WO2022170583A1 - Permission configuration method and apparatus in internet of things, device, and storage medium - Google Patents
Permission configuration method and apparatus in internet of things, device, and storage medium Download PDFInfo
- Publication number
- WO2022170583A1 WO2022170583A1 PCT/CN2021/076574 CN2021076574W WO2022170583A1 WO 2022170583 A1 WO2022170583 A1 WO 2022170583A1 CN 2021076574 W CN2021076574 W CN 2021076574W WO 2022170583 A1 WO2022170583 A1 WO 2022170583A1
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- client device
- information
- verification
- certificate
- configuration
- Prior art date
Links
- 238000000034 method Methods 0.000 title claims abstract description 117
- 238000003860 storage Methods 0.000 title claims abstract description 21
- 238000012795 verification Methods 0.000 claims abstract description 307
- 238000004590 computer program Methods 0.000 claims description 23
- 238000013475 authorization Methods 0.000 claims description 2
- 230000008569 process Effects 0.000 description 23
- 230000004913 activation Effects 0.000 description 20
- 230000006870 function Effects 0.000 description 14
- 238000010586 diagram Methods 0.000 description 13
- 238000004891 communication Methods 0.000 description 6
- 101150053844 APP1 gene Proteins 0.000 description 5
- 101100189105 Homo sapiens PABPC4 gene Proteins 0.000 description 5
- 102100039424 Polyadenylate-binding protein 4 Human genes 0.000 description 5
- 238000004422 calculation algorithm Methods 0.000 description 3
- 230000006855 networking Effects 0.000 description 2
- 240000007594 Oryza sativa Species 0.000 description 1
- 235000007164 Oryza sativa Nutrition 0.000 description 1
- 230000009286 beneficial effect Effects 0.000 description 1
- 238000004364 calculation method Methods 0.000 description 1
- 238000004140 cleaning Methods 0.000 description 1
- 238000012790 confirmation Methods 0.000 description 1
- 238000005516 engineering process Methods 0.000 description 1
- 239000004744 fabric Substances 0.000 description 1
- 238000009776 industrial production Methods 0.000 description 1
- 230000010365 information processing Effects 0.000 description 1
- 230000003993 interaction Effects 0.000 description 1
- 230000007246 mechanism Effects 0.000 description 1
- 238000012986 modification Methods 0.000 description 1
- 230000004048 modification Effects 0.000 description 1
- 238000012806 monitoring device Methods 0.000 description 1
- 238000012544 monitoring process Methods 0.000 description 1
- 230000003287 optical effect Effects 0.000 description 1
- 238000012545 processing Methods 0.000 description 1
- 235000009566 rice Nutrition 0.000 description 1
- 230000001568 sexual effect Effects 0.000 description 1
- 230000003068 static effect Effects 0.000 description 1
- 238000012546 transfer Methods 0.000 description 1
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W4/00—Services specially adapted for wireless communication networks; Facilities therefor
- H04W4/70—Services for machine-to-machine communication [M2M] or machine type communication [MTC]
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0823—Network architectures or network communication protocols for network security for authentication of entities using certificates
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
- H04L63/101—Access control lists [ACL]
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/12—Applying verification of the received information
- H04L63/126—Applying verification of the received information the source of the received data
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/60—Context-dependent security
- H04W12/69—Identity-dependent
- H04W12/77—Graphical identity
Definitions
- the present application relates to the technical field of the Internet of Things, and in particular, to a method, apparatus, device, and storage medium for rights configuration in the Internet of Things.
- the user can remotely control the functional operation of the server device through the client device.
- IOT Internet of Things
- the administrator of the server device can share the access control authority of the server device to other users.
- the process of sharing the access control authority of the server device is as follows: the client device of the manager of the server device generates an activation token, and provides the activation token to the server device and the client device of the shareee respectively; After the client device of the shareee and the server device are authenticated through the activation token and a secure connection is established, the access control authority of the client device of the shareee to the server device is configured.
- the server device will be controlled by the illegal client device, which affects the security of access control authority sharing of the server device.
- Embodiments of the present application provide a method, apparatus, device, and storage medium for rights configuration in the Internet of Things.
- the technical solution is as follows:
- an embodiment of the present application provides a method for configuring rights in the Internet of Things, where the method is executed by a first client device, and the first client device has management rights of a server device; the method includes:
- the first verification information is generated based on the first random value
- an embodiment of the present application provides a method for configuring rights in the Internet of Things, the method is executed by a second client device, and the method includes:
- the first client device has the management authority of the server device;
- Two client devices open permissions; the first verification information is generated based on the first random value.
- an embodiment of the present application provides a method for configuring rights in the Internet of Things, the method is executed by a server device, and the method includes:
- Receive configuration trigger information sent by a first client device is that the first client device sends a first verification request containing a first random value to a second client device, and receives the second client device
- the permission is opened to the second client device.
- an embodiment of the present application provides an apparatus for configuring rights in the Internet of Things, the apparatus is used in a first client device, and the first client device has management rights of a server device; the apparatus include:
- a first verification request sending module configured to send a first verification request to the second client device, where the first verification request includes a first random value
- a first verification information receiving module configured to receive the first verification information sent by the second client device; the first verification information is generated based on the first random value;
- a first verification module configured to verify the first verification information
- a configuration triggering module is configured to trigger the server device to open permissions to the second client device through the configuration trigger information when the first verification information passes the verification.
- an embodiment of the present application provides an apparatus for configuring rights in the Internet of Things, where the apparatus is used in a second client device, and the apparatus includes:
- a first verification request receiving module configured to receive a first verification request sent by a first client device, where the first verification request includes a first random value; the first client device has the administrative rights;
- a first verification information sending module configured to send first verification information to the first client device, so that the first client device can configure trigger information after passing the verification of the first verification information triggering the server device to open permissions to the second client device; the first verification information is generated based on the first random value.
- an embodiment of the present application provides an apparatus for configuring permissions in the Internet of Things, where the apparatus is used in a server device, and the apparatus includes:
- a configuration trigger information receiving module configured to receive the configuration trigger information sent by the first client device;
- the configuration trigger information is that the first client device sends a first check containing a first random value to the second client device request, receive the first verification information sent by the second client device, and send the first verification information after passing the verification; the first verification information is generated based on the first random value of;
- a rights opening module configured to open rights to the second client device according to the configuration trigger information.
- an embodiment of the present application provides an IoT device, the IoT device includes a processor, a memory, and a transceiver, the memory stores a computer program, and the computer program is configured to be executed by the processor , in order to realize the above-mentioned permission configuration method in the Internet of Things.
- an embodiment of the present application further provides a computer-readable storage medium, where a computer program is stored in the storage medium, and the computer program is loaded and executed by a processor to implement the above method for configuring rights in the Internet of Things.
- the present application also provides a chip, which is used to run in an IoT device, so that the IoT device executes the above-mentioned permission configuration method in the IoT.
- the present application provides a computer program product comprising computer instructions stored in a computer-readable storage medium.
- the processor of the Internet of Things device reads the computer instructions from the computer-readable storage medium, and the processor executes the computer instructions, so that the Internet of Things device executes the above-mentioned permission configuration method in the Internet of Things.
- the present application provides a computer program, the computer program being executed by a processor of an Internet of Things device, so as to implement the above method for configuring rights in the Internet of Things.
- the first client device Before the first client device shares the authority of the server device with the second client device, it first triggers the second client device to return the verification information through the first random value, and then verifies the verification information to verify the second client
- the legitimacy of the terminal device after verifying the legality of the second client device, share the authority of the server device with the second client device, so as to avoid sharing the access control authority of the server device to the illegal client device. situation, improve the security of the access control permission sharing of the server device.
- FIG. 1 is a schematic diagram of a network architecture of the Internet of Things provided by an embodiment of the present application.
- FIG. 2 is a flowchart of a method for configuring rights in the Internet of Things provided by an embodiment of the present application
- FIG. 3 is a flowchart of a method for configuring rights in the Internet of Things provided by an embodiment of the present application
- FIG. 4 is a schematic diagram of a permission sharing process flow of the server device involved in the embodiment shown in FIG. 3;
- FIG. 5 is a schematic diagram of a rights sharing process flow of the server device involved in the embodiment shown in FIG. 3;
- FIG. 6 is a flowchart of a method for configuring rights in the Internet of Things provided by an embodiment of the present application
- Fig. 7 is a schematic diagram of a permission sharing process flow of the server device involved in the embodiment shown in Fig. 6;
- FIG. 8 is a block diagram of an apparatus for configuring rights in the Internet of Things provided by an embodiment of the present application.
- FIG. 9 is a block diagram of an apparatus for configuring rights in the Internet of Things provided by an embodiment of the present application.
- FIG. 10 is a block diagram of an apparatus for configuring permissions in the Internet of Things provided by an embodiment of the present application.
- FIG. 11 is a schematic structural diagram of an Internet of Things device provided by an embodiment of the present application.
- the network architecture and service scenarios described in the embodiments of the present application are for the purpose of illustrating the technical solutions of the embodiments of the present application more clearly, and do not constitute a limitation on the technical solutions provided by the embodiments of the present application.
- the evolution of new business scenarios and the emergence of new business scenarios, the technical solutions provided in the embodiments of the present application are also applicable to similar technical problems.
- FIG. 1 shows a schematic diagram of a network architecture of the Internet of Things provided by an embodiment of the present application.
- the network architecture of the Internet of Things may include: a server device 110 and at least two client devices 120; optionally, the network architecture may further include a gateway device 130, a cloud server 140, and the like;
- the server device 110 may be a device for providing Internet of Things functional services.
- the server device 110 may be a smart home device, for example, a smart lamp, a smart TV, a smart air conditioner, a smart refrigerator, a smart microwave oven, a smart rice cooker, a cleaning robot, and the like.
- the server device 110 may be an industrial production device such as a lathe, an industrial robot, a solar panel, a wind turbine, and the like.
- the server device 110 may be a commercial service device, such as a vending machine or the like.
- the server device 110 may be an intelligent monitoring device, such as a monitoring camera, an infrared sensor, a sound sensor, a temperature sensor, and the like.
- the client device 120 is a terminal device on the user side.
- the client device may be a smart phone, a tablet computer, a smart watch, etc.; or, the client device may also be a personal computer, such as a desktop computer, a laptop computer, a personal workstation, and the like.
- the client device 120 is a client entity (which may be a virtual entity) running based on the terminal device.
- An application Application, APP
- An application that performs operations such as access, control, and management.
- At least one client device 120 has the management authority of the server device 110 .
- the gateway device 130 is a network device that realizes network interconnection above the network layer, and is also called an internet connection, a protocol converter, and the like.
- the gateway device 130 provides network connection services for the server device 110 .
- the gateway device 130 may be a professional gateway, such as a home gateway, or the gateway device 130 may also be an access device with a gateway function, such as a router with a gateway function.
- the cloud server 140 is a server deployed on the network side.
- the above-mentioned server device 110, client device 120, gateway device 130, and cloud server 140 may be IoT devices that meet industry standards, for example, may be IoT devices that meet the requirements of the Open Connectivity Foundation (OCF). ) specification for IoT devices.
- OCF Open Connectivity Foundation
- the server device 110 and the gateway device 130 are connected through a wired or wireless network, and the cloud server 140 is respectively connected with the gateway device 130 and the client device 120 through a wired or wireless network.
- the above wired or wireless network uses standard communication technologies and/or protocols.
- the above wired or wireless network may be a communication network based on the IoT protocol of the Internet of Things.
- different client devices may be in different Internet Ecosystems.
- the ecological environment of a smart home refers to a collection of devices that have the same trust center and can communicate with each other; Certificates between devices can be exchanged for device control; devices in manufacturer A's Internet ecological environment issue certificates through manufacturer A's platform.
- the device with the certificate of the platform of manufacturer A and the device with the certificate of the platform of manufacturer B cannot communicate with each other even if they are connected to the same local area network, that is, the two belong to different Internet ecological environments.
- the process can be as follows:
- the APP installed in Alice's smartphone that is, the APP of the A ecology generates an activation token (Onboarding Token, OT).
- a ecological APP sends an instruction to enable configuration to Bulb, and the instruction carries the activation token OT.
- a ecological APP shares OT to the application installed in Bob's smartphone, namely B ecological APP, through out-of-band methods such as email and voice.
- the B ecology APP creates a fabric ID (fabricID) for the home network.
- the B ecological APP sends the CSR.bulb and fabricID to the B ecological certification center (Certificate Authority, CA) to request the device certificate.
- CA Certificate Authority
- the device certificate B.OC.bulb is generated and returned to the B ecological APP.
- the device certificate is also called the device operation credential (Operational Credential, OC).
- the B ecological APP configures the device certificate B.OC.bulb and the access control authority ACL.Bulb.B.APP1 to the Bulb. That is, add ACL.Bulb.B.APP1 to Bulb's Access Control List (ACL).
- ACL Access Control List
- FIG. 2 shows a flowchart of a method for configuring rights in the Internet of Things provided by an embodiment of the present application.
- the method can be executed interactively between a first client device, a second client device, and a server device.
- the first client device and the second client device may be the client device 120 of the network architecture shown in FIG. 1
- the server device may be the server device 110 of the network architecture shown in FIG. 1; the method It can include the following steps:
- Step 201 the first client device sends a first verification request to the second client device, where the first verification request includes a first random value; correspondingly, the second client device receives the first random value.
- the first client device may be a client device having the management authority of the server device.
- Step 202 the second client device sends first verification information to the first client device, where the first verification information is generated based on the first random value.
- Step 203 the first client device verifies the first verification information.
- Step 204 when the first verification information passes the verification, the first client device triggers the server device to open the authority to the second client device by configuring the trigger information.
- Step 205 The server device receives the configuration trigger information sent by the first client device, and opens the authority to the second client device according to the configuration trigger information.
- the first client device before the first client device shares the authority of the server device with the second client device, it first triggers the second client device to return the verification information through the first random value, and then The verification information is verified to verify the legitimacy of the second client device. After verifying that the second client device is legal, the authority to the server device is shared with the second client device, thereby avoiding When the access control authority is shared with illegal client devices, the security of the access control authority sharing of the server device is improved.
- a channel for validating the root certificate of the second client device can be provided for the first client device.
- FIG. 3 shows a flowchart of a method for configuring rights in the Internet of Things provided by an embodiment of the present application.
- the method can be executed interactively between a first client device, a second client device, and a server device.
- the first client device and the second client device may be the client device 120 of the network architecture shown in FIG. 1
- the server device may be the server device 110 of the network architecture shown in FIG. 1; the method It can include the following steps:
- Step 301 Establish a first secure connection between the first client device and the second client device.
- a secure connection with the second client device may be established first.
- a direct secure connection may be established between the first client device and the second client device.
- the second client device may display a two-dimensional code, which carries the connection establishment information of the second client device; the first client device scans the two-dimensional code displayed by the second client device to obtain connection establishment information of the second client device; after that, the first client device and the second client device establish a first secure connection between the first client device and the second client device according to the connection establishment information .
- a secure connection may be established between the first client device and the second client device through a cloud server, for example, a secure connection may be established through a server of an instant messaging platform.
- a secure connection may be established between the first client device and the second client device through a local area network device, for example, a secure connection may be established through a routing device in the local area network.
- the first client device and the second client device belong to different IoT ecosystems respectively.
- the above-mentioned first client device and the second client device belong to the same IoT ecosystem.
- Step 302 the first client device sends a first verification request to the second client device, and the first verification request includes a first random value; correspondingly, the second client device receives the first verification request including the first random value. Verify the request.
- the first client device may be a client device having the management authority of the server device.
- the first client device may send a first verification request including the first random value to the second client device through the first secure connection with the second client device.
- Step 303 the second client device sends the first verification information to the first client device, and accordingly, the first client device receives the first verification information;
- the first verification information includes the first signature information, the first verification information, and the first verification information.
- the first signature information is obtained by signing the target data with the first private key of the second client device;
- the target data includes a first random Value; the first operational credential is issued through the first root certificate.
- the target data further includes at least one of a first root certificate and a first operation certificate.
- the first client device may use the first private key to sign the first random value (optionally including the first root certificate and/or the first operation certificate) to obtain the above-mentioned first signature information .
- the above-mentioned first private key may be a private key used for operation in the second client device.
- the first operation credential is issued by a second private key of the second client device; wherein, the second private key may be the private key of the root certificate of the second client device.
- the second client device is provided with a first private key and a first public key for operation.
- the root certificate of the second client device also corresponds to a pair of public and private keys, namely the second private key and second public key.
- the second client device receives the first verification request containing the first random value sent by the first client device, and can use the first private key to sign the target data. For example, the second client device can verify the first random value. Hash calculation is performed on the value of the first random value to obtain the hash value of the first random value, and then the first private key is used to encrypt the hash value of the first random value to obtain the first signature information.
- the above-mentioned first operation credential may be issued by a cloud platform (such as a certification center) corresponding to the second client device based on the root certificate.
- a cloud platform such as a certification center
- the second client device opens the APP for the first time, it can apply for an APP certificate (ie, the above-mentioned first operation certificate) to the corresponding cloud platform, and the cloud platform issues the APP certificate for the second client device according to the root certificate.
- the process of verifying the first verification information reference may be made to subsequent steps 304 to 306 .
- Step 304 the first client device performs a legality query on the first root certificate, and obtains a legality authentication result of the first root certificate.
- the root certificates of each IoT ecological environment are stored in a common blockchain (Ledger).
- the root certificates of each IoT ecosystem are stored on a common server, and the server takes security measures so that the stored root certificates can only be queried and cannot be tampered with; or, the root certificates of each IoT ecosystem are stored on their own servers.
- the server takes security measures so that the stored root certificate can only be queried and cannot be tampered with.
- the APP in each client device stores the root certificate of each IoT ecological environment, and ensures that the stored root certificate is safe and tamper-proof.
- the above-mentioned method of performing a legality query on the first root certificate and obtaining the legality authentication result of the first root certificate may include:
- the first client device when the root certificates of each IoT ecological environment are uniformly stored on the blockchain, the first client device can query the blockchain for the first root certificate to obtain the legality of the first root certificate Sexual certification results.
- the first client device may send the first root certificate to the blockchain, and the blockchain returns the validity authentication result of the first root certificate.
- the first client device when the root certificates of each IoT ecological environment are uniformly stored in the server, the first client device stores the preset address of the server, and the first client device can, according to the preset address, The server is queried for the first root certificate, and the validity authentication result of the first root certificate is obtained.
- the server corresponding to the query address for the first root certificate Querying the server corresponding to the query address for the first root certificate, and obtaining the validity authentication result of the first root certificate; wherein, the first verification information also includes the query address.
- the first verification information returned by the second client device when the root certificates of each IoT ecological environment are stored in their respective servers, the first verification information returned by the second client device also carries the object where the second client device is located.
- the first client device can query the server for the first root certificate according to the query address carried in the first verification information to obtain the legality authentication of the first root certificate. result.
- the first client device can query the first root certificate locally, so as to obtain the legality of the first root certificate. For example, the first client device inquires whether the first root certificate has been stored locally, and if so, confirms that the first root certificate is valid, otherwise, confirms that the first root certificate is invalid.
- Step 305 when the validity authentication result indicates that the first root certificate is valid, the first client device verifies the first operation certificate according to the first root certificate.
- the above-mentioned step of verifying the first operation credential according to the first root certificate may include:
- the first operation credential is verified according to the second public key of the second client device carried in the first root certificate.
- the first root certificate may include the public key of the root certificate of the second client device (that is, the second public key). After confirming that the first root certificate is legal, the first client device may Obtain the second public key from the first root certificate, and use the second public key to verify the first operation credential.
- the first client device can decrypt the signature in the APP certificate (that is, the first operation certificate) by using the second public key to obtain the hash value of the APP certificate.
- the first client device uses the same hash algorithm to Hash the signed APP certificate to obtain a hash value, and then compare the above two hash values. If they are the same, it is determined that the verification of the first operation credential passes, otherwise, it is determined that the verification of the first operation credential fails.
- Step 306 when the first operation credential passes the verification, the first client device verifies the first signature information according to the first operation credential.
- the above-mentioned step of verifying the first signature information according to the first operation credential includes:
- the first signature information is verified according to the first public key of the second client device carried in the first operation certificate.
- the above-mentioned APP certificate carries a first public key (also referred to as an APP public key) corresponding to the first private key.
- the first client device may The first public key is obtained from the APP certificate, and then the first signature information is verified by using the first public key.
- the first client device decrypts the first signature information (signature) by using the APP public key to obtain a hash value of the first random value, and in addition, uses the same hash algorithm to hash the first random value to obtain Hash value, compare the above two hash values, if they are the same, it is determined that the verification of the first signature information passes, otherwise, it is determined that the verification of the first signature information fails.
- the first client device may also independently verify the first operation credential or the first signature information after the first root certificate passes the legality authentication; After the authentication, the first operation certificate is verified according to the first root certificate, or the first operation certificate is directly verified according to the first root certificate. If the first operation certificate passes the verification, it is considered that the first verification The information has passed the verification; or, the first client device may verify the first signature information directly according to the first operation credential after the first root certificate has passed the legality verification. If the verification is passed, it can be considered that the first verification information has passed the verification.
- the first client device verifies the first operation credential and the first signature information after the first root certificate passes the validity authentication, or directly verifies the first operation credential and the first signature information.
- the verification result of the user determines whether the first verification information passes the verification.
- the first client device may verify the first operation credential according to the first root certificate, and at the same time, verify the first signature information according to the first operation credential. Once the signature information passes the verification, it is considered that the first verification information passes the verification.
- Step 307 when the first verification information passes the verification, the first client device triggers the server device to open the authority to the second client device by configuring the trigger information.
- the first client device when the first verification information passes the verification, the first client device can trigger configuration interaction between the server device and the second client device through the configuration trigger information, so that the server device can send the 2.
- Client device open permissions.
- Step 308 the server device receives the configuration trigger information sent by the first client device, and opens permissions to the second client device according to the configuration trigger information.
- the first client device when it sends the configuration trigger information, it may send the first configuration trigger information to the second client device, and send the second configuration trigger information to the server device; wherein, The first configuration trigger information includes the activation token; the second configuration trigger information includes the activation token and the first operation credential.
- the first client device may generate an activation token OT, and based on the activation token OT, send configuration trigger information to the server device and the second client device respectively, so as to trigger the server device to send the The process of opening permissions by the second client device.
- the process could be as follows:
- the second client device receives the first configuration trigger information sent by the first client device.
- S308a2 The server device receives the second configuration trigger information sent by the first client device.
- the second client device and the server device establish a second secure connection between the second client device and the server device according to the activation token.
- the server device sends a second verification request to the second client device, where the second verification request includes the second random value, and accordingly, the second client device receives the second random value sent by the server device and includes the second random value A second verification request for the value.
- the server device may send a second verification request including a second random value to the second client device through the above-mentioned second secure connection.
- the second client device sends second verification information to the server device, and accordingly, the server device receives the second verification information;
- the second verification information includes the first operation certificate and the fourth signature information, the fourth signature information is obtained by signing the second random value with the first private key.
- the server device verifies the second verification information according to the first operation credential included in the second configuration trigger information.
- the above-mentioned verification of the second verification information according to the first operation credential included in the second configuration trigger information includes:
- the second signature information is verified according to the first operation certificate.
- the server device may first compare the first operation certificate in the second verification information by using the first operation certificate notified by the first client device, If the two are consistent, the second signature information is verified through the first operation certificate.
- the verification of the second signature information according to the first operation credential includes:
- the second signature information is verified according to the first public key of the second client device carried in the first operation certificate.
- the server device decrypts the second signature information through the APP public key to obtain a hash value of the second random value, and in addition, uses the same hash algorithm to hash the second random value to obtain a hash value, and compare If the above two hash values are the same, it is determined that the verification of the second signature information passes, otherwise, it is determined that the verification of the second signature information fails.
- S308a7 After the second verification information passes the verification, the server device sends a certificate signing request to the second client device, and correspondingly, the second client device receives the certificate signing request sent by the server device.
- the server device may send a certificate signing request to the second client device through the second secure connection.
- the second client device performs rights configuration in the server device according to the certificate signing request.
- the process of performing rights configuration in the server device by the second client device may include:
- the access control authority information is configured in the access control list ACL of the server device, and the access control authority information includes an access control entry, the accessible data corresponding to the access control entry, and an entity that has the right to access the accessible data. , and authorized access methods.
- the second client device when the first client device and the second client device belong to different IoT ecosystems, the second client device needs to request the authentication center in the IoT ecosystem where it is located to assign a device certificate , and configure the device certificate, the first root certificate and the access control authority information to the server device, so as to obtain the access control capability of the server device.
