CN115884169A - Processing method, device, network equipment and storage medium of identity mark - Google Patents
- Publication number: CN115884169A (application CN202111152658.0A)
- Authority: CN (China)
- Prior art keywords: identity; information; terminal device; chip; request
- Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
- Landscape: Data Exchanges In Wide-Area Networks
Abstract
The present application discloses an identity identifier processing method, device, network node and storage medium. A first network device includes a first chip and a first server running in a trusted execution environment (TEE) supported by the first chip; the first chip includes a security chip or a trusted chip. The method includes: the first server obtains a first request sent by a first terminal device, where the first request is used to request generation of an identity identifier for the first terminal device and carries at least one piece of first information, the first information being information describing the identity of the first terminal device; the first chip encrypts second information to obtain a first identity of the first terminal device, where the second information is a digest corresponding to the at least one piece of first information; and the first server sends the first identity to the first terminal device.
Description
Technical Field
The present application relates to the field of the Internet of Things (IoT), and in particular to an identity identifier processing method, device, network device and storage medium.
Background Art
In the perception control domain of an IoT system, most IoT terminals, such as perception terminals and control terminals, need to be protected by means of an identity identifier. In the related art, the identity identifier methods used for IoT terminals either leave the identifier easy to tamper with or counterfeit, or require high software and hardware costs, so effective and low-cost security protection for IoT terminals is difficult to achieve.
Summary of the Invention
To solve the problems of the related art, embodiments of the present application provide an identity identifier processing method, device, network device and storage medium.
The technical solution of the embodiments of the present application is implemented as follows:
An embodiment of the present application provides an identity identifier processing method applied to a first network device, where the first network device includes a first chip and a first server running in a Trusted Execution Environment (TEE) supported by the first chip; the first chip includes a security chip or a trusted chip; the method includes:
the first server obtains a first request sent by a first terminal device, where the first request is used to request generation of an identity identifier for the first terminal device, the first request carries at least one piece of first information, and the first information is information describing the identity of the first terminal device;
the first server obtains a first identity of the first terminal device, where the first identity is obtained by encrypting second information, and the second information is digest information corresponding to the at least one piece of first information;
the first server sends the first identity to the first terminal device.
In the above solution, the at least one piece of first information includes at least one of the following items of information about the first terminal device:
device name;
device serial number;
Media Access Control (MAC) address;
operating mode;
uplink connection information.
In the above solution, before the first server obtains the first identity of the first terminal device, the method further includes:
the first server or the first chip performs a hash operation on the at least one piece of first information to obtain the second information.
In the above solution, the first server obtaining the first identity of the first terminal device includes:
the first server sends a second request to the first chip, where the second request is used to request the first chip to encrypt the second information;
the first server obtains a response returned by the first chip in reply to the second request, where the response carries the first identity obtained by the first chip encrypting the second information with the private key of a first key pair.
In the above solution, the network device further includes a first database running in the TEE; the first database stores at least the identity identifier of at least one terminal device generated by the first network device; and the first server sending the first identity to the first terminal device includes:
when the first server finds by querying that the first identity is not stored in the first database, the first server sends the first identity to the first terminal device.
In the above solution, the method further includes:
the first server stores the first identity, together with at least one of the following items of information about the first terminal device, in the first database:
the at least one piece of first information, the second information, the first key pair used to encrypt the second information, and/or the generation time of the first identity.
In the above solution, the first network device further includes a first log module running in the TEE; the method further includes:
the first log module generates and stores a first log, where
the first log is a log recording the operations related to the first identity.
In the above solution, the method further includes:
the first server obtains a second request sent by the first terminal device, where the second request is used to request re-access to the first network device and carries the first identity;
when the first server confirms, on the basis of the first identity in the second request, that the first terminal device is bound to the first network device, the first terminal device is allowed to establish a connection with the first network device.
In the above solution, the method further includes:
when the first terminal device is unbound from the first network device, the first server sets the first identity to invalid.
In the above solution, the method further includes:
the first server obtains a third request sent by the first terminal device, where the third request is used to request the first network device to perform, for a second network device or a second terminal device, security authentication of the identity identifier of the first terminal device;
on the basis of a first connection between the first network device and the second network device or the second terminal device, the first server obtains a second identity sent by the second network device or the second terminal device, where the second identity is the identity identifier of the first terminal device as obtained by the second network device or the second terminal device;
when the first server confirms that the second identity is consistent with the first identity and that set conditions are satisfied, the first server sends third information to the second network device or the second terminal device over the first connection, where the third information is used by the second network device or the second terminal device to obtain the result of the security authentication of the second identity.
In the above solution, the set conditions include at least one of the following:
the first identity is valid;
the first terminal device is connected to the first network device;
the validity period of the third request is within a set range.
In the above solution, the first connection between the first network device and the second network device is a trusted connection or a secure connection.
An embodiment of the present application further provides an identity identifier processing device, which runs in a TEE supported by a first chip in a first network device; the first chip includes a security chip or a trusted chip; the device includes:
a first processing unit, configured to obtain a first request sent by a first terminal device, where the first request is used to request generation of an identity identifier for the first terminal device, the first request carries at least one piece of first information, and the first information is information describing the identity of the first terminal device;
a second processing unit, configured to obtain a first identity of the first terminal device, where the first identity is obtained by encrypting second information, and the second information is digest information corresponding to the at least one piece of first information;
a third processing unit, configured to send the first identity to the first terminal device.
An embodiment of the present application further provides a first network device, characterized in that the first network device includes a first chip, a first processor and a first communication interface; the first chip includes a security chip or a trusted chip; where
the first communication interface is configured to obtain, in a TEE supported by the first chip, a first request sent by a first terminal device, where the first request is used to request generation of an identity identifier for the first terminal device, the first request carries at least one piece of first information, and the first information is information describing the identity of the first terminal device;
the first processor is configured to obtain, in the TEE, a first identity of the first terminal device, where the first identity is obtained by encrypting second information, and the second information is digest information corresponding to the at least one piece of first information;
the first communication interface is further configured to send, in the TEE, the first identity to the first terminal device.
An embodiment of the present application further provides an IoT system, characterized in that it includes a first terminal device and a first network device, where the first network device includes a first chip and a first server running in a TEE supported by the first chip; the first chip includes a security chip or a trusted chip; where
the first server is configured to obtain a first request sent by the first terminal device, where the first request is used to request generation of an identity identifier for the first terminal device, the first request carries at least one piece of first information, and the first information is information describing the identity of the first terminal device;
the first server is further configured to obtain a first identity of the first terminal device, where the first identity is obtained by encrypting second information, and the second information is digest information corresponding to the at least one piece of first information;
the first server is further configured to send the first identity to the first terminal device.
In the embodiments of the present application, the first network device includes a first chip and a first server running in a TEE supported by the first chip, where the first chip includes a security chip or a trusted chip. On this basis, the first server obtains a first request sent by the first terminal device, the first request being used to request generation of an identity identifier for the first terminal device and carrying at least one piece of first information describing the identity of the first terminal device; the first server obtains a first identity of the first terminal device, where the first identity is obtained by encrypting second information and the second information is digest information corresponding to the at least one piece of first information; and the first server then sends the first identity to the first terminal device. With this solution, tampering with or counterfeiting of the identity identifier of the terminal device can be prevented, so effective and low-cost security protection of the terminal device is achieved.
Brief Description of the Drawings
FIG. 1 is a schematic diagram of perception control domain networking in a related-art IoT system;
FIG. 2 is a schematic flow diagram of identity identifier processing according to an embodiment of the present application;
FIG. 3 is a schematic flow diagram of identity identifier processing according to an application embodiment of the present application;
FIG. 4 is a schematic flow diagram of identity identifier security authentication according to an embodiment of the present application;
FIG. 5 is a schematic flow diagram of identity identifier security authentication according to an application embodiment of the present application;
FIG. 6 is a schematic diagram of an application scenario of the identity identifier processing method according to an embodiment of the present application;
FIG. 7 is a schematic structural diagram of an identity identifier processing device according to an embodiment of the present application;
FIG. 8 is a schematic structural diagram of a first network device according to an embodiment of the present application.
Detailed Description of the Embodiments
As shown in FIG. 1, most IoT terminals in the perception control domain of an IoT system, such as perception terminals and control terminals, need to be networked locally through network connection devices such as IoT gateways, routers and/or smart gateways, and then reach the Internet to communicate with the IoT platform. Generally, IoT terminals such as perception terminals and control terminals are low in cost, have no built-in security chip or trusted chip, have weak computing power, storage capacity and battery life, and do not support complex encryption and decryption operations or secure storage of information; as a result, the identity identifier methods used for IoT terminals are relatively simple. In the related art, common identity identifier methods include: the device manufacturer burns a device serial number into the device memory as the identity identifier when the device leaves the factory, or an IoT terminal capable of connecting directly to the network uses its MAC address or IP address as the identity identifier. These methods leave the device serial number easy to tamper with or counterfeit. A small number of IoT terminals use a pre-installed security certificate combined with the product serial number as the identity identifier, or use a built-in trusted Central Processing Unit (CPU) or a trusted chip such as a Trusted Platform Module (TPM) or Trusted Platform Control Module (TPCM) as the identity identifier; these methods have high software and hardware costs and poor compatibility and applicability. It can therefore be seen that the identity identifier methods of the related art make effective and low-cost security protection of IoT terminals difficult to achieve.
On this basis, in the various embodiments of the present application, the first network device includes a first chip and a first server running in a TEE supported by the first chip, where the first chip includes a security chip or a trusted chip. The first server obtains a first request sent by the first terminal device, the first request being used to request generation of an identity identifier for the first terminal device and carrying at least one piece of first information describing the identity of the first terminal device; the first server obtains a first identity of the first terminal device, where the first identity is obtained by encrypting the digest information corresponding to the at least one piece of first information; and the first server then sends the first identity to the first terminal device. With this solution, tampering with or counterfeiting of the identity identifier of the terminal device can be prevented, so effective and low-cost security protection of the terminal device is achieved.
First, the system architecture to which the identity identifier processing method of the embodiments of the present application applies is described:
The system framework includes a network device and at least one terminal device. In practice, the network device includes, but is not limited to, network connection devices such as secure smart gateways and routers; more specifically, the network device may be a secure smart gateway, router or similar device used in an IoT system to connect the various IoT terminals of an IoT perception control domain within the same local area network. Compared with low-cost IoT terminals, network devices such as secure smart gateways and routers are usually equipped with ample computing and storage resources and usually have a security chip or trusted chip, and so offer higher security. In the embodiments of the present application, the network device acts as the server and the terminal device as the client; the two work together, using the security capability of the network device to construct a secure identity identifier for the terminal device.
A security chip or trusted chip is built into the network device, and the identity identifier processing method of the embodiments of the present application is implemented in a secure zone supported by that security chip or trusted chip; that is, the server runs in a TEE supported by the security chip or trusted chip.
The present application is described in further detail below with reference to the accompanying drawings and embodiments.
An embodiment of the present application provides an identity identifier processing method, as shown in FIG. 2. The method is executed by a first network device which, as described above, includes a first chip and a first server running in a TEE supported by the first chip; the first chip includes a security chip or a trusted chip. The method includes:
Step 201: the first server obtains a first request sent by a first terminal device.
The first request is used to request generation of an identity identifier for the first terminal device; the first request carries at least one piece of first information; the first information is information describing the identity of the first terminal device.
Here, before sending the first request, the first terminal device collects, according to the information types specified in its configuration, information that represents the identity characteristics of the first terminal device and whose content is relatively fixed, including but not limited to the device name, device serial number, MAC address, operating mode and/or uplink connection information. In practice, the first terminal device may send the collected information to the first network device as an information set or an information sequence, requesting that the first network device generate a unique identity identifier for it.
Step 202: the first server obtains a first identity of the first terminal device.
The first identity is obtained by encrypting second information; the second information is digest information corresponding to the at least one piece of first information.
After receiving the first request, the first network device uses the digest algorithm built into the security chip/trusted chip to process the identity-describing information carried in the first request, obtains the digest corresponding to the at least one piece of first information, and encrypts the generated digest to obtain the first identity of the first terminal device. Because the entire generation process takes place in the TEE supported by the security chip/trusted chip, the security of the identity identifier is guaranteed.
As to the digest generation process, in an embodiment, before the first server obtains the first identity of the first terminal device, the method further includes:
the first server or the first chip performs a hash operation on the at least one piece of first information to obtain the second information.
Here, after the first request is received, the digest corresponding to the at least one piece of first information is obtained by a hash operation using the digest algorithm built into the security chip/trusted chip. In practice, if the security chip/trusted chip has no built-in digest algorithm, or does not expose its digest computation capability, the digest algorithm may instead be embedded in the first server running in the TEE supported by the security chip/trusted chip, and the digest corresponding to the at least one piece of first information is obtained there.
In practice, where the first terminal device has sent at least two pieces of first information to the first network device, or has sent an information set or information sequence containing multiple pieces of first information, the first network device may, before computing the corresponding digest information, combine the multiple pieces of first information, for example by concatenation or merging, into one piece of combined information, and then generate the corresponding digest information from that combined information.
As to the encryption process, in an embodiment, the first server obtaining the first identity of the first terminal device includes:
the first server sends a second request to the first chip, where the second request is used to request the first chip to encrypt the second information;
the first server obtains a response returned by the first chip in reply to the second request, where the response carries the first identity obtained by the first chip encrypting the second information with the private key of a first key pair.
In practice, after generating the digest information, the security chip/trusted chip sends it to the first server; on receiving the digest information, the first server requests the security chip/trusted chip to generate a key pair for encrypting it. On receiving the second request from the first server for the key pair, the security chip/trusted chip generates the first key pair and encrypts the digest information with the private key of that first key pair, thereby obtaining the first identity of the first terminal device.
Here, the first server sends the digest information to the security chip/trusted chip, and the security chip/trusted chip encrypts it. The digest information may be carried in the second request sent to the security chip/trusted chip; after receiving the second request, the security chip/trusted chip extracts the digest information from it, generates a key pair, and encrypts the extracted digest information with the private key of the key pair. That is, the security chip/trusted chip does not store the digest information; it only generates the digest information or encrypts it.
In practice, if the security chip/trusted chip has no built-in encryption algorithm, or does not expose its encryption capability, the encryption algorithm may likewise be embedded in the first server running in the TEE supported by the security chip/trusted chip, so as to obtain the digest corresponding to the at least one piece of first information.
Step 203: the first server sends the first identity to the first terminal device.
In the above solution, without adding to the hardware cost of the device, the higher security capability and computing performance of the network device are used to generate the identity identifier of the terminal device in software. This prevents the identity identifier of the terminal device from being tampered with or counterfeited, and so achieves effective and low-cost security protection of the terminal device.
在一实施例中,所述网络设备还包括运行于所述TEE中的第一数据库;所述第一数据库中至少存储有由所述第一网络设备生成的至少一个终端设备的身份标识;所述第一服务端将所述第一身份标识发送对所述第一终端设备,包括:In an embodiment, the network device further includes a first database running in the TEE; the first database stores at least the identity of at least one terminal device generated by the first network device; The first server sending the first identity to the first terminal device includes:
在所述第一服务端查询到所述第一数据库中未存有所述第一身份标识的情况下,所述第一服务端将所述第一身份标识发送至所述第一终端设备。When the first server finds that the first identity is not stored in the first database, the first server sends the first identity to the first terminal device.
这里,第一数据库主要提供身份标识的存储、查询、更新等服务,具体地,第一数据库主要为第一网络设备生成的身份标识进行存储,并支持第一服务端对第一数据库中的身份标识进行查询和/或更新。由于第一数据库运行于TEE中,因此,身份标识存储在第一数据库中能够得到有效的数据安全保障,并且,进一步地,还可以在第一数据库中通过加密存储等方式对身份标识进行安全防护。Here, the first database mainly provides services such as storage, query, and update of the identity. Specifically, the first database mainly stores the identity generated by the first network device, and supports the first server to update the identity in the first database. ID for query and/or update. Since the first database runs in the TEE, effective data security can be obtained by storing the identity mark in the first database, and further, the identity mark can be protected in the first database through encrypted storage and other methods .
第一服务端在获取到新生成的第一身份标识后,查询第一身份标识是否已经存在于第一数据库中,若查询结果为第一身份标识不存在于第一数据库中,则确认了该第一身份标识的唯一性,此时,向第一终端设备发送第一身份标识;若查询结果为第一身份标识此前已存在于第一数据库中,则第一服务端向第一终端设备返回第一身份标识已存在的结果。After obtaining the newly generated first identity, the first server inquires whether the first identity already exists in the first database, and if the result of the query is that the first identity does not exist in the first database, the The uniqueness of the first identity, at this time, send the first identity to the first terminal device; if the query result shows that the first identity has previously existed in the first database, the first server returns to the first terminal device The result that the first identity already exists.
In an embodiment, the method further includes:
the first server storing the first identity, together with at least one of the following information of the first terminal device, in the first database:
the at least one piece of first information, the second information, the first key pair used to encrypt the second information, and/or the generation time of the first identity.
That is, when the generated identity is stored in the first database, the digest corresponding to the identity, the key pair used to generate it, its generation time and the at least one piece of first information describing the identity that the terminal device provided are stored with it, so that identities in the first database can be queried and updated on the basis of this stored information.
In an embodiment, the first network device further includes a first log module running in the TEE; the method further includes:
the first log module generating and storing a first log; where
the first log is a log that records the operations related to the first identity.
The first log module also runs in the TEE, which effectively protects the log data and thereby also contributes to the data security of the identity.
In the application embodiment of Fig. 3, an IoT security smart gateway/router serves as the first network device and an IoT terminal device as the first terminal device, and the identity generation flow is shown on the corresponding system architecture.
Referring to Fig. 3:
1. The identity client running on the IoT terminal device collects, according to its client settings, information on the IoT terminal device that can represent its identity characteristics, obtaining an information set F. It then sends F to the identity server running on the IoT security smart gateway/router and requests that a unique security identity be generated for the IoT terminal device.
2. On receiving the security identity creation request from the IoT terminal device, the identity server running on the IoT security smart gateway/router combines the elements of the information set F, which represents the device's identity characteristics, into the combined device identity characteristic information S, and then sends S to the security chip/trusted chip, requesting that a digest be generated. Here S = Aggregation(F), where Aggregation() denotes the aggregation of the information set F.
3. The security chip/trusted chip uses its built-in cryptographic algorithm to generate the digest MDs of the combined device identity characteristic information S and returns the result to the identity server, where MDs = Hash(S) and Hash() denotes a hash operation over S.
4. After receiving the digest MDs of S, the identity server requests the security chip/trusted chip to generate a public/private key pair, and sends MDs to the security chip/trusted chip, requesting that MDs be encrypted with the private key.
5. The security chip/trusted chip uses its built-in cryptographic algorithm to generate a public/private key pair PrivateKey:PublicKey, encrypts the digest MDs with the private key PrivateKey, and returns the result to the identity server.
6. The identity server takes the received encrypted value of MDs as the security identity SecurityID of the IoT terminal device and sends the newly generated SecurityID to the identity database for a lookup, where SecurityID = Crypt(MDs, PrivateKey) and Crypt() denotes the corresponding encrypted string returned by the identity database.
7. The identity database checks whether the newly generated SecurityID already exists in the database and returns the query result to the identity server.
8. If, according to the query result, the new security identity does not yet exist in the identity database, the identity server stores the new security identity SecurityID, the digest MDs, the public/private key pair PrivateKey:PublicKey, the generation time Time of the security identity, and the original information set F of the IoT terminal device in the identity database.
9. The identity server writes the log information relating to the generation of the security identity into the identity log.
10. The identity server returns the security identity SecurityID to the identity client running on the IoT terminal device.
After the above generation flow, the security identity newly generated for the IoT terminal device is:
SecurityID = Crypt(Hash(Aggregation(F)), PrivateKey)
In an IoT system, during actual deployment the IoT terminal device and the IoT security smart gateway/router are usually paired or configured in a secure manner to establish the first connection, so the moment the first connection is successfully established can be taken as the time at which the IoT terminal device requests creation of its identity.
On the basis of the above scheme, with the support of a trusted IoT security smart gateway/router, the identity generated for the IoT terminal device is tied to several kinds of characteristics of that device, is unique, and has a high level of security. In practice, the IoT terminal device can, according to the needs of the IoT application, apply the identity within other identifier systems, such as the Unique Device Identifier (UDID), the Universally Unique Identifier (UUID) or IEID.
In an embodiment, the method further includes:
the first server obtaining a second request sent by the first terminal device, the second request being used to request re-access to the first network device and carrying the first identity; and
when the first server confirms, on the basis of the first identity in the second request, that the first terminal device is bound to the first network device, allowing the first terminal device to establish a connection with the first network device.
In an IoT system, while an IoT terminal device is bound to an IoT security smart gateway/router, the terminal device must send its identity to the gateway/router for confirmation every time it reconnects. If the identity server in the gateway/router confirms that the terminal device and its identity belong to a bound device, the terminal device is allowed to stay connected; if the identity server finds that they do not belong to a bound device, the terminal device is disconnected, and an alarm is raised and recorded in the identity log.
In an embodiment, the method further includes:
when the first terminal device is unbound from the first network device, the first server setting the first identity to invalid.
Once an IoT terminal device is unbound from its previous IoT security smart gateway/router and joins a new one, the gateway/router sets the identity the terminal device previously held to invalid, and the terminal device must request the newly bound gateway/router to generate a new SecurityID.
In practice, when the first terminal device interacts with the cloud or a remote device, it can send its identity to the other party to indicate who it is. In an embodiment, as shown in Fig. 4, the method further includes:
Step 401: the first server obtains a third request sent by the first terminal device.
The third request is used to request that the first network device perform, on behalf of a second network device or a second terminal device, security authentication of the identity of the first terminal device.
In an IoT system, the second network device can be understood as an IoT cloud platform, and the second terminal device as an IoT terminal device on the same local area network as the first terminal device. In practice, before step 401 the first terminal device sends its identity to the second network device or second terminal device, which needs to verify that identity after receiving it and therefore sends an identity authenticity proof request to the first terminal device. On receiving that request, the first terminal device sends the third request to the first network device, carrying in it the address information of the second network device or second terminal device, such as its IP address, to inform the first network device.
Step 402: on the basis of a first connection between the first network device and the second network device or second terminal device, the first server obtains a second identity sent by the second network device or second terminal device.
The second identity is the identity of the first terminal device as obtained by the second network device or second terminal device.
Here, after receiving the third request, the first network device first records the third request and its request time, then sets a validity period for the authenticity proof and starts timing, and then sends its own IP address to the first terminal device, which forwards it to the second network device or second terminal device. In this way the first network device and the second network device or second terminal device each learn the other's real address; on that basis the two sides establish a trusted/secure connection, the first connection, through a security procedure such as trusted remote attestation or mutual authentication. Over the first connection the first network device obtains the second identity sent by the second network device or second terminal device, which is the identity that the first terminal device had sent to them.
Step 403: when the first server confirms that the second identity matches the first identity and that the set conditions are satisfied, it sends third information to the second network device or second terminal device over the first connection.
The third information is used by the second network device or second terminal device to obtain the security authentication result for the second identity.
Here, after receiving the second identity, the first network device verifies it by judging whether the second identity that the first terminal device sent to the second network device or second terminal device matches the first identity that the first network device generated for the first terminal device, or, once they are found to match, further judging whether the first identity is valid; it thereby obtains the security authentication result for that identity and returns it to the second network device or second terminal device over the first connection.
Specifically, the set conditions include at least one of the following:
the first identity is valid;
the first terminal device is connected to the first network device;
the request time of the third request falls within the set validity period.
In the application embodiment of Fig. 5, an IoT security smart gateway/router serves as the first network device and an IoT terminal device as the first terminal device, and the security authentication flow for the identity is shown on the corresponding system architecture. Referring to Fig. 5:
1. The IoT terminal device sends its identity SecurityID to the IoT cloud platform/remote device.
2. If the IoT cloud platform/remote device needs to verify the SecurityID, it sends an identity authenticity proof request to the IoT terminal device.
3. The IoT terminal device forwards the identity authenticity proof request, together with information about the IoT cloud platform/remote device such as its IP address, to the identity server in the IoT security smart gateway/router.
4. The identity server in the gateway/router records the identity authenticity proof request received from the terminal device and its request time, sets a validity period for the authenticity proof, and then sends the IP address of the gateway/router to the IoT terminal device as the IP address of the identity generator/prover.
5. The IoT terminal device sends the IP address of the identity generator/prover to the IoT cloud platform/remote device.
6. Using the IP address of the identity generator/prover provided by the IoT terminal device, the IoT cloud platform/remote device attempts to contact the IoT security smart gateway/router. The two sides establish a trusted/secure connection after a security procedure such as trusted remote attestation or mutual authentication.
7. Over the trusted/secure connection, the IoT cloud platform/remote device sends the SecurityID of the IoT terminal device to be verified to the gateway/router and requests an identity authenticity proof for that SecurityID.
8. After receiving the request from the IoT cloud platform/remote device, the identity server of the gateway/router first checks whether the SecurityID sent by the cloud platform/remote device is in the database and confirms whether the IoT terminal device corresponding to that SecurityID is currently connected below this gateway/router; it then confirms whether this authenticity proof request was filed by the terminal device corresponding to that SecurityID, and whether the request is still within the set validity period. If all of these conditions are satisfied, it returns the MDs, the PublicKey and the asymmetric cryptographic algorithm type corresponding to the SecurityID to the IoT cloud platform/remote device over the trusted/secure connection. Note that if any abnormality occurs during this security authentication process in the gateway/router, an alarm is raised, and the security authentication event must be recorded in the identity log.
9. After receiving the MDs, the PublicKey and the asymmetric cryptographic algorithm type, the IoT cloud platform/remote device decrypts the SecurityID with the PublicKey to obtain MDs', and then checks whether MDs' matches MDs; if it does, the SecurityID of the IoT terminal device is proven genuine and secure.
The above security authentication flow applies not only to an IoT cloud platform/remote device authenticating the SecurityID of an IoT terminal device connected below an IoT security smart gateway/router, but also to authentication of the SecurityID between two IoT terminal devices connected below the same gateway/router. The flow is essentially the same in both scenarios; the only difference is that when the SecurityID is authenticated between two terminal devices below the same gateway/router, the terminal device initiating the authentication and the gateway/router need not go through a security procedure such as trusted remote attestation or mutual authentication to establish a trusted/secure connection, because the initiating terminal device is itself connected below the gateway/router and the connection between them is a confirmed local connection that is already secure and trusted.
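The generation flow of Fig. 3 (SecurityID = Crypt(Hash(Aggregation(F)), PrivateKey) with the database uniqueness check), the reconnect and unbind handling, and steps 8 and 9 of the authentication flow above, as an added Go example that is not part of the patent or any implementation of it: the chip's "private-key encryption of the digest" and the remote side's "decryption with the public key and comparison with MDs" are modelled as an RSA PKCS#1 v1.5 signature over MDs and its verification, which is what those two operations amount to in standard terms. The Aggregation encoding, the 2048-bit key size, the type and function names and the sample information set F are assumptions made here.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Aggregation(F): F is the list of identity fields the client collected (device name,
// serial number, MAC, working mode, uplink info) in a fixed order. The patent fixes
// no encoding, so joining them with a separator is an assumption made here.
func Aggregation(f []string) string { return strings.Join(f, "\n") }
// Hash(S): the digest MDs that the security chip / TEE computes over S.
func Hash(s string) []byte { d := sha256.Sum256([]byte(s)); return d[:] }

// Record is what step 8 of the generation flow stores beside the SecurityID (F omitted here).
type Record struct {
	Digest   []byte          // MDs
	Key      *rsa.PrivateKey // PrivateKey:PublicKey
	Created  time.Time       // generation time
	Valid    bool            // cleared when the device is unbound
	Attached bool            // device currently connected below this gateway
}

// Gateway models the identity server, identity database and identity log in the TEE.
type Gateway struct {
	db      map[string]*Record   // SecurityID (hex) -> record
	pending map[string]time.Time // SecurityID -> time its proof request was filed
	Log     []string
}

func NewGateway() *Gateway { return &Gateway{db: map[string]*Record{}, pending: map[string]time.Time{}} }

// GenerateID runs steps 2-10 of the generation flow for one device.
func (g *Gateway) GenerateID(f []string) (string, error) {
	mds := Hash(Aggregation(f))
	key, err := rsa.GenerateKey(rand.Reader, 2048) // key size assumed; the patent fixes none
	if err != nil { return "", err }
	// Crypt(MDs, PrivateKey): in standard terms an RSA PKCS#1 v1.5 signature over MDs.
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, mds)
	if err != nil { return "", err }
	id := hex.EncodeToString(sig) // SecurityID = Crypt(Hash(Aggregation(F)), PrivateKey)
	if _, exists := g.db[id]; exists { // uniqueness check against the database
		return "", errors.New("SecurityID already exists")
	}
	g.db[id] = &Record{Digest: mds, Key: key, Created: time.Now(), Valid: true, Attached: true}
	g.Log = append(g.Log, "generate: new SecurityID issued")
	return id, nil
}

// Reconnect: on re-access only a bound, still-valid SecurityID may stay connected.
func (g *Gateway) Reconnect(id string) bool { r, ok := g.db[id]; return ok && r.Valid }
// Invalidate is applied when the device is unbound from this gateway.
func (g *Gateway) Invalidate(id string) {
	if r, ok := g.db[id]; ok {
		r.Valid, r.Attached = false, false
	}
}
// FileProofRequest records the device's proof request and its time (step 4).
func (g *Gateway) FileProofRequest(id string, at time.Time) { g.pending[id] = at }

// ProofMaterial is step 8: once every condition holds, release MDs, PublicKey and
// the algorithm type to the cloud platform / remote device; a filed request is used once.
func (g *Gateway) ProofMaterial(id string, now time.Time, window time.Duration) ([]byte, *rsa.PublicKey, string, error) {
	r, ok := g.db[id]
	filed, requested := g.pending[id]
	var reason string
	switch {
	case !ok || !r.Valid:
		reason = "SecurityID unknown or invalid"
	case !r.Attached:
		reason = "device not attached to this gateway"
	case !requested || now.Sub(filed) > window:
		reason = "proof request not filed or outside the validity window"
	}
	if reason != "" { // any abnormality raises an alarm and is logged
		g.Log = append(g.Log, "alarm: "+reason)
		return nil, nil, "", errors.New(reason)
	}
	delete(g.pending, id)
	return r.Digest, &r.Key.PublicKey, "RSA-PKCS1v15-SHA256", nil
}

// Verify is step 9 on the remote side: "decrypt" the SecurityID with PublicKey and
// compare the recovered digest MDs' with MDs; VerifyPKCS1v15 does exactly that.
func Verify(id string, mds []byte, pub *rsa.PublicKey) bool {
	sig, err := hex.DecodeString(id)
	return err == nil && rsa.VerifyPKCS1v15(pub, crypto.SHA256, mds, sig) == nil
}

func main() {
	id, err := NewGateway().GenerateID([]string{"sensor-01", "SN-0001", "00:11:22:33:44:55"}) // constructed F
	fmt.Println("SecurityID:", id, err)
}
```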
In addition, the identity security authentication scheme provided by the embodiments of the present application can also be applied to devices that have trusted functionality and a direct Internet connection; for example, it can be applied to the IoT security smart gateway/router itself by installing the identity client in the normal execution area of the trusted gateway/router, as shown in Fig. 6, so that the identity client and the identity server communicate over the internal local network. When the identity client runs in the normal execution area of the trusted gateway/router in this way, the generation and use of the identity are exactly the same as in the embodiments described above.
Based on the scheme of the embodiments of the present application, with the support of a trusted IoT security smart gateway/router, the identity generated for an IoT terminal device is tied to several kinds of characteristics of that device, including scenario characteristics that can be added at deployment time, so it reflects the device's identity status, is unique and has a high level of security. Further, the identity generated by this scheme can serve as a public identity and be used widely in a variety of scenarios. Moreover, only a lightweight identity client needs to be integrated on the IoT terminal device, which takes part in no cryptographic computation and stores no identity during identity generation and use, so the scheme has a very low impact on the performance and cost of the terminal device itself and is convenient to use. In addition, when an IoT terminal device is migrated, the IoT security smart gateway/router sets the corresponding identity to invalid, which also provides some protection against theft of the device by migration.
To implement the method of the embodiments of the present application, the embodiments further provide an identity processing apparatus, arranged on a first network device and running in a TEE supported by a first chip in the first network device, the first chip including a security chip or a trusted chip. As shown in Fig. 7, the apparatus includes:
a first processing unit 701, configured to obtain a first request sent by a first terminal device, the first request being used to request generation of an identity for the first terminal device and carrying at least one piece of first information, the first information being information that describes the identity of the first terminal device;
a second processing unit 702, configured to obtain a first identity of the first terminal device, the first identity being obtained by encrypting second information, the second information being the digest corresponding to the at least one piece of first information; and
a third processing unit 703, configured to send the first identity to the first terminal device.
In an embodiment, the at least one piece of first information includes at least one of the following items of information of the first terminal device:
device name;
device serial number;
MAC address;
working mode;
uplink connection information.
In an embodiment, the apparatus further includes:
a fourth processing unit, configured to perform a hash operation on the at least one piece of first information to obtain the second information before the first server obtains the first identity of the first terminal device.
In an embodiment, the second processing unit 702 is configured to:
send a second request to the first chip, the second request being used to request the first chip to encrypt the second information; and
obtain a response returned by the first chip for the second request, the response carrying the first identity obtained by the first chip encrypting the second information with the private key of a first key pair.
In an embodiment, the network device further includes a first database running in the TEE; the first database stores at least the identity of at least one terminal device generated by the first network device; and the third processing unit 703 is configured to:
send the first identity to the first terminal device when it finds that the first identity is not stored in the first database.
In an embodiment, the apparatus further includes:
a fifth processing unit, configured to store the first identity, together with at least one of the following information of the first terminal device, in the first database:
the at least one piece of first information, the second information, the first key pair used to encrypt the second information, and/or the generation time of the first identity.
In an embodiment, the first network device further includes a first log module running in the TEE; the apparatus further includes:
a sixth processing unit, configured to generate and store a first log; where
the first log is a log that records the operations related to the first identity.
In an embodiment, the apparatus further includes:
a seventh processing unit, configured to obtain a second request sent by the first terminal device, the second request being used to request re-access to the first network device and carrying the first identity; and,
when it is confirmed on the basis of the first identity in the second request that the first terminal device is bound to the first network device, to allow the first terminal device to establish a connection with the first network device.
In an embodiment, the apparatus further includes:
an eighth processing unit, configured to set the first identity to invalid when the first terminal device is unbound from the first network device.
In an embodiment, the apparatus further includes:
a ninth processing unit, configured to obtain a third request sent by the first terminal device, the third request being used to request that the first network device perform, on behalf of a second network device or a second terminal device, security authentication of the identity of the first terminal device;
to obtain, on the basis of a first connection between the first network device and the second network device or second terminal device, a second identity sent by the second network device or second terminal device, the second identity being the identity of the first terminal device as obtained by the second network device or second terminal device; and
when the first server confirms that the second identity matches the first identity and that the set conditions are satisfied, to send third information to the second network device or second terminal device over the first connection, the third information being used by the second network device or second terminal device to obtain the security authentication result for the second identity.
In an embodiment, the set conditions include at least one of the following:
the first identity is valid;
the first terminal device is connected to the first network device;
the request time of the third request falls within the set validity period.
In an embodiment, the first connection between the first network device and the second network device is a trusted connection or a secure connection.
In practice, the first processing unit 701, the third processing unit 703, the seventh processing unit and the ninth processing unit can be implemented by a communication interface in the identity processing apparatus, and the second processing unit 702 and the fourth, fifth, sixth and eighth processing units by a processor in the identity processing apparatus.
It should be noted that the division of the identity processing apparatus of the above embodiment into the program modules described is only an example; in practice the processing can be assigned to different program modules as required, i.e. the internal structure of the apparatus can be divided into different program modules to carry out all or part of the processing described above. In addition, the identity processing apparatus of the above embodiment and the embodiments of the identity processing method belong to the same concept; its specific implementation is described in detail in the method embodiments and is not repeated here.
基于上述程序模块的硬件实现,且为了实现本申请实施例的方法,本申请实施例还提供了一种第一网络设备,如图8所示,第一网络设备800包括:Based on the hardware implementation of the above program modules, and in order to implement the method of the embodiment of the present application, the embodiment of the present application also provides a first network device. As shown in FIG. 8 , the
第一通信接口801,能够与其他网络节点进行信息交互;The
第一处理器802,与所述第一通信接口801连接,以实现与其他网络节点进行信息交互,用于运行计算机程序时,执行上述一个或多个技术方案提供的方法。而所述计算机程序存储在第一存储器803上。The
具体地,所述第一通信接口801,用于在由所述第一芯片支持的TEE中获取第一终端设备发送的第一请求;所述第一请求用于请求生成所述第一终端设备的身份标识;所述第一请求携带至少一个第一信息;所述第一信息表征用于描述所述第一终端设备的身份的信息;Specifically, the
所述第一处理器802,用于在所述TEE中获取所述第一终端设备的第一身份标识;所述第一身份标识通过对第二信息进行加密得到;所述第二信息表征所述至少一个第一信息对应的摘要信息;The
所述第一通信接口801,还用于在所述TEE中将所述第一身份标识发送对所述第一终端设备。The
In an embodiment, the at least one piece of first information includes at least one of the following items of information about the first terminal device:
device name;
device serial number;
MAC address;
operating mode;
uplink connection information.
In an embodiment, the first processor 802 is further configured to perform, in the TEE and before the first server obtains the first identity of the first terminal device, a hash operation on the at least one piece of first information to obtain the second information.
In an embodiment, the first processor 802 is configured to send, in the TEE, a second request to the first chip; the second request is used to request the first chip to encrypt the second information; and to obtain a response returned by the first chip based on the second request; the response carries the first identity, obtained by the first chip by encrypting the second information with the private key of a first key pair.
In an embodiment, the network device further includes a first database running in the TEE; the first database stores at least the identity of at least one terminal device generated by the first network device; the first communication interface 801 is further configured to send the first identity to the first terminal device when a query in the TEE finds that the first identity is not already stored in the first database.
In an embodiment, the first processor 802 is configured to store, in the TEE, the first identity together with at least one of the following items of information about the first terminal device in the first database:
the at least one piece of first information, the second information, the first key pair used to encrypt the second information, and/or the generation time of the first identity.
In an embodiment, the first network device further includes a first log module running in the TEE; the first processor 802 is configured to generate and store a first log in the TEE; where
the first log represents a log recording operations related to the first identity.
In an embodiment, the first communication interface 801 is further configured to obtain, in the TEE, a second request sent by the first terminal device; the second request is used to request re-attachment to the first network device; the second request carries the first identity;
when it is confirmed, based on the first identity in the second request, that the first terminal device is bound to the first network device, the first terminal device is allowed to establish a connection with the first network device.
In an embodiment, when the first terminal device is unbound from the first network device, the first processor 802 is configured to set the first identity as invalid in the TEE.
In an embodiment, the first communication interface 801 is further configured to obtain a third request sent by the first terminal device; the third request is used to request the first network device to perform security authentication of the identity of the first terminal device on behalf of a second network device or a second terminal device; based on the first connection between the first network device and the second network device or the second terminal device, the first server obtains a second identity sent by the second network device or the second terminal device; the second identity represents the identity of the first terminal device as obtained by the second network device or the second terminal device; when it is confirmed that the second identity is consistent with the first identity and the set conditions are satisfied, third information is sent to the second network device or the second terminal device over the first connection; the third information is used by the second network device or the second terminal device to obtain a security authentication result for the second identity.
In an embodiment, the set conditions include at least one of the following:
the first identity is valid;
the first terminal device is attached to the first network device;
the request time of the third request is within a set validity range.
In an embodiment, the first connection between the first network device and the second network device is a trusted connection or a secure connection.
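The identity lifecycle described above (digest of the first information, chip encryption, first-database uniqueness check, first log, re-attachment, unbinding and third-party authentication under the set conditions) as an added Python model; this is illustrative code, not the patent's own implementation. It assumes a `FirstServer` class of my own, and the chip's private-key encryption is stood in for by an HMAC over a chip-held secret because the standard library has no asymmetric primitives.

```python
import hashlib
import hmac
from dataclasses import dataclass

@dataclass
class IdentityRecord:
    """Row of the first database: items the text says are stored with the identity."""
    first_info: dict
    digest: str
    created_at: float
    valid: bool = True      # cleared when the terminal is unbound
    attached: bool = True   # whether the terminal is currently attached

class FirstServer:
    """Stand-in for the first server in the TEE. The chip's private-key encryption is
    modelled by an HMAC over a chip-held secret (the stdlib has no asymmetric primitives)."""

    def __init__(self, chip_secret: bytes, max_age: float = 300.0):
        self._chip_secret = chip_secret   # assumption: secret held only by the first chip
        self._db: dict = {}               # first database: identity -> IdentityRecord
        self.log: list = []               # first log module
        self.max_age = max_age            # set validity range for third requests (seconds)

    def _chip_encrypt(self, digest: bytes) -> str:
        return hmac.new(self._chip_secret, digest, hashlib.sha256).hexdigest()

    def handle_first_request(self, first_info: dict, now: float) -> str:
        # Second information: hash of the first information in a fixed field order.
        canon = "|".join(f"{k}={first_info[k]}" for k in sorted(first_info)).encode()
        digest = hashlib.sha256(canon).digest()
        identity = self._chip_encrypt(digest)
        if identity in self._db:  # only hand out an identity not already stored
            raise ValueError("identity already present in first database")
        self._db[identity] = IdentityRecord(dict(first_info), digest.hex(), now)
        self.log.append(("generate", identity))
        return identity

    def handle_reaccess(self, identity: str) -> bool:
        # Re-attachment is allowed only while the terminal is still bound.
        return identity in self._db and self._db[identity].valid

    def unbind(self, identity: str) -> None:
        self._db[identity].valid = self._db[identity].attached = False
        self.log.append(("invalidate", identity))

    def handle_third_request(self, first_id: str, second_id: str, req_time: float, now: float) -> bool:
        rec = self._db.get(first_id)
        ok = (rec is not None and rec.valid and rec.attached and hmac.compare_digest(first_id, second_id)
              and 0 <= now - req_time <= self.max_age)   # third request still within the set range
        self.log.append(("authenticate", first_id, ok))
        return ok
```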
It should be noted that the specific processing of the first processor 802 and the first communication interface 801 can be understood with reference to the above method.
Of course, in actual application, the components of the first network device 800 are coupled together by a bus system 804. It can be understood that the bus system 804 is used to implement connection and communication between these components. In addition to a data bus, the bus system 804 includes a power bus, a control bus and a status signal bus. For clarity, however, all of the buses are labelled as the bus system 804 in FIG. 8.
The first memory 803 in the embodiments of the present application is used to store various types of data to support the operation of the first network device 800. Examples of such data include any computer program for operating on the first network device 800.
The methods disclosed in the above embodiments of the present application may be applied to, or implemented by, the first processor 802. The first processor 802 may be an integrated circuit chip with signal processing capability. In implementation, each step of the above method may be completed by integrated logic circuits of hardware in the first processor 802 or by instructions in the form of software. The first processor 802 may be a general-purpose processor, a digital signal processor (DSP), another programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, or the like. The first processor 802 may implement or execute the methods, steps and logic block diagrams disclosed in the embodiments of the present application. The general-purpose processor may be a microprocessor or any conventional processor. The steps of the methods disclosed in the embodiments of the present application may be directly executed by a hardware decoding processor, or by a combination of hardware and software modules in a decoding processor. The software module may reside in a storage medium located in the first memory 803; the first processor 802 reads the information in the first memory 803 and completes the steps of the above method in combination with its hardware.
In an exemplary embodiment, the first network device 800 may be implemented by one or more application specific integrated circuits (ASIC), DSPs, programmable logic devices (PLD), complex programmable logic devices (CPLD), field-programmable gate arrays (FPGA), general-purpose processors, controllers, micro controller units (MCU), microprocessors, or other electronic components, for executing the above method.
It can be understood that the first memory 803 in the embodiments of the present application may be volatile memory or non-volatile memory, or may include both volatile and non-volatile memory. The non-volatile memory may be read only memory (ROM), programmable read-only memory (PROM), erasable programmable read-only memory (EPROM), electrically erasable programmable read-only memory (EEPROM), ferromagnetic random access memory (FRAM), flash memory, magnetic surface memory, optical disc, or compact disc read-only memory (CD-ROM); the magnetic surface memory may be disk memory or tape memory. The volatile memory may be random access memory (RAM), which serves as an external cache. By way of example but not limitation, many forms of RAM are available, such as static random access memory (SRAM), synchronous static random access memory (SSRAM), dynamic random access memory (DRAM), synchronous dynamic random access memory (SDRAM), double data rate synchronous dynamic random access memory (DDRSDRAM), enhanced synchronous dynamic random access memory (ESDRAM), SyncLink dynamic random access memory (SLDRAM) and direct Rambus random access memory (DRRAM). The memory described in the embodiments of the present application is intended to include, but is not limited to, these and any other suitable types of memory.
In an exemplary embodiment, an embodiment of the present application further provides a storage medium, namely a computer storage medium, specifically a computer-readable storage medium, for example including the first memory 803 storing a computer program, where the computer program can be executed by the first processor 802 of the first network device 800 to complete the steps of the above method. The computer-readable storage medium may be a memory such as FRAM, ROM, PROM, EPROM, EEPROM, Flash Memory, magnetic surface memory, optical disc, or CD-ROM.
It should be noted that "first", "second", etc. are used to distinguish similar objects and are not necessarily used to describe a specific order or sequence.
The term "and/or" herein merely describes an association between associated objects and indicates that three relationships may exist; for example, "A and/or B" may mean: A exists alone, A and B exist together, or B exists alone. In addition, the term "at least one" herein means any one of a plurality or any combination of at least two of a plurality; for example, "including at least one of A, B and C" may mean including any one or more elements selected from the set consisting of A, B and C.
In addition, the technical solutions described in the embodiments of the present application may be combined arbitrarily provided there is no conflict.
The above descriptions are only preferred embodiments of the present application and are not intended to limit the protection scope of the present application.
Claims (15)
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202111152658.0A CN115884169A (en) | 2021-09-29 | 2021-09-29 | Processing method, device, network equipment and storage medium of identity mark |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202111152658.0A CN115884169A (en) | 2021-09-29 | 2021-09-29 | Processing method, device, network equipment and storage medium of identity mark |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN115884169A true CN115884169A (en) | 2023-03-31 |
Family
ID=85756215
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202111152658.0A Pending CN115884169A (en) | 2021-09-29 | 2021-09-29 | Processing method, device, network equipment and storage medium of identity mark |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN115884169A (en) |
Cited By (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN116346783A (en) * | 2023-04-17 | 2023-06-27 | 中国长江三峡集团有限公司 | Device network configuration method, configuration device, terminal device and storage medium |
Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN106453246A (en) * | 2016-08-30 | 2017-02-22 | 北京小米移动软件有限公司 | Equipment identity information distribution method, device and system |
| CN106960148A (en) * | 2016-01-12 | 2017-07-18 | 阿里巴巴集团控股有限公司 | The distribution method and device of a kind of device identification |
| US20170257341A1 (en) * | 2014-10-03 | 2017-09-07 | Telefonaktiebolaget Lm Ericsson (Publ) | Dynamic generation of unique identifiers in a system of connected things |
| CN112788042A (en) * | 2021-01-18 | 2021-05-11 | 亚信科技(成都)有限公司 | Method for determining equipment identifier of Internet of things and Internet of things equipment |
- 2021-09-29 CN CN202111152658.0A patent/CN115884169A/en active Pending
Patent Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20170257341A1 (en) * | 2014-10-03 | 2017-09-07 | Telefonaktiebolaget Lm Ericsson (Publ) | Dynamic generation of unique identifiers in a system of connected things |
| CN106960148A (en) * | 2016-01-12 | 2017-07-18 | 阿里巴巴集团控股有限公司 | The distribution method and device of a kind of device identification |
| US20180324170A1 (en) * | 2016-01-12 | 2018-11-08 | Alibaba Group Holding Limited | Method and apparatus for allocating device identifiers |
| CN106453246A (en) * | 2016-08-30 | 2017-02-22 | 北京小米移动软件有限公司 | Equipment identity information distribution method, device and system |
| CN112788042A (en) * | 2021-01-18 | 2021-05-11 | 亚信科技(成都)有限公司 | Method for determining equipment identifier of Internet of things and Internet of things equipment |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN108055274B (en) | A method and system for encrypting and sharing data based on consortium chain storage | |
| TWI776404B (en) | Method of authenticating biological payment device, apparatus, electronic device, and computer-readable medium | |
| CN112003832A (en) | Block chain-based Internet of things data privacy protection method | |
| CN107846396B (en) | Memory system and binding method between it and the host | |
| CN112202715A (en) | System, method and device for credible interaction between Internet of things and block chain | |
| CN110175467A (en) | Signature file store method, device and computer equipment based on block chain | |
| CN103326859B (en) | System and method for safety certification based on catalog | |
| CN112653553B (en) | Internet of things equipment identity management system | |
| CN114338091B (en) | Data transmission method, device, electronic device and storage medium | |
| US20240380616A1 (en) | Secure root-of-trust enrolment and identity management of embedded devices | |
| CN114039753B (en) | Access control method and device, storage medium and electronic equipment | |
| CN116015856A (en) | Data transfer method and device based on blockchain digital identity | |
| CN113872990B (en) | VPN network certificate authentication method and device based on SSL protocol and computer equipment | |
| CN111600903A (en) | Communication method, system, equipment and readable storage medium | |
| WO2020119477A1 (en) | Identity authentication method employing blockchain, and terminal apparatus | |
| CN115884169A (en) | Processing method, device, network equipment and storage medium of identity mark | |
| CN115001707A (en) | Blockchain-based device authentication method and related devices | |
| CN114024678B (en) | Information processing method, system and related device | |
| JP7581553B2 (en) | Device authentication with seal and verification | |
| CN114329511A (en) | Virtual machine encryption method, system, equipment and medium based on identity authentication | |
| CN114979071B (en) | Dynamic domain name configuration method, device, electronic equipment and storage medium | |
| US20240195641A1 (en) | Interim root-of-trust enrolment and device-bound public key registration | |
| CN116166409A (en) | Resource creation method and device, electronic equipment and storage medium | |
| CN115617766A (en) | Data transaction method and device, electronic equipment and storage medium | |
| CN118803755A (en) | Trusted connection networking method, network device, terminal device and storage medium |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||