information and the authentication identifier;
    the IoT platform, in response to the identity verification passing, returning a verification success message to the proxy server;
    the proxy server, in response to receiving the verification success message, establishing a communication connection with the IoT terminal.
  9. The method of claim 8, wherein the IoT platform comprises a device management service and an identity authentication service, and the IoT platform receiving the device information and the authentication identifier and performing identity verification on the IoT terminal according to the device information and the authentication identifier comprises:
    the device management service verifying the availability of the IoT terminal according to the device information, and, in response to determining that the IoT terminal is available, sending the device information and the authentication identifier to the identity authentication service;
    the identity authentication service performing identity verification on the IoT terminal according to the device information and the authentication identifier.
  10. The method of claim 9, further comprising:
    the IoT terminal sending an identity authentication request to the IoT platform, the identity authentication request comprising the device information and an identity certificate of the IoT terminal;
    the device management service verifying the availability of the IoT terminal according to the device information, and, in response to determining that the IoT terminal is available, sending the device information and the identity certificate to the identity authentication service;
    the identity authentication service performing identity verification on the IoT terminal according to the device information and the identity certificate, and, in response to the identity verification passing, generating a challenge code corresponding to the IoT terminal and sending the challenge code to the IoT terminal.
  11. The method of claim 10, further comprising:
    the IoT terminal signing the challenge code and the device information with the key of the identity certificate to obtain the authentication identifier.
  12. The method of claim 11, wherein the identity authentication service performing identity verification on the IoT terminal according to the device information and the identity certificate comprises:
    looking up the identity certificate and the challenge code corresponding to the IoT terminal using the device information;
    verifying the authentication identifier using the retrieved identity certificate and challenge code together with the device information.
  13. The method of claim 12, further comprising:
    the identity authentication service, in response to the authentication identifier failing verification, returning a verification failure message to the proxy server;
    the proxy server, in response to receiving the verification failure message, feeding the verification failure message back to the IoT terminal and/or disconnecting from the IoT terminal.
  14. The method of any one of claims 8 to 13, wherein the IoT terminal establishing a connection with the proxy server using the connection certificate comprises:
    establishing a TLS connection with the proxy server using the connection certificate;
    wherein the device information serves as the username of the TLS connection and the authentication identifier serves as the password of the TLS connection.
  15. An authentication and communication method for an IoT system, applied to an IoT terminal, comprising:
    establishing a connection with a proxy server using a connection certificate of the IoT terminal, and sending device information and an authentication identifier of the IoT terminal to the proxy server, so that the proxy server sends the device information and the authentication identifier to an IoT platform, and so that, after identity verification passes, the proxy server establishes a communication connection with the IoT terminal.
  16. An authentication and communication method for an IoT system, applied to a proxy server, comprising:
    receiving device information and an authentication identifier sent by an IoT terminal, and sending the device information and the authentication identifier to an IoT platform, so that the IoT platform performs identity verification on the IoT terminal according to the device information and the authentication identifier; and, in response to receiving a verification success message, establishing a communication connection with the IoT terminal.
  17. An authentication and communication method for an IoT system, applied to an IoT platform, comprising:
    receiving device information and an authentication identifier that were sent by an IoT terminal and forwarded by a proxy server, and performing identity verification on the IoT terminal according to the device information and the authentication identifier; and, in response to the identity verification passing, returning a verification success message to the proxy server, so that the proxy server, in response to receiving the verification success message, establishes a communication connection with the IoT terminal.
  18. A computer device, comprising at least one processor, and a memory storing a computer program executable on the processor, wherein the processor, when executing the program, implements the method of any one of claims 8 to 13 and 15 to 17.
  19. A non-volatile computer-readable storage medium containing a computer program which, when executed by one or more processors, causes the processors to perform the method of any one of claims 8 to 13 and 15 to 17.
  20. A computer program product, comprising computer program instructions which, when run on a computer, cause the computer to perform the method of any one of claims 8 to 13 and 15 to 17.
PCT/CN2023/096285 2022-06-17 2023-05-25 Internet of Things system, authentication and communication method thereof, and related devices WO2023241331A1 (zh)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202210692570.6A CN115065703B (zh) 2022-06-17 2022-06-17 Internet of Things system, authentication and communication method thereof, and related devices
CN202210692570.6 2022-06-17

Publications (1)

Publication Number Publication Date
WO2023241331A1 true WO2023241331A1 (zh) 2023-12-21

Family

ID=83202871

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2023/096285 WO2023241331A1 (zh) 2022-06-17 2023-05-25 Internet of Things system, authentication and communication method thereof, and related devices

Country Status (2)

Country Link
CN (1) CN115065703B (zh)
WO (1) WO2023241331A1 (zh)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115065703B (zh) * 2022-06-17 2024-07-16 京东方科技集团股份有限公司 Internet of Things system, authentication and communication method thereof, and related devices
WO2024138322A1 (zh) * 2022-12-26 2024-07-04 京东方科技集团股份有限公司 Processor, information authentication system and information authentication method
CN118300832B (zh) * 2024-03-28 2024-10-11 广州市平可捷信息科技有限公司 Multi-device access platform processing method and system

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20180338242A1 (en) * 2017-05-17 2018-11-22 Verizon Patent And Licensing Inc. HARDWARE IDENTIFICATION-BASED SECURITY AUTHENTICATION SERVICE FOR IoT DEVICES
CN113098863A (zh) * 2021-03-31 2021-07-09 郑州信大捷安信息技术股份有限公司 IoT dual authentication method and system based on the TLS+MQTT protocol
CN113794729A (zh) * 2021-09-17 2021-12-14 上海仙塔智能科技有限公司 Communication processing method and apparatus for AVP devices, electronic device and medium
CN114124451A (zh) * 2021-10-15 2022-03-01 杭州安恒信息技术股份有限公司 IoT device data processing method, system and computer storage medium
CN115065703A (zh) * 2022-06-17 2022-09-16 京东方科技集团股份有限公司 Internet of Things system, authentication and communication method thereof, and related devices

Family Cites Families (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8091124B2 (en) * 2007-02-23 2012-01-03 Microsoft Corporation Caching public objects with private connections
US20090126001A1 (en) * 2007-11-08 2009-05-14 Microsoft Corporation Techniques to manage security certificates
MY166564A (en) * 2013-04-25 2018-07-16 Mimos Berhad A system and method for privacy management for internet of things services
KR102010488B1 (ko) * 2015-07-22 2019-08-13 주식회사 케이티 Secure IoT terminal remote access system and method, and IP address allocation method
WO2017176051A1 (ko) * 2016-04-06 2017-10-12 (주)이스톰 Method and system for authenticating an IoT device using a mobile device
US10425395B2 (en) * 2016-04-25 2019-09-24 Unisys Corporation Single sign on system for secure networks
CN109756450B (zh) * 2017-11-03 2021-06-15 华为技术有限公司 IoT communication method, apparatus, system and storage medium
US11632361B2 (en) * 2020-10-02 2023-04-18 Citrix Systems, Inc. Combined authentication and connection establishment for a communication channel

Also Published As

Publication number Publication date
CN115065703A (zh) 2022-09-16
CN115065703B (zh) 2024-07-16

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 23822901

Country of ref document: EP

Kind code of ref document: A1

WWE Wipo information: entry into national phase

Ref document number: 18709826

Country of ref document: US