- the server device receives the device certificate configured by the second client device, the first root certificate of the second client device, and the access control authority information.
- FIG. 4 shows a schematic flowchart of a permission sharing process of a server device involved in an embodiment of the present application.
- a ecological APP be the administrator of the lamp device Bulb
- the process of adding B ecological APP as the administrator of Bulb is as follows:
- a ecological APP sends a verification request to B ecological APP, and the request carries a random value nonce (ie, the above-mentioned first random value).
- the B ecological APP signs the nonce with the (operational) private key (ie, the above-mentioned first private key), and returns the root certificate RC.B, the APP certificate OC.B.APP and the signature Signature to the A ecological APP.
- the APP certificate is issued by the root certificate and is used to establish a control connection between the APP and the controlled device.
- a ecological APP uses OC.B.APP to further verify the signature Signature, that is, using the APP (operation) public key in OC.B.APP (that is, the above-mentioned first public key) Verify signature.
- a ecological APP generates a configuration token OT.
- a ecological APP sends an instruction to enable configuration to Bulb, and the instruction carries the configuration token OT and OC.B.APP.
- the B ecological APP generates a fabricID, and sends CSR.bulb and fabricID to the B ecological CA to request a device certificate.
- the device certificate B.OC.bulb is generated and returned to the B ecological APP.
- the B ecological APP configures the device certificate B.OC.bulb and the access control authority ACL.Bulb.B.APP1 to the Bulb.
- the first client device when the first client device triggers the server device to open permissions to the second client device through the configuration trigger information, it sends third configuration trigger information to the server device; the second configuration trigger information contains the activation token and the first public key of the second client device.
- the first client device may also send configuration trigger information to the server device based on the activation token OT, so as to trigger the process of the server device opening permissions to the second client device.
- the process could be as follows:
- the server device receives the third configuration trigger information sent by the first client device.
- the server device encrypts the activation token according to the first public key, and obtains the encrypted activation token.
- the server device sends the encrypted activation token to the second client device.
- the second client device receives the encrypted activation token sent by the server device.
- the second client device decrypts the encrypted activation token according to the first public key to obtain the activation token.
- the second client device and the server device establish a third secure connection between the second client device and the server device according to the activation token.
- the server device sends a certificate signing request to the second client device, and correspondingly, the second client device receives the certificate signing request sent by the server device.
- the second client device performs rights configuration in the server device according to the certificate signing request.
- FIG. 5 shows a schematic flowchart of a permission sharing process of a server device involved in an embodiment of the present application.
- a ecological APP is the administrator of Bulb
- B ecological APP is as follows:
- a ecological APP sends a verification request to B ecological APP, and the request carries a random value nonce.
- the B ecological APP signs the nonce with the (operation) private key, and returns the root certificate RC.B, the APP certificate OC.B.APP and the signature Signature to the A ecological APP.
- the APP certificate is issued by the root certificate and is used to establish a control connection between the APP and the controlled device.
- a ecological APP uses RC.B to verify OC.B.APP, that is, the signature of the APP certificate OC.B.APP is verified with the public key of the root certificate.
- a ecological APP generates a configuration token OT.
- a ecological APP sends an instruction to enable configuration to Bulb, and the instruction carries the configuration token OT and the (operational) public key PuK.B.APP of B ecological APP.
- B ecological APP decrypts the (operation) private key to obtain OT, and both parties use OT to establish a secure connection.
- B ecological APP sends CSR.bulb and fabricID to B ecological CA to request a device certificate. After B ecological CA certification, the device certificate B.OC.bulb is generated and returned to B ecological APP.
- the B ecological APP configures the device certificate B.OC.bulb and the access control authority ACL.Bulb.B.APP1 to the Bulb.
- the first client device before the first client device shares the authority of the server device with the second client device, it first triggers the second client device to return the verification information through the first random value, and then The verification information is verified to verify the legitimacy of the second client device. After verifying that the second client device is legal, the authority to the server device is shared with the second client device, thereby avoiding When the access control authority is shared with illegal client devices, the security of the access control authority sharing of the server device is improved.
- the first client device and the second client device may be uniformly authenticated through a unified platform, and authentication information may be issued respectively.
- FIG. 6 shows a flowchart of a method for configuring rights in the Internet of Things provided by an embodiment of the present application.
- the method can be executed interactively between a first client device, a second client device, and a server device.
- the first client device and the second client device may be the client device 120 of the network architecture shown in FIG. 1
- the server device may be the server device 110 of the network architecture shown in FIG. 1; the method It can include the following steps:
- Step 601 Establish a first secure connection between the first client device and the second client device.
- the APP of each IoT ecological environment has a pair of public and private keys for authentication and a pair of public and private keys for operation. After being certified by the unified certification platform, the APP of each IoT ecological environment will obtain the corresponding certification certificate DAC.B.APP and/or certification statement CD.B.APP. DAC.B.APP contains the public key used for authentication (ie, the subsequent second public key). DAC.B.APP or CD.B.APP can be used to verify the legitimacy of the APP.
- Step 602 the first client device sends a first verification request to the second client device, where the first verification request includes a first random value; correspondingly, the second client device receives a verification request including the first random value. The first verification request.
- Step 603 the second client device sends first verification information to the first client device, and accordingly, the first client device receives the first verification information;
- the first verification information includes the second client device The first root certificate, the first operation certificate, the first authentication information, the second signature information and the third signature information;
- the first operation certificate is issued by the first root certificate;
- the first authentication information is issued by the unified authentication
- the platform is issued after the second client device is authenticated, and the unified authentication platform is used to authenticate the first client device and the second client device;
- the second signature information is passed through the second client device.
- a private key is obtained by signing the first root certificate, the first operation certificate, and the unified authentication information;
- the third signature is obtained by signing the first root certificate, the first root certificate, the first The operation certificate, the unified authentication information, and the second signature information are obtained by signing.
- the above-mentioned first private key may be a private key used for operation in the second client device.
- the above-mentioned second private key may be the private key of the root certificate of the second client device.
- the first operation credential is issued through the second private key of the second client device.
- the above-mentioned unified authentication platform is used to provide unified authentication for client devices in various IoT ecological environments, and return the authentication information to the corresponding client devices.
- the unified authentication platform can send One client device provides a service of querying the validity of the authentication information of another client device.
- Step 604 the first client device performs validity verification on the first authentication information.
- the first client device may query the unified authentication platform for the first authentication information to obtain the validity verification result of the first authentication information.
- the first client device may also verify the validity of the first authentication information in other ways. For example, the first client device queries the unified authentication platform for the authentication information of the second client device, and receives the unified authentication platform. The returned authentication information of the second client device is compared, and the authentication information returned by the unified authentication platform is compared with the above-mentioned first authentication information. If the two are consistent, it is confirmed that the first authentication information has passed the validity check.
- Step 605 After the first authentication information passes the validity check, the first client device verifies the fourth signature information through the second public key corresponding to the second private key; the second public key carries in the first authentication information.
- the first client device can obtain the second public key from the first authentication information, and use the second public key to perform verification on the fourth signature information. check.
- Step 606 after the fourth signature information passes the verification, the first client device verifies the third signature information through the first public key corresponding to the first private key; the first public key is carried in the in the first operation certificate.
- the first client device may obtain the first public key from the first operation certificate, and perform a verification process on the third signature information by using the first public key. check.
- Step 607 when the first verification information passes the verification, the first client device triggers the server device to open the authority to the second client device by configuring the trigger information.
- Step 608 The server device receives the configuration trigger information sent by the first client device, and opens the authority to the second client device according to the configuration trigger information.
- FIG. 7 shows a schematic flowchart of a permission sharing process of a server device involved in an embodiment of the present application.
- a ecological APP is the administrator of Bulb
- B ecological APP is as follows:
- the B ecological APP generates a QR code for pairing, and announces its existence in the network.
- a ecological APP obtains the two-dimensional code information of B ecological APP by scanning the code, searches for B ecological APP on the network, and uses the information in the two-dimensional code to establish a secure connection.
- a ecological APP sends a verification request to B ecological APP, and the request carries a random value nonce.
- the ecological APP A uses the public key in OC.B.APP to verify the signature Signature1, that is, the signature is verified using the APP public key in OC.B.APP.
- a ecological APP generates a configuration token OT.
- a ecological APP sends an instruction to enable configuration to Bulb, and the instruction carries the configuration token OT and the public key of B ecological APP PuK.B.APP.
- B ecological APP decrypts the OT with the private key, and the two parties use the OT to establish a secure connection.
- the B ecological APP sends the CSR.bulb and fabricID to the B ecological CA to request the device certificate. After the B ecological CA is certified, the device certificate B.OC.bulb is generated and returned to the B ecological APP.
- B ecological APP configures the device certificate B.OC.bulb, and access control authority ACL.Bulb.B.APP1 to Bulb.
- the first client device before the first client device shares the authority of the server device with the second client device, it first triggers the second client device to return the verification information through the first random value, and then The verification information is verified to verify the legitimacy of the second client device. After verifying that the second client device is legal, the authority to the server device is shared with the second client device, thereby avoiding When the access control authority is shared with illegal client devices, the security of the access control authority sharing of the server device is improved.
- the above solution of the present application can solve the problem that the legality of the added control terminal APP cannot be confirmed during the process of adding the second ecological APP. Identity confirmation and legality verification.
- FIG. 8 shows a block diagram of an apparatus for configuring permissions in the Internet of Things provided by an embodiment of the present application.
- the device has the function of implementing the above example of the permission configuration method in the Internet of Things, and the function can be implemented by hardware, or by executing corresponding software in hardware.
- the apparatus may be the first client device described above, or may be set in the first client device.
- the above-mentioned first client device has the management authority of the server device.
- the apparatus may include:
- a first verification request sending module 801, configured to send a first verification request to the second client device, where the first verification request includes a first random value
- a first verification information receiving module 802 configured to receive first verification information sent by the second client device; the first verification information is generated based on the first random value;
- a first verification module 803, configured to verify the first verification information
- a configuration triggering module 804 is configured to trigger the server device to open permissions to the second client device through the configuration trigger information when the first verification information passes the verification.
- the first verification information includes at least one of first signature information, a first root certificate of the second client device, and a first operation certificate;
- the first signature The information is obtained by signing the target data with the first private key of the second client device;
- the target data includes the first random value;
- the first operation credential is issued by the first root certificate of.
- the target data further includes at least one of the first root certificate and the first operation certificate.
- the first verification module 803 is configured to, when the first verification information includes the first signature information, the first root certificate and the first operation certificate hour,
- the first signature information is verified according to the first operation certificate.
- the first verification module 803 is configured to perform the first operation on the first operation according to the second public key of the second client device carried in the first root certificate. Credentials are verified.
- the first verification module 803 is configured to sign the first signature according to the first public key of the second client device carried in the first operation credential information for verification.
- the first verification module 803 is configured to:
- the first verification information further includes a query address
- the first verification module 803 is configured to query the server corresponding to the query address for the first root certificate, and obtain the validity verification result of the first root certificate.
- the first verification information includes a first root certificate, a first operation credential, first authentication information, second signature information, and third signature information of the second client device;
- the first operation certificate is issued through the first root certificate;
- the first authentication information is issued after the second client device is authenticated by the unified authentication platform, and the unified authentication platform is used to authenticate the second client device.
- the first client device and the second client device are authenticated;
- the second signature information is a pair of the first root certificate and the first operation credential through the first private key of the second client , the unified authentication information is signed;
- the third signature is obtained by using the second private key of the second client to sign the first root certificate, the first operation certificate, the unified authentication information, the obtained by signing the second signature information.
- the first verification module 803 is configured to:
- the third signature information is verified by using the second public key corresponding to the second private key; the second public key is carried in the second public key. 1.
- the authentication information In the authentication information;
- the second signature information is verified by using the first public key corresponding to the first private key; the first public key is carried in the first operation in the certificate.
- the configuration triggering module 804 is configured to:
- the first configuration trigger information includes the configuration token
- the second configuration trigger information includes the configuration token and the first operation credential.
- the configuration triggering module 804 is configured to send third configuration trigger information to the server device; the third configuration trigger information includes the configuration token and the second configuration trigger The first public key of the client device.
- the first client device and the second client device respectively belong to different IoT ecosystems.
- the apparatus further includes:
- a scanning module configured to scan the two-dimensional code displayed by the second client device to obtain connection establishment information of the second client device
- a first connection establishment module configured to establish a first secure connection with the second client device according to the connection establishment information.
- the first client device before the first client device shares the authority of the server device with the second client device, it first triggers the second client device to return the verification information through the first random value, and then The verification information is verified to verify the legitimacy of the second client device. After verifying that the second client device is legal, the authority to the server device is shared with the second client device, thereby avoiding When the access control authority is shared with illegal client devices, the security of the access control authority sharing of the server device is improved.
- FIG. 9 shows a block diagram of an apparatus for configuring permissions in the Internet of Things provided by an embodiment of the present application.
- the device has the function of implementing the above example of the permission configuration method in the Internet of Things, and the function can be implemented by hardware, or by executing corresponding software in hardware.
- the apparatus may be the second client device described above, or may be set in the second client device. As shown in Figure 9, the apparatus may include:
- the first random value receiving module 901 is configured to receive a first verification request sent by a first client device, where the first verification request includes a first random value; the first client device has the administrative rights;
- the first verification information sending module 902 is configured to send the first verification information to the first client device, so that after the first client device passes the verification of the first verification information, the configuration triggers The information triggers the server device to open permissions to the second client device; the first verification information is generated based on the first random value.
- the first verification information includes at least one of first signature information, a first root certificate of the second client device, and a first operation certificate;
- the first signature The information is obtained by signing the target data with the first private key of the second client device;
- the target data includes the first random value;
- the first operation credential is issued by the first root certificate of.
- the target data further includes at least one of the first root certificate and the first operation certificate.
- the first verification information includes a first root certificate, a first operation credential, first authentication information, second signature information, and third signature information of the second client device;
- the first operation certificate is issued through the first root certificate;
- the first authentication information is issued after the second client device is authenticated by the unified authentication platform, and the unified authentication platform is used to authenticate the second client device.
- the first client device and the second client device are authenticated;
- the second signature information is a pair of the first root certificate and the first operation credential through the first private key of the second client , the unified authentication information is signed;
- the third signature is obtained by using the second private key of the second client to sign the first root certificate, the first operation certificate, the unified authentication information, the obtained by signing the second signature information.
- the apparatus further includes:
- a first configuration trigger information receiving module configured to receive first configuration trigger information sent by the first client device, where the first configuration trigger information includes a configuration token
- a second connection establishment module configured to establish a second secure connection with the server device according to the configuration token
- a second verification request receiving module configured to receive a second verification request including a second random value sent by the server device
- a second verification information sending module configured to send second verification information to the server device, where the second verification information includes the first operation certificate and fourth signature information, the fourth signature information is obtained by signing the second random value with the first private key;
- a certificate request receiving module configured to receive a device certificate request sent by the server device, where the device certificate request is sent after the server device passes the verification of the second verification information
- a rights configuration module configured to perform rights configuration in the server device according to the device certificate request.
- the apparatus further includes:
- an encrypted token receiving module configured to receive the encrypted configuration token sent by the server device
- a decryption module configured to decrypt the encrypted configuration token according to the first public key of the second client device to obtain the configuration token
- a third connection establishment module configured to establish a third secure connection with the server device according to the configuration token
- a certificate request receiving module configured to receive a device certificate request sent by the server device
- a rights configuration module configured to perform rights configuration in the server device according to the device certificate request.
- the permission configuration module is used to:
- the access control authority information is configured in the access control list ACL of the server device, and the access control authority information includes an access control entry, the accessible data corresponding to the access control entry, the right to access the The entities that can access the data, and how access is authorized.
- the first client device and the second client device respectively belong to different IoT ecosystems.
- the apparatus further includes:
- a two-dimensional code display module used for displaying a two-dimensional code, the two-dimensional code carries the connection establishment information of the second client device;
- a first connection establishment module configured to establish a first secure connection with the first client device according to the connection establishment information.
- the first client device before the first client device shares the authority of the server device with the second client device, it first triggers the second client device to return the verification information through the first random value, and then The verification information is verified to verify the legitimacy of the second client device. After verifying that the second client device is legal, the authority to the server device is shared with the second client device, thereby avoiding When the access control authority is shared with illegal client devices, the security of the access control authority sharing of the server device is improved.
- FIG. 10 shows a block diagram of an apparatus for configuring permissions in the Internet of Things provided by an embodiment of the present application.
- the device has the function of implementing the above example of the permission configuration method in the Internet of Things, and the function can be implemented by hardware, or by executing corresponding software in hardware.
- the device can be the server device described above, or can be set in the server device.
- the apparatus may include:
- a configuration trigger information receiving module 1001 is configured to receive configuration trigger information sent by a first client device; the configuration trigger information is that the first client device sends a first verification message containing a first random value to a second client device.
- a verification request receiving the first verification information sent by the second client device, and sending the verification after passing the verification of the first verification information; the first verification information is based on the first random value Generated;
- the authority opening module 1002 is configured to open authority to the second client device according to the configuration trigger information.
- the configuration trigger information is second configuration trigger information including a configuration token and the first operation credential
- the permission opening module 1002 is used to:
- a device certificate request is sent to the second client device, so that the second client device can perform authorization in the server device according to the device certificate request. configuration.
- the permission opening module 1002 is configured to:
- the permission opening module 1002 is configured to, according to the first public key of the second client device carried in the first operation credential, perform an operation on the second signature information. check.
- the configuration trigger information is third configuration trigger information including a configuration token and a first public key of the second client device;
- the permission opening module 1002 is used to:
- a device certificate request is sent to the second client device, so that the second client device performs rights configuration in the server device according to the device certificate request.
- the apparatus further includes:
- a certificate and information receiving module configured to receive a device certificate configured by the second client device, a first root certificate of the second client device, and access control authority information;
- the access control authority information is configured in the access control list ACL of the server device, and the access control authority information includes an access control entry, the accessible data corresponding to the access control entry, the right to access the The entities that can access the data, and how access is authorized.
- the first client device before the first client device shares the authority of the server device with the second client device, it first triggers the second client device to return the verification information through the first random value, and then The verification information is verified to verify the legitimacy of the second client device. After verifying that the second client device is legal, the authority to the server device is shared with the second client device, thereby avoiding When the access control authority is shared with illegal client devices, the security of the access control authority sharing of the server device is improved.
- the device provided in the above embodiment realizes its functions, only the division of the above functional modules is used as an example for illustration. In practical applications, the above functions can be allocated to different functional modules according to actual needs. That is, the content structure of the device is divided into different functional modules to complete all or part of the functions described above.
- FIG. 11 shows a schematic structural diagram of an IoT device 1100 provided by an embodiment of the present application.
- the IoT device 1100 may include: a processor 1101 , a receiver 1102 , a transmitter 1103 , a memory 1104 and a bus 1105 .
- the processor 1101 includes one or more processing cores, and the processor 1101 executes various functional applications and information processing by running software programs and modules.
- the receiver 1102 and the transmitter 1103 may be implemented as a communication component, which may be a communication chip.
- the communication chip may also be referred to as a transceiver.
- the memory 1104 is connected to the processor 1101 through the bus 1105 .
- the memory 1104 can be used to store a computer program, and the processor 1101 is used to execute the computer program, so as to implement various steps performed by the terminal in the above method embodiments.
- memory 1104 may be implemented by any type or combination of volatile or non-volatile storage devices including, but not limited to, magnetic or optical disks, electrically erasable and programmable Read Only Memory, Erasable Programmable Read Only Memory, Static Anytime Access Memory, Read Only Memory, Magnetic Memory, Flash Memory, Programmable Read Only Memory.
- the IoT device includes a processor, a memory, and a transceiver (the transceiver may include a receiver and a transmitter, the receiver for receiving information and the transmitter for transmitting information);
- the IoT device When the IoT device is implemented as the first client device,
- the transceiver configured to send a first verification request to the second client device, where the first verification request includes a first random value
- the transceiver configured to receive first verification information sent by the second client device; the first verification information is generated based on the first random value;
- the processor configured to verify the first verification information
- the transceiver is configured to trigger the server device to open permissions to the second client device by configuring trigger information when the first verification information passes the verification.
- the IoT device When the IoT device is implemented as a second client device,
- the transceiver is configured to receive a first verification request including a first random value sent by a first client device; the first client device has the management authority of the server device;
- the transceiver is configured to send the first verification information to the first client device, so that after the first client device passes the verification of the first verification information, the configuration trigger information is used to trigger the
- the server device opens permissions to the second client device; the first verification information is generated based on the first random value.
- the IoT device involved in this embodiment of the present application can execute all the functions performed by the second client device in the permission configuration method in the IoT shown in FIG. 2 , FIG. 3 , or FIG. 6 above. Or some steps will not be repeated here.
- the IoT device When the IoT device is implemented as a server device,
- the transceiver is configured to receive configuration trigger information sent by a first client device; the configuration trigger information is that the first client device sends a first verification request including a first random value to a second client device , receive the first verification information sent by the second client device, and send the verification information after passing the verification of the first verification information; the first verification information is generated based on the first random value ;
- the processor is configured to open a permission to the second client device according to the configuration trigger information.
- the IoT device involved in the embodiment of the present application is implemented as a server device, all or part of the steps performed by the server device in the permission configuration method in the IoT shown in FIG. 2 , FIG. 3 or FIG. 6 may be performed, It will not be repeated here.
- Embodiments of the present application further provide a computer-readable storage medium, where a computer program is stored in the storage medium, and the computer program is loaded and executed by a processor to implement the above-mentioned thing shown in FIG. 2 , FIG. 3 or FIG. 6 .
- the internal latter part of the steps are performed by the first client device, the second client device or the server device.
- the present application also provides a chip, which is used to run in an Internet of Things device, so that the Internet of Things device executes the permission configuration method in the Internet of Things.
- the first client device, the second client device or the service The internal latter part of the steps performed by the end device.
- the application also provides a computer program product, the computer program product or computer program comprising computer instructions stored in a computer-readable storage medium.
- the processor of the Internet of Things device reads the computer instruction from the computer-readable storage medium, and the processor executes the computer instruction, so that the Internet of Things device executes the permission configuration method in the Internet of Things.
- the internal latter part of the steps performed by the client device or the server device.
- the present application also provides a computer program, the computer program is executed by the processor of the Internet of Things device, so as to realize that in the above-mentioned rights configuration method in the Internet of Things, the first client device, the second client device or the server device The internal latter part of the steps are performed.
- Computer-readable media includes both computer storage media and communication media including any medium that facilitates transfer of a computer program from one place to another.
- a storage medium can be any available medium that can be accessed by a general purpose or special purpose computer.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Management, Administration, Business Operations System, And Electronic Commerce (AREA)
Abstract
The present application belongs to the technical field of Internet of Things. Disclosed are a permission configuration method and apparatus in the Internet of Things, a device, and a storage medium. Said method is executed by a first client device, and the first client device has a management permission for a server device. Said method comprises: sending to a second client device a first verification request comprising a first random value; receiving first verification information sent by the second client device, wherein the first verification information is generated on the basis of the first random value; verifying the first verification information; and when the first verification information passes the verification, triggering, by means of configuration triggering information, the server device to open a permission to the second client device. This solution can avoid a situation in which an access control permission for a server device is shared with an invalid client device, improving the security of access control permission sharing of the server device.
Description
本申请涉及物联网技术领域,特别涉及一种物联网中的权限配置方法、装置、设备及存储介质。The present application relates to the technical field of the Internet of Things, and in particular, to a method, apparatus, device, and storage medium for rights configuration in the Internet of Things.
在物联网(Internet of Things,IOT)中,用户可以通过客户端设备远程控制服务端设备的功能操作。In the Internet of Things (IOT), the user can remotely control the functional operation of the server device through the client device.
在相关技术中,服务端设备的管理者可以将服务端设备的访问控制权限分享给其他用户。其中,服务端设备的访问控制权限分享的流程为:服务端设备的管理者的客户端设备生成一个激活令牌,并将激活令牌分别提供给服务端设备和被分享者的客户端设备;被分享者的客户端设备和服务端设备之间通过激活令牌进行验证并建立安全连接后,配置被分享者的客户端设备对服务端设备的访问控制权限。In the related art, the administrator of the server device can share the access control authority of the server device to other users. The process of sharing the access control authority of the server device is as follows: the client device of the manager of the server device generates an activation token, and provides the activation token to the server device and the client device of the shareee respectively; After the client device of the shareee and the server device are authenticated through the activation token and a secure connection is established, the access control authority of the client device of the shareee to the server device is configured.
然而在相关技术中,如果激活令牌被发送给不合法的客户端设备,则会导致服务端设备被不合法的客户端设备控制,影响服务端设备的访问控制权限分享的安全性。However, in the related art, if the activation token is sent to an illegal client device, the server device will be controlled by the illegal client device, which affects the security of access control authority sharing of the server device.
发明内容SUMMARY OF THE INVENTION
本申请实施例提供了一种物联网中的权限配置方法、装置、设备及存储介质。所述技术方案如下:Embodiments of the present application provide a method, apparatus, device, and storage medium for rights configuration in the Internet of Things. The technical solution is as follows:
一方面,本申请实施例提供了一种物联网中的权限配置方法,所述方法由第一客户端设备执行,所述第一客户端设备具有服务端设备的管理权限;所述方法包括:On the one hand, an embodiment of the present application provides a method for configuring rights in the Internet of Things, where the method is executed by a first client device, and the first client device has management rights of a server device; the method includes:
向第二客户端设备发送第一校验请求,所述第一校验请求中包含第一随机值;sending a first verification request to the second client device, where the first verification request includes a first random value;
接收所述第二客户端设备发送的第一校验信息;所述第一校验信息是基于所述第一随机值生成的;receiving first verification information sent by the second client device; the first verification information is generated based on the first random value;
对所述第一校验信息进行校验;verifying the first verification information;
当所述第一校验信息通过校验时,通过配置触发信息触发所述服务端设备向所述第二客户端设备开放权限。When the first verification information passes the verification, triggering the server device to open permissions to the second client device by configuring trigger information.
一方面,本申请实施例提供了一种物联网中的权限配置方法,所述方法由第二客户端设备执行,所述方法包括:On the one hand, an embodiment of the present application provides a method for configuring rights in the Internet of Things, the method is executed by a second client device, and the method includes:
接收第一客户端设备发送的第一校验请求,所述第一校验请求中包含第一随机值;所述第一客户端设备具有服务端设备的管理权限;receiving a first verification request sent by a first client device, where the first verification request includes a first random value; the first client device has the management authority of the server device;
向所述第一客户端设备发送第一校验信息,以便所述第一客户端设备对所述第一校验信息校验通过后,通过配置触发信息触发所述服务端设备向所述第二客户端设备开放权限;所述第一校验信息是基于所述第一随机值生成的。Send the first verification information to the first client device, so that after the first client device passes the verification of the first verification information, trigger the server device to send the first verification information to the first client device by configuring the trigger information. Two client devices open permissions; the first verification information is generated based on the first random value.
一方面,本申请实施例提供了一种物联网中的权限配置方法,所述方法由服务端设备执行,所述方法包括:On the one hand, an embodiment of the present application provides a method for configuring rights in the Internet of Things, the method is executed by a server device, and the method includes:
接收第一客户端设备发送的配置触发信息;所述配置触发信息是所述第一客户端设备向第二客户端设备发送包含第一随机值的第一校验请求,接收所述第二客户端设备发送的第一校验信息,并对所述第一校验信息校验通过后发送的;所述第一校验信息是基于所述第一随机值生成的;Receive configuration trigger information sent by a first client device; the configuration trigger information is that the first client device sends a first verification request containing a first random value to a second client device, and receives the second client device The first verification information sent by the terminal device, and sent after the verification of the first verification information is passed; the first verification information is generated based on the first random value;
根据所述配置触发信息,向所述第二客户端设备开放权限。According to the configuration trigger information, the permission is opened to the second client device.
另一方面,本申请实施例提供了一种物联网中的权限配置装置,所述装置用于第一客户端设备中,所述第一客户端设备具有服务端设备的管理权限;所述装置包括:On the other hand, an embodiment of the present application provides an apparatus for configuring rights in the Internet of Things, the apparatus is used in a first client device, and the first client device has management rights of a server device; the apparatus include:
第一校验请求发送模块,用于向第二客户端设备发送第一校验请求,所述第一校验请求中包含第一随机值;a first verification request sending module, configured to send a first verification request to the second client device, where the first verification request includes a first random value;
第一校验信息接收模块,用于接收所述第二客户端设备发送的第一校验信息;所述第一校验信息是基于所述第一随机值生成的;a first verification information receiving module, configured to receive the first verification information sent by the second client device; the first verification information is generated based on the first random value;
第一校验模块,用于对所述第一校验信息进行校验;a first verification module, configured to verify the first verification information;
配置触发模块,用于当所述第一校验信息通过校验时,通过配置触发信息触发所述服务端设备向所述第二客户端设备开放权限。A configuration triggering module is configured to trigger the server device to open permissions to the second client device through the configuration trigger information when the first verification information passes the verification.
另一方面,本申请实施例提供了一种物联网中的权限配置装置,所述装置用于第二客户端设备中,所述装置包括:On the other hand, an embodiment of the present application provides an apparatus for configuring rights in the Internet of Things, where the apparatus is used in a second client device, and the apparatus includes:
第一校验请求接收模块,用于接收第一客户端设备发送的第一校验请求,所述第一校验请求中包含第一随机值;所述第一客户端设备具有服务端设备的管理权限;A first verification request receiving module, configured to receive a first verification request sent by a first client device, where the first verification request includes a first random value; the first client device has the administrative rights;
第一校验信息发送模块,用于向所述第一客户端设备发送第一校验信息,以便所述第一客户端设备对 所述第一校验信息校验通过后,通过配置触发信息触发所述服务端设备向所述第二客户端设备开放权限;所述第一校验信息是基于所述第一随机值生成的。A first verification information sending module, configured to send first verification information to the first client device, so that the first client device can configure trigger information after passing the verification of the first verification information triggering the server device to open permissions to the second client device; the first verification information is generated based on the first random value.
另一方面,本申请实施例提供了一种物联网中的权限配置装置,所述装置用于服务端设备中,所述装置包括:On the other hand, an embodiment of the present application provides an apparatus for configuring permissions in the Internet of Things, where the apparatus is used in a server device, and the apparatus includes:
配置触发信息接收模块,用于接收第一客户端设备发送的配置触发信息;所述配置触发信息是所述第一客户端设备向第二客户端设备发送包含第一随机值的第一校验请求,接收所述第二客户端设备发送的第一校验信息,并对所述第一校验信息校验通过后发送的;所述第一校验信息是基于所述第一随机值生成的;a configuration trigger information receiving module, configured to receive the configuration trigger information sent by the first client device; the configuration trigger information is that the first client device sends a first check containing a first random value to the second client device request, receive the first verification information sent by the second client device, and send the first verification information after passing the verification; the first verification information is generated based on the first random value of;
权限开放模块,用于根据所述配置触发信息,向所述第二客户端设备开放权限。A rights opening module, configured to open rights to the second client device according to the configuration trigger information.
再一方面,本申请实施例提供了一种物联网设备,所述物联网设备包括处理器、存储器和收发器,所述存储器存储有计算机程序,所述计算机程序用于被所述处理器执行,以实现上述物联网中的权限配置方法。In another aspect, an embodiment of the present application provides an IoT device, the IoT device includes a processor, a memory, and a transceiver, the memory stores a computer program, and the computer program is configured to be executed by the processor , in order to realize the above-mentioned permission configuration method in the Internet of Things.
又一方面,本申请实施例还提供了一种计算机可读存储介质,所述存储介质中存储有计算机程序,所述计算机程序由处理器加载并执行以实现上述物联网中的权限配置方法。In another aspect, an embodiment of the present application further provides a computer-readable storage medium, where a computer program is stored in the storage medium, and the computer program is loaded and executed by a processor to implement the above method for configuring rights in the Internet of Things.
又一方面,本申请还提供了一种芯片,所述芯片用于在物联网设备中运行,以使得所述物联网设备执行上述物联网中的权限配置方法。In another aspect, the present application also provides a chip, which is used to run in an IoT device, so that the IoT device executes the above-mentioned permission configuration method in the IoT.
又一方面,本申请提供了一种计算机程序产品,该计算机程序产品包括计算机指令,该计算机指令存储在计算机可读存储介质中。物联网设备的处理器从计算机可读存储介质读取该计算机指令,处理器执行该计算机指令,使得该物联网设备执行上述物联网中的权限配置方法。In yet another aspect, the present application provides a computer program product comprising computer instructions stored in a computer-readable storage medium. The processor of the Internet of Things device reads the computer instructions from the computer-readable storage medium, and the processor executes the computer instructions, so that the Internet of Things device executes the above-mentioned permission configuration method in the Internet of Things.
又一方面,本申请提供了一种计算机程序,该计算机程序由物联网设备的处理器执行,以实现上述物联网中的权限配置方法。In another aspect, the present application provides a computer program, the computer program being executed by a processor of an Internet of Things device, so as to implement the above method for configuring rights in the Internet of Things.
本申请实施例提供的技术方案可以带来如下有益效果:The technical solutions provided in the embodiments of the present application can bring the following beneficial effects:
第一客户端设备向第二客户端设备分享服务端设备的权限之前,首先通过第一随机值触发第二客户端设备返回校验信息,然后对校验信息进行校验,以验证第二客户端设备的合法性,当验证第二客户端设备合法后,向第二客户端设备分享对服务端设备的权限,从而可以避免将服务端设备的访问控制权限分享给不合法的客户端设备的情况,提高服务端设备的访问控制权限分享的安全性。Before the first client device shares the authority of the server device with the second client device, it first triggers the second client device to return the verification information through the first random value, and then verifies the verification information to verify the second client The legitimacy of the terminal device, after verifying the legality of the second client device, share the authority of the server device with the second client device, so as to avoid sharing the access control authority of the server device to the illegal client device. situation, improve the security of the access control permission sharing of the server device.
为了更清楚地说明本申请实施例中的技术方案,下面将对实施例描述中所需要使用的附图作简单地介绍,显而易见地,下面描述中的附图仅仅是本申请的一些实施例,对于本领域普通技术人员来讲,在不付出创造性劳动的前提下,还可以根据这些附图获得其他的附图。In order to illustrate the technical solutions in the embodiments of the present application more clearly, the following briefly introduces the drawings that are used in the description of the embodiments. Obviously, the drawings in the following description are only some embodiments of the present application. For those of ordinary skill in the art, other drawings can also be obtained from these drawings without creative effort.
图1是本申请一个实施例提供的物联网的网络架构的示意图;1 is a schematic diagram of a network architecture of the Internet of Things provided by an embodiment of the present application;
图2是本申请一个实施例提供的物联网中的权限配置方法的流程图;2 is a flowchart of a method for configuring rights in the Internet of Things provided by an embodiment of the present application;
图3是本申请一个实施例提供的物联网中的权限配置方法的流程图;3 is a flowchart of a method for configuring rights in the Internet of Things provided by an embodiment of the present application;
图4是图3所示实施例涉及的服务端设备的权限分享流程示意图;FIG. 4 is a schematic diagram of a permission sharing process flow of the server device involved in the embodiment shown in FIG. 3;
图5是图3所示实施例涉及的服务端设备的权限分享流程示意图;FIG. 5 is a schematic diagram of a rights sharing process flow of the server device involved in the embodiment shown in FIG. 3;
图6是本申请一个实施例提供的物联网中的权限配置方法的流程图;6 is a flowchart of a method for configuring rights in the Internet of Things provided by an embodiment of the present application;
图7是图6所示实施例涉及的服务端设备的权限分享流程示意图;Fig. 7 is a schematic diagram of a permission sharing process flow of the server device involved in the embodiment shown in Fig. 6;
图8是本申请一个实施例提供的物联网中的权限配置装置的框图;8 is a block diagram of an apparatus for configuring rights in the Internet of Things provided by an embodiment of the present application;
图9是本申请一个实施例提供的物联网中的权限配置装置的框图;9 is a block diagram of an apparatus for configuring rights in the Internet of Things provided by an embodiment of the present application;
图10是本申请一个实施例提供的物联网中的权限配置装置的框图;10 is a block diagram of an apparatus for configuring permissions in the Internet of Things provided by an embodiment of the present application;
图11是本申请一个实施例提供的物联网设备的结构示意图。FIG. 11 is a schematic structural diagram of an Internet of Things device provided by an embodiment of the present application.
为使本申请的目的、技术方案和优点更加清楚,下面将结合附图对本申请实施方式作进一步地详细描述。In order to make the objectives, technical solutions and advantages of the present application clearer, the embodiments of the present application will be further described in detail below with reference to the accompanying drawings.
本申请实施例描述的网络架构以及业务场景是为了更加清楚地说明本申请实施例的技术方案,并不构成对本申请实施例提供的技术方案的限定,本领域普通技术人员可知,随着网络架构的演变和新业务场景的出现,本申请实施例提供的技术方案对于类似的技术问题,同样适用。The network architecture and service scenarios described in the embodiments of the present application are for the purpose of illustrating the technical solutions of the embodiments of the present application more clearly, and do not constitute a limitation on the technical solutions provided by the embodiments of the present application. The evolution of new business scenarios and the emergence of new business scenarios, the technical solutions provided in the embodiments of the present application are also applicable to similar technical problems.
请参考图1,其示出了本申请一个实施例提供的物联网的网络架构的示意图。该物联网的网络架构可以包括:服务端设备110、至少两个客户端设备120;可选的,该网络架构还可以包括网关设备130、云端服务器140等等;Please refer to FIG. 1 , which shows a schematic diagram of a network architecture of the Internet of Things provided by an embodiment of the present application. The network architecture of the Internet of Things may include: a server device 110 and at least two client devices 120; optionally, the network architecture may further include a gateway device 130, a cloud server 140, and the like;
服务端设备110可以是用于提供物联网功能服务的设备。The server device 110 may be a device for providing Internet of Things functional services.
比如,服务端设备110可以是智能家居设备,例如,智能灯具、智能电视、智能空调、智能冰箱、智能微波炉、智能电饭煲、扫地机器人等等。For example, the server device 110 may be a smart home device, for example, a smart lamp, a smart TV, a smart air conditioner, a smart refrigerator, a smart microwave oven, a smart rice cooker, a cleaning robot, and the like.
或者,服务端设备110可以是工业生产设备,例如,车床、工业机器人、太阳能面板、风力发电机等等。Alternatively, the server device 110 may be an industrial production device such as a lathe, an industrial robot, a solar panel, a wind turbine, and the like.
或者,服务端设备110可以是商业服务设备,例如,无人售货机等等。Alternatively, the server device 110 may be a commercial service device, such as a vending machine or the like.
或者,服务端设备110可以是智能监控设备,例如,监控摄像头、红外传感器、声音传感器、温度传感器等等。Alternatively, the server device 110 may be an intelligent monitoring device, such as a monitoring camera, an infrared sensor, a sound sensor, a temperature sensor, and the like.
在一种可能的实现方式中,客户端设备120是用户侧的终端设备。比如,客户端设备可以是智能手机、平板电脑、智能手表等等;或者,客户端设备也可以是个人电脑,比如台式电脑、便携式计算机、个人工作站等等。In a possible implementation manner, the client device 120 is a terminal device on the user side. For example, the client device may be a smart phone, a tablet computer, a smart watch, etc.; or, the client device may also be a personal computer, such as a desktop computer, a laptop computer, a personal workstation, and the like.
在另一种可能的实现方式中,客户端设备120是基于终端设备运行的客户端实体(可以是虚拟实体),例如,客户端设备120可以是运行在终端设备中,用于对服务端设备进行访问、控制、以及管理等操作的应用程序(Application,APP)。In another possible implementation manner, the client device 120 is a client entity (which may be a virtual entity) running based on the terminal device. An application (Application, APP) that performs operations such as access, control, and management.
在至少两个客户端设备120中,存在至少一个客户端设备120具有服务端设备110的管理权限。Among the at least two client devices 120 , at least one client device 120 has the management authority of the server device 110 .
网关设备130是在网络层以上实现网络互连的网络设备,又称网间连接器、协议转换器等等。网关设备130为服务端设备110提供网络连接服务。The gateway device 130 is a network device that realizes network interconnection above the network layer, and is also called an internet connection, a protocol converter, and the like. The gateway device 130 provides network connection services for the server device 110 .
网关设备130可以是专业的网关,比如家庭网关,或者,网关设备130也可以是具有网关功能的接入设备,比如,具有网关功能的路由器。The gateway device 130 may be a professional gateway, such as a home gateway, or the gateway device 130 may also be an access device with a gateway function, such as a router with a gateway function.
云端服务器140是部署在网络侧的服务器。The cloud server 140 is a server deployed on the network side.
在本申请实施例中,上述服务端设备110、客户端设备120、网关设备130、云端服务器140可以是满足业内规范的物联网设备,比如,可以是满足开放连接基金会(Open Connectivity Foundation,OCF)规范的物联网设备。In this embodiment of the present application, the above-mentioned server device 110, client device 120, gateway device 130, and cloud server 140 may be IoT devices that meet industry standards, for example, may be IoT devices that meet the requirements of the Open Connectivity Foundation (OCF). ) specification for IoT devices.
服务端设备110与网关设备130之间通过有线或者无线网络相连,云端服务器140分别与网关设备130和客户端设备120之间通过有线或者无线网络相连。The server device 110 and the gateway device 130 are connected through a wired or wireless network, and the cloud server 140 is respectively connected with the gateway device 130 and the client device 120 through a wired or wireless network.
可选的,上述的有线或者无线网络使用标准通信技术和/或协议。比如,上述有线或者无线网络可以是基于物联网IoT协议的通信网络。Optionally, the above wired or wireless network uses standard communication technologies and/or protocols. For example, the above wired or wireless network may be a communication network based on the IoT protocol of the Internet of Things.
在物联网中,不同的客户端设备可能处于不同的互联网生态环境(Ecosystem)。例如,以智能家居场景的物联网为例,智能家居的生态环境是指具有相同的信任中心,能够互联互通的设备集合;比如厂商A的互联网生态环境中的设备通过厂商A的平台发放证书,设备间的证书可以互通,以进行设备控制;厂商A的互联网生态环境中的设备通过厂商A的平台发放证书。但具有厂商A的平台的证书的设备,与具有厂商B的平台的证书的设备,即使连接到同一个局域网中也不能互通,即两者属于不同的互联网生态环境。In the Internet of Things, different client devices may be in different Internet Ecosystems. For example, taking the Internet of Things in a smart home scenario as an example, the ecological environment of a smart home refers to a collection of devices that have the same trust center and can communicate with each other; Certificates between devices can be exchanged for device control; devices in manufacturer A's Internet ecological environment issue certificates through manufacturer A's platform. However, the device with the certificate of the platform of manufacturer A and the device with the certificate of the platform of manufacturer B cannot communicate with each other even if they are connected to the same local area network, that is, the two belong to different Internet ecological environments.
以属于不同的互联网生态环境的两个客户端设备之间分享对服务端设备的访问控制权限为例,该过程可以如下:Taking the sharing of access control rights to the server device between two client devices belonging to different Internet ecological environments as an example, the process can be as follows:
S1,用户爱丽丝(Alice)触发开启灯具设备(Bulb)的配置模式。S1, user Alice (Alice) triggers to turn on the configuration mode of the lamp device (Bulb).
S2,爱丽丝的智能手机中安装的APP,即A生态的APP产生激活令牌(Onboarding Token,OT)。S2, the APP installed in Alice's smartphone, that is, the APP of the A ecology generates an activation token (Onboarding Token, OT).
S3,A生态APP向Bulb发送开启配置的指令,指令携带激活令牌OT。S3, A ecological APP sends an instruction to enable configuration to Bulb, and the instruction carries the activation token OT.
S4,Bulb收到指令后,进入到配置发现模式。S4, after receiving the instruction, Bulb enters the configuration discovery mode.
S5,A生态APP通过邮件、语音等带外方式将OT分享给鲍勃的智能手机中安装的应用程序,即B生态APP。S5, A ecological APP shares OT to the application installed in Bob's smartphone, namely B ecological APP, through out-of-band methods such as email and voice.
S6,B生态APP发现Bulb,使用OT建立安全连接,并认证Bulb的认证声明(Certification Declaration,CD)。S6, B ecological APP discovers Bulb, uses OT to establish a secure connection, and certifies Bulb's Certification Declaration (CD).
S7,若B生态未在家庭网络中使用过,则B生态APP为家庭网络创建结构标识(fabricID)。S7, if the B ecology has not been used in the home network, the B ecology APP creates a fabric ID (fabricID) for the home network.
S8,Bulb向B生态APP发送证书签名请求(Certificate Signing Request,CSR),记为CSR.bulb。S8, Bulb sends a certificate signing request (Certificate Signing Request, CSR) to B ecological APP, which is recorded as CSR.bulb.
S9,B生态APP将CSR.bulb和fabricID发送到B生态的认证中心(Certificate Authority,CA)请求设备证书。S9, the B ecological APP sends the CSR.bulb and fabricID to the B ecological certification center (Certificate Authority, CA) to request the device certificate.
S10,B生态CA认证后,产生设备证书B.OC.bulb,并返回给B生态APP。设备证书也称为设备操作凭证(Operational Credential,OC)。S10, after the B ecological CA certification, the device certificate B.OC.bulb is generated and returned to the B ecological APP. The device certificate is also called the device operation credential (Operational Credential, OC).
S11,B生态APP将设备证书B.OC.bulb和访问控制权限ACL.Bulb.B.APP1配置到Bulb。也就是,将ACL.Bulb.B.APP1添加到Bulb的访问控制列表(Access Control List,ACL)。S11, the B ecological APP configures the device certificate B.OC.bulb and the access control authority ACL.Bulb.B.APP1 to the Bulb. That is, add ACL.Bulb.B.APP1 to Bulb's Access Control List (ACL).
在上述方案中,A生态APP通过带外机制将OT分享给B生态APP,但无法保证B生态APP具有合法的身份,可能引入非法控制设备。此外,上述方案也无法保证B生态APP使用OT配置被控设备,而不是将OT进一步分享给C生态APP,或者,也可能发生B生态APP没有及时配置设备而导致OT泄露的 情况。In the above scheme, A ecological APP shares OT to B ecological APP through an out-of-band mechanism, but there is no guarantee that B ecological APP has a legal identity, and illegal control equipment may be introduced. In addition, the above solutions cannot guarantee that the B ecological APP uses the OT to configure the controlled device, instead of further sharing the OT with the C ecological APP, or it may happen that the B ecological APP does not configure the device in time, resulting in the leakage of the OT.
请参考图2,其示出了本申请一个实施例提供的物联网中的权限配置方法的流程图,该方法可以由第一客户端设备、第二客户端设备以及服务端设备之间交互执行,比如,该第一客户端设备和第二客户端设备可以是图1所示的网络架构的客户端设备120,服务端设备可以是图1所示的网络架构的服务端设备110;该方法可以包括如下几个步骤:Please refer to FIG. 2 , which shows a flowchart of a method for configuring rights in the Internet of Things provided by an embodiment of the present application. The method can be executed interactively between a first client device, a second client device, and a server device. For example, the first client device and the second client device may be the client device 120 of the network architecture shown in FIG. 1, and the server device may be the server device 110 of the network architecture shown in FIG. 1; the method It can include the following steps:
步骤201,第一客户端设备向第二客户端设备发送第一校验请求,该第一校验请求中包含第一随机值;相应的,第二客户端设备接收该第一随机值。Step 201, the first client device sends a first verification request to the second client device, where the first verification request includes a first random value; correspondingly, the second client device receives the first random value.
在一种可能的实现方式中,该第一客户端设备可以是具有服务端设备的管理权限的客户端设备。In a possible implementation manner, the first client device may be a client device having the management authority of the server device.
步骤202,第二客户端设备向第一客户端设备发送第一校验信息,该第一校验信息是基于第一随机值生成的。Step 202, the second client device sends first verification information to the first client device, where the first verification information is generated based on the first random value.
步骤203,第一客户端设备对第一校验信息进行校验。Step 203, the first client device verifies the first verification information.
步骤204,当第一校验信息通过校验时,第一客户端设备通过配置触发信息触发服务端设备向第二客户端设备开放权限。Step 204 , when the first verification information passes the verification, the first client device triggers the server device to open the authority to the second client device by configuring the trigger information.
步骤205,服务端设备接收第一客户端设备发送的配置触发信息,并根据配置触发信息,向第二客户端设备开放权限。Step 205: The server device receives the configuration trigger information sent by the first client device, and opens the authority to the second client device according to the configuration trigger information.
综上所述,在本申请实施例中,第一客户端设备向第二客户端设备分享服务端设备的权限之前,首先通过第一随机值触发第二客户端设备返回校验信息,然后对校验信息进行校验,以验证第二客户端设备的合法性,当验证第二客户端设备合法后,向第二客户端设备分享对服务端设备的权限,从而可以避免将服务端设备的访问控制权限分享给不合法的客户端设备的情况,提高服务端设备的访问控制权限分享的安全性。To sum up, in this embodiment of the present application, before the first client device shares the authority of the server device with the second client device, it first triggers the second client device to return the verification information through the first random value, and then The verification information is verified to verify the legitimacy of the second client device. After verifying that the second client device is legal, the authority to the server device is shared with the second client device, thereby avoiding When the access control authority is shared with illegal client devices, the security of the access control authority sharing of the server device is improved.
在本申请上述图2所示实施例公开的方案中,可以为第一客户端设备提供对第二客户端设备的根证书进行合法性验证的渠道。In the solution disclosed in the above-mentioned embodiment shown in FIG. 2 of the present application, a channel for validating the root certificate of the second client device can be provided for the first client device.
请参考图3,其示出了本申请一个实施例提供的物联网中的权限配置方法的流程图,该方法可以由第一客户端设备、第二客户端设备以及服务端设备之间交互执行,比如,该第一客户端设备和第二客户端设备可以是图1所示的网络架构的客户端设备120,服务端设备可以是图1所示的网络架构的服务端设备110;该方法可以包括如下几个步骤:Please refer to FIG. 3 , which shows a flowchart of a method for configuring rights in the Internet of Things provided by an embodiment of the present application. The method can be executed interactively between a first client device, a second client device, and a server device. For example, the first client device and the second client device may be the client device 120 of the network architecture shown in FIG. 1, and the server device may be the server device 110 of the network architecture shown in FIG. 1; the method It can include the following steps:
步骤301,第一客户端设备和第二客户端设备之间建立第一安全连接。Step 301: Establish a first secure connection between the first client device and the second client device.
在本申请实施例中,第一客户端设备将服务端设备的访问控制权限分享给第二客户端设备之前,可以先建立与第二客户端设备之间的安全连接。In this embodiment of the present application, before the first client device shares the access control authority of the server device to the second client device, a secure connection with the second client device may be established first.
在一种可能的实现方式中,第一客户端设备和第二客户端设备之间可以建立直接的安全连接。In a possible implementation manner, a direct secure connection may be established between the first client device and the second client device.
例如,第二客户端设备可以展示二维码,该二维码中携带有该第二客户端设备的连接建立信息;第一客户端设备扫描该第二客户端设备展示的二维码,获得该第二客户端设备的连接建立信息;之后,第一客户端设备和第二客户端设备根据该连接建立信息,建立第一客户端设备与该第二客户端设备之间的第一安全连接。For example, the second client device may display a two-dimensional code, which carries the connection establishment information of the second client device; the first client device scans the two-dimensional code displayed by the second client device to obtain connection establishment information of the second client device; after that, the first client device and the second client device establish a first secure connection between the first client device and the second client device according to the connection establishment information .
在一种可能的实现方式中,第一客户端设备和第二客户端设备之间可以通过云端服务器建立安全连接,比如,通过即时通讯平台的服务器建立安全连接。In a possible implementation manner, a secure connection may be established between the first client device and the second client device through a cloud server, for example, a secure connection may be established through a server of an instant messaging platform.
或者,在另一种可能的实现方式中第一客户端设备和第二客户端设备之间可以通过局域网设备建立安全连接,比如,通过局域网中的路由设备建立安全连接。Alternatively, in another possible implementation manner, a secure connection may be established between the first client device and the second client device through a local area network device, for example, a secure connection may be established through a routing device in the local area network.
在一种可能的实现方式中,该第一客户端设备和该第二客户端设备分别属于不同的物联网生态系统。或者,上述第一客户端设备和第二客户端设备属于同一个物联网生态系统。In a possible implementation manner, the first client device and the second client device belong to different IoT ecosystems respectively. Alternatively, the above-mentioned first client device and the second client device belong to the same IoT ecosystem.
步骤302,第一客户端设备向第二客户端设备发送第一校验请求,第一校验请求中包含第一随机值;相应的,第二客户端设备接收包含第一随机值的第一校验请求。Step 302, the first client device sends a first verification request to the second client device, and the first verification request includes a first random value; correspondingly, the second client device receives the first verification request including the first random value. Verify the request.
在一种可能的实现方式中,该第一客户端设备可以是具有服务端设备的管理权限的客户端设备。In a possible implementation manner, the first client device may be a client device having the management authority of the server device.
在本申请实施例中,第一客户端设备可以通过与第二客户端设备之间的第一安全连接,向第二客户端设备发送包含第一随机值的第一校验请求。In this embodiment of the present application, the first client device may send a first verification request including the first random value to the second client device through the first secure connection with the second client device.
步骤303,第二客户端设备向第一客户端设备发送第一校验信息,相应的,第一客户端设备接收该第一校验信息;该第一校验信息包括第一签名信息、第二客户端设备的第一根证书和第一操作凭证中的至少一种;第一签名信息是通过第二客户端设备的第一私钥对目标数据进行签名得到的;目标数据包括第一随机值;第一操作凭证是通过第一根证书签发的。Step 303, the second client device sends the first verification information to the first client device, and accordingly, the first client device receives the first verification information; the first verification information includes the first signature information, the first verification information, and the first verification information. At least one of the first root certificate and the first operation certificate of the second client device; the first signature information is obtained by signing the target data with the first private key of the second client device; the target data includes a first random Value; the first operational credential is issued through the first root certificate.
在一种可能的实现方式中,该目标数据还包括第一根证书和第一操作凭证中的至少一种。In a possible implementation manner, the target data further includes at least one of a first root certificate and a first operation certificate.
在本申请实施例中,第一客户端设备可以通过第一私钥,对第一随机值(可选还包括第一根证书和/ 或第一操作凭证)进行签名,得到上述第一签名信息。In this embodiment of the present application, the first client device may use the first private key to sign the first random value (optionally including the first root certificate and/or the first operation certificate) to obtain the above-mentioned first signature information .
在一种可能的实现方式中,上述第一私钥可以是第二客户端设备中,用于操作的私钥。In a possible implementation manner, the above-mentioned first private key may be a private key used for operation in the second client device.
在一种可能的实现方式中,第一操作凭证是通过第二客户端设备的第二私钥签发的;其中,该第二私钥可以是第二客户端设备的根证书的私钥。In a possible implementation manner, the first operation credential is issued by a second private key of the second client device; wherein, the second private key may be the private key of the root certificate of the second client device.
在本申请实施例中,第二客户端设备中设置有用于操作的第一私钥和第一公钥,此外,第二客户端设备的根证书还对应有个一对公私钥,即第二私钥和第二公钥。In this embodiment of the present application, the second client device is provided with a first private key and a first public key for operation. In addition, the root certificate of the second client device also corresponds to a pair of public and private keys, namely the second private key and second public key.
第二客户端设备接收到第一客户端设备发送的包含第一随机值的第一校验请求,可以使用第一私钥对目标数据进行签名,例如,第二客户端设备可以对第一随机值进行哈希计算,获得第一随机值的哈希值,然后使用第一私钥对第一随机值的哈希值进行加密,获得第一签名信息。The second client device receives the first verification request containing the first random value sent by the first client device, and can use the first private key to sign the target data. For example, the second client device can verify the first random value. Hash calculation is performed on the value of the first random value to obtain the hash value of the first random value, and then the first private key is used to encrypt the hash value of the first random value to obtain the first signature information.
在一种可能的实现方式中,上述的第一操作凭证可以由第二客户端设备对应的云平台(比如认证中心)基于根证书进行签发。例如第二客户端设备首次打开APP时,可以向对应的云平台申请APP证书(即上述第一操作凭证),由云平台根据根证书为该第二客户端设备签发APP证书。In a possible implementation manner, the above-mentioned first operation credential may be issued by a cloud platform (such as a certification center) corresponding to the second client device based on the root certificate. For example, when the second client device opens the APP for the first time, it can apply for an APP certificate (ie, the above-mentioned first operation certificate) to the corresponding cloud platform, and the cloud platform issues the APP certificate for the second client device according to the root certificate.
以第一校验信息包括第一签名信息、第一根证书和第一操作凭证为例,对第一校验信息进行校验的过程可以参考后续步骤304至306。Taking the first verification information including the first signature information, the first root certificate and the first operation credential as an example, for the process of verifying the first verification information, reference may be made to subsequent steps 304 to 306 .
步骤304,第一客户端设备对该第一根证书进行合法性查询,获得该第一根证书的合法性认证结果。Step 304, the first client device performs a legality query on the first root certificate, and obtains a legality authentication result of the first root certificate.
在一种可能的实现方式中,各物联网生态环境的根证书存放在共同的区块链(Ledger)中。或者,各物联网生态环境的根证书存放在共同的服务器上,服务器采取安全措施使得存放的根证书只能被查询,无法被篡改;或者,各物联网生态环境的根证书存放在各自的服务器上,服务器采取安全措施使得存放的根证书只能被查询,无法被篡改。另一可选方案为,每个客户端设备中的APP都存储各物联网生态环境的根证书,并保证存储的根证书安全防篡改。In a possible implementation, the root certificates of each IoT ecological environment are stored in a common blockchain (Ledger). Alternatively, the root certificates of each IoT ecosystem are stored on a common server, and the server takes security measures so that the stored root certificates can only be queried and cannot be tampered with; or, the root certificates of each IoT ecosystem are stored on their own servers. On the server, the server takes security measures so that the stored root certificate can only be queried and cannot be tampered with. Another optional solution is that the APP in each client device stores the root certificate of each IoT ecological environment, and ensures that the stored root certificate is safe and tamper-proof.
在一种可能的实现方式中,上述对该第一根证书进行合法性查询,获得该第一根证书的合法性认证结果的方式可以包括:In a possible implementation manner, the above-mentioned method of performing a legality query on the first root certificate and obtaining the legality authentication result of the first root certificate may include:
1)向区块链查询该第一根证书,获得该第一根证书的合法性认证结果。1) Query the first root certificate to the blockchain, and obtain the legality authentication result of the first root certificate.
在本申请实施例中,当各物联网生态环境的根证书统一存储在区块链上时,第一客户端设备可以向区块链查询该第一根证书,得到该第一根证书的合法性认证结果。In the embodiment of the present application, when the root certificates of each IoT ecological environment are uniformly stored on the blockchain, the first client device can query the blockchain for the first root certificate to obtain the legality of the first root certificate Sexual certification results.
例如,第一客户端设备可以向区块链发送该第一根证书,由区块链返回第一根证书的合法性认证结果。For example, the first client device may send the first root certificate to the blockchain, and the blockchain returns the validity authentication result of the first root certificate.
2)向预设地址对应的服务器查询该第一根证书,获得该第一根证书的合法性认证结果。2) Querying the server corresponding to the preset address for the first root certificate, and obtaining the validity authentication result of the first root certificate.
在本申请实施例中,当各物联网生态环境的根证书统一存储在服务器中时,第一客户端设备中存储有该服务器的预设地址,第一客户端设备可以根据该预设地址,向该服务器查询第一根证书,获得第一根证书的合法性认证结果。In the embodiment of the present application, when the root certificates of each IoT ecological environment are uniformly stored in the server, the first client device stores the preset address of the server, and the first client device can, according to the preset address, The server is queried for the first root certificate, and the validity authentication result of the first root certificate is obtained.
3)向查询地址对应的服务器查询第一根证书,获得第一根证书的合法性认证结果;其中,该第一校验信息中还包含查询地址。3) Querying the server corresponding to the query address for the first root certificate, and obtaining the validity authentication result of the first root certificate; wherein, the first verification information also includes the query address.
在本申请实施例中,当各物联网生态环境的根证书分别存储在各自的服务器中时,上述第二客户端设备返回的第一校验信息中还携带有第二客户端设备所在的物联网生态环境对应的根证书存储服务器的查询地址,第一客户端设备可以根据该第一校验信息中携带的查询地址,向该服务器查询第一根证书,获得第一根证书的合法性认证结果。In the embodiment of the present application, when the root certificates of each IoT ecological environment are stored in their respective servers, the first verification information returned by the second client device also carries the object where the second client device is located. The query address of the root certificate storage server corresponding to the networking ecological environment. The first client device can query the server for the first root certificate according to the query address carried in the first verification information to obtain the legality authentication of the first root certificate. result.
4)在该第一客户端中查询该第一根证书,获得该第一根证书的合法性认证结果。4) Query the first root certificate in the first client to obtain the validity authentication result of the first root certificate.
在本申请实施例中,若每个客户端设备中的APP都存储各物联网生态环境的根证书,则第一客户端设备可以在本地查询第一根证书,从而得到第一根证书的合法性认证结果,例如,第一客户端设备查询本地是否已经存储有该第一根证书,若是,则确认第一根证书合法,否则,确认第一根证书不合法。In the embodiment of the present application, if the APP in each client device stores the root certificate of each IoT ecological environment, the first client device can query the first root certificate locally, so as to obtain the legality of the first root certificate. For example, the first client device inquires whether the first root certificate has been stored locally, and if so, confirms that the first root certificate is valid, otherwise, confirms that the first root certificate is invalid.
步骤305,当该合法性认证结果指示该第一根证书合法时,第一客户端设备根据该第一根证书对该第一操作凭证进行校验。Step 305, when the validity authentication result indicates that the first root certificate is valid, the first client device verifies the first operation certificate according to the first root certificate.
在一种可能的实现方式中,上述根据该第一根证书对该第一操作凭证进行校验的步骤可以包括:In a possible implementation manner, the above-mentioned step of verifying the first operation credential according to the first root certificate may include:
根据该第一根证书中携带的,该第二客户端设备的第二公钥,对该第一操作凭证进行校验。The first operation credential is verified according to the second public key of the second client device carried in the first root certificate.
在本申请实施例中,上述第一根证书中可以包含第二客户端设备的根证书的公钥(即上述第二公钥),第一客户端设备在确认第一根证书合法后,可以从第一根证书中获取第二公钥,并使用第二公钥对第一操作凭证进行校验。In this embodiment of the present application, the first root certificate may include the public key of the root certificate of the second client device (that is, the second public key). After confirming that the first root certificate is legal, the first client device may Obtain the second public key from the first root certificate, and use the second public key to verify the first operation credential.
例如,第一客户端设备可以通过第二公钥对APP证书(即第一操作凭证)中的签名进行解密,得到APP证书的哈希值,另外第一客户端设备用相同的哈希算法对去掉签名的APP证书做哈希,得到哈希值,然后,比较上述两个哈希值,若相同,则确定第一操作凭证校验通过,否则确定第一操作凭证校验不通过。For example, the first client device can decrypt the signature in the APP certificate (that is, the first operation certificate) by using the second public key to obtain the hash value of the APP certificate. In addition, the first client device uses the same hash algorithm to Hash the signed APP certificate to obtain a hash value, and then compare the above two hash values. If they are the same, it is determined that the verification of the first operation credential passes, otherwise, it is determined that the verification of the first operation credential fails.
步骤306,当该第一操作凭证通过校验时,第一客户端设备根据该第一操作凭证对该第一签名信息进行校验。Step 306, when the first operation credential passes the verification, the first client device verifies the first signature information according to the first operation credential.
在一种可能的实现方式中,上述根据该第一操作凭证对该第一签名信息进行校验的步骤包括:In a possible implementation manner, the above-mentioned step of verifying the first signature information according to the first operation credential includes:
根据该第一操作凭证中携带的,该第二客户端设备的第一公钥,对该第一签名信息进行校验。The first signature information is verified according to the first public key of the second client device carried in the first operation certificate.
在本申请实施例中,上述APP证书中携带有与第一私钥对应的第一公钥(也可以称为APP公钥),第一客户端设备在确认APP证书校验通过后,可以从APP证书中获取第一公钥,然后通过该第一公钥对第一签名信息进行校验。In this embodiment of the present application, the above-mentioned APP certificate carries a first public key (also referred to as an APP public key) corresponding to the first private key. After confirming that the APP certificate has passed the verification, the first client device may The first public key is obtained from the APP certificate, and then the first signature information is verified by using the first public key.
例如,第一客户端设备通过APP公钥对第一签名信息(signature)进行解密,得到第一随机值的哈希值,另外,用相同的哈希算法对第一随机值做哈希,得到哈希值,比较上述两个哈希值,若相同,则确定第一签名信息校验通过,否则确定第一签名信息校验不通过。For example, the first client device decrypts the first signature information (signature) by using the APP public key to obtain a hash value of the first random value, and in addition, uses the same hash algorithm to hash the first random value to obtain Hash value, compare the above two hash values, if they are the same, it is determined that the verification of the first signature information passes, otherwise, it is determined that the verification of the first signature information fails.
在本申请实施例中,当上述步骤306中对第一签名信息校验通过时,可以认为第一校验信息通过校验。In this embodiment of the present application, when the verification of the first signature information in the foregoing step 306 passes, it may be considered that the first verification information has passed the verification.
本申请上述步骤304至步骤306以在第一根证书通过合法性认证后,先后对第一操作凭证和第一签名信息进行验证为例进行说明。The foregoing steps 304 to 306 in this application are described by taking an example of successively verifying the first operation certificate and the first signature information after the first root certificate has passed the validity authentication.
可选的,第一客户端设备也可以在第一根证书通过合法性认证后单独对第一操作凭证或者第一签名信息进行验证;例如,第一客户端设备可以在第一根证书通过合法性认证后,根据第一根证书对第一操作凭证进行校验,或者,直接根据第一根证书对第一操作凭证进行校验,若第一操作凭证通过校验,则认为第一校验信息通过校验;或者,第一客户端设备可以在第一根证书通过合法性认证后,或者,直接根据该第一操作凭证对该第一签名信息进行校验,若对第一签名信息校验通过,可以认为第一校验信息通过校验。Optionally, the first client device may also independently verify the first operation credential or the first signature information after the first root certificate passes the legality authentication; After the authentication, the first operation certificate is verified according to the first root certificate, or the first operation certificate is directly verified according to the first root certificate. If the first operation certificate passes the verification, it is considered that the first verification The information has passed the verification; or, the first client device may verify the first signature information directly according to the first operation credential after the first root certificate has passed the legality verification. If the verification is passed, it can be considered that the first verification information has passed the verification.
可选的,第一客户端设备在第一根证书通过合法性认证后对第一操作凭证和第一签名信息进行验证,或者,直接对第一操作凭证和第一签名信息进行验证,根据两者的验证结果确定第一校验信息是否通过校验。例如,第一客户端设备可以根据第一根证书对第一操作凭证进行校验,同时,根据第一操作凭证对该第一签名信息进行校验,若第一操作凭证通过校验,并且第一签名信息通过校验,则认为第一校验信息通过校验。Optionally, the first client device verifies the first operation credential and the first signature information after the first root certificate passes the validity authentication, or directly verifies the first operation credential and the first signature information. The verification result of the user determines whether the first verification information passes the verification. For example, the first client device may verify the first operation credential according to the first root certificate, and at the same time, verify the first signature information according to the first operation credential. Once the signature information passes the verification, it is considered that the first verification information passes the verification.
步骤307,当第一校验信息通过校验时,第一客户端设备通过配置触发信息触发服务端设备向第二客户端设备开放权限。Step 307 , when the first verification information passes the verification, the first client device triggers the server device to open the authority to the second client device by configuring the trigger information.
在本申请实施例中,当第一校验信息通过校验,第一客户端设备可以通过配置触发信息触发服务端设备和第二客户端设备之间进行配置交互,以使得服务端设备向第二客户端设备开放权限。In this embodiment of the present application, when the first verification information passes the verification, the first client device can trigger configuration interaction between the server device and the second client device through the configuration trigger information, so that the server device can send the 2. Client device open permissions.
步骤308,服务端设备接收第一客户端设备发送的配置触发信息,并根据配置触发信息,向第二客户端设备开放权限。Step 308 , the server device receives the configuration trigger information sent by the first client device, and opens permissions to the second client device according to the configuration trigger information.
在一种可能的实现方式中,第一客户端设备发送配置触发信息时,可以向该第二客户端设备发送第一配置触发信息,并向该服务端设备发送第二配置触发信息;其中,该第一配置触发信息中包含该激活令牌;该第二配置触发信息中包含该激活令牌和该第一操作凭证。In a possible implementation manner, when the first client device sends the configuration trigger information, it may send the first configuration trigger information to the second client device, and send the second configuration trigger information to the server device; wherein, The first configuration trigger information includes the activation token; the second configuration trigger information includes the activation token and the first operation credential.
在本申请实施例中,第一客户端设备可以生成一个激活令牌OT,并基于该激活令牌OT,分别向服务端设备和第二客户端设备发送配置触发信息,以触发服务端设备向第二客户端设备开放权限的过程。在一种可能的实现方式中,该过程可以如下:In this embodiment of the present application, the first client device may generate an activation token OT, and based on the activation token OT, send configuration trigger information to the server device and the second client device respectively, so as to trigger the server device to send the The process of opening permissions by the second client device. In one possible implementation, the process could be as follows:
S308a1,第二客户端设备接收该第一客户端设备发送的第一配置触发信息。S308a1, the second client device receives the first configuration trigger information sent by the first client device.
S308a2,服务端设备接收该第一客户端设备发送的第二配置触发信息。S308a2: The server device receives the second configuration trigger information sent by the first client device.
S308a3,第二客户端设备和服务端设备根据该激活令牌,建立第二客户端设备与该服务端设备之间的第二安全连接。S308a3, the second client device and the server device establish a second secure connection between the second client device and the server device according to the activation token.
S308a4,服务端设备向该第二客户端设备发送第二校验请求,第二校验请求中包含第二随机值,相应的,第二客户端设备接收该服务端设备发送的包含第二随机值的第二校验请求。S308a4, the server device sends a second verification request to the second client device, where the second verification request includes the second random value, and accordingly, the second client device receives the second random value sent by the server device and includes the second random value A second verification request for the value.
其中,服务端设备可以通过上述第二安全连接,向该第二客户端设备发送包含第二随机值的第二校验请求。The server device may send a second verification request including a second random value to the second client device through the above-mentioned second secure connection.
S308a5,第二客户端设备向该服务端设备发送第二校验信息,相应的,服务端设备接收该第二校验信息;该第二校验信息中包含该第一操作凭证以及第四签名信息,该第四签名信息是通过该第一私钥对该第二随机值进行签名得到的。S308a5, the second client device sends second verification information to the server device, and accordingly, the server device receives the second verification information; the second verification information includes the first operation certificate and the fourth signature information, the fourth signature information is obtained by signing the second random value with the first private key.
S308a6,服务端设备根据该第二配置触发信息中包含的该第一操作凭证,对该第二校验信息进行校验。S308a6, the server device verifies the second verification information according to the first operation credential included in the second configuration trigger information.
在一种可能的实现方式中,上述根据该第二配置触发信息中包含的该第一操作凭证,对该第二校验信息进行校验,包括:In a possible implementation manner, the above-mentioned verification of the second verification information according to the first operation credential included in the second configuration trigger information includes:
对该第二配置触发信息中包含的该第一操作凭证,与该第二校验信息包含的该第一操作凭证进行比对;Compare the first operation credential contained in the second configuration trigger information with the first operation credential contained in the second verification information;
当该第二配置触发信息中包含的该第一操作凭证,与该第二校验信息包含的该第一操作凭证一致时,根据该第一操作凭证,对该第二签名信息进行校验。When the first operation certificate included in the second configuration trigger information is consistent with the first operation certificate included in the second verification information, the second signature information is verified according to the first operation certificate.
在本申请实施例中,服务端设备接收到第二校验信息后,可以首先通过第一客户端设备通知的第一操作凭证,对第二校验信息中的第一操作凭证进行比对,若两者一致,再通过第一操作凭证对第二签名信息进行校验。In this embodiment of the present application, after receiving the second verification information, the server device may first compare the first operation certificate in the second verification information by using the first operation certificate notified by the first client device, If the two are consistent, the second signature information is verified through the first operation certificate.
在一种可能的实现方式中,该根据该第一操作凭证,对该第二签名信息进行校验,包括:In a possible implementation manner, the verification of the second signature information according to the first operation credential includes:
根据该第一操作凭证中携带的,该第二客户端设备的第一公钥,对该第二签名信息进行校验。The second signature information is verified according to the first public key of the second client device carried in the first operation certificate.
例如,服务端设备通过APP公钥对第二签名信息进行解密,得到第二随机值的哈希值,另外,用相同的哈希算法对第二随机值做哈希,得到哈希值,比较上述两个哈希值,若相同,则确定第二签名信息校验通过,否则确定第二签名信息校验不通过。For example, the server device decrypts the second signature information through the APP public key to obtain a hash value of the second random value, and in addition, uses the same hash algorithm to hash the second random value to obtain a hash value, and compare If the above two hash values are the same, it is determined that the verification of the second signature information passes, otherwise, it is determined that the verification of the second signature information fails.
当第二签名信息校验通过时,即可以认为第二校验信息通过校验。When the verification of the second signature information passes, it can be considered that the second verification information has passed the verification.
S308a7,当该第二校验信息通过校验后,服务端设备向该第二客户端设备发送证书签名请求,相应的,第二客户端设备接收该服务端设备发送的证书签名请求。S308a7: After the second verification information passes the verification, the server device sends a certificate signing request to the second client device, and correspondingly, the second client device receives the certificate signing request sent by the server device.
其中,服务端设备可以通过上述第二安全连接,向该第二客户端设备发送证书签名请求。The server device may send a certificate signing request to the second client device through the second secure connection.
S308a8,第二客户端设备根据该证书签名请求,在该服务端设备中进行权限配置。S308a8, the second client device performs rights configuration in the server device according to the certificate signing request.
其中,第二客户端设备在服务端设备中进行权限配置的过程可以包括:Wherein, the process of performing rights configuration in the server device by the second client device may include:
将该设备证书请求,以及该服务端设备对应网络的网络标识发送给认证中心设备;Send the device certificate request and the network identifier of the network corresponding to the server device to the authentication center device;
接收该认证中心设备返回的设备证书;Receive the device certificate returned by the certification center device;
将该设备证书、该第一根证书以及访问控制权限信息配置到该服务端设备;Configure the device certificate, the first root certificate and the access control authority information to the server device;
其中,该访问控制权限信息配置在该服务端设备的访问控制列表ACL中,且该访问控制权限信息包括访问控制条目、该访问控制条目对应的可访问数据、有权访问该可访问数据的实体、以及授权的访问方式。The access control authority information is configured in the access control list ACL of the server device, and the access control authority information includes an access control entry, the accessible data corresponding to the access control entry, and an entity that has the right to access the accessible data. , and authorized access methods.
在本申请实施例中的,当第一客户端设备和第二客户端设备属于不同的物联网生态环境时,第二客户端设备需要请求其所在的物联网生态环境中的认证中心分配设备证书,并将设备证书、第一根证书以及访问控制权限信息配置到服务端设备,从而获取对服务端设备的访问控制能力。In this embodiment of the present application, when the first client device and the second client device belong to different IoT ecosystems, the second client device needs to request the authentication center in the IoT ecosystem where it is located to assign a device certificate , and configure the device certificate, the first root certificate and the access control authority information to the server device, so as to obtain the access control capability of the server device.
相应的,服务端设备接收该第二客户端设备配置的设备证书、该第二客户端设备的第一根证书以及访问控制权限信息。Correspondingly, the server device receives the device certificate configured by the second client device, the first root certificate of the second client device, and the access control authority information.
请参考图4,其示出了本申请实施例涉及的一种服务端设备的权限分享流程示意图。如图4所示,设A生态APP是灯具设备Bulb的管理员,其添加B生态APP为Bulb的管理员的流程如下:Please refer to FIG. 4 , which shows a schematic flowchart of a permission sharing process of a server device involved in an embodiment of the present application. As shown in Figure 4, let A ecological APP be the administrator of the lamp device Bulb, and the process of adding B ecological APP as the administrator of Bulb is as follows:
S41,A生态APP向B生态APP发送校验请求,请求中携带随机值nonce(即上述第一随机值)。S41, A ecological APP sends a verification request to B ecological APP, and the request carries a random value nonce (ie, the above-mentioned first random value).
S42,B生态APP用(操作)私钥(即上述第一私钥)签名nonce,将根证书RC.B、APP证书OC.B.APP和签名Signature返回A生态APP。其中,APP证书是由根证书签发的,用于APP与被控设备建立控制连接的证书。S42 , the B ecological APP signs the nonce with the (operational) private key (ie, the above-mentioned first private key), and returns the root certificate RC.B, the APP certificate OC.B.APP and the signature Signature to the A ecological APP. Among them, the APP certificate is issued by the root certificate and is used to establish a control connection between the APP and the controlled device.
S43,A生态APP收到后,向区块链查询RC.B(或者向服务器查询RC.B,如APP存储根证书则向自身查询RC.B),得到RC.B的合法性认证结果。S43, after receiving the ecological APP, A, query RC.B from the blockchain (or query RC.B from the server, if the APP stores the root certificate, query RC.B from itself), and obtain the legality authentication result of RC.B.
S44,A生态APP用RC.B校验OC.B.APP,即用根证书的公钥(即上述第二公钥)验证APP证书OC.B.APP的签名。S44 , the ecological APP of A verifies the OC.B.APP with RC.B, that is, the signature of the APP certificate OC.B.APP is verified with the public key of the root certificate (ie, the above-mentioned second public key).
S45,OC.B.APP通过校验后,A生态APP用OC.B.APP进一步校验签名Signature,即用OC.B.APP中的APP(操作)公钥(即上述第一公钥)验证签名。S45, after OC.B.APP passes the verification, A ecological APP uses OC.B.APP to further verify the signature Signature, that is, using the APP (operation) public key in OC.B.APP (that is, the above-mentioned first public key) Verify signature.
S46,签名通过校验后,A生态APP通知用户Alice,指示该B生态APP是合法的。S46, after the signature is verified, the ecological APP A notifies the user Alice, indicating that the ecological APP B is legal.
S47,用户Alice触发开启设备Bulb的配置模式。S47, the user Alice triggers to start the configuration mode of the device Bulb.
S48,A生态APP产生配置令牌OT。S48, A ecological APP generates a configuration token OT.
S49,A生态APP向Bulb发送开启配置的指令,该指令携带配置令牌OT和OC.B.APP。S49, A ecological APP sends an instruction to enable configuration to Bulb, and the instruction carries the configuration token OT and OC.B.APP.
S410,Bulb收到指令后,进入到配置发现模式。S410, after receiving the instruction, Bulb enters the configuration discovery mode.
S411,A生态APP将OT分享给B生态APP。S411, A ecological APP shares OT to B ecological APP.
S412,B生态APP发现Bulb,使用OT建立安全连接,并认证Bulb的CD。S412, B ecological APP discovers Bulb, uses OT to establish a secure connection, and authenticates Bulb's CD.
S413,Bulb向B生态APP发送校验请求,请求中携带随机值nonce2(即上述第二随机值)。S413, Bulb sends a verification request to the ecological APP B, and the request carries a random value nonce2 (ie, the second random value above).
S414,B生态APP用私钥(第一私钥)签名nonce2,将APP证书OC.B.APP和签名Signature2返回Bulb。S414, the B ecological APP signs the nonce2 with the private key (the first private key), and returns the APP certificate OC.B.APP and the signature Signature2 to Bulb.
S415,Bulb确认接收到的OC.B.APP与前述A生态APP发来的OC.B.APP是否一致。S415, Bulb confirms whether the received OC.B.APP is consistent with the OC.B.APP sent by the aforementioned A ecological APP.
S416,若两者一致,Bulb用OC.B.APP进一步校验签名Signature2,即用OC.B.APP中的APP(操作)公钥验证签名。S416, if the two are consistent, Bulb further verifies the signature Signature2 with OC.B.APP, that is, verifies the signature with the APP (operation) public key in OC.B.APP.
S417,签名Signature2通过校验后,Bulb向B生态APP发送设备证书请求CSR.bulb。S417, after the signature Signature2 passes the verification, Bulb sends the device certificate request CSR.bulb to the B ecological APP.
S418,B生态APP产生fabricID,并将CSR.bulb和fabricID发送到B生态CA请求设备证书,B生态CA认证后,产生设备证书B.OC.bulb返回B生态APP。S418 , the B ecological APP generates a fabricID, and sends CSR.bulb and fabricID to the B ecological CA to request a device certificate. After the B ecological CA authenticates, the device certificate B.OC.bulb is generated and returned to the B ecological APP.
S419,B生态APP将设备证书B.OC.bulb和访问控制权限ACL.Bulb.B.APP1配置到Bulb。S419, the B ecological APP configures the device certificate B.OC.bulb and the access control authority ACL.Bulb.B.APP1 to the Bulb.
在一种可能的实现方式中,第一客户端设备通过配置触发信息触发服务端设备向第二客户端设备开放权限时,向该服务端设备发送第三配置触发信息;该第二配置触发信息中包含该激活令牌和该第二客户端 设备的第一公钥。In a possible implementation manner, when the first client device triggers the server device to open permissions to the second client device through the configuration trigger information, it sends third configuration trigger information to the server device; the second configuration trigger information contains the activation token and the first public key of the second client device.
在本申请实施例中,第一客户端设备也可以基于该激活令牌OT,向服务端设备发送配置触发信息,以触发服务端设备向第二客户端设备开放权限的过程。在一种可能的实现方式中,该过程可以如下:In this embodiment of the present application, the first client device may also send configuration trigger information to the server device based on the activation token OT, so as to trigger the process of the server device opening permissions to the second client device. In one possible implementation, the process could be as follows:
S308b1,服务端设备接收该第一客户端设备发送的第三配置触发信息。S308b1, the server device receives the third configuration trigger information sent by the first client device.
S308b2,服务端设备根据该第一公钥对该激活令牌进行加密,获得加密后该激活令牌。S308b2, the server device encrypts the activation token according to the first public key, and obtains the encrypted activation token.
S308b3,服务端设备向该第二客户端设备发送加密后的该激活令牌相应的,第二客户端设备接收该服务端设备发送的加密后的激活令牌。S308b3, the server device sends the encrypted activation token to the second client device. Correspondingly, the second client device receives the encrypted activation token sent by the server device.
S308b4,第二客户端设备根据第一公钥,对该加密后的该激活令牌进行解密,获得该激活令牌。S308b4, the second client device decrypts the encrypted activation token according to the first public key to obtain the activation token.
S308b5,第二客户端设备和服务端设备根据该激活令牌,建立第二客户端设备与该服务端设备之间的第三安全连接。S308b5, the second client device and the server device establish a third secure connection between the second client device and the server device according to the activation token.
S308b6,服务端设备向该第二客户端设备发送证书签名请求,相应的,第二客户端设备接收该服务端设备发送的证书签名请求。S308b6, the server device sends a certificate signing request to the second client device, and correspondingly, the second client device receives the certificate signing request sent by the server device.
S308a8,第二客户端设备根据该证书签名请求,在该服务端设备中进行权限配置。S308a8, the second client device performs rights configuration in the server device according to the certificate signing request.
请参考图5,其示出了本申请实施例涉及的一种服务端设备的权限分享流程示意图。如图5所示,设A生态APP是Bulb的管理员,其添加B生态APP为Bulb的管理员的流程如下:Please refer to FIG. 5 , which shows a schematic flowchart of a permission sharing process of a server device involved in an embodiment of the present application. As shown in Figure 5, suppose A ecological APP is the administrator of Bulb, and the process of adding B ecological APP as the administrator of Bulb is as follows:
S51,A生态APP向B生态APP发送校验请求,请求中携带随机值nonce。S51, A ecological APP sends a verification request to B ecological APP, and the request carries a random value nonce.
S52,B生态APP用(操作)私钥签名nonce,将根证书RC.B、APP证书OC.B.APP和签名Signature返回A生态APP。其中,APP证书是由根证书签发的,用于APP与被控设备建立控制连接的证书。S52, the B ecological APP signs the nonce with the (operation) private key, and returns the root certificate RC.B, the APP certificate OC.B.APP and the signature Signature to the A ecological APP. Among them, the APP certificate is issued by the root certificate and is used to establish a control connection between the APP and the controlled device.
S53,A生态APP收到后,向区块链查询RC.B,得到RC.B的合法性认证结果。S53, after the ecological APP A receives it, it queries the blockchain for RC.B, and obtains the legality certification result of RC.B.
S54,A生态APP用RC.B校验OC.B.APP,即用根证书的公钥验证APP证书OC.B.APP的签名。S54, A ecological APP uses RC.B to verify OC.B.APP, that is, the signature of the APP certificate OC.B.APP is verified with the public key of the root certificate.
S55,通过后,A生态APP用OC.B.APP进一步校验签名Signature,即用OC.B.APP中的APP(操作)公钥验证签名。S55, after passing, the ecological APP of A uses OC.B.APP to further verify the signature Signature, that is, to verify the signature with the APP (operation) public key in OC.B.APP.
S56,通过后,A生态APP通知用户Alice B生态APP是合法的。S56, after passing, the ecological APP A informs the user Alice that the ecological APP is legal.
S57,用户Alice触发开启设备Bulb的配置模式。S57, the user Alice triggers to start the configuration mode of the device Bulb.
S58,A生态APP产生配置令牌OT。S58, A ecological APP generates a configuration token OT.
S59,A生态APP向Bulb发送开启配置的指令,指令携带配置令牌OT和B生态APP的(操作)公钥PuK.B.APP。S59, A ecological APP sends an instruction to enable configuration to Bulb, and the instruction carries the configuration token OT and the (operational) public key PuK.B.APP of B ecological APP.
S510,B生态APP发现Bulb,建立连接,开始安全协商。S510, B ecological APP discovers Bulb, establishes a connection, and starts security negotiation.
S511,Bulb用B生态APP的(操作)公钥PuK.B.APP加密OT,发送给B生态APP。S511, Bulb encrypts OT with the (operation) public key PuK.B.APP of B ecological APP, and sends it to B ecological APP.
S512,B生态APP用(操作)私钥解密得到OT,双方用OT建立安全连接。S512, B ecological APP decrypts the (operation) private key to obtain OT, and both parties use OT to establish a secure connection.
S513,B生态APP认证Bulb的CD,通过后,产生fabricID。S513, B ecological APP authenticates Bulb's CD, after passing, the fabricID is generated.
S514,Bulb向B生态APP发送设备证书请求CSR.bulb。S514, Bulb sends a device certificate request CSR.bulb to B ecological APP.
S515,B生态APP将CSR.bulb和fabricID发送到B生态CA,以请求设备证书,B生态CA认证后,产生设备证书B.OC.bulb返回B生态APP。S515, B ecological APP sends CSR.bulb and fabricID to B ecological CA to request a device certificate. After B ecological CA certification, the device certificate B.OC.bulb is generated and returned to B ecological APP.
S516,B生态APP将设备证书B.OC.bulb,以及访问控制权限ACL.Bulb.B.APP1配置到Bulb。S516, the B ecological APP configures the device certificate B.OC.bulb and the access control authority ACL.Bulb.B.APP1 to the Bulb.
综上所述,在本申请实施例中,第一客户端设备向第二客户端设备分享服务端设备的权限之前,首先通过第一随机值触发第二客户端设备返回校验信息,然后对校验信息进行校验,以验证第二客户端设备的合法性,当验证第二客户端设备合法后,向第二客户端设备分享对服务端设备的权限,从而可以避免将服务端设备的访问控制权限分享给不合法的客户端设备的情况,提高服务端设备的访问控制权限分享的安全性。To sum up, in this embodiment of the present application, before the first client device shares the authority of the server device with the second client device, it first triggers the second client device to return the verification information through the first random value, and then The verification information is verified to verify the legitimacy of the second client device. After verifying that the second client device is legal, the authority to the server device is shared with the second client device, thereby avoiding When the access control authority is shared with illegal client devices, the security of the access control authority sharing of the server device is improved.
在本申请上述图2所示实施例公开的方案中,可以通过统一的平台为第一客户端设备和第二客户端设备统一认证并分别颁发认证信息。In the solution disclosed in the above-mentioned embodiment shown in FIG. 2 of the present application, the first client device and the second client device may be uniformly authenticated through a unified platform, and authentication information may be issued respectively.
请参考图6,其示出了本申请一个实施例提供的物联网中的权限配置方法的流程图,该方法可以由第一客户端设备、第二客户端设备以及服务端设备之间交互执行,比如,该第一客户端设备和第二客户端设备可以是图1所示的网络架构的客户端设备120,服务端设备可以是图1所示的网络架构的服务端设备110;该方法可以包括如下几个步骤:Please refer to FIG. 6 , which shows a flowchart of a method for configuring rights in the Internet of Things provided by an embodiment of the present application. The method can be executed interactively between a first client device, a second client device, and a server device. For example, the first client device and the second client device may be the client device 120 of the network architecture shown in FIG. 1, and the server device may be the server device 110 of the network architecture shown in FIG. 1; the method It can include the following steps:
步骤601,第一客户端设备和第二客户端设备之间建立第一安全连接。Step 601: Establish a first secure connection between the first client device and the second client device.
在一种可能的实现方式中,各物联网生态环境的APP都有一对用于认证的公私钥以及一对用于操作的公私钥。经过统一认证平台的认证后,各物联网生态环境的APP获得对应颁发的认证证书DAC.B.APP和/或认证声明CD.B.APP。DAC.B.APP中包含用于认证的公钥(即后续的第二公钥)。DAC.B.APP或者CD.B.APP可用于认证APP的合法性。In a possible implementation manner, the APP of each IoT ecological environment has a pair of public and private keys for authentication and a pair of public and private keys for operation. After being certified by the unified certification platform, the APP of each IoT ecological environment will obtain the corresponding certification certificate DAC.B.APP and/or certification statement CD.B.APP. DAC.B.APP contains the public key used for authentication (ie, the subsequent second public key). DAC.B.APP or CD.B.APP can be used to verify the legitimacy of the APP.
步骤602,第一客户端设备向第二客户端设备发送第一校验请求,该第一校验请求中包含第一随机值; 相应的,第二客户端设备接收包含该第一随机值的第一校验请求。Step 602, the first client device sends a first verification request to the second client device, where the first verification request includes a first random value; correspondingly, the second client device receives a verification request including the first random value. The first verification request.
其中,上述步骤601和步骤602的实现过程可以参考上述图3所示实施例中的步骤301和步骤302的实现过程,此处不再赘述。For the implementation process of the above steps 601 and 602, reference may be made to the implementation process of the steps 301 and 302 in the embodiment shown in FIG. 3 , which will not be repeated here.
步骤603,第二客户端设备向第一客户端设备发送第一校验信息,相应的,第一客户端设备接收该第一校验信息;该第一校验信息包括该第二客户端设备的第一根证书、第一操作凭证、第一认证信息、第二签名信息和第三签名信息;该第一操作凭证是通过该第一根证书签发的;该第一认证信息是由统一认证平台对该第二客户端设备进行认证后颁发的,该统一认证平台用于对该第一客户端设备和该第二客户端设备进行认证;该第二签名信息是通过该第二客户端的第一私钥对该第一根证书、该第一操作凭证、该统一认证信息进行签名得到的;该第三签名是通过该第二客户端的第二私钥对该第一根证书、该第一操作凭证、该统一认证信息、该第二签名信息进行签名得到的。Step 603, the second client device sends first verification information to the first client device, and accordingly, the first client device receives the first verification information; the first verification information includes the second client device The first root certificate, the first operation certificate, the first authentication information, the second signature information and the third signature information; the first operation certificate is issued by the first root certificate; the first authentication information is issued by the unified authentication The platform is issued after the second client device is authenticated, and the unified authentication platform is used to authenticate the first client device and the second client device; the second signature information is passed through the second client device. A private key is obtained by signing the first root certificate, the first operation certificate, and the unified authentication information; the third signature is obtained by signing the first root certificate, the first root certificate, the first The operation certificate, the unified authentication information, and the second signature information are obtained by signing.
在一种可能的实现方式中,上述第一私钥可以是第二客户端设备中,用于操作的私钥。In a possible implementation manner, the above-mentioned first private key may be a private key used for operation in the second client device.
在一种可能的实现方式中,上述第二私钥可以是第二客户端设备的根证书的私钥。In a possible implementation manner, the above-mentioned second private key may be the private key of the root certificate of the second client device.
在一种可能的实现方式中,第一操作凭证是通过第二客户端设备的第二私钥签发的。In a possible implementation manner, the first operation credential is issued through the second private key of the second client device.
在一种可能的实现方式中,上述统一认证平台用于对各物联网生态环境的客户端设备提供统一的认证,并将认证信息返回给相应的客户端设备,相应的,统一认证平台可以向一个客户端设备提供对另一客户端设备的认证信息的合法性进行查询的服务。In a possible implementation manner, the above-mentioned unified authentication platform is used to provide unified authentication for client devices in various IoT ecological environments, and return the authentication information to the corresponding client devices. Correspondingly, the unified authentication platform can send One client device provides a service of querying the validity of the authentication information of another client device.
步骤604,第一客户端设备对该第一认证信息进行合法性校验。Step 604, the first client device performs validity verification on the first authentication information.
在一种可能的实现方式中,第一客户端设备可以向统一认证平台查询该第一认证信息,以获得该第一认证信息的合法性验证结果。In a possible implementation manner, the first client device may query the unified authentication platform for the first authentication information to obtain the validity verification result of the first authentication information.
或者,第一客户端设备也可以通过其它方式对第一认证信息进行合法性校验,例如,第一客户端设备向统一认证平台查询该第二客户端设备的认证信息,并接收统一认证平台返回的第二客户端设备的认证信息,并将统一认证平台返回的认证信息与上述第一认证信息进行比对,若两者一致,则确认第一认证信息通过合法性校验。Alternatively, the first client device may also verify the validity of the first authentication information in other ways. For example, the first client device queries the unified authentication platform for the authentication information of the second client device, and receives the unified authentication platform. The returned authentication information of the second client device is compared, and the authentication information returned by the unified authentication platform is compared with the above-mentioned first authentication information. If the two are consistent, it is confirmed that the first authentication information has passed the validity check.
步骤605,当该第一认证信息通过合法性校验后,第一客户端设备通过该第二私钥对应的第二公钥,对该第四签名信息进行校验;该第二公钥携带于该第一认证信息中。Step 605: After the first authentication information passes the validity check, the first client device verifies the fourth signature information through the second public key corresponding to the second private key; the second public key carries in the first authentication information.
在本申请实施例中,当该第一认证信息通过合法性校验后,第一客户端设备可以从第一认证信息中获取第二公钥,并通过第二公钥对第四签名信息进行校验。In this embodiment of the present application, after the first authentication information passes the validity check, the first client device can obtain the second public key from the first authentication information, and use the second public key to perform verification on the fourth signature information. check.
步骤606,当该第四签名信息通过校验后,第一客户端设备通过该第一私钥对应的第一公钥,对该第三签名信息进行校验;该第一公钥携带于该第一操作凭证中。Step 606, after the fourth signature information passes the verification, the first client device verifies the third signature information through the first public key corresponding to the first private key; the first public key is carried in the in the first operation certificate.
在本申请实施例中,当该第四签名信息通过合法性校验后,第一客户端设备可以从第一操作凭证中获取第一公钥,并通过第一公钥对第三签名信息进行校验。In this embodiment of the present application, after the fourth signature information passes the validity check, the first client device may obtain the first public key from the first operation certificate, and perform a verification process on the third signature information by using the first public key. check.
步骤607,当第一校验信息通过校验时,第一客户端设备通过配置触发信息触发服务端设备向第二客户端设备开放权限。Step 607 , when the first verification information passes the verification, the first client device triggers the server device to open the authority to the second client device by configuring the trigger information.
步骤608,服务端设备接收第一客户端设备发送的配置触发信息,并根据配置触发信息,向第二客户端设备开放权限。Step 608: The server device receives the configuration trigger information sent by the first client device, and opens the authority to the second client device according to the configuration trigger information.
其中,上述步骤607和步骤608的实现过程可以参考上述图3所示实施例中的步骤307和步骤308的实现过程,此处不再赘述。Wherein, for the implementation process of the above steps 607 and 608, reference may be made to the implementation process of the steps 307 and 308 in the above-mentioned embodiment shown in FIG. 3 , and details are not repeated here.
请参考图7,其示出了本申请实施例涉及的一种服务端设备的权限分享流程示意图。如图7所示,设A生态APP是Bulb的管理员,其添加B生态APP为Bulb的管理员的流程如下:Please refer to FIG. 7 , which shows a schematic flowchart of a permission sharing process of a server device involved in an embodiment of the present application. As shown in Figure 7, suppose A ecological APP is the administrator of Bulb, and the process of adding B ecological APP as the administrator of Bulb is as follows:
S71,Bob触发B生态APP加入到家庭网络。S71, Bob triggers the B ecological APP to join the home network.
S72,B生态APP生成用于配对的二维码,并在网络中宣告自身存在。S72, the B ecological APP generates a QR code for pairing, and announces its existence in the network.
S73,A生态APP通过扫码获得B生态APP的二维码信息,在网络中查找B生态APP,使用二维码中的信息建立安全连接。S73, A ecological APP obtains the two-dimensional code information of B ecological APP by scanning the code, searches for B ecological APP on the network, and uses the information in the two-dimensional code to establish a secure connection.
S74,A生态APP向B生态APP发送校验请求,请求中携带随机值nonce。S74, A ecological APP sends a verification request to B ecological APP, and the request carries a random value nonce.
S75,B生态APP用(操作)私钥签名nonce,OC.B.APP,RC.B,DAC.B.APP,CD.B.APP,得到Signature1。S75, B ecological APP signs nonce with (operation) private key, OC.B.APP, RC.B, DAC.B.APP, CD.B.APP, and obtains Signature1.
S76,B生态APP用(认证)私钥签名nonce,OC.B.APP,RC.B,DAC.B.APP,CD.B.APP和Signature1,得到Signature2。S76, B ecological APP signs nonce, OC.B.APP, RC.B, DAC.B.APP, CD.B.APP and Signature1 with the (authentication) private key to obtain Signature2.
S77,B生态APP将nonce,OC.B.APP,RC.B,DAC.B.APP,CD.B.APP和签名Signature1,Signature2返回A生态APP。S77, B ecological APP will return nonce, OC.B.APP, RC.B, DAC.B.APP, CD.B.APP and signature Signature1, Signature2 to A ecological APP.
S78,A生态APP收到后,检验DAC.B.APP和CD.B.APP的合法性,并使用DAC.B.APP中的认证公钥验证Signature2。S78, after receiving the ecological APP A, verify the legitimacy of DAC.B.APP and CD.B.APP, and use the authentication public key in DAC.B.APP to verify Signature2.
S79,通过后,A生态APP用OC.B.APP中的公钥校验签名Signature1,即用OC.B.APP中的APP公钥验证签名。S79, after passing, the ecological APP A uses the public key in OC.B.APP to verify the signature Signature1, that is, the signature is verified using the APP public key in OC.B.APP.
S710,通过后,A生态APP通知用户Alice,指示B生态APP是合法的。S710, after passing, the ecological APP A notifies the user Alice, indicating that the ecological APP B is legal.
S711,用户Alice触发开启设备Bulb的配置模式。S711, the user Alice triggers to start the configuration mode of the device Bulb.
S712,A生态APP产生配置令牌OT。S712, A ecological APP generates a configuration token OT.
S713,A生态APP向Bulb发送开启配置的指令,指令携带配置令牌OT和B生态APP的公钥PuK.B.APP。S713, A ecological APP sends an instruction to enable configuration to Bulb, and the instruction carries the configuration token OT and the public key of B ecological APP PuK.B.APP.
S714,B生态APP发现Bulb,建立连接,开始安全协商。S714, B ecological APP discovers Bulb, establishes a connection, and starts security negotiation.
S715,Bulb用B生态APP的公钥PuK.B.APP加密OT,发送给B生态APP。S715, Bulb encrypts OT with the public key PuK.B.APP of B ecological APP and sends it to B ecological APP.
S716,B生态APP用私钥解密得到OT,双方用OT建立安全连接。S716, B ecological APP decrypts the OT with the private key, and the two parties use the OT to establish a secure connection.
S717,B生态APP认证Bulb的CD,通过后,产生fabricID。S717, B ecological APP authenticates Bulb's CD. After passing, fabricID is generated.
S718,Bulb向B生态APP发送设备证书请求CSR.bulb。S718, Bulb sends a device certificate request CSR.bulb to B ecological APP.
S719,B生态APP将CSR.bulb和fabricID发送到B生态的CA,以请求设备证书,B生态CA认证后,产生设备证书B.OC.bulb返回B生态APP。S719, the B ecological APP sends the CSR.bulb and fabricID to the B ecological CA to request the device certificate. After the B ecological CA is certified, the device certificate B.OC.bulb is generated and returned to the B ecological APP.
S720,B生态APP将设备证书B.OC.bulb,以及和访问控制权限ACL.Bulb.B.APP1配置到Bulb。S720, B ecological APP configures the device certificate B.OC.bulb, and access control authority ACL.Bulb.B.APP1 to Bulb.
综上所述,在本申请实施例中,第一客户端设备向第二客户端设备分享服务端设备的权限之前,首先通过第一随机值触发第二客户端设备返回校验信息,然后对校验信息进行校验,以验证第二客户端设备的合法性,当验证第二客户端设备合法后,向第二客户端设备分享对服务端设备的权限,从而可以避免将服务端设备的访问控制权限分享给不合法的客户端设备的情况,提高服务端设备的访问控制权限分享的安全性。To sum up, in this embodiment of the present application, before the first client device shares the authority of the server device with the second client device, it first triggers the second client device to return the verification information through the first random value, and then The verification information is verified to verify the legitimacy of the second client device. After verifying that the second client device is legal, the authority to the server device is shared with the second client device, thereby avoiding When the access control authority is shared with illegal client devices, the security of the access control authority sharing of the server device is improved.
通过本申请上述方案可以解决在添加第二生态APP过程中无法确认被添加的控制端APP合法性的问题,通过添加前和配置中对第二生态APP进行认证,实现对添加的控制端APP的身份确认及合法性认证。The above solution of the present application can solve the problem that the legality of the added control terminal APP cannot be confirmed during the process of adding the second ecological APP. Identity confirmation and legality verification.
下述为本申请装置实施例,可以用于执行本申请方法实施例。对于本申请装置实施例中未披露的细节,请参照本申请方法实施例。The following are apparatus embodiments of the present application, which can be used to execute the method embodiments of the present application. For details not disclosed in the device embodiments of the present application, please refer to the method embodiments of the present application.
请参考图8,其示出了本申请一个实施例提供的物联网中的权限配置装置的框图。该装置具有实现上述物联网中的权限配置方法示例的功能,所述功能可以通过硬件实现,也可以通过硬件执行相应的软件实现。该装置可以是上文介绍的第一客户端设备,也可以设置第一客户端设备中。上述第一客户端设备具有服务端设备的管理权限。如图8所示,该装置可以包括:Please refer to FIG. 8 , which shows a block diagram of an apparatus for configuring permissions in the Internet of Things provided by an embodiment of the present application. The device has the function of implementing the above example of the permission configuration method in the Internet of Things, and the function can be implemented by hardware, or by executing corresponding software in hardware. The apparatus may be the first client device described above, or may be set in the first client device. The above-mentioned first client device has the management authority of the server device. As shown in Figure 8, the apparatus may include:
第一校验请求发送模块801,用于向第二客户端设备发送第一校验请求,所述第一校验请求中包含第一随机值;A first verification request sending module 801, configured to send a first verification request to the second client device, where the first verification request includes a first random value;
第一校验信息接收模块802,用于接收所述第二客户端设备发送的第一校验信息;所述第一校验信息是基于所述第一随机值生成的;a first verification information receiving module 802, configured to receive first verification information sent by the second client device; the first verification information is generated based on the first random value;
第一校验模块803,用于对所述第一校验信息进行校验;a first verification module 803, configured to verify the first verification information;
配置触发模块804,用于当所述第一校验信息通过校验时,通过配置触发信息触发所述服务端设备向所述第二客户端设备开放权限。A configuration triggering module 804 is configured to trigger the server device to open permissions to the second client device through the configuration trigger information when the first verification information passes the verification.
在一种可能的实现方式中,所述第一校验信息包括第一签名信息、所述第二客户端设备的第一根证书和第一操作凭证中的至少一种;所述第一签名信息是通过所述第二客户端设备的第一私钥对目标数据进行签名得到的;所述目标数据包括所述第一随机值;所述第一操作凭证是通过所述第一根证书签发的。In a possible implementation manner, the first verification information includes at least one of first signature information, a first root certificate of the second client device, and a first operation certificate; the first signature The information is obtained by signing the target data with the first private key of the second client device; the target data includes the first random value; the first operation credential is issued by the first root certificate of.
在一种可能的实现方式中,所述目标数据还包括所述第一根证书和所述第一操作凭证中的至少一种。In a possible implementation manner, the target data further includes at least one of the first root certificate and the first operation certificate.
在一种可能的实现方式中,所述第一校验模块803,用于,当所述第一校验信息包括所述第一签名信息、所述第一根证书和所述第一操作凭证时,In a possible implementation manner, the first verification module 803 is configured to, when the first verification information includes the first signature information, the first root certificate and the first operation certificate hour,
对所述第一根证书进行合法性查询,获得所述第一根证书的合法性认证结果;Performing a legality query on the first root certificate to obtain a legality authentication result of the first root certificate;
当所述合法性认证结果指示所述第一根证书合法时,根据所述第一根证书对所述第一操作凭证进行校验;When the validity authentication result indicates that the first root certificate is valid, verifying the first operation certificate according to the first root certificate;
当所述第一操作凭证通过校验时,根据所述第一操作凭证对所述第一签名信息进行校验。When the first operation certificate passes the verification, the first signature information is verified according to the first operation certificate.
在一种可能的实现方式中,所述第一校验模块803,用于根据所述第一根证书中携带的,所述第二客户端设备的第二公钥,对所述第一操作凭证进行校验。In a possible implementation manner, the first verification module 803 is configured to perform the first operation on the first operation according to the second public key of the second client device carried in the first root certificate. Credentials are verified.
在一种可能的实现方式中,所述第一校验模块803,用于根据所述第一操作凭证中携带的,所述第二客户端设备的第一公钥,对所述第一签名信息进行校验。In a possible implementation manner, the first verification module 803 is configured to sign the first signature according to the first public key of the second client device carried in the first operation credential information for verification.
在一种可能的实现方式中,所述第一校验模块803,用于,In a possible implementation manner, the first verification module 803 is configured to:
向区块链查询所述第一根证书,获得所述第一根证书的合法性认证结果;Query the first root certificate from the blockchain, and obtain the legality authentication result of the first root certificate;
或者,向预设地址对应的服务器查询所述第一根证书,获得所述第一根证书的合法性认证结果;Or, query the server corresponding to the preset address for the first root certificate, and obtain the validity authentication result of the first root certificate;
或者,在所述第一客户端中查询所述第一根证书,获得所述第一根证书的合法性认证结果。Or, query the first root certificate in the first client to obtain the validity authentication result of the first root certificate.
在一种可能的实现方式中,所述第一校验信息中还包含查询地址;In a possible implementation manner, the first verification information further includes a query address;
所述第一校验模块803,用于向所述查询地址对应的服务器查询所述第一根证书,获得所述第一根证书的合法性认证结果。The first verification module 803 is configured to query the server corresponding to the query address for the first root certificate, and obtain the validity verification result of the first root certificate.
在一种可能的实现方式中,所述第一校验信息包括所述第二客户端设备的第一根证书、第一操作凭证、第一认证信息、第二签名信息和第三签名信息;所述第一操作凭证是通过所述第一根证书签发的;所述第一认证信息是由统一认证平台对所述第二客户端设备进行认证后颁发的,所述统一认证平台用于对所述第一客户端设备和所述第二客户端设备进行认证;所述第二签名信息是通过所述第二客户端的第一私钥对所述第一根证书、所述第一操作凭证、所述统一认证信息进行签名得到的;所述第三签名是通过所述第二客户端的第二私钥对所述第一根证书、所述第一操作凭证、所述统一认证信息、所述第二签名信息进行签名得到的。In a possible implementation manner, the first verification information includes a first root certificate, a first operation credential, first authentication information, second signature information, and third signature information of the second client device; The first operation certificate is issued through the first root certificate; the first authentication information is issued after the second client device is authenticated by the unified authentication platform, and the unified authentication platform is used to authenticate the second client device. The first client device and the second client device are authenticated; the second signature information is a pair of the first root certificate and the first operation credential through the first private key of the second client , the unified authentication information is signed; the third signature is obtained by using the second private key of the second client to sign the first root certificate, the first operation certificate, the unified authentication information, the obtained by signing the second signature information.
在一种可能的实现方式中,所述第一校验模块803,用于,In a possible implementation manner, the first verification module 803 is configured to:
对所述第一认证信息进行合法性校验;Verifying the validity of the first authentication information;
当所述第一认证信息通过合法性校验后,通过所述第二私钥对应的第二公钥,对所述第三签名信息进行校验;所述第二公钥携带于所述第一认证信息中;After the first authentication information passes the validity verification, the third signature information is verified by using the second public key corresponding to the second private key; the second public key is carried in the second public key. 1. In the authentication information;
当所述第三签名信息通过校验后,通过所述第一私钥对应的第一公钥,对所述第二签名信息进行校验;所述第一公钥携带于所述第一操作凭证中。After the third signature information is verified, the second signature information is verified by using the first public key corresponding to the first private key; the first public key is carried in the first operation in the certificate.
在一种可能的实现方式中,所述配置触发模块804,用于,In a possible implementation manner, the configuration triggering module 804 is configured to:
向所述第二客户端设备发送第一配置触发信息;所述第一配置触发信息中包含所述配置令牌;sending first configuration trigger information to the second client device; the first configuration trigger information includes the configuration token;
向所述服务端设备发送第二配置触发信息;所述第二配置触发信息中包含所述配置令牌和所述第一操作凭证。Send second configuration trigger information to the server device; the second configuration trigger information includes the configuration token and the first operation credential.
在一种可能的实现方式中,所述配置触发模块804,用于向所述服务端设备发送第三配置触发信息;所述第三配置触发信息中包含所述配置令牌和所述第二客户端设备的第一公钥。In a possible implementation manner, the configuration triggering module 804 is configured to send third configuration trigger information to the server device; the third configuration trigger information includes the configuration token and the second configuration trigger The first public key of the client device.
在一种可能的实现方式中,所述第一客户端设备和所述第二客户端设备分别属于不同的物联网生态系统。In a possible implementation manner, the first client device and the second client device respectively belong to different IoT ecosystems.
在一种可能的实现方式中,所述装置还包括:In a possible implementation, the apparatus further includes:
扫描模块,用于扫描所述第二客户端设备展示的二维码,获得所述第二客户端设备的连接建立信息;a scanning module, configured to scan the two-dimensional code displayed by the second client device to obtain connection establishment information of the second client device;
第一连接建立模块,用于根据所述连接建立信息,建立与所述第二客户端设备之间的第一安全连接。A first connection establishment module, configured to establish a first secure connection with the second client device according to the connection establishment information.
综上所述,在本申请实施例中,第一客户端设备向第二客户端设备分享服务端设备的权限之前,首先通过第一随机值触发第二客户端设备返回校验信息,然后对校验信息进行校验,以验证第二客户端设备的合法性,当验证第二客户端设备合法后,向第二客户端设备分享对服务端设备的权限,从而可以避免将服务端设备的访问控制权限分享给不合法的客户端设备的情况,提高服务端设备的访问控制权限分享的安全性。To sum up, in this embodiment of the present application, before the first client device shares the authority of the server device with the second client device, it first triggers the second client device to return the verification information through the first random value, and then The verification information is verified to verify the legitimacy of the second client device. After verifying that the second client device is legal, the authority to the server device is shared with the second client device, thereby avoiding When the access control authority is shared with illegal client devices, the security of the access control authority sharing of the server device is improved.
请参考图9,其示出了本申请一个实施例提供的物联网中的权限配置装置的框图。该装置具有实现上述物联网中的权限配置方法示例的功能,所述功能可以通过硬件实现,也可以通过硬件执行相应的软件实现。该装置可以是上文介绍的第二客户端设备,也可以设置第二客户端设备中。如图9所示,该装置可以包括:Please refer to FIG. 9 , which shows a block diagram of an apparatus for configuring permissions in the Internet of Things provided by an embodiment of the present application. The device has the function of implementing the above example of the permission configuration method in the Internet of Things, and the function can be implemented by hardware, or by executing corresponding software in hardware. The apparatus may be the second client device described above, or may be set in the second client device. As shown in Figure 9, the apparatus may include:
第一随机值接收模块901,用于接收第一客户端设备发送的第一校验请求,所述第一校验请求中包含第一随机值;所述第一客户端设备具有服务端设备的管理权限;The first random value receiving module 901 is configured to receive a first verification request sent by a first client device, where the first verification request includes a first random value; the first client device has the administrative rights;
第一校验信息发送模块902,用于向所述第一客户端设备发送第一校验信息,以便所述第一客户端设备对所述第一校验信息校验通过后,通过配置触发信息触发所述服务端设备向所述第二客户端设备开放权限;所述第一校验信息是基于所述第一随机值生成的。The first verification information sending module 902 is configured to send the first verification information to the first client device, so that after the first client device passes the verification of the first verification information, the configuration triggers The information triggers the server device to open permissions to the second client device; the first verification information is generated based on the first random value.
在一种可能的实现方式中,所述第一校验信息包括第一签名信息、所述第二客户端设备的第一根证书和第一操作凭证中的至少一种;所述第一签名信息是通过所述第二客户端设备的第一私钥对目标数据进行签名得到的;所述目标数据包括所述第一随机值;所述第一操作凭证是通过所述第一根证书签发的。In a possible implementation manner, the first verification information includes at least one of first signature information, a first root certificate of the second client device, and a first operation certificate; the first signature The information is obtained by signing the target data with the first private key of the second client device; the target data includes the first random value; the first operation credential is issued by the first root certificate of.
在一种可能的实现方式中,所述目标数据还包括所述第一根证书和所述第一操作凭证中的至少一种。In a possible implementation manner, the target data further includes at least one of the first root certificate and the first operation certificate.
在一种可能的实现方式中,所述第一校验信息包括所述第二客户端设备的第一根证书、第一操作凭证、第一认证信息、第二签名信息和第三签名信息;所述第一操作凭证是通过所述第一根证书签发的;所述第一认证信息是由统一认证平台对所述第二客户端设备进行认证后颁发的,所述统一认证平台用于对所述第一客户端设备和所述第二客户端设备进行认证;所述第二签名信息是通过所述第二客户端的第一私钥对所述第一根证书、所述第一操作凭证、所述统一认证信息进行签名得到的;所述第三签名是通过所述第二客户端的第二私钥对所述第一根证书、所述第一操作凭证、所述统一认证信息、所述第二签名信息进行签名得到的。In a possible implementation manner, the first verification information includes a first root certificate, a first operation credential, first authentication information, second signature information, and third signature information of the second client device; The first operation certificate is issued through the first root certificate; the first authentication information is issued after the second client device is authenticated by the unified authentication platform, and the unified authentication platform is used to authenticate the second client device. The first client device and the second client device are authenticated; the second signature information is a pair of the first root certificate and the first operation credential through the first private key of the second client , the unified authentication information is signed; the third signature is obtained by using the second private key of the second client to sign the first root certificate, the first operation certificate, the unified authentication information, the obtained by signing the second signature information.
在一种可能的实现方式中,所述装置还包括:In a possible implementation, the apparatus further includes:
第一配置触发信息接收模块,用于接收所述第一客户端设备发送的第一配置触发信息,所述第一配置触发信息中包含配置令牌;a first configuration trigger information receiving module, configured to receive first configuration trigger information sent by the first client device, where the first configuration trigger information includes a configuration token;
第二连接建立模块,用于根据所述配置令牌,建立与所述服务端设备之间的第二安全连接;A second connection establishment module, configured to establish a second secure connection with the server device according to the configuration token;
第二校验请求接收模块,用于接收所述服务端设备发送的包含第二随机值的第二校验请求;A second verification request receiving module, configured to receive a second verification request including a second random value sent by the server device;
第二校验信息发送模块,用于向所述服务端设备发送第二校验信息,所述第二校验信息中包含所述第一操作凭证以及第四签名信息,所述第四签名信息是通过所述第一私钥对所述第二随机值进行签名得到的;A second verification information sending module, configured to send second verification information to the server device, where the second verification information includes the first operation certificate and fourth signature information, the fourth signature information is obtained by signing the second random value with the first private key;
证书请求接收模块,用于接收所述服务端设备发送的设备证书请求,所述设备证书请求是所述服务端设备对所述第二校验信息验证通过后发送的;a certificate request receiving module, configured to receive a device certificate request sent by the server device, where the device certificate request is sent after the server device passes the verification of the second verification information;
权限配置模块,用于根据所述设备证书请求,在所述服务端设备中进行权限配置。A rights configuration module, configured to perform rights configuration in the server device according to the device certificate request.
在一种可能的实现方式中,所述装置还包括:In a possible implementation, the apparatus further includes:
加密令牌接收模块,用于接收所述服务端设备发送的加密后的配置令牌;an encrypted token receiving module, configured to receive the encrypted configuration token sent by the server device;
解密模块,用于根据所述第二客户端设备的第一公钥,对所述加密后的所述配置令牌进行解密,获得所述配置令牌;a decryption module, configured to decrypt the encrypted configuration token according to the first public key of the second client device to obtain the configuration token;
第三连接建立模块,用于根据所述配置令牌,建立与所述服务端设备之间的第三安全连接;A third connection establishment module, configured to establish a third secure connection with the server device according to the configuration token;
证书请求接收模块,用于接收所述服务端设备发送的设备证书请求;a certificate request receiving module, configured to receive a device certificate request sent by the server device;
权限配置模块,用于根据所述设备证书请求,在所述服务端设备中进行权限配置。A rights configuration module, configured to perform rights configuration in the server device according to the device certificate request.
在一种可能的实现方式中,所述权限配置模块,用于,In a possible implementation manner, the permission configuration module is used to:
将所述设备证书请求,以及所述服务端设备对应网络的网络标识发送给认证中心设备;sending the device certificate request and the network identifier of the network corresponding to the server device to the authentication center device;
接收所述认证中心设备返回的设备证书;receiving the device certificate returned by the certification center device;
将所述设备证书、所述第一根证书以及访问控制权限信息配置到所述服务端设备;Configuring the device certificate, the first root certificate and access control authority information to the server device;
其中,所述访问控制权限信息配置在所述服务端设备的访问控制列表ACL中,且所述访问控制权限信息包括访问控制条目、所述访问控制条目对应的可访问数据、有权访问所述可访问数据的实体、以及授权的访问方式。The access control authority information is configured in the access control list ACL of the server device, and the access control authority information includes an access control entry, the accessible data corresponding to the access control entry, the right to access the The entities that can access the data, and how access is authorized.
在一种可能的实现方式中,所述第一客户端设备和所述第二客户端设备分别属于不同的物联网生态系统。In a possible implementation manner, the first client device and the second client device respectively belong to different IoT ecosystems.
在一种可能的实现方式中,所述装置还包括:In a possible implementation, the apparatus further includes:
二维码展示模块,用于展示二维码,所述二维码中携带有所述第二客户端设备的连接建立信息;A two-dimensional code display module, used for displaying a two-dimensional code, the two-dimensional code carries the connection establishment information of the second client device;
第一连接建立模块,用于根据所述连接建立信息,建立与所述第一客户端设备之间的第一安全连接。A first connection establishment module, configured to establish a first secure connection with the first client device according to the connection establishment information.
综上所述,在本申请实施例中,第一客户端设备向第二客户端设备分享服务端设备的权限之前,首先通过第一随机值触发第二客户端设备返回校验信息,然后对校验信息进行校验,以验证第二客户端设备的合法性,当验证第二客户端设备合法后,向第二客户端设备分享对服务端设备的权限,从而可以避免将服务端设备的访问控制权限分享给不合法的客户端设备的情况,提高服务端设备的访问控制权限分享的安全性。To sum up, in this embodiment of the present application, before the first client device shares the authority of the server device with the second client device, it first triggers the second client device to return the verification information through the first random value, and then The verification information is verified to verify the legitimacy of the second client device. After verifying that the second client device is legal, the authority to the server device is shared with the second client device, thereby avoiding When the access control authority is shared with illegal client devices, the security of the access control authority sharing of the server device is improved.
请参考图10,其示出了本申请一个实施例提供的物联网中的权限配置装置的框图。该装置具有实现上述物联网中的权限配置方法示例的功能,所述功能可以通过硬件实现,也可以通过硬件执行相应的软件实现。该装置可以是上文介绍的服务端设备,也可以设置服务端设备中。如图10所示,该装置可以包括:Please refer to FIG. 10 , which shows a block diagram of an apparatus for configuring permissions in the Internet of Things provided by an embodiment of the present application. The device has the function of implementing the above example of the permission configuration method in the Internet of Things, and the function can be implemented by hardware, or by executing corresponding software in hardware. The device can be the server device described above, or can be set in the server device. As shown in Figure 10, the apparatus may include:
配置触发信息接收模块1001,用于接收第一客户端设备发送的配置触发信息;所述配置触发信息是所述第一客户端设备向第二客户端设备发送包含第一随机值的第一校验请求,接收所述第二客户端设备发送的第一校验信息,并对所述第一校验信息校验通过后发送的;所述第一校验信息是基于所述第一随机值生成的;A configuration trigger information receiving module 1001 is configured to receive configuration trigger information sent by a first client device; the configuration trigger information is that the first client device sends a first verification message containing a first random value to a second client device. A verification request, receiving the first verification information sent by the second client device, and sending the verification after passing the verification of the first verification information; the first verification information is based on the first random value Generated;
权限开放模块1002,用于根据所述配置触发信息,向所述第二客户端设备开放权限。The authority opening module 1002 is configured to open authority to the second client device according to the configuration trigger information.
在一种可能的实现方式中,所述配置触发信息是包含配置令牌和所述第一操作凭证的第二配置触发信息;In a possible implementation manner, the configuration trigger information is second configuration trigger information including a configuration token and the first operation credential;
所述权限开放模块1002,用于,The permission opening module 1002 is used to:
根据所述配置令牌,建立与所述第二客户端设备之间的第二安全连接;establishing a second secure connection with the second client device based on the configuration token;
向所述服务端设备发送包含第二随机值的第二校验请求;sending a second verification request including a second random value to the server device;
接收所述第二客户端设备发送的第二校验信息,所述第二校验信息中包含所述第一操作凭证以及第四签名信息,所述第四签名信息是通过所述第一私钥对所述第二随机值进行签名得到的;Receive second verification information sent by the second client device, where the second verification information includes the first operation credential and fourth signature information, and the fourth signature information is obtained through the first private key. obtained by signing the second random value with the key;
根据所述第二配置触发信息中包含的所述第一操作凭证,对所述第二校验信息进行校验;verifying the second verification information according to the first operation credential included in the second configuration trigger information;
当所述第二校验信息通过校验后,向所述第二客户端设备发送设备证书请求,以便所述第二客户端设备根据所述设备证书请求,在所述服务端设备中进行权限配置。After the second verification information passes the verification, a device certificate request is sent to the second client device, so that the second client device can perform authorization in the server device according to the device certificate request. configuration.
在一种可能的实现方式中,所述权限开放模块1002,用于,In a possible implementation manner, the permission opening module 1002 is configured to:
对所述第二配置触发信息中包含的所述第一操作凭证,与所述第二校验信息包含的所述第一操作凭证进行比对;Comparing the first operation credential included in the second configuration trigger information with the first operation credential included in the second verification information;
当所述第二配置触发信息中包含的所述第一操作凭证,与所述第二校验信息包含的所述第一操作凭证一致时,根据所述第一操作凭证,对所述第二签名信息进行校验。When the first operation credential included in the second configuration trigger information is consistent with the first operation credential included in the second verification information, according to the first operation credential, The signature information is verified.
在一种可能的实现方式中,所述权限开放模块1002,用于根据所述第一操作凭证中携带的,所述第二客户端设备的第一公钥,对所述第二签名信息进行校验。In a possible implementation manner, the permission opening module 1002 is configured to, according to the first public key of the second client device carried in the first operation credential, perform an operation on the second signature information. check.
在一种可能的实现方式中,所述配置触发信息是包含配置令牌和所述第二客户端设备的第一公钥的第三配置触发信息;In a possible implementation manner, the configuration trigger information is third configuration trigger information including a configuration token and a first public key of the second client device;
所述权限开放模块1002,用于,The permission opening module 1002 is used to:
根据所述第一公钥对所述配置令牌进行加密,获得加密后所述配置令牌;Encrypt the configuration token according to the first public key, and obtain the encrypted configuration token;
向所述第二客户端设备发送加密后的所述配置令牌;sending the encrypted configuration token to the second client device;
根据所述配置令牌,建立与所述服务端设备之间的第三安全连接;establishing a third secure connection with the server device according to the configuration token;
向所述第二客户端设备发送设备证书请求,以便所述第二客户端设备根据所述设备证书请求,在所述服务端设备中进行权限配置。A device certificate request is sent to the second client device, so that the second client device performs rights configuration in the server device according to the device certificate request.
在一种可能的实现方式中,所述装置还包括:In a possible implementation, the apparatus further includes:
证书及信息接收模块,用于接收所述第二客户端设备配置的设备证书、所述第二客户端设备的第一根证书以及访问控制权限信息;a certificate and information receiving module, configured to receive a device certificate configured by the second client device, a first root certificate of the second client device, and access control authority information;
其中,所述访问控制权限信息配置在所述服务端设备的访问控制列表ACL中,且所述访问控制权限信息包括访问控制条目、所述访问控制条目对应的可访问数据、有权访问所述可访问数据的实体、以及授权的访问方式。The access control authority information is configured in the access control list ACL of the server device, and the access control authority information includes an access control entry, the accessible data corresponding to the access control entry, the right to access the The entities that can access the data, and how access is authorized.
综上所述,在本申请实施例中,第一客户端设备向第二客户端设备分享服务端设备的权限之前,首先通过第一随机值触发第二客户端设备返回校验信息,然后对校验信息进行校验,以验证第二客户端设备的合法性,当验证第二客户端设备合法后,向第二客户端设备分享对服务端设备的权限,从而可以避免将服务端设备的访问控制权限分享给不合法的客户端设备的情况,提高服务端设备的访问控制权限分享的安全性。To sum up, in this embodiment of the present application, before the first client device shares the authority of the server device with the second client device, it first triggers the second client device to return the verification information through the first random value, and then The verification information is verified to verify the legitimacy of the second client device. After verifying that the second client device is legal, the authority to the server device is shared with the second client device, thereby avoiding When the access control authority is shared with illegal client devices, the security of the access control authority sharing of the server device is improved.
需要说明的一点是,上述实施例提供的装置在实现其功能时,仅以上述各个功能模块的划分进行举例说明,实际应用中,可以根据实际需要而将上述功能分配由不同的功能模块完成,即将设备的内容结构划分成不同的功能模块,以完成以上描述的全部或者部分功能。It should be noted that, when the device provided in the above embodiment realizes its functions, only the division of the above functional modules is used as an example for illustration. In practical applications, the above functions can be allocated to different functional modules according to actual needs. That is, the content structure of the device is divided into different functional modules to complete all or part of the functions described above.
关于上述实施例中的装置,其中各个模块执行操作的具体方式已经在有关该方法的实施例中进行了详细描述,此处将不做详细阐述说明。Regarding the apparatus in the above-mentioned embodiment, the specific manner in which each module performs operations has been described in detail in the embodiment of the method, and will not be described in detail here.
请参考图11,其示出了本申请一个实施例提供的物联网设备1100的结构示意图。该物联网设备1100可以包括:处理器1101、接收器1102、发射器1103、存储器1104和总线1105。Please refer to FIG. 11 , which shows a schematic structural diagram of an IoT device 1100 provided by an embodiment of the present application. The IoT device 1100 may include: a processor 1101 , a receiver 1102 , a transmitter 1103 , a memory 1104 and a bus 1105 .
处理器1101包括一个或者一个以上处理核心,处理器1101通过运行软件程序以及模块,从而执行各种功能应用以及信息处理。The processor 1101 includes one or more processing cores, and the processor 1101 executes various functional applications and information processing by running software programs and modules.
接收器1102和发射器1103可以实现为一个通信组件,该通信组件可以是一块通信芯片。该通信芯片也可以称为收发器。The receiver 1102 and the transmitter 1103 may be implemented as a communication component, which may be a communication chip. The communication chip may also be referred to as a transceiver.
存储器1104通过总线1105与处理器1101相连。The memory 1104 is connected to the processor 1101 through the bus 1105 .
存储器1104可用于存储计算机程序,处理器1101用于执行该计算机程序,以实现上述方法实施例中的终端执行的各个步骤。The memory 1104 can be used to store a computer program, and the processor 1101 is used to execute the computer program, so as to implement various steps performed by the terminal in the above method embodiments.
此外,存储器1104可以由任何类型的易失性或非易失性存储设备或者它们的组合实现,易失性或非易失性存储设备包括但不限于:磁盘或光盘,电可擦除可编程只读存储器,可擦除可编程只读存储器,静态随时存取存储器,只读存储器,磁存储器,快闪存储器,可编程只读存储器。Additionally, memory 1104 may be implemented by any type or combination of volatile or non-volatile storage devices including, but not limited to, magnetic or optical disks, electrically erasable and programmable Read Only Memory, Erasable Programmable Read Only Memory, Static Anytime Access Memory, Read Only Memory, Magnetic Memory, Flash Memory, Programmable Read Only Memory.
在示例性实施例中,所述物联网设备包括处理器、存储器和收发器(该收发器可以包括接收器和发射器,接收器用于接收信息,发射器用于发送信息);In an exemplary embodiment, the IoT device includes a processor, a memory, and a transceiver (the transceiver may include a receiver and a transmitter, the receiver for receiving information and the transmitter for transmitting information);
当所述物联网设备实现为第一客户端设备时,When the IoT device is implemented as the first client device,
所述收发器,用于向第二客户端设备发送第一校验请求,所述第一校验请求中包含第一随机值;the transceiver, configured to send a first verification request to the second client device, where the first verification request includes a first random value;
所述收发器,用于接收所述第二客户端设备发送的第一校验信息;所述第一校验信息是基于所述第一随机值生成的;the transceiver, configured to receive first verification information sent by the second client device; the first verification information is generated based on the first random value;
所述处理器,用于对所述第一校验信息进行校验;the processor, configured to verify the first verification information;
所述收发器,用于当所述第一校验信息通过校验时,通过配置触发信息触发所述服务端设备向所述第 二客户端设备开放权限。The transceiver is configured to trigger the server device to open permissions to the second client device by configuring trigger information when the first verification information passes the verification.
本申请实施例涉及的物联网设备实现为第一客户端设备时,可以执行上述图2、图3或图6所示的物联网中的权限配置方法中,由第一客户端设备执行的全部或者部分步骤,此处不再赘述。When the IoT device involved in the embodiment of the present application is implemented as the first client device, all the permissions executed by the first client device in the above-mentioned rights configuration method in the IoT shown in FIG. 2 , FIG. 3 or FIG. 6 may be executed. Or some steps will not be repeated here.
当所述物联网设备实现为第二客户端设备时,When the IoT device is implemented as a second client device,
所述收发器,用于接收第一客户端设备发送的包含第一随机值的第一校验请求;所述第一客户端设备具有服务端设备的管理权限;The transceiver is configured to receive a first verification request including a first random value sent by a first client device; the first client device has the management authority of the server device;
所述收发器,用于向所述第一客户端设备发送第一校验信息,以便所述第一客户端设备对所述第一校验信息校验通过后,通过配置触发信息触发所述服务端设备向所述第二客户端设备开放权限;所述第一校验信息是基于所述第一随机值生成的。The transceiver is configured to send the first verification information to the first client device, so that after the first client device passes the verification of the first verification information, the configuration trigger information is used to trigger the The server device opens permissions to the second client device; the first verification information is generated based on the first random value.
本申请实施例涉及的物联网设备实现为第二客户端设备时,可以执行上述图2、图3或图6所示的物联网中的权限配置方法中,由第二客户端设备执行的全部或者部分步骤,此处不再赘述。When the IoT device involved in this embodiment of the present application is implemented as a second client device, it can execute all the functions performed by the second client device in the permission configuration method in the IoT shown in FIG. 2 , FIG. 3 , or FIG. 6 above. Or some steps will not be repeated here.
当所述物联网设备实现为服务端设备时,When the IoT device is implemented as a server device,
所述收发器,用于接收第一客户端设备发送的配置触发信息;所述配置触发信息是所述第一客户端设备向第二客户端设备发送包含第一随机值的第一校验请求,接收所述第二客户端设备发送的第一校验信息,并对所述第一校验信息校验通过后发送的;所述第一校验信息是基于所述第一随机值生成的;The transceiver is configured to receive configuration trigger information sent by a first client device; the configuration trigger information is that the first client device sends a first verification request including a first random value to a second client device , receive the first verification information sent by the second client device, and send the verification information after passing the verification of the first verification information; the first verification information is generated based on the first random value ;
所述处理器,用于根据所述配置触发信息,向所述第二客户端设备开放权限。The processor is configured to open a permission to the second client device according to the configuration trigger information.
本申请实施例涉及的物联网设备实现为服务端设备时,可以执行上述图2、图3或图6所示的物联网中的权限配置方法中,由服务端设备执行的全部或者部分步骤,此处不再赘述。When the IoT device involved in the embodiment of the present application is implemented as a server device, all or part of the steps performed by the server device in the permission configuration method in the IoT shown in FIG. 2 , FIG. 3 or FIG. 6 may be performed, It will not be repeated here.
本申请实施例还提供了一种计算机可读存储介质,所述存储介质中存储有计算机程序,所述计算机程序由处理器加载并执行以实现上述图2、图3或者图6所示的物联网中的权限配置方法中,由第一客户端设备、第二客户端设备或者服务端设备执行的内部后者部分步骤。Embodiments of the present application further provide a computer-readable storage medium, where a computer program is stored in the storage medium, and the computer program is loaded and executed by a processor to implement the above-mentioned thing shown in FIG. 2 , FIG. 3 or FIG. 6 . In the method for configuring rights in networking, the internal latter part of the steps are performed by the first client device, the second client device or the server device.
本申请还提供了一种芯片,该芯片用于在物联网设备中运行,以使得物联网设备执行上述物联网中的权限配置方法中,由第一客户端设备、第二客户端设备或者服务端设备执行的内部后者部分步骤。The present application also provides a chip, which is used to run in an Internet of Things device, so that the Internet of Things device executes the permission configuration method in the Internet of Things. The first client device, the second client device or the service The internal latter part of the steps performed by the end device.
本申请还提供了一种计算机程序产品,该计算机程序产品或计算机程序包括计算机指令,该计算机指令存储在计算机可读存储介质中。物联网设备的处理器从计算机可读存储介质读取该计算机指令,处理器执行该计算机指令,使得物联网设备执行上述物联网中的权限配置方法中,由第一客户端设备、第二客户端设备或者服务端设备执行的内部后者部分步骤。The application also provides a computer program product, the computer program product or computer program comprising computer instructions stored in a computer-readable storage medium. The processor of the Internet of Things device reads the computer instruction from the computer-readable storage medium, and the processor executes the computer instruction, so that the Internet of Things device executes the permission configuration method in the Internet of Things. The internal latter part of the steps performed by the client device or the server device.
本申请还提供了一种计算机程序,该计算机程序由物联网设备的处理器执行,以实现上述物联网中的权限配置方法中,由第一客户端设备、第二客户端设备或者服务端设备执行的内部后者部分步骤。The present application also provides a computer program, the computer program is executed by the processor of the Internet of Things device, so as to realize that in the above-mentioned rights configuration method in the Internet of Things, the first client device, the second client device or the server device The internal latter part of the steps are performed.
本领域技术人员应该可以意识到,在上述一个或多个示例中,本申请实施例所描述的功能可以用硬件、软件、固件或它们的任意组合来实现。当使用软件实现时,可以将这些功能存储在计算机可读介质中或者作为计算机可读介质上的一个或多个指令或代码进行传输。计算机可读介质包括计算机存储介质和通信介质,其中通信介质包括便于从一个地方向另一个地方传送计算机程序的任何介质。存储介质可以是通用或专用计算机能够存取的任何可用介质。Those skilled in the art should realize that, in one or more of the above examples, the functions described in the embodiments of the present application may be implemented by hardware, software, firmware, or any combination thereof. When implemented in software, the functions may be stored on or transmitted over as one or more instructions or code on a computer-readable medium. Computer-readable media includes both computer storage media and communication media including any medium that facilitates transfer of a computer program from one place to another. A storage medium can be any available medium that can be accessed by a general purpose or special purpose computer.
以上所述仅为本申请的示例性实施例,并不用以限制本申请,凡在本申请的精神和原则之内,所作的任何修改、等同替换、改进等,均应包含在本申请的保护范围之内。The above are only exemplary embodiments of the present application and are not intended to limit the present application. Any modifications, equivalent replacements, improvements, etc. made within the spirit and principles of the present application shall be included in the protection of the present application. within the range.
Claims (39)
- 一种物联网中的权限配置方法,其特征在于,所述方法由第一客户端设备执行,所述第一客户端设备具有服务端设备的管理权限;所述方法包括:A permission configuration method in the Internet of Things, characterized in that the method is executed by a first client device, and the first client device has the management permission of a server device; the method comprises:向第二客户端设备发送第一校验请求,所述第一校验请求中包含第一随机值;sending a first verification request to the second client device, where the first verification request includes a first random value;接收所述第二客户端设备发送的第一校验信息;所述第一校验信息是基于所述第一随机值生成的;receiving first verification information sent by the second client device; the first verification information is generated based on the first random value;对所述第一校验信息进行校验;verifying the first verification information;当所述第一校验信息通过校验时,通过配置触发信息触发所述服务端设备向所述第二客户端设备开放权限。When the first verification information passes the verification, triggering the server device to open permissions to the second client device by configuring trigger information.
- 根据权利要求1所述的方法,其特征在于,The method of claim 1, wherein:所述第一校验信息包括第一签名信息、所述第二客户端设备的第一根证书和第一操作凭证中的至少一种;所述第一签名信息是通过所述第二客户端设备的第一私钥对目标数据进行签名得到的;所述目标数据包括所述第一随机值;所述第一操作凭证是通过所述第一根证书签发的。The first verification information includes at least one of first signature information, a first root certificate of the second client device, and a first operation credential; the first signature information is obtained by the second client The target data is obtained by signing the target data with the first private key of the device; the target data includes the first random value; and the first operation credential is issued by the first root certificate.
- 根据权利要求2所述的方法,其特征在于,The method of claim 2, wherein:所述目标数据还包括所述第一根证书和所述第一操作凭证中的至少一种。The target data further includes at least one of the first root certificate and the first operation certificate.
- 根据权利要求2所述的方法,其特征在于,当所述第一校验信息包括所述第一签名信息、所述第一根证书和所述第一操作凭证时,所述对所述第一校验信息进行校验,包括:The method according to claim 2, wherein when the first verification information includes the first signature information, the first root certificate and the first operation credential, the 1. The verification information is verified, including:对所述第一根证书进行合法性查询,获得所述第一根证书的合法性认证结果;Performing a legality query on the first root certificate to obtain a legality authentication result of the first root certificate;当所述合法性认证结果指示所述第一根证书合法时,根据所述第一根证书对所述第一操作凭证进行校验;When the validity authentication result indicates that the first root certificate is valid, verifying the first operation certificate according to the first root certificate;当所述第一操作凭证通过校验时,根据所述第一操作凭证对所述第一签名信息进行校验。When the first operation certificate passes the verification, the first signature information is verified according to the first operation certificate.
- 根据权利要求4所述的方法,其特征在于,所述根据所述第一根证书对所述第一操作凭证进行校验,包括:The method according to claim 4, wherein the verifying the first operation credential according to the first root certificate comprises:根据所述第一根证书中携带的,所述第二客户端设备的第二公钥,对所述第一操作凭证进行校验。The first operation credential is verified according to the second public key of the second client device carried in the first root certificate.
- 根据权利要求4所述的方法,其特征在于,所述根据所述第一操作凭证对所述第一签名信息进行校验,包括:The method according to claim 4, wherein the verifying the first signature information according to the first operation credential comprises:根据所述第一操作凭证中携带的,所述第二客户端设备的第一公钥,对所述第一签名信息进行校验。The first signature information is verified according to the first public key of the second client device carried in the first operation certificate.
- 根据权利要求4所述的方法,其特征在于,所述对所述第一根证书进行合法性查询,获得所述第一根证书的合法性认证结果,包括:The method according to claim 4, wherein the performing a legality query on the first root certificate to obtain a legality authentication result of the first root certificate, comprising:向区块链查询所述第一根证书,获得所述第一根证书的合法性认证结果;Query the first root certificate from the blockchain, and obtain the legality authentication result of the first root certificate;或者,向预设地址对应的服务器查询所述第一根证书,获得所述第一根证书的合法性认证结果;Or, query the server corresponding to the preset address for the first root certificate, and obtain the validity authentication result of the first root certificate;或者,在所述第一客户端中查询所述第一根证书,获得所述第一根证书的合法性认证结果。Or, query the first root certificate in the first client to obtain the validity authentication result of the first root certificate.
- 根据权利要求4所述的方法,其特征在于,所述第一校验信息中还包含查询地址;The method according to claim 4, wherein the first verification information further includes a query address;所述对所述第一根证书进行合法性查询,获得所述第一根证书的合法性认证结果,包括:The performing a legality query on the first root certificate to obtain a legality authentication result of the first root certificate, including:向所述查询地址对应的服务器查询所述第一根证书,获得所述第一根证书的合法性认证结果。The first root certificate is inquired from the server corresponding to the query address, and the validity authentication result of the first root certificate is obtained.
- 根据权利要求1所述的方法,其特征在于,The method of claim 1, wherein:所述第一校验信息包括所述第二客户端设备的第一根证书、第一操作凭证、第一认证信息、第二签名信息和第三签名信息;所述第一操作凭证是通过所述第一根证书签发的;所述第一认证信息是由统一认证平台对所述第二客户端设备进行认证后颁发的,所述统一认证平台用于对所述第一客户端设备和所述第二客户端设备进行认证;所述第二签名信息是通过所述第二客户端的第一私钥对所述第一根证书、所述第一操作凭证、所述统一认证信息进行签名得到的;所述第三签名是通过所述第二客户端的第二私钥对所述第一根证书、所述第一操作凭证、所述统一认证信息、所述第二签名信息进行签名得到的。The first verification information includes the first root certificate, the first operation certificate, the first authentication information, the second signature information and the third signature information of the second client device; the first operation certificate is obtained through all The first root certificate is issued; the first authentication information is issued after the second client device is authenticated by a unified authentication platform, and the unified authentication platform is used to authenticate the first client device and all The second client device performs authentication; the second signature information is obtained by signing the first root certificate, the first operation certificate, and the unified authentication information with the first private key of the second client The third signature is obtained by signing the first root certificate, the first operation certificate, the unified authentication information, and the second signature information through the second private key of the second client .
- 根据权利要求9所述的方法,其特征在于,所述对所述第一校验信息进行校验,包括:The method according to claim 9, wherein the verifying the first verification information comprises:对所述第一认证信息进行合法性校验;Verifying the validity of the first authentication information;当所述第一认证信息通过合法性校验后,通过所述第二私钥对应的第二公钥,对所述第三签名信息进行校验;所述第二公钥携带于所述第一认证信息中;After the first authentication information passes the validity verification, the third signature information is verified by using the second public key corresponding to the second private key; the second public key is carried in the second public key. 1. In the authentication information;当所述第三签名信息通过校验后,通过所述第一私钥对应的第一公钥,对所述第二签名信息进行校验;所述第一公钥携带于所述第一操作凭证中。After the third signature information is verified, the second signature information is verified by using the first public key corresponding to the first private key; the first public key is carried in the first operation in the certificate.
- 根据权利要求1所述的方法,其特征在于,所述通过配置触发信息触发所述服务端设备向所述第二客户端设备开放权限,包括:The method according to claim 1, wherein the triggering the server device to open permissions to the second client device by configuring trigger information comprises:向所述第二客户端设备发送第一配置触发信息;所述第一配置触发信息中包含所述配置令牌;sending first configuration trigger information to the second client device; the first configuration trigger information includes the configuration token;向所述服务端设备发送第二配置触发信息;所述第二配置触发信息中包含所述配置令牌和所述第一操作凭证。Send second configuration trigger information to the server device; the second configuration trigger information includes the configuration token and the first operation credential.
- 根据权利要求1所述的方法,其特征在于,所述通过配置触发信息触发所述服务端设备向所述第二客户端设备开放权限,包括:The method according to claim 1, wherein the triggering the server device to open permissions to the second client device by configuring trigger information comprises:向所述服务端设备发送第三配置触发信息;所述第三配置触发信息中包含所述配置令牌和所述第二客户端设备的第一公钥。Send third configuration trigger information to the server device; the third configuration trigger information includes the configuration token and the first public key of the second client device.
- 根据权利要求1所述的方法,其特征在于,所述第一客户端设备和所述第二客户端设备分别属于不同的物联网生态系统。The method of claim 1, wherein the first client device and the second client device belong to different IoT ecosystems, respectively.
- 根据权利要求1所述的方法,其特征在于,所述方法还包括:The method according to claim 1, wherein the method further comprises:扫描所述第二客户端设备展示的二维码,获得所述第二客户端设备的连接建立信息;Scan the QR code displayed by the second client device to obtain the connection establishment information of the second client device;根据所述连接建立信息,建立与所述第二客户端设备之间的第一安全连接。A first secure connection with the second client device is established according to the connection establishment information.
- 一种物联网中的权限配置方法,其特征在于,所述方法由第二客户端设备执行,所述方法包括:A method for configuring rights in the Internet of Things, characterized in that the method is executed by a second client device, and the method includes:接收第一客户端设备发送的包含第一随机值的第一校验请求;所述第一客户端设备具有服务端设备的管理权限;receiving a first verification request including a first random value sent by a first client device; the first client device has the management authority of the server device;向所述第一客户端设备发送第一校验信息,以便所述第一客户端设备对所述第一校验信息校验通过后,通过配置触发信息触发所述服务端设备向所述第二客户端设备开放权限;所述第一校验信息是基于所述第一随机值生成的。Send the first verification information to the first client device, so that after the first client device passes the verification of the first verification information, trigger the server device to send the first verification information to the first client device by configuring the trigger information. Two client devices open permissions; the first verification information is generated based on the first random value.
- 根据权利要求15所述的方法,其特征在于,The method of claim 15, wherein:所述第一校验信息包括第一签名信息、所述第二客户端设备的第一根证书和第一操作凭证中的至少一种;所述第一签名信息是通过所述第二客户端设备的第一私钥对目标数据进行签名得到的;所述目标数据包括所述第一随机值;所述第一操作凭证是通过所述第一根证书签发的。The first verification information includes at least one of first signature information, a first root certificate of the second client device, and a first operation credential; the first signature information is obtained by the second client The target data is obtained by signing the target data with the first private key of the device; the target data includes the first random value; and the first operation credential is issued by the first root certificate.
- 根据权利要求16所述的方法,其特征在于,The method of claim 16, wherein:所述目标数据还包括所述第一根证书和所述第一操作凭证中的至少一种。The target data further includes at least one of the first root certificate and the first operation certificate.
- 根据权利要求15所述的方法,其特征在于,The method of claim 15, wherein:所述第一校验信息包括所述第二客户端设备的第一根证书、第一操作凭证、第一认证信息、第二签名信息和第三签名信息;所述第一操作凭证是通过所述第一根证书签发的;所述第一认证信息是由统一认证平台对所述第二客户端设备进行认证后颁发的,所述统一认证平台用于对所述第一客户端设备和所述第二客户端设备进行认证;所述第二签名信息是通过所述第二客户端的第一私钥对所述第一根证书、所述第一操作凭证、所述统一认证信息进行签名得到的;所述第三签名是通过所述第二客户端的第二私钥对所述第一根证书、所述第一操作凭证、所述统一认证信息、所述第二签名信息进行签名得到的。The first verification information includes the first root certificate, the first operation certificate, the first authentication information, the second signature information and the third signature information of the second client device; the first operation certificate is obtained through all The first root certificate is issued; the first authentication information is issued after the second client device is authenticated by a unified authentication platform, and the unified authentication platform is used to authenticate the first client device and all The second client device performs authentication; the second signature information is obtained by signing the first root certificate, the first operation certificate, and the unified authentication information with the first private key of the second client The third signature is obtained by signing the first root certificate, the first operation certificate, the unified authentication information, and the second signature information through the second private key of the second client .
- 根据权利要求15所述的方法,其特征在于,所述方法还包括:The method of claim 15, wherein the method further comprises:接收所述第一客户端设备发送的第一配置触发信息,所述第一配置触发信息中包含配置令牌;receiving first configuration trigger information sent by the first client device, where the first configuration trigger information includes a configuration token;根据所述配置令牌,建立与所述服务端设备之间的第二安全连接;establishing a second secure connection with the server device according to the configuration token;接收所述服务端设备发送的包含第二随机值的第二校验请求;receiving a second verification request including a second random value sent by the server device;向所述服务端设备发送第二校验信息,所述第二校验信息中包含所述第一操作凭证以及第四签名信息,所述第四签名信息是通过所述第一私钥对所述第二随机值进行签名得到的;Send second verification information to the server device, where the second verification information includes the first operation credential and fourth signature information, and the fourth signature information is paired with the first private key. obtained by signing the second random value;接收所述服务端设备发送的设备证书请求,所述设备证书请求是所述服务端设备对所述第二校验信息验证通过后发送的;Receive a device certificate request sent by the server device, where the device certificate request is sent after the server device passes the verification of the second verification information;根据所述设备证书请求,在所述服务端设备中进行权限配置。Perform permission configuration in the server device according to the device certificate request.
- 根据权利要求15所述的方法,其特征在于,所述方法还包括:The method of claim 15, wherein the method further comprises:接收所述服务端设备发送的加密后的配置令牌;receiving the encrypted configuration token sent by the server device;根据所述第二客户端设备的第一公钥,对所述加密后的所述配置令牌进行解密,获得所述配置令牌;Decrypt the encrypted configuration token according to the first public key of the second client device to obtain the configuration token;根据所述配置令牌,建立与所述服务端设备之间的第三安全连接;establishing a third secure connection with the server device according to the configuration token;接收所述服务端设备发送的设备证书请求;receiving a device certificate request sent by the server device;根据所述设备证书请求,在所述服务端设备中进行权限配置。Perform permission configuration in the server device according to the device certificate request.
- 根据权利要求19或20所述的方法,其特征在于,所述根据所述设备证书请求,在所述服务端设备中进行权限配置,包括:The method according to claim 19 or 20, wherein the performing permission configuration in the server device according to the device certificate request comprises:将所述设备证书请求,以及所述服务端设备对应网络的网络标识发送给认证中心设备;sending the device certificate request and the network identifier of the network corresponding to the server device to the authentication center device;接收所述认证中心设备返回的设备证书;receiving the device certificate returned by the certification center device;将所述设备证书、所述第一根证书以及访问控制权限信息配置到所述服务端设备;Configuring the device certificate, the first root certificate and access control authority information to the server device;其中,所述访问控制权限信息配置在所述服务端设备的访问控制列表ACL中,且所述访问控制权限信息包括访问控制条目、所述访问控制条目对应的可访问数据、有权访问所述可访问数据的实体、以及授 权的访问方式。The access control authority information is configured in the access control list ACL of the server device, and the access control authority information includes an access control entry, the accessible data corresponding to the access control entry, the right to access the The entities that can access the data, and how access is authorized.
- 根据权利要求15所述的方法,其特征在于,所述第一客户端设备和所述第二客户端设备分别属于不同的物联网生态系统。The method of claim 15, wherein the first client device and the second client device belong to different IoT ecosystems, respectively.
- 根据权利要求15所述的方法,其特征在于,所述方法还包括:The method of claim 15, wherein the method further comprises:展示二维码,所述二维码中携带有所述第二客户端设备的连接建立信息;displaying a two-dimensional code, where the two-dimensional code carries the connection establishment information of the second client device;根据所述连接建立信息,建立与所述第一客户端设备之间的第一安全连接。According to the connection establishment information, establish a first secure connection with the first client device.
- 一种物联网中的权限配置方法,其特征在于,所述方法由服务端设备执行,所述方法包括:A permission configuration method in the Internet of Things, characterized in that the method is executed by a server device, and the method includes:接收第一客户端设备发送的配置触发信息;所述配置触发信息是所述第一客户端设备向第二客户端设备发送的包含第一随机值的第一校验请求,接收所述第二客户端设备发送的第一校验信息,并对所述第一校验信息校验通过后发送的;所述第一校验信息是基于所述第一随机值生成的;Receive configuration trigger information sent by a first client device; the configuration trigger information is a first verification request containing a first random value sent by the first client device to a second client device, and receive the second The first verification information sent by the client device, and sent after passing the verification of the first verification information; the first verification information is generated based on the first random value;根据所述配置触发信息,向所述第二客户端设备开放权限。According to the configuration trigger information, the permission is opened to the second client device.
- 根据权利要求24所述的方法,其特征在于,所述配置触发信息是包含配置令牌和所述第一操作凭证的第二配置触发信息;The method of claim 24, wherein the configuration trigger information is second configuration trigger information including a configuration token and the first operation credential;所述根据所述配置触发信息,向所述第二客户端设备开放权限,包括:The opening a permission to the second client device according to the configuration trigger information includes:根据所述配置令牌,建立与所述第二客户端设备之间的第二安全连接;establishing a second secure connection with the second client device based on the configuration token;向所述服务端设备发送的第二校验请求,所述第二校验请求中包含第二随机值;a second verification request sent to the server device, where the second verification request includes a second random value;接收所述第二客户端设备发送的第二校验信息,所述第二校验信息中包含所述第一操作凭证以及第四签名信息,所述第四签名信息是通过所述第一私钥对所述第二随机值进行签名得到的;Receive second verification information sent by the second client device, where the second verification information includes the first operation credential and fourth signature information, and the fourth signature information is obtained through the first private key. obtained by signing the second random value with the key;根据所述第二配置触发信息中包含的所述第一操作凭证,对所述第二校验信息进行校验;verifying the second verification information according to the first operation credential included in the second configuration trigger information;当所述第二校验信息通过校验后,向所述第二客户端设备发送设备证书请求,以便所述第二客户端设备根据所述设备证书请求,在所述服务端设备中进行权限配置。After the second verification information passes the verification, a device certificate request is sent to the second client device, so that the second client device can perform authorization in the server device according to the device certificate request. configuration.
- 根据权利要求25所述的方法,其特征在于,所述根据所述第二配置触发信息中包含的所述第一操作凭证,对所述第二校验信息进行校验,包括:The method according to claim 25, wherein the verifying the second verification information according to the first operation credential included in the second configuration trigger information comprises:对所述第二配置触发信息中包含的所述第一操作凭证,与所述第二校验信息包含的所述第一操作凭证进行比对;Comparing the first operation credential included in the second configuration trigger information with the first operation credential included in the second verification information;当所述第二配置触发信息中包含的所述第一操作凭证,与所述第二校验信息包含的所述第一操作凭证一致时,根据所述第一操作凭证,对所述第二签名信息进行校验。When the first operation credential included in the second configuration trigger information is consistent with the first operation credential included in the second verification information, according to the first operation credential, The signature information is verified.
- 根据权利要求26所述的方法,其特征在于,所述根据所述第一操作凭证,对所述第二签名信息进行校验,包括:The method according to claim 26, wherein the verifying the second signature information according to the first operation credential comprises:根据所述第一操作凭证中携带的,所述第二客户端设备的第一公钥,对所述第二签名信息进行校验。The second signature information is verified according to the first public key of the second client device carried in the first operation certificate.
- 根据权利要求24所述的方法,其特征在于,所述配置触发信息是包含配置令牌和所述第二客户端设备的第一公钥的第三配置触发信息;The method of claim 24, wherein the configuration trigger information is third configuration trigger information including a configuration token and a first public key of the second client device;所述根据所述配置触发信息,向所述第二客户端设备开放权限,包括:The opening a permission to the second client device according to the configuration trigger information includes:根据所述第一公钥对所述配置令牌进行加密,获得加密后所述配置令牌;Encrypt the configuration token according to the first public key, and obtain the encrypted configuration token;向所述第二客户端设备发送加密后的所述配置令牌;sending the encrypted configuration token to the second client device;根据所述配置令牌,建立与所述服务端设备之间的第三安全连接;establishing a third secure connection with the server device according to the configuration token;向所述第二客户端设备发送设备证书请求,以便所述第二客户端设备根据所述设备证书请求,在所述服务端设备中进行权限配置。A device certificate request is sent to the second client device, so that the second client device performs rights configuration in the server device according to the device certificate request.
- 根据权利要求25至28任一所述的方法,其特征在于,所述方法还包括:The method according to any one of claims 25 to 28, wherein the method further comprises:接收所述第二客户端设备配置的设备证书、所述第二客户端设备的第一根证书以及访问控制权限信息;receiving a device certificate configured by the second client device, a first root certificate of the second client device, and access control authority information;其中,所述访问控制权限信息配置在所述服务端设备的访问控制列表ACL中,且所述访问控制权限信息包括访问控制条目、所述访问控制条目对应的可访问数据、有权访问所述可访问数据的实体、以及授权的访问方式。The access control authority information is configured in the access control list ACL of the server device, and the access control authority information includes an access control entry, the accessible data corresponding to the access control entry, the right to access the The entities that can access the data, and how access is authorized.
- 一种物联网中的权限配置装置,其特征在于,所述装置用于第一客户端设备中,所述第一客户端设备具有服务端设备的管理权限;所述装置包括:A permission configuration device in the Internet of Things, characterized in that the device is used in a first client device, and the first client device has the management permission of the server device; the device comprises:第一校验请求发送模块,用于向第二客户端设备发送第一校验请求,所述第一校验请求中包含第一随机值;a first verification request sending module, configured to send a first verification request to the second client device, where the first verification request includes a first random value;第一校验信息接收模块,用于接收所述第二客户端设备发送的第一校验信息;所述第一校验信息是基于所述第一随机值生成的;a first verification information receiving module, configured to receive the first verification information sent by the second client device; the first verification information is generated based on the first random value;第一校验模块,用于对所述第一校验信息进行校验;a first verification module, configured to verify the first verification information;配置触发模块,用于当所述第一校验信息通过校验时,通过配置触发信息触发所述服务端设备向所述 第二客户端设备开放权限。A configuration triggering module is configured to trigger the server device to open permissions to the second client device through the configuration trigger information when the first verification information passes the verification.
- 一种物联网中的权限配置装置,其特征在于,所述装置用于第二客户端设备中,所述装置包括:A permission configuration device in the Internet of Things, characterized in that the device is used in a second client device, and the device comprises:第一校验请求接收模块,用于接收第一客户端设备发送的包含第一随机值的第一校验请求;所述第一客户端设备具有服务端设备的管理权限;a first verification request receiving module, configured to receive a first verification request including a first random value sent by a first client device; the first client device has the management authority of the server device;第一校验信息发送模块,用于向所述第一客户端设备发送第一校验信息,以便所述第一客户端设备对所述第一校验信息校验通过后,通过配置触发信息触发所述服务端设备向所述第二客户端设备开放权限;所述第一校验信息是基于所述第一随机值生成的。A first verification information sending module, configured to send first verification information to the first client device, so that the first client device can configure trigger information after passing the verification of the first verification information triggering the server device to open permissions to the second client device; the first verification information is generated based on the first random value.
- 一种物联网中的权限配置装置,其特征在于,所述装置用于服务端设备中,所述装置包括:A permission configuration device in the Internet of Things, characterized in that, the device is used in a server device, and the device includes:配置触发信息接收模块,用于接收第一客户端设备发送的配置触发信息;所述配置触发信息是所述第一客户端设备向第二客户端设备发送包含第一随机值的第一校验请求,接收所述第二客户端设备发送的第一校验信息,并对所述第一校验信息校验通过后发送的;所述第一校验信息是基于所述第一随机值生成的;a configuration trigger information receiving module, configured to receive the configuration trigger information sent by the first client device; the configuration trigger information is that the first client device sends a first check containing a first random value to the second client device request, receive the first verification information sent by the second client device, and send the first verification information after passing the verification; the first verification information is generated based on the first random value of;权限开放模块,用于根据所述配置触发信息,向所述第二客户端设备开放权限。A rights opening module, configured to open rights to the second client device according to the configuration trigger information.
- 一种物联网设备,其特征在于,所述物联网设备实现为第一客户端设备,所述第一客户端设备具有服务端设备的管理权限;所述物联网设备包括处理器、存储器和收发器;An Internet of Things device, characterized in that the Internet of Things device is implemented as a first client device, and the first client device has the management authority of a server device; the Internet of Things device includes a processor, a memory, and a transceiver. device;所述收发器,用于向第二客户端设备发送第一校验请求,所述第一校验请求中包含第一随机值;the transceiver, configured to send a first verification request to the second client device, where the first verification request includes a first random value;所述收发器,用于接收所述第二客户端设备发送的第一校验信息;所述第一校验信息是基于所述第一随机值生成的;the transceiver, configured to receive first verification information sent by the second client device; the first verification information is generated based on the first random value;所述处理器,用于对所述第一校验信息进行校验;the processor, configured to verify the first verification information;所述收发器,用于当所述第一校验信息通过校验时,通过配置触发信息触发所述服务端设备向所述第二客户端设备开放权限。The transceiver is configured to trigger the server device to open permissions to the second client device by configuring trigger information when the first verification information passes the verification.
- 一种物联网设备,其特征在于,所述物联网设备实现为第二客户端设备,所述物联网设备包括处理器、存储器和收发器;An Internet of Things device, characterized in that the Internet of Things device is implemented as a second client device, and the Internet of Things device includes a processor, a memory, and a transceiver;所述收发器,用于接收第一客户端设备发送的包含第一随机值的第一校验请求;所述第一客户端设备具有服务端设备的管理权限;The transceiver is configured to receive a first verification request including a first random value sent by a first client device; the first client device has the management authority of the server device;所述收发器,用于向所述第一客户端设备发送第一校验信息,以便所述第一客户端设备对所述第一校验信息校验通过后,通过配置触发信息触发所述服务端设备向所述第二客户端设备开放权限;所述第一校验信息是基于所述第一随机值生成的。The transceiver is configured to send the first verification information to the first client device, so that after the first client device passes the verification of the first verification information, the configuration trigger information is used to trigger the The server device opens permissions to the second client device; the first verification information is generated based on the first random value.
- 一种物联网设备,其特征在于,所述物联网设备实现为服务端设备,所述物联网设备包括处理器、存储器和收发器;An Internet of Things device, characterized in that the Internet of Things device is implemented as a server device, and the Internet of Things device includes a processor, a memory, and a transceiver;所述收发器,用于接收第一客户端设备发送的配置触发信息;所述配置触发信息是所述第一客户端设备向第二客户端设备发送包含第一随机值的第一校验请求,接收所述第二客户端设备发送的第一校验信息,并对所述第一校验信息校验通过后发送的;所述第一校验信息是基于所述第一随机值生成的;The transceiver is configured to receive configuration trigger information sent by a first client device; the configuration trigger information is that the first client device sends a first verification request including a first random value to a second client device , receive the first verification information sent by the second client device, and send the verification information after passing the verification of the first verification information; the first verification information is generated based on the first random value ;所述处理器,用于根据所述配置触发信息,向所述第二客户端设备开放权限。The processor is configured to open a permission to the second client device according to the configuration trigger information.
- 一种计算机可读存储介质,其特征在于,所述存储介质中存储有计算机程序,所述计算机程序用于被处理器执行,以实现如权利要求1至29任一项所述的物联网中的权限配置方法。A computer-readable storage medium, characterized in that a computer program is stored in the storage medium, and the computer program is used to be executed by a processor to implement the Internet of Things according to any one of claims 1 to 29. Permission configuration method.
- 一种芯片,其特征在于,所述芯片用于在物联网设备中运行,以使得所述物联网设备执行如权利要求1至29任一项所述的物联网中的权限配置方法。A chip, characterized in that the chip is used to run in an IoT device, so that the IoT device executes the permission configuration method in the IoT according to any one of claims 1 to 29.
- 一种计算机程序产品,其特征在于,所述计算机程序产品包括计算机指令,所述计算机指令存储在计算机可读存储介质中;物联网设备的处理器从所述计算机可读存储介质读取所述计算机指令,并执行所述计算机指令,使得所述物联网设备执行如权利要求1至29任一项所述的物联网中的权限配置方法。A computer program product, characterized in that the computer program product includes computer instructions, and the computer instructions are stored in a computer-readable storage medium; the processor of the Internet of Things device reads the computer-readable storage medium from the computer-readable storage medium. computer instructions, and executing the computer instructions causes the Internet of Things device to execute the method for configuring rights in the Internet of Things according to any one of claims 1 to 29.
- 一种计算机程序,其特征在于,所述计算机程序由物联网设备的处理器执行,以实现如权利要求1至29任一项所述的物联网中的权限配置方法。A computer program, characterized in that the computer program is executed by a processor of an Internet of Things device to implement the method for configuring rights in the Internet of Things according to any one of claims 1 to 29.
Priority Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
PCT/CN2021/076574 WO2022170583A1 (en) | 2021-02-10 | 2021-02-10 | Permission configuration method and apparatus in internet of things, device, and storage medium |
CN202180070751.9A CN116325661A (en) | 2021-02-10 | 2021-02-10 | Authority configuration method, device, equipment and storage medium in Internet of things |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
PCT/CN2021/076574 WO2022170583A1 (en) | 2021-02-10 | 2021-02-10 | Permission configuration method and apparatus in internet of things, device, and storage medium |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2022170583A1 true WO2022170583A1 (en) | 2022-08-18 |
Family
ID=82838109
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/CN2021/076574 WO2022170583A1 (en) | 2021-02-10 | 2021-02-10 | Permission configuration method and apparatus in internet of things, device, and storage medium |
Country Status (2)
Country | Link |
---|---|
CN (1) | CN116325661A (en) |
WO (1) | WO2022170583A1 (en) |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2024138592A1 (en) * | 2022-12-30 | 2024-07-04 | Oppo广东移动通信有限公司 | Access control method, client device, and server device |
WO2024183048A1 (en) * | 2023-03-09 | 2024-09-12 | Oppo广东移动通信有限公司 | Connection establishment method and apparatus |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103916637A (en) * | 2014-04-15 | 2014-07-09 | 浙江宇视科技有限公司 | Method and device for safely sharing monitoring front end device |
CN106471784A (en) * | 2014-08-06 | 2017-03-01 | 谷歌公司 | Equipment access control |
KR101870786B1 (en) * | 2016-12-29 | 2018-06-26 | 금오공과대학교 산학협력단 | Method of providing internet of things services via social framework and server performing the same |
CN108616531A (en) * | 2018-04-26 | 2018-10-02 | 深圳市盛路物联通讯技术有限公司 | A kind of radiofrequency signal safety communicating method and system |
-
2021
- 2021-02-10 WO PCT/CN2021/076574 patent/WO2022170583A1/en active Application Filing
- 2021-02-10 CN CN202180070751.9A patent/CN116325661A/en active Pending
Patent Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103916637A (en) * | 2014-04-15 | 2014-07-09 | 浙江宇视科技有限公司 | Method and device for safely sharing monitoring front end device |
CN106471784A (en) * | 2014-08-06 | 2017-03-01 | 谷歌公司 | Equipment access control |
KR101870786B1 (en) * | 2016-12-29 | 2018-06-26 | 금오공과대학교 산학협력단 | Method of providing internet of things services via social framework and server performing the same |
CN108616531A (en) * | 2018-04-26 | 2018-10-02 | 深圳市盛路物联通讯技术有限公司 | A kind of radiofrequency signal safety communicating method and system |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2024138592A1 (en) * | 2022-12-30 | 2024-07-04 | Oppo广东移动通信有限公司 | Access control method, client device, and server device |
WO2024183048A1 (en) * | 2023-03-09 | 2024-09-12 | Oppo广东移动通信有限公司 | Connection establishment method and apparatus |
Also Published As
Publication number | Publication date |
---|---|
CN116325661A (en) | 2023-06-23 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN110770695B (en) | Internet of things (IOT) device management | |
JP6508688B2 (en) | End-to-end service layer authentication | |
JP6595631B2 (en) | Content security in the service layer | |
US10257161B2 (en) | Using neighbor discovery to create trust information for other applications | |
US8724515B2 (en) | Configuring a secure network | |
KR101038064B1 (en) | Authenticating an application | |
WO2019153701A1 (en) | Method and apparatus for obtaining device identification | |
TWI558253B (en) | A computer-implemented method for enabling authentication of a user and a method for enabling the use of a user identity for obtaining access to a service at a target domain | |
US11736304B2 (en) | Secure authentication of remote equipment | |
Xu et al. | BE-RAN: Blockchain-enabled open RAN with decentralized identity management and privacy-preserving communication | |
WO2022100356A1 (en) | Identity authentication system, method and apparatus, device, and computer readable storage medium | |
JP2016540462A (en) | Key configuration method, system, and apparatus | |
US9154483B1 (en) | Secure device configuration | |
JP2010158030A (en) | Method, computer program, and apparatus for initializing secure communication among and for exclusively pairing device | |
US20240323026A1 (en) | System and method for pre-shared key (psk) based supply chain tamper resistance | |
WO2022170583A1 (en) | Permission configuration method and apparatus in internet of things, device, and storage medium | |
WO2023083170A1 (en) | Key generation method and apparatus, terminal device, and server | |
US12015721B1 (en) | System and method for dynamic retrieval of certificates with remote lifecycle management | |
EP3340530B1 (en) | Transport layer security (tls) based method to generate and use a unique persistent node identity, and corresponding client and server | |
US20230107045A1 (en) | Method and system for self-onboarding of iot devices | |
CN117014844A (en) | Communication method, electronic device, and storage medium | |
Sivakumar | Analysis of Ad-Hoc Network Security using Zero knowledge Proof and Wi-Fi Protected Access 2 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
NENP | Non-entry into the national phase |
Ref country code: DE |
|
122 | Ep: pct application non-entry in european phase |
Ref document number: 21925245 Country of ref document: EP Kind code of ref document: A1 |