CN105516948A - Device control method and device control unit - Google Patents

Publication number
CN105516948A
Authority
CN
China
Prior art keywords
server
subscriber equipment
control command
equipment
request
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201410505941.0A
Other languages
Chinese (zh)
Other versions
CN105516948B (en)
Inventor
黄晓生
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd
Application filed by Huawei Technologies Co Ltd
Priority to CN201410505941.0A
Publication of CN105516948A
Application granted
Publication of CN105516948B
Legal status: Active

Landscapes

  • Telephonic Communication Services (AREA)
  • Mobile Radio Communication Systems (AREA)
  • Testing And Monitoring For Control Systems (AREA)

Abstract

The invention discloses a device control method and a device control unit. In the method, a first server receives a device control request sent by a client, the device control request including the device identifier of a user device that needs to be retrieved; the first server generates, according to the device control request, a control command instructing the user device to carry out a device retrieval operation; the first server sends to the user device the control command signed with a first private key corresponding to the device identifier, so that the user device verifies the signature of the control command with a preset first public key and executes the control command when verification succeeds; the first server receives the execution result of the control command from the user device and returns the execution result to the client. The device can thus be effectively controlled when it is lost, which facilitates retrieval of the lost device.

Description

A device control method and device control unit
Technical field
The present invention relates to the field of communication technology, and in particular to a device control method and device control unit.
Background
With the rapid development of Internet technology, smart terminals such as mobile phones can perform more and more functions: users browse web pages, send and receive e-mail, shop online, or link bank cards through a mobile wallet or mobile banking, and the mobile phone has become an indispensable part of people's lives. At the same time, as users use these functions, more and more private data is stored on the phone; if the phone is lost, this may cause considerable economic loss, so retrieving a phone when it is lost has become critical.
Current phone retrieval systems need to authenticate the identity of the current user when retrieving a phone. Authentication relies only on the account and password: as long as the account and password are accepted, the user's identity is considered legitimate, and the related remote control functions, such as remote locating and remote data wiping, can be performed on the phone. However, authenticating the legitimate user through account binding fails easily. For example, after an account logout, an account change or a phone upgrade, the original binding relationship becomes invalid: as long as the person holding the phone logs out of the account or logs in with a new account, and the new account is thereby bound to the phone on the server, the phone retrieval system regards this user as the legitimate owner of the phone, and the original owner can no longer control it.
Summary of the invention
The technical problem to be solved by the embodiments of the present invention is to provide a device control method and device control unit that can effectively control a device when it is lost.
In a first aspect, an embodiment of the present invention provides a device control method, comprising:
A first server receives a device control request sent by a client, the device control request including the device identifier of the user device that needs to be retrieved;
The first server generates, according to the device control request, a control command instructing the user device to carry out a device retrieval operation;
The first server sends to the user device the control command signed with a first private key corresponding to the device identifier, so that the user device verifies the signature of the control command with a preset first public key and executes the control command when verification succeeds, the first public key being stored in a data-persistent secure storage area of the user device;
The first server receives the execution result of the control command from the user device and returns the execution result to the client.
With reference to the first aspect, in a first possible implementation, the device control request further includes a digital signature obtained by signing the request packet corresponding to the device control request with a second private key stored in an external storage device; before the first server generates, according to the device control request, the control command instructing the user device to carry out the device retrieval operation, the method further comprises:
The first server sends the device control request to a second server, so that the second server looks up a second public key corresponding to the device identifier and verifies the digital signature with the second public key;
If a verification success message returned by the second server in response to the device control request is received, the first server performs the step of generating, according to the device control request, the control command instructing the user device to carry out the device retrieval operation.
With reference to the first aspect, or the first possible implementation of the first aspect, in a second possible implementation, after the first server generates, according to the device control request, the control command instructing the user device to carry out the device retrieval operation, and before the first server sends the signed control command to the user device, the method further comprises:
The first server sends the control command to the second server, so that the second server looks up the first private key corresponding to the device identifier and signs the control command with the first private key;
The first server receives the signed control command returned by the second server.
With reference to the first aspect, in a third possible implementation, before the first server receives the device control request sent by the client, the method further comprises:
The first server receives a device registration request sent by the user device and carrying device information of the user device, the device information including the push token corresponding to the user device, the device identifier, and a digital signature obtained by signing the request packet corresponding to the device registration request with the first public key stored by the user device;
When the verification result of the digital signature is success, the first server stores the push token and the device identifier;
The first server sending to the user device the control command signed with the first private key corresponding to the device identifier comprises:
The first server sends the signed control command and the push token to a message push gateway, so that the message push gateway delivers the signed control command to the user device according to the push token.
With reference to the third possible implementation of the first aspect, in a fourth possible implementation, after the first server receives the device registration request sent by the user device and carrying the device information of the user device, the method further comprises:
The first server sends the device registration request to the second server, so that the second server verifies the digital signature with the stored first private key corresponding to the device identifier;
The first server receives the result of the signature verification returned by the second server.
In a second aspect, an embodiment of the present invention further provides another device control method, applied in a user device in which a device identifier and a public key are preset, the device identifier and the public key being stored in a data-persistent secure storage area of the user device, the method comprising:
The user device receives a control command sent by a server, the control command having been signed with a pre-configured private key;
The user device obtains the public key from its local secure storage area and verifies the signature of the control command with the public key;
If signature verification succeeds, the user device executes the control command and returns the execution result of the control command to the server.
With reference to the second aspect, in a first possible implementation, before the user device receives the control command sent by the server, the method further comprises:
The user device sends a token request to a message push gateway, so that the message push gateway allocates a push token to the user device according to the token request, the push token being an addressing identifier that directs the message push gateway in pushing messages;
If the push token issued by the message push gateway in response to the token request is received, the user device sends to the server a device registration request carrying device information of the user device, the device information including the push token, the device identifier, and a digital signature produced by signing the request packet corresponding to the device registration request with the public key, so that the server stores the push token and the device identifier when it successfully verifies the digital signature with the pre-configured private key.
In a third aspect, an embodiment of the present invention further provides a device control unit, arranged in a first server, comprising:
A first receiving module, configured to receive a device control request sent by a client, the device control request including the device identifier of the user device that needs to be retrieved;
A generation module, configured to generate, according to the device control request received by the first receiving module, a control command instructing the user device to carry out a device retrieval operation;
A first sending module, configured to send to the user device the control command signed with a first private key corresponding to the device identifier, so that the user device verifies the signature of the control command with a preset first public key and executes the control command when verification succeeds, the first public key being stored in a data-persistent secure storage area of the user device;
A processing module, configured to receive the execution result of the control command from the user device and return the execution result to the client.
With reference to the third aspect, in a first possible implementation, the device control request further includes a digital signature obtained by signing the request packet corresponding to the device control request with a second private key stored in an external storage device; the unit further comprises:
A second sending module, configured to send the device control request to a second server, so that the second server looks up a second public key corresponding to the device identifier and verifies the digital signature with the second public key;
A notification module, configured to, on receiving the verification success message returned by the second server in response to the device control request, notify the generation module to generate, according to the device control request, the control command instructing the user device to carry out the device retrieval operation.
With reference to the third aspect, or the first possible implementation of the third aspect, in a second possible implementation, the unit further comprises:
A third sending module, configured to send the control command generated by the generation module to the second server, so that the second server looks up the first private key corresponding to the device identifier and signs the control command with the first private key;
A second receiving module, configured to receive the signed control command returned by the second server.
With reference to the third aspect, in a third possible implementation, the unit further comprises:
A third receiving module, configured to receive a device registration request sent by the user device and carrying device information of the user device, the device information including the push token corresponding to the user device, the device identifier, and a digital signature obtained by signing the request packet corresponding to the device registration request with the first public key stored by the user device;
An information storage module, configured to store the push token and the device identifier when the verification result of the digital signature is success;
The first sending module is specifically configured to:
Send the signed control command and the push token to a message push gateway, so that the message push gateway delivers the signed control command to the user device according to the push token.
With reference to the third possible implementation of the third aspect, in a fourth possible implementation, the unit further comprises:
A fourth sending module, configured to send the device registration request to the second server, so that the second server verifies the digital signature with the stored first private key corresponding to the device identifier;
A third receiving module, configured to receive the result of the signature verification returned by the second server.
In a fourth aspect, an embodiment of the present invention further provides another device control unit, arranged in a user device in which a device identifier and a public key are preset, the device identifier and the public key being stored in a data-persistent secure storage area, comprising:
A command receiving module, configured to receive a control command sent by a server, the control command having been signed with a pre-configured private key;
An acquisition module, configured to obtain the public key from the local secure storage area and verify, with the public key, the signature of the control command received by the command receiving module;
An execution module, configured to execute the control command when signature verification succeeds and return the execution result of the control command to the server.
With reference to the fourth aspect, in a first possible implementation, the unit further comprises:
A first request sending module, configured to send a token request to a message push gateway, so that the message push gateway allocates a push token to the user device according to the token request, the push token being an addressing identifier that directs the message push gateway in pushing messages;
A second request sending module, configured to, on receiving the push token issued by the message push gateway in response to the token request, send to the server a device registration request carrying device information of the user device, the device information including the push token, the device identifier, and a digital signature produced by signing the request packet corresponding to the device registration request with the public key, so that the server stores the push token and the device identifier when it successfully verifies the digital signature with the pre-configured private key.
In the embodiments of the present invention, a corresponding control command can be generated when a device control request sent by a client is received, and the control command, signed with the private key corresponding to the user device that needs to be retrieved, is sent to that user device, so that the user device verifies the signature of the control command with the public key stored in its secure storage area and executes the control command when verification succeeds. The device can thus be effectively controlled when it is lost.
Brief description of the drawings
To describe the technical solutions in the embodiments of the present invention or in the prior art more clearly, the accompanying drawings needed for describing the embodiments or the prior art are briefly introduced below. Apparently, the accompanying drawings in the following description show only some embodiments of the present invention, and a person of ordinary skill in the art may derive other drawings from them without creative effort.
Fig. 1 is a schematic flowchart of a device control method provided by an embodiment of the present invention;
Fig. 2 is a schematic flowchart of another device control method provided by an embodiment of the present invention;
Fig. 3 is an interaction diagram of a method for configuring device information provided by an embodiment of the present invention;
Fig. 4 is an interaction diagram of a user device registration method provided by an embodiment of the present invention;
Fig. 5 is an interaction diagram of a device control method provided by an embodiment of the present invention;
Fig. 6 is a schematic structural diagram of a device control unit provided by an embodiment of the present invention;
Fig. 7 is a schematic structural diagram of another device control unit provided by an embodiment of the present invention;
Fig. 8 is a schematic structural diagram of yet another device control unit provided by an embodiment of the present invention;
Fig. 9 is a schematic structural diagram of a server provided by an embodiment of the present invention;
Fig. 10 is a schematic structural diagram of a user device provided by an embodiment of the present invention.
Detailed description of the embodiments
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the accompanying drawings in the embodiments of the present invention. Obviously, the described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments of the present invention without creative effort fall within the protection scope of the present invention.
Refer to Fig. 1, a schematic flowchart of a device control method provided by an embodiment of the present invention. The method may be implemented in a first server that instructs a user device to carry out a device retrieval operation. Specifically, the method comprises:
S101: The first server receives a device control request sent by a client, the device control request including the device identifier of the user device that needs to be retrieved.
Specifically, the device control request may be a locating request, a wipe request, a screen-lock request, an alarm request or the like for the user device that needs to be retrieved, such as a mobile phone.
S102: The first server generates, according to the device control request, a control command instructing the user device to carry out a device retrieval operation.
In a specific embodiment, the device control request further includes a digital signature obtained by signing the request packet corresponding to the device control request with a second private key stored in an external storage device; specifically, the external storage device may be a U-shield (U-KEY). The device retrieval operation may be remote locating, remote wiping, screen locking or alarming; correspondingly, the control command may be a locating command, a wipe command, a screen-lock command or an alarm command, which is not limited in the embodiments of the present invention.
Further, before step S102 is performed, the first server may send the device control request to a second server, so that the second server looks up a second public key corresponding to the device identifier and verifies the digital signature with the second public key. When it receives the verification success message returned by the second server in response to the device control request, the first server may perform step S102.
S103: The first server sends to the user device the control command signed with the first private key corresponding to the device identifier, so that the user device verifies the signature of the control command with the preset first public key and executes the control command when verification succeeds.
Further, after step S102 is performed and before step S103 is performed, the first server sends the generated control command to the second server, so that the second server looks up the first private key corresponding to the device identifier and signs the control command with the first private key; the first server then receives the signed control command returned by the second server.
It should be noted that the second server may specifically be an authentication server, such as an AUTH server, which stores the device identifier of the user device and its corresponding key pairs (including the above first private key and second public key).
Specifically, the user device is provided with an independent secure storage area, and the data stored in this secure storage area is not lost after the user device undergoes operations such as a factory reset or reflashing. This data-persistent secure storage area stores the public key (the first public key) corresponding to the user device and the device identifier.
S104: The first server receives the execution result of the control command from the user device and returns the execution result to the client.
In a specific embodiment, before the first server receives the device control request that the client sends for the user device to be retrieved, the user device must also be registered with the first server. Specifically, the first server may receive a device registration request sent by the user device and carrying device information of the user device, the device information including the push token corresponding to the user device, the device identifier, and a digital signature obtained by signing the request packet corresponding to the device registration request with the first public key stored by the user device; when the verification result of the digital signature is success, the first server may store the push token and the device identifier, thereby recording the device information.
Specifically, after the first server receives the device registration request sent by the user device and carrying the device information of the user device, the first server may send the device registration request to the second server, so that the second server verifies the digital signature with the stored first private key corresponding to the device identifier; the first server receives the result of the signature verification returned by the second server. If the first server receives a verification success message, it stores the push token and the device identifier.
When the first server sends to the user device the control command signed with the first private key corresponding to the device identifier, it may send the signed control command and the push token to the message push gateway PushGW, so that PushGW delivers the signed control command to the user device according to the push token.
By implementing the embodiments of the present invention, a corresponding control command can be generated when a device control request sent by a client is received, and the control command, signed with the private key corresponding to the user device that needs to be retrieved, is sent to that user device, so that the user device verifies the signature of the control command with the public key stored in its secure storage area and executes the control command when verification succeeds. The device can thus be effectively controlled when it is lost.
Refer to Fig. 2, a schematic flowchart of another device control method provided by an embodiment of the present invention. The method may be implemented in a user device such as a mobile phone or tablet computer. Specifically, the method comprises:
S201: The user device receives a control command sent by a server, the control command having been signed with a pre-configured private key.
In a specific embodiment, the server may send the signed control command and the push token corresponding to the user device to the message push gateway PushGW. PushGW pushes the signed control command to the corresponding user device according to the push token, so that the user device receives the control command. For the server, refer to the description of the first server in the embodiment corresponding to Fig. 1; for the pre-configured private key, refer to the description of the first private key in the above embodiment. The control command may be a locating command, a wipe command, a screen-lock command or an alarm command, which is not limited in the embodiments of the present invention.
S202: The user device obtains the public key from its local secure storage area and verifies the signature of the control command with the public key.
It should be noted that a device identifier and a public key are preset in the user device, and are stored in the data-persistent secure storage area of the user device. For the public key, refer to the description of the first public key in the above embodiment.
S203: If signature verification succeeds, the user device executes the control command and returns the execution result of the control command to the server.
Further, before receiving control commands sent by the server, the user equipment also needs to register with the server. Specifically, the user equipment sends a token request to the message push gateway, so that the message push gateway allocates a push token to the user equipment according to the token request. The push token is the addressing identifier that the message push gateway uses for message push (when the server pushes a message through the message push gateway, it must carry the push token, and the message push gateway pushes the control command to the corresponding user equipment according to the push token). The user equipment receives the push token that the message push gateway issues in response to the token request.
After receiving the push token issued by the message push gateway in response to the token request, the user equipment can send to the server a device registration request carrying the device information of the user equipment. The device information includes the push token, the device identification, and a digital signature obtained by signing the request packet corresponding to the device registration request with the public key (i.e., the first public key), so that the server stores the push token and the device identification when the digital signature is successfully verified with the pre-configured private key (i.e., the first private key). Specifically, after receiving the device registration request sent by the user equipment, the server (i.e., the first server) can ask the second server to verify the digital signature and receive the verification result returned by the second server. When the verification result is a verification success message, the server can store the device information of the user equipment, namely the push token and the device identification.
By implementing this embodiment of the present invention, when the user equipment receives a control command carrying a digital signature issued by the server, it verifies the signature of the control command with the key stored in the persistent secure storage area of the local device and executes the control command when verification succeeds, thereby effectively achieving control of lost user equipment.
Fig. 3 is an interaction diagram of a method for configuring device information provided by an embodiment of the present invention. Specifically, the method includes:
S301: The production equipment computer applies to the server for a key pair.
Specifically, the production equipment computer is a workstation on the production line used for factory pre-installation of devices. It cooperates with the user equipment to complete data initialization, program installation and so on before the device leaves the factory, including obtaining the key pair and device identification for the user equipment and writing them into the user equipment. The server may be the second server, i.e., an authentication server such as an AUTH server (AUTH for short); for details, refer to the description of the second server in the embodiments corresponding to Fig. 1 and Fig. 2.
S302: The server generates a key pair (comprising a public key and a private key) and the corresponding device identification.
S303: The server returns the key pair and the device identification.
In a specific embodiment, after receiving the request in which the production equipment computer applies for a key pair, AUTH uses the RSA public-key encryption algorithm to generate a 2048-bit key pair (comprising a public key and a private key) and the corresponding device identification, i.e., the device ID, and returns the key pair and the device ID to the production equipment computer. AUTH also stores the key pair and the device ID. When the user equipment registers or performs a device retrieval operation, this ID is the unique identifier of the user equipment.
S304: The production equipment computer instructs the user equipment to update the key.
S305: The user equipment verifies whether the identity of the production equipment computer is legitimate and, when verification succeeds, writes the public key and the device identification.
In a specific embodiment, after receiving the public key, private key and device identification returned by AUTH, the production equipment computer can call device code to request that the public key be written into the corresponding user equipment. Specifically, the production equipment computer can call the key update interface to request an update of the public key corresponding to the user equipment, and the user equipment needs to verify the legitimacy of the identity of the production equipment computer. If identity verification fails, the key update procedure ends; if it succeeds, the device ID and the public key (which serves as the first public key) are written into the secure storage area of the user equipment. The way the user equipment verifies the legitimacy of the identity of the production equipment computer is similar to the prior art and is not described again here.
S306: The user equipment returns the key update data to the production equipment computer.
S307: The production equipment computer determines whether the key update of the user equipment succeeded; if so, it writes the device identification and the private key into the U-KEY.
After writing the device ID and the public key, the user equipment reads back the written public key and device ID, randomly generates a challenge word (challenge), encrypts the challenge and the device ID with the public key, and returns key update data comprising the challenge and the encrypted ciphertext to the production equipment computer. The production equipment computer decrypts the ciphertext with the private key and compares the decrypted data with the plaintext challenge and the device ID. If they match, the key update of the user equipment succeeded; if they do not match, the update failed and must be performed again. After determining that the key update of the user equipment succeeded, the production equipment computer can write the device ID and the private key into an external storage device such as a U-KEY; the private key stored in the U-KEY serves as the second private key.
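The key-update check of S306 and S307, as an added example that is not part of the patent text. It assumes Node.js, RSA-OAEP with SHA-256 as the padding (the page does not name one), and a constructed device ID format; all function names are hypothetical.

```javascript
const crypto = require('crypto');

// AUTH (second server), S302: generate a 2048-bit RSA key pair and a device ID.
// The 8-byte hex ID format is constructed for this example.
function issueKeyPair() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  return { deviceId: crypto.randomBytes(8).toString('hex'), publicKey, privateKey };
}

// Assumed padding: the page only says "encrypted with the public key".
const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

// User equipment, S306: read back what was written to secure storage, pick a
// random challenge, and encrypt challenge + device ID with the stored public key.
function deviceKeyUpdateData(secureStorage) {
  const challenge = crypto.randomBytes(16);
  const plaintext = Buffer.concat([challenge, Buffer.from(secureStorage.deviceId, 'utf8')]);
  const ciphertext = crypto.publicEncrypt({ key: secureStorage.publicKey, ...OAEP }, plaintext);
  return { challenge, ciphertext };
}

// Production equipment computer, S307: decrypt with the private key and compare
// with the plaintext challenge and the device ID it asked the device to write.
function keyUpdateSucceeded(privateKey, expectedDeviceId, updateData) {
  let decrypted;
  try {
    decrypted = crypto.privateDecrypt({ key: privateKey, ...OAEP }, updateData.ciphertext);
  } catch (err) {
    return false; // ciphertext was not produced with the matching public key
  }
  const expected = Buffer.concat([updateData.challenge, Buffer.from(expectedDeviceId, 'utf8')]);
  return decrypted.length === expected.length && crypto.timingSafeEqual(decrypted, expected);
}

// Three constructed cases: a correct write, a device holding the wrong public
// key, and a device holding the right key but the wrong device ID.
function demoKeyUpdate() {
  const issued = issueKeyPair();
  const other = issueKeyPair();
  const good = deviceKeyUpdateData({ deviceId: issued.deviceId, publicKey: issued.publicKey });
  const wrongKey = deviceKeyUpdateData({ deviceId: issued.deviceId, publicKey: other.publicKey });
  const wrongId = deviceKeyUpdateData({ deviceId: other.deviceId, publicKey: issued.publicKey });
  return {
    correctWrite: keyUpdateSucceeded(issued.privateKey, issued.deviceId, good),
    wrongKeyWritten: keyUpdateSucceeded(issued.privateKey, issued.deviceId, wrongKey),
    wrongIdWritten: keyUpdateSucceeded(issued.privateKey, issued.deviceId, wrongId),
  };
}
```

Only the first case should lead to the private key being written to the U-KEY; the other two correspond to the "update failed, perform again" branch.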
Fig. 4 is an interaction diagram of a registration method for user equipment provided by an embodiment of the present invention. Specifically, the method includes:
S401: The user equipment applies for a PushToken.
S402: PushGW returns the PushToken.
In a specific embodiment, the user equipment needs to register in advance with the first server, which is used to instruct the user equipment to perform device retrieval operations. Before sending a registration request to the first server, the user equipment can apply to the message push gateway PushGW for a push token (PushToken). The PushToken serves as the addressing identifier for message push, so that when the first server asks PushGW to push a message, the message can be pushed to the corresponding user equipment according to the PushToken.
S403: The user equipment initiates a registration request, which includes the device ID, the PushToken and a digital signature.
Specifically, if the application for a PushToken fails, the registration procedure ends. If it succeeds, the user equipment sends to the first server a device registration request carrying the device information of the user equipment. The device information includes the PushToken, the device identification (i.e., the device ID), and the digital signature obtained by signing the request packet corresponding to the device registration request with the public key stored in the user equipment (i.e., the first public key). Specifically, the request packet is processed with a preset cryptographic algorithm to obtain a digest, and the digest is then encrypted with the public key stored in the user equipment to obtain the digital signature. The cryptographic algorithm can be the Secure Hash Algorithm SHA256, the Message-Digest Algorithm MD5, or the like; the embodiment of the present invention is not limited in this respect.
S404: The first server requests signature verification.
S405: The second server obtains the private key corresponding to the device ID and performs signature verification.
S406: The second server returns the verification result.
After receiving the device registration request, the first server can ask the second server to verify the legitimacy of the digital signature. Specifically, the first server can send the device ID, the digest (i.e., the digest obtained by processing the request packet with the preset cryptographic algorithm) and the digital signature to the second server. The second server looks up the private key corresponding to the device ID (i.e., the first private key) and verifies the digital signature with it: it decrypts the digital signature with the private key and compares the resulting string with the digest. If the two match, signature verification succeeded; if they do not match, verification failed. The second server returns the signature verification result to the first server.
S407: If verification succeeds, the first server writes the device ID and the PushToken.
S408: The first server returns the registration result.
If the signature verification result returned by the second server is success, the first server writes the device ID and the PushToken, that is, stores the device information of the user equipment, and notifies the user equipment that registration succeeded.
Fig. 5 is an interaction diagram of a device control method provided by an embodiment of the present invention. Specifically, the method includes:
S501: The user logs in to the client and inserts the U-KEY.
In a specific embodiment, the user can log in to the client, that is, open the corresponding portal interface, which is associated with the operation page for device retrieval.
S502: A device control request is sent; the request includes the device ID and a digital signature.
After logging in to the client and inserting an external storage device such as a U-KEY, the user can select the device retrieval operation to be performed, and the client sends the device control request corresponding to that operation. The request includes the device ID and a digital signature (the digital signature is obtained by processing the request packet corresponding to the device control request with a preset cryptographic algorithm to obtain a digest, and then encrypting the digest with the private key in the U-KEY, i.e., the second private key). Specifically, the device control request can be a positioning request, an erase request, a screen lock request, an alert request or the like for the user equipment to be retrieved, such as a mobile phone.
S503: Signature verification is requested.
S504: The public key corresponding to the device ID is looked up and the signature is verified.
S505: The verification result is returned.
After receiving the device control request sent by the client, the first server can ask the second server to verify the digital signature. Specifically, the first server can send the device ID, the digest (i.e., the digest obtained by processing the request packet with the preset cryptographic algorithm) and the digital signature to the second server. The second server looks up the public key corresponding to the device ID (the second public key) and verifies the digital signature with it: it decrypts the digital signature with the public key and compares the resulting string with the digest. If the two match, signature verification succeeded; if they do not match, verification failed. The second server returns the signature verification result to the first server.
S506: If verification succeeds, a control command is generated according to the device control request.
If the signature verification result that the first server receives from the second server is failure, the device retrieval operation ends. If the returned result is success, the first server can generate, according to the device control request, a control command instructing the user equipment to perform the device retrieval operation. Specifically, the device retrieval operation can be remote positioning, remote erase, screen lock or alert; correspondingly, the control command can be a positioning command, an erase command, a screen lock command or an alert command. The embodiment of the present invention is not limited in this respect.
S507: Signing of the control command is requested.
S508: The private key corresponding to the device ID is looked up and the control command is signed.
S509: The signing result is returned.
In a specific embodiment, the first server can send the device ID and the control command to the second server to request that the control command be signed. Specifically, the second server can look up the private key corresponding to the device ID (the first private key), sign the control command with that private key, and return the signed control command to the first server.
S510: The control command is issued through PushGW.
S511: The signature of the control command is verified, and the control command is executed when verification succeeds.
S512: The execution result is returned.
After receiving the signed control command returned by the second server, the first server can send the signed control command and the PushToken to the message push gateway PushGW, which pushes the signed control command to the user equipment corresponding to the PushToken.
After receiving the control command, the user equipment must verify its signature with the public key stored in the secure storage area (the first public key) and executes the control command when verification succeeds. For example, when the control command is a positioning command, the user equipment performs a positioning operation: it can start GPS to locate itself and return the execution result of the positioning operation to the first server, which pushes the execution result to the client.
By implementing this embodiment of the present invention, the client can send to the server a device control request carrying a digital signature produced with the key stored in an external storage device. When the digital signature is verified successfully, a corresponding control command is generated, and the control command, signed with the private key corresponding to the user equipment to be retrieved, is sent to that user equipment. After receiving the control command, the user equipment verifies its signature with the key stored in the secure storage area and executes the control command when verification succeeds, so that the device can be controlled effectively when it is lost.
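Steps S506 to S512 as an added, runnable sketch that is not part of the patent text: the second server signs, PushGW routes by token, and the device verifies against the public key in its secure storage before executing. It assumes Node.js, RSA PKCS#1 v1.5 signatures over SHA-256, and a JSON command encoding; the class names and device IDs are hypothetical, and verification of the client's own request (S503 to S505) is left out.

```javascript
const crypto = require('crypto');

// Command types named on the page: positioning, erase, screen lock, alert.
const ALLOWED = new Set(['locate', 'erase', 'lock', 'alert']);

// Second server (AUTH): keeps the key pair generated for each device ID.
class AuthServer {
  constructor() { this.keyPairs = new Map(); }
  provision(deviceId) {
    const pair = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
    this.keyPairs.set(deviceId, pair);
    return pair.publicKey; // written to the device's secure storage at the factory
  }
  sign(deviceId, commandBytes) { // S508: sign with the first private key
    const pair = this.keyPairs.get(deviceId);
    if (!pair) throw new Error('unknown device ID');
    return crypto.sign('sha256', commandBytes, pair.privateKey);
  }
}

// User equipment: holds the device ID and first public key in secure storage.
class UserEquipment {
  constructor(deviceId, publicKey) { this.secureStorage = { deviceId, publicKey }; }
  handlePush(message) { // S511: verify first, execute only on success
    const valid = crypto.verify('sha256', message.command,
      this.secureStorage.publicKey, message.signature);
    if (!valid) return { executed: false, reason: 'signature verification failed' };
    const command = JSON.parse(message.command.toString('utf8'));
    if (!ALLOWED.has(command.type)) return { executed: false, reason: 'unknown command type' };
    return { executed: true, type: command.type }; // the device action would run here
  }
}

// Message push gateway: routes a message to the device behind a push token.
class PushGateway {
  constructor() { this.routes = new Map(); }
  register(device) {
    const token = crypto.randomBytes(12).toString('hex'); // constructed token format
    this.routes.set(token, device);
    return token;
  }
  push(token, message) {
    const device = this.routes.get(token);
    return device ? device.handlePush(message) : { executed: false, reason: 'unknown push token' };
  }
}

// First server: stores device ID -> PushToken and drives S506 to S512.
class FirstServer {
  constructor(auth, gateway) { this.auth = auth; this.gateway = gateway; this.tokens = new Map(); }
  registerDevice(deviceId, pushToken) { this.tokens.set(deviceId, pushToken); }
  control(deviceId, type) {
    const command = Buffer.from(JSON.stringify({ type }), 'utf8'); // S506
    const signature = this.auth.sign(deviceId, command);           // S507 to S509
    return this.gateway.push(this.tokens.get(deviceId), { command, signature }); // S510 to S512
  }
}

// Constructed scenario: a genuine command, a command altered after signing,
// and a command signed with a different device's private key.
function demoControlFlow() {
  const auth = new AuthServer();
  const gateway = new PushGateway();
  const phone = new UserEquipment('device-A', auth.provision('device-A'));
  auth.provision('device-B');
  const server = new FirstServer(auth, gateway);
  const token = gateway.register(phone);
  server.registerDevice('device-A', token);

  const locate = Buffer.from(JSON.stringify({ type: 'locate' }), 'utf8');
  const erase = Buffer.from(JSON.stringify({ type: 'erase' }), 'utf8');
  return {
    genuine: server.control('device-A', 'locate'),
    altered: gateway.push(token, { command: erase, signature: auth.sign('device-A', locate) }),
    otherKey: gateway.push(token, { command: locate, signature: auth.sign('device-B', locate) }),
  };
}
```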
Fig. 6 is a schematic structural diagram of a device control apparatus provided by an embodiment of the present invention. The apparatus can be arranged in the first server. Specifically, the apparatus includes: a first receiving module 11, a generation module 12, a first sending module 13 and a processing module 14, wherein:
The first receiving module 11 is configured to receive a device control request sent by the client, the device control request including the device identification of the user equipment to be retrieved.
Specifically, the device control request can be a positioning request, an erase request, a screen lock request, an alert request or the like for the user equipment to be retrieved, such as a mobile phone. The device identification is pre-configured and uniquely identifies one user equipment, which is the user equipment to be retrieved.
The generation module 12 is configured to generate, according to the device control request received by the first receiving module 11, a control command instructing the user equipment to perform a device retrieval operation.
After the first receiving module 11 receives the device control request sent by the client, the generation module 12 can generate, according to the device control request, a control command for the user equipment corresponding to the device identification. Specifically, the device retrieval operation can be remote positioning, remote erase, screen lock, alert or the like; correspondingly, the control command can be a positioning command, an erase command, a screen lock command, an alert command or the like. The embodiment of the present invention is not limited in this respect.
The first sending module 13 is configured to send to the user equipment the control command signed with the first private key corresponding to the device identification, so that the user equipment verifies the signature of the control command with the preset first public key and executes the control command when verification succeeds. The first public key is stored in the persistent secure storage area of the user equipment.
It should be noted that the user equipment is provided with an independent secure storage area, and the data stored in this area is not lost after operations such as a factory reset or flashing of the user equipment. The secure storage area stores the public key (the first public key) and the device identification corresponding to the user equipment.
The processing module 14 is configured to receive the execution result of the control command executed by the user equipment and return the execution result to the client.
Specifically, if the control command is a positioning command, for example, the execution result is the location information of the user equipment when the positioning command is executed successfully, or location failure information when execution fails. The processing module 14 receives the location information or location failure information of the user equipment and returns it to the client.
By implementing this embodiment of the present invention, a corresponding control command can be generated when a device control request sent by the client is received, and the control command, signed with the private key corresponding to the user equipment to be retrieved, is sent to that user equipment. The user equipment verifies the signature of the control command with the public key stored in its secure storage area and executes the control command when verification succeeds, so that the device can be controlled effectively when it is lost.
Fig. 7 is a schematic structural diagram of another device control apparatus provided by an embodiment of the present invention. The apparatus includes the first receiving module 11, generation module 12, first sending module 13 and processing module 14 of the device control apparatus described above, which are not described again here. Further, in this embodiment, the device control request also includes a digital signature obtained by signing the request packet corresponding to the device control request with the second private key stored in an external storage device, and the apparatus also includes:
A second sending module 15, configured to send the device control request to the second server, so that the second server looks up the second public key corresponding to the device identification and verifies the digital signature with the second public key.
In a specific embodiment, the device control request received by the first receiving module 11 includes the device identification and a digital signature. The digital signature is obtained by processing the request packet corresponding to the device control request with a preset cryptographic algorithm to obtain a digest, and then encrypting the digest with the private key (the second private key) in an external storage device such as a U-KEY. After the first receiving module 11 receives the device control request sent by the client, the second sending module 15 asks the second server to verify the digital signature. Specifically, the second sending module 15 can send the device identification, the digest (i.e., the digest obtained by processing the request packet with the preset cryptographic algorithm) and the digital signature to the second server, so that the second server looks up the public key corresponding to the device ID (the second public key) and verifies the digital signature with the second public key: it decrypts the digital signature with the second public key and compares the resulting string with the digest. If the two match, signature verification succeeded; if they do not match, verification failed. The second server returns the signature verification result. The cryptographic algorithm can be the Secure Hash Algorithm SHA256, the Message-Digest Algorithm MD5, or the like; the embodiment of the present invention is not limited in this respect.
A notification module 16, configured to notify the generation module 12, upon receiving the verification success message that the second server returns in response to the device control request, to generate according to the device control request a control command instructing the user equipment to perform a device retrieval operation.
When the signature verification result returned by the second server is a verification success message, the device control request is legitimate, and the notification module 16 can notify the generation module 12 to generate, according to the device control request, a control command instructing the user equipment to perform a device retrieval operation.
Further, in this embodiment of the present invention, the apparatus can also include:
A third sending module 17, configured to send the control command generated by the generation module 12 to the second server, so that the second server looks up the first private key corresponding to the device identification and signs the control command with the first private key;
A second receiving module 18, configured to receive the signed control command returned by the second server.
In a specific embodiment, after the generation module 12 generates the control command, the third sending module 17 sends the device identification and the control command to the second server to request that the control command be signed. Specifically, the second server can look up the private key corresponding to the device identification (the first private key), sign the control command with that private key, and return the signed control command to the first server. The second receiving module 18 receives the signed control command returned by the second server.
Further, in this embodiment of the present invention, the apparatus can also include:
A third receiving module 19, configured to receive a device registration request, sent by the user equipment, carrying the device information of the user equipment. The device information includes the push token corresponding to the user equipment, the device identification, and a digital signature obtained by signing the request packet corresponding to the device registration request with the first public key stored in the user equipment;
An information storage module 20, configured to store the push token and the device identification when the verification result for the digital signature is success;
The first sending module 13 can be specifically configured to:
Send the signed control command and the push token to the message push gateway, so that the message push gateway sends the signed control command to the user equipment according to the push token.
Optionally, in this embodiment of the present invention, the apparatus can further include:
A fourth sending module 21, configured to send the device registration request to the second server, so that the second server verifies the digital signature with the stored first private key corresponding to the device identification;
A third receiving module 22, configured to receive the signature verification result returned by the second server.
In a specific embodiment, the user equipment needs to register in advance with the first server, which is used to instruct the user equipment to perform device retrieval operations. When the third receiving module 19 receives a device registration request sent by the user equipment that carries device information such as the push token (PushToken), the device identification, and the digital signature obtained by signing the request packet corresponding to the device registration request with the public key stored in the user equipment (i.e., the first public key), the fourth sending module 21 asks the second server to verify the legitimacy of the digital signature. Specifically, the fourth sending module 21 can send the device registration request to the second server, which looks up the private key corresponding to the device identification (i.e., the first private key), verifies the digital signature with that private key, and returns the signature verification result. The third receiving module 22 receives the verification result returned by the second server, and when the verification result is success, the information storage module 20 stores the PushToken and the device identification.
Further, after the second receiving module 18 receives the signed control command returned by the second server, the first sending module 13 sends the signed control command and the PushToken to PushGW, so that PushGW pushes the signed control command to the user equipment corresponding to the PushToken.
By implementing this embodiment of the present invention, when a device control request carrying a digital signature produced with the key stored in an external storage device is received and the digital signature is verified successfully, a control command instructing the user equipment to be retrieved to perform a device retrieval operation is generated. The control command, signed with the private key corresponding to that user equipment, is sent to the user equipment, which verifies the signature of the control command with the public key stored in its secure storage area and executes the control command when verification succeeds, so that the device can be controlled effectively when it is lost.
Fig. 8 is a schematic structural diagram of yet another device control apparatus provided by an embodiment of the present invention. The apparatus can be arranged in user equipment such as a mobile phone or tablet computer. Specifically, the apparatus includes: a command receiving module 31, an acquisition module 32 and an execution module 33, wherein:
The command receiving module 31 is configured to receive a control command sent by the server, the control command having been signed with a pre-configured private key.
Specifically, for the server, refer to the description of the first server in the embodiments corresponding to Fig. 1 to Fig. 7; for the pre-configured private key, refer to the description of the first private key in the above embodiments. The control command may be a positioning command, an erase command, a screen lock command or an alert command; the embodiment of the present invention is not limited in this respect.
The acquisition module 32 is configured to obtain the public key from the secure storage area of the local device and use the public key to verify the signature of the control command received by the command receiving module 31.
It should be noted that a device identification and a public key are set in the user equipment in advance, and both are stored in the persistent secure storage area of the user equipment. For the public key, refer to the description of the first public key in the embodiments corresponding to Fig. 1 to Fig. 7.
The execution module 33 is configured to execute the control command when signature verification succeeds and return the execution result of the control command to the server.
In a specific embodiment, after the command receiving module 31 receives the control command, the acquisition module 32 must verify its signature with the public key stored in the secure storage area (the first public key), and the execution module 33 executes the control command when verification succeeds. For example, when the control command is a positioning command, a positioning operation is performed: GPS is started to locate the device, and the execution result of the positioning operation is returned to the server (the first server). The execution result is the location information of the user equipment when the positioning command is executed successfully, or location failure information when execution fails, so that the first server pushes the location information or location failure information to the client.
Further, in this embodiment of the present invention, the apparatus may also comprise:
A first request sending module 34, configured to send a token request to a message push gateway, so that the message push gateway allocates a push token to the user equipment according to the token request, the push token being an addressing identifier used to instruct the message push gateway to push messages;
A second request sending module 35, configured to, upon receiving the push token issued by the message push gateway in response to the token request, send to the server a device registration request carrying device information of the user equipment, the device information comprising the push token, the device identifier, and a digital signature obtained by signing the request packet corresponding to the device registration request with the public key, so that the server stores the push token and the device identifier when the digital signature is successfully verified with the pre-configured private key.
In a specific embodiment, the user equipment needs to register in advance with the first server, which is the server used to instruct the user equipment to perform device retrieval operations. Before sending the registration request to the first server, the user equipment applies to the message push gateway (PushGW) for a push token (PushToken) through the first request sending module 34. The PushToken serves as the addressing identifier for message push, so that when the first server asks the PushGW to push a message, the message can be pushed to the corresponding user equipment according to the PushToken.
Specifically, if the application for a PushToken fails, the registration flow ends. If the application succeeds, the second request sending module 35 sends to the first server a device registration request carrying the device information of the user equipment. The device information comprises the PushToken, the device identifier, a digital signature obtained by signing the request packet corresponding to the device registration request with the public key (i.e. the first public key) stored in the secure storage area of the user equipment, and so on. After receiving the device registration request, the first server may ask the second server to verify the legitimacy of the digital signature; the second server looks up the private key (i.e. the first private key) corresponding to the device identifier and verifies the digital signature with that private key. The second server returns the signature verification result to the first server. If the verification result is a verification success message, the first server may store the device information, such as the PushToken and the device identifier.
By implementing this embodiment of the present invention, the user equipment, upon receiving a control command carrying a digital signature from the server, verifies the signature of the control command using the key stored in the persistent secure storage area of the local device, and executes the control command when verification succeeds, thereby effectively achieving control over lost user equipment.
Further, refer to Fig. 9, which is a schematic structural diagram of a server provided by an embodiment of the present invention. The server of this embodiment comprises a receiver 300, a transmitter 400, a memory 200 and a processor 100. The memory 200 may be high-speed RAM, or may be non-volatile memory, for example at least one disk memory. As a computer storage medium, the memory 200 stores the corresponding application programs and the like. The receiver 300, the transmitter 400, the memory 200 and the processor 100 may be connected for data exchange by a bus or by other means; this embodiment is described using a bus connection. Specifically, the server of this embodiment is a server used to instruct user equipment to perform device retrieval operations; for details, refer to the description of the first server in the embodiments corresponding to Fig. 1 through Fig. 8.
The processor 100 performs the following steps:
Receiving a device control request sent by a client, the device control request comprising the device identifier of the user equipment to be retrieved;
Generating, according to the device control request, a control command used to instruct the user equipment to perform a device retrieval operation;
Sending to the user equipment the control command signed with the first private key corresponding to the device identifier, so that the user equipment verifies the signature of the control command using the preset first public key and executes the control command when verification succeeds, the first public key being stored in a secure storage area of the user equipment that has data persistence;
Receiving the execution result of the user equipment executing the control command, and returning the execution result to the client.
Optionally, the device control request further comprises a digital signature obtained by signing the request packet corresponding to the device control request with a second private key stored in an external storage device. Before performing the step of generating, according to the device control request, the control command used to instruct the user equipment to perform a device retrieval operation, the processor 100 is further configured to perform:
Sending the device control request to a second server, so that the second server looks up the second public key corresponding to the device identifier and verifies the digital signature using the second public key;
If a verification success message returned by the second server in response to the device control request is received, performing the step of generating, according to the device control request, the control command used to instruct the user equipment to perform a device retrieval operation.
Optionally, after performing the step of generating, according to the device control request, the control command used to instruct the user equipment to perform a device retrieval operation, and before performing the step of sending the signed control command to the user equipment, the processor 100 further performs the following steps:
Sending the control command to the second server, so that the second server looks up the first private key corresponding to the device identifier and signs the control command with the first private key;
Receiving the signed control command returned by the second server.
Optionally, before performing the step of receiving the device control request sent by the client, the processor 100 further performs the following steps:
Receiving a device registration request that is sent by the user equipment and carries device information of the user equipment, the device information comprising the push token corresponding to the user equipment, the device identifier, and a digital signature obtained by signing the request packet corresponding to the device registration request with the first public key stored by the user equipment;
When the verification result of the digital signature is success, storing the push token and the device identifier;
When performing the step of sending to the user equipment the control command signed with the first private key corresponding to the device identifier, the processor 100 specifically performs:
Sending the signed control command and the push token to the message push gateway, so that the message push gateway sends the signed control command to the user equipment according to the push token.
Optionally, after performing the step of receiving the device registration request that is sent by the user equipment and carries the device information of the user equipment, the processor 100 further performs the following steps:
Sending the device registration request to the second server, so that the second server verifies the digital signature using the stored first private key corresponding to the device identifier;
Receiving the signature verification result returned by the second server.
By implementing this embodiment of the present invention, a corresponding control command can be generated when a device control request sent by a client is received, and the control command, signed with the private key corresponding to the user equipment to be retrieved, is sent to that user equipment, so that the user equipment verifies the signature of the control command using the public key stored in its secure storage area and executes the control command when verification succeeds, thereby effectively achieving control over the device when it is lost.
Further, refer to Fig. 10, which is a schematic structural diagram of user equipment provided by an embodiment of the present invention. The user equipment of this embodiment comprises a receiver 700, a transmitter 800, a memory 600 and a processor 500. The memory 600 may be high-speed RAM, or may be non-volatile memory, for example at least one disk memory. As a computer storage medium, the memory 600 stores the corresponding application programs and the like. The receiver 700, the transmitter 800, the memory 600 and the processor 500 may be connected for data exchange by a bus or by other means; this embodiment is described using a bus connection. Specifically, a device identifier and a public key are preset in the user equipment and are stored in a secure storage area of the user equipment that has data persistence; for the user equipment, refer to the description of the user equipment in the embodiments corresponding to Fig. 1 through Fig. 8.
The processor 500 performs the following steps:
Receiving a control command sent by a server, the control command having been signed with a pre-configured private key;
Obtaining the public key from the secure storage area of the local device, and verifying the signature of the control command using the public key;
If signature verification succeeds, executing the control command and returning the execution result of the control command to the server.
Optionally, before performing the step of receiving the control command sent by the server, the processor 500 further performs the following steps:
Sending a token request to a message push gateway, so that the message push gateway allocates a push token according to the token request, the push token being an addressing identifier used to instruct the message push gateway to push messages;
If the push token issued by the message push gateway in response to the token request is received, sending to the server a device registration request carrying device information, the device information comprising the push token, the device identifier, and a digital signature obtained by signing the request packet corresponding to the device registration request with the public key, so that the server stores the push token and the device identifier when the digital signature is successfully verified with the pre-configured private key.
By implementing this embodiment of the present invention, the user equipment, upon receiving a control command carrying a digital signature from the server, verifies the signature of the control command using the key stored in the persistent secure storage area of the local device, and executes the control command when verification succeeds, thereby effectively achieving control over lost user equipment.
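The signed-command path of the server and user-equipment embodiments above (first server, second server holding the first private key, message push gateway, user equipment holding the preset first public key), as an added Go example that is not part of the patent. Ed25519, the JSON encoding, all type and function names and the constructed values `dev-001` and `tok-001` are assumptions of this example; registration is represented by pre-filled lookup tables.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"fmt"
)

// Command is the control command the first server generates.
type Command struct {
	DeviceID string `json:"device_id"`
	Action   string `json:"action"` // locate, erase, lock or alarm
}

// SignedCommand carries the exact signed bytes together with the signature.
type SignedCommand struct{ Payload, Signature []byte }

// KeyServer plays the second server: first private key per device identifier.
type KeyServer map[string]ed25519.PrivateKey

func (k KeyServer) Sign(deviceID string, payload []byte) ([]byte, error) {
	if priv, ok := k[deviceID]; ok {
		return ed25519.Sign(priv, payload), nil
	}
	return nil, fmt.Errorf("no private key for device %q", deviceID)
}

// Device models the user equipment; its fields stand in for the persistent
// secure storage area holding the preset device identifier and first public key.
type Device struct {
	ID  string
	pub ed25519.PublicKey
}

// Handle verifies the signature first and only then parses and executes.
func (d *Device) Handle(sc SignedCommand) (string, error) {
	if !ed25519.Verify(d.pub, sc.Payload, sc.Signature) {
		return "", fmt.Errorf("signature verification failed")
	}
	var c Command
	if err := json.Unmarshal(sc.Payload, &c); err != nil {
		return "", fmt.Errorf("malformed command: %w", err)
	}
	if c.DeviceID != d.ID { // extra check added in this example
		return "", fmt.Errorf("command addressed to %q", c.DeviceID)
	}
	switch c.Action {
	case "locate", "erase", "lock", "alarm":
		return c.Action + ": executed", nil // execution result for the server
	}
	return "", fmt.Errorf("unsupported action %q", c.Action)
}

// PushGateway delivers by push token, the addressing identifier.
type PushGateway map[string]*Device

func (g PushGateway) Push(token string, sc SignedCommand) (string, error) {
	if dev, ok := g[token]; ok {
		return dev.Handle(sc)
	}
	return "", fmt.Errorf("unknown push token")
}

// FirstServer keeps device identifier -> push token from registration.
type FirstServer struct {
	Keys   KeyServer
	GW     PushGateway
	tokens map[string]string
}

// Control builds the command, has it signed, pushes it, returns the result.
func (s *FirstServer) Control(deviceID, action string) (string, error) {
	token, ok := s.tokens[deviceID]
	if !ok {
		return "", fmt.Errorf("device %q is not registered", deviceID)
	}
	// Marshal cannot fail for a struct of two strings.
	payload, _ := json.Marshal(Command{DeviceID: deviceID, Action: action})
	sig, err := s.Keys.Sign(deviceID, payload)
	if err != nil {
		return "", err
	}
	return s.GW.Push(token, SignedCommand{Payload: payload, Signature: sig})
}

// NewDemo provisions one constructed device, "dev-001" with token "tok-001".
func NewDemo() (*FirstServer, *Device) {
	pub, priv, err := ed25519.GenerateKey(nil) // nil selects crypto/rand
	if err != nil {
		panic(err)
	}
	dev := &Device{ID: "dev-001", pub: pub}
	return &FirstServer{Keys: KeyServer{"dev-001": priv},
		GW: PushGateway{"tok-001": dev}, tokens: map[string]string{"dev-001": "tok-001"}}, dev
}

func main() {
	srv, _ := NewDemo()
	fmt.Println(srv.Control("dev-001", "locate"))
}
```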
A person of ordinary skill in the art will understand that all or part of the flows in the above method embodiments can be completed by a computer program instructing the relevant hardware. The program may be stored in a computer-readable storage medium and, when executed, may include the flows of the embodiments of the above methods. The storage medium may be a magnetic disk, an optical disc, a read-only memory (ROM), a random access memory (RAM), or the like.
The above disclosure is merely a preferred embodiment of the present invention and certainly cannot be used to limit the scope of rights of the present invention; equivalent variations made according to the claims of the present invention therefore still fall within the scope covered by the present invention.

Claims (14)

1. A device control method, characterized by comprising:
A first server receiving a device control request sent by a client, the device control request comprising the device identifier of the user equipment to be retrieved;
The first server generating, according to the device control request, a control command used to instruct the user equipment to perform a device retrieval operation;
The first server sending to the user equipment the control command signed with the first private key corresponding to the device identifier, so that the user equipment verifies the signature of the control command using the preset first public key and executes the control command when verification succeeds, the first public key being stored in a secure storage area of the user equipment that has data persistence;
The first server receiving the execution result of the user equipment executing the control command, and returning the execution result to the client.
2. The method according to claim 1, characterized in that the device control request further comprises a digital signature obtained by signing the request packet corresponding to the device control request with a second private key stored in an external storage device; before the first server generates, according to the device control request, the control command used to instruct the user equipment to perform a device retrieval operation, the method further comprises:
The first server sending the device control request to a second server, so that the second server looks up the second public key corresponding to the device identifier and verifies the digital signature using the second public key;
If a verification success message returned by the second server in response to the device control request is received, the first server performing the step of generating, according to the device control request, the control command used to instruct the user equipment to perform a device retrieval operation.
3. The method according to claim 1 or 2, characterized in that, after the first server generates, according to the device control request, the control command used to instruct the user equipment to perform a device retrieval operation, and before the first server sends the signed control command to the user equipment, the method further comprises:
The first server sending the control command to a second server, so that the second server looks up the first private key corresponding to the device identifier and signs the control command with the first private key;
Receiving the signed control command returned by the second server.
4. The method according to claim 1, characterized in that, before the first server receives the device control request sent by the client, the method further comprises:
The first server receiving a device registration request that is sent by the user equipment and carries device information of the user equipment, the device information comprising the push token corresponding to the user equipment, the device identifier, and a digital signature obtained by signing the request packet corresponding to the device registration request with the first public key stored by the user equipment;
When the verification result of the digital signature is success, the first server storing the push token and the device identifier;
The first server sending to the user equipment the control command signed with the first private key corresponding to the device identifier comprises:
The first server sending the signed control command and the push token to a message push gateway, so that the message push gateway sends the signed control command to the user equipment according to the push token.
5. The method according to claim 4, characterized in that, after the first server receives the device registration request that is sent by the user equipment and carries the device information of the user equipment, the method further comprises:
The first server sending the device registration request to a second server, so that the second server verifies the digital signature using the stored first private key corresponding to the device identifier;
The first server receiving the signature verification result returned by the second server.
6. A device control method, characterized in that it is applied in user equipment, a device identifier and a public key being preset in the user equipment and stored in a secure storage area of the user equipment that has data persistence, the method comprising:
The user equipment receiving a control command sent by a server, the control command having been signed with a pre-configured private key;
The user equipment obtaining the public key from the secure storage area of the local device, and verifying the signature of the control command using the public key;
If signature verification succeeds, the user equipment executing the control command and returning the execution result of the control command to the server.
7. The method according to claim 6, characterized in that, before the user equipment receives the control command sent by the server, the method further comprises:
The user equipment sending a token request to a message push gateway, so that the message push gateway allocates a push token to the user equipment according to the token request, the push token being an addressing identifier used to instruct the message push gateway to push messages;
If the push token issued by the message push gateway in response to the token request is received, the user equipment sending to the server a device registration request carrying device information of the user equipment, the device information comprising the push token, the device identifier, and a digital signature obtained by signing the request packet corresponding to the device registration request with the public key, so that the server stores the push token and the device identifier when the digital signature is successfully verified with the pre-configured private key.
8. A device control apparatus, characterized in that it is arranged in a first server and comprises:
A first receiving module, configured to receive a device control request sent by a client, the device control request comprising the device identifier of the user equipment to be retrieved;
A generation module, configured to generate, according to the device control request received by the first receiving module, a control command used to instruct the user equipment to perform a device retrieval operation;
A first sending module, configured to send to the user equipment the control command signed with the first private key corresponding to the device identifier, so that the user equipment verifies the signature of the control command using the preset first public key and executes the control command when verification succeeds, the first public key being stored in a secure storage area of the user equipment that has data persistence;
A processing module, configured to receive the execution result of the user equipment executing the control command, and to return the execution result to the client.
9. The apparatus according to claim 8, characterized in that the device control request further comprises a digital signature obtained by signing the request packet corresponding to the device control request with a second private key stored in an external storage device; the apparatus further comprises:
A second sending module, configured to send the device control request to a second server, so that the second server looks up the second public key corresponding to the device identifier and verifies the digital signature using the second public key;
A notification module, configured to, upon receiving a verification success message returned by the second server in response to the device control request, notify the generation module to generate, according to the device control request, the control command used to instruct the user equipment to perform a device retrieval operation.
10. The apparatus according to claim 8 or 9, characterized in that the apparatus further comprises:
A third sending module, configured to send the control command generated by the generation module to a second server, so that the second server looks up the first private key corresponding to the device identifier and signs the control command with the first private key;
A second receiving module, configured to receive the signed control command returned by the second server.
11. The apparatus according to claim 8, characterized in that the apparatus further comprises:
A third receiving module, configured to receive a device registration request that is sent by the user equipment and carries device information of the user equipment, the device information comprising the push token corresponding to the user equipment, the device identifier, and a digital signature obtained by signing the request packet corresponding to the device registration request with the first public key stored by the user equipment;
An information storage module, configured to store the push token and the device identifier when the verification result of the digital signature is success;
The first sending module is specifically configured to:
Send the signed control command and the push token to a message push gateway, so that the message push gateway sends the signed control command to the user equipment according to the push token.
12. The apparatus according to claim 11, characterized in that the apparatus further comprises:
A fourth sending module, configured to send the device registration request to a second server, so that the second server verifies the digital signature using the stored first private key corresponding to the device identifier;
A third receiving module, configured to receive the signature verification result returned by the second server.
13. A device control apparatus, characterized in that it is arranged in user equipment, a device identifier and a public key being preset in the user equipment and stored in a secure storage area that has data persistence, the apparatus comprising:
A command receiving module, configured to receive a control command sent by a server, the control command having been signed with a pre-configured private key;
An obtaining module, configured to obtain the public key from the secure storage area of the local device, and to verify the signature of the control command received by the command receiving module using the public key;
An execution module, configured to execute the control command when signature verification succeeds, and to return the execution result of the control command to the server.
14. The apparatus according to claim 13, characterized by further comprising:
A first request sending module, configured to send a token request to a message push gateway, so that the message push gateway allocates a push token to the user equipment according to the token request, the push token being an addressing identifier used to instruct the message push gateway to push messages;
A second request sending module, configured to, upon receiving the push token issued by the message push gateway in response to the token request, send to the server a device registration request carrying device information of the user equipment, the device information comprising the push token, the device identifier, and a digital signature obtained by signing the request packet corresponding to the device registration request with the public key, so that the server stores the push token and the device identifier when the digital signature is successfully verified with the pre-configured private key.
CN201410505941.0A 2014-09-26 2014-09-26 A kind of apparatus control method and device Active CN105516948B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201410505941.0A CN105516948B (en) 2014-09-26 2014-09-26 A kind of apparatus control method and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201410505941.0A CN105516948B (en) 2014-09-26 2014-09-26 A kind of apparatus control method and device

Publications (2)

Publication Number Publication Date
CN105516948A true CN105516948A (en) 2016-04-20
CN105516948B CN105516948B (en) 2019-05-10

Family

ID=55724517

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201410505941.0A Active CN105516948B (en) 2014-09-26 2014-09-26 A kind of apparatus control method and device

Country Status (1)

Country Link
CN (1) CN105516948B (en)

Cited By (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106506476A (en) * 2016-10-24 2017-03-15 北京东土科技股份有限公司 The method and system of safety modification facility information
CN106559742A (en) * 2016-11-03 2017-04-05 厦门美图移动科技有限公司 A kind of data transferring method, device, terminal and service end
CN106878449A (en) * 2017-03-10 2017-06-20 腾讯科技(深圳)有限公司 Apparatus control method and device
CN107517278A (en) * 2017-10-11 2017-12-26 上海展扬通信技术有限公司 The long-range control method and tele-control system of a kind of intelligent terminal
CN107566314A (en) * 2016-06-30 2018-01-09 阿里巴巴集团控股有限公司 A kind of data transmission system, method and apparatus
CN108460251A (en) * 2017-02-21 2018-08-28 腾讯科技(深圳)有限公司 Run the method, apparatus and system of application program
CN108809651A (en) * 2018-05-05 2018-11-13 深圳大普微电子科技有限公司 Key pair management method and terminal
CN109597653A (en) * 2018-12-04 2019-04-09 郑州云海信息技术有限公司 Method, BIOS and the BMC of BIOS and BMC command interaction
CN109788369A (en) * 2018-12-21 2019-05-21 视联动力信息技术股份有限公司 Terminal control method and device
CN109818742A (en) * 2017-11-22 2019-05-28 中兴通讯股份有限公司 A kind of apparatus debugging method, device and storage medium
CN112019503A (en) * 2018-03-01 2020-12-01 北京华为数字技术有限公司 Method for obtaining equipment identification, communication entity, communication system and storage medium
CN113541997A (en) * 2020-04-17 2021-10-22 安全物品有限公司 Configuration control device, system and method
CN114731286A (en) * 2019-11-19 2022-07-08 亚萨合莱有限公司 Configuring a target device

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1665260A (en) * 2005-02-24 2005-09-07 杭州斯达康通讯有限公司 A remote control method for mobile telephone
CN101400163A (en) * 2007-09-28 2009-04-01 朗讯科技公司 Method for preventing unauthorized use of mobile phone and mobile phone thereof
US20120188064A1 (en) * 2009-02-17 2012-07-26 Lookout. Inc., a California Corporation System and method for remotely initiating playing of sound on a mobile device
CN103262474A (en) * 2010-11-09 2013-08-21 赞普劳科斯有限公司 Method and system for remote operation of an installation
CN103916408A (en) * 2012-12-31 2014-07-09 比亚迪股份有限公司 Terminal remote control method and system

Cited By (17)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107566314A (en) * 2016-06-30 2018-01-09 阿里巴巴集团控股有限公司 A kind of data transmission system, method and apparatus
CN106506476A (en) * 2016-10-24 2017-03-15 北京东土科技股份有限公司 The method and system of safety modification facility information
CN106506476B (en) * 2016-10-24 2019-07-23 北京东土科技股份有限公司 The method and system of safety modification facility information
CN106559742A (en) * 2016-11-03 2017-04-05 厦门美图移动科技有限公司 A kind of data transferring method, device, terminal and service end
CN108460251B (en) * 2017-02-21 2021-06-29 腾讯科技(深圳)有限公司 Method, device and system for running application program
CN108460251A (en) * 2017-02-21 2018-08-28 腾讯科技(深圳)有限公司 Run the method, apparatus and system of application program
CN106878449A (en) * 2017-03-10 2017-06-20 腾讯科技(深圳)有限公司 Apparatus control method and device
CN107517278A (en) * 2017-10-11 2017-12-26 上海展扬通信技术有限公司 The long-range control method and tele-control system of a kind of intelligent terminal
CN109818742A (en) * 2017-11-22 2019-05-28 中兴通讯股份有限公司 A kind of apparatus debugging method, device and storage medium
CN109818742B (en) * 2017-11-22 2023-04-25 中兴通讯股份有限公司 Equipment debugging method, device and storage medium
CN112019503A (en) * 2018-03-01 2020-12-01 北京华为数字技术有限公司 Method for obtaining equipment identification, communication entity, communication system and storage medium
CN112019503B (en) * 2018-03-01 2023-11-07 北京华为数字技术有限公司 Method for obtaining equipment identifier, communication entity, communication system and storage medium
CN108809651A (en) * 2018-05-05 2018-11-13 深圳大普微电子科技有限公司 Key pair management method and terminal
CN109597653A (en) * 2018-12-04 2019-04-09 郑州云海信息技术有限公司 Method, BIOS and the BMC of BIOS and BMC command interaction
CN109788369A (en) * 2018-12-21 2019-05-21 视联动力信息技术股份有限公司 Terminal control method and device
CN114731286A (en) * 2019-11-19 2022-07-08 亚萨合莱有限公司 Configuring a target device
CN113541997A (en) * 2020-04-17 2021-10-22 安全物品有限公司 Configuration control device, system and method

Also Published As

Publication number Publication date
CN105516948B (en) 2019-05-10

Similar Documents

Publication Publication Date Title
CN105516948A (en) Device control method and device control unit
CN109992949B (en) Equipment authentication method, over-the-air card writing method and equipment authentication device
CN104065653B (en) A kind of interactive auth method, device, system and relevant device
CN105515783B (en) Identity identifying method, server and certification terminal
US9734091B2 (en) Remote load and update card emulation support
CN106790156B (en) Intelligent device binding method and device
CN101765105B (en) Method for realizing communication encryption as well as system and mobile terminal therefor
CN107122970B (en) Security authentication method, device, system, equipment, ATM and storage medium
CN112134708A (en) Authorization method, authorization request method and device
CN112632521B (en) Request response method and device, electronic equipment and storage medium
CN105516103A (en) Method, device and system for binding intelligent household electrical appliances
CN104751334A (en) Service processing method, device and system
JPWO2014196181A1 (en) Data authentication apparatus and data authentication method
CN108932424A (en) A kind of device registering system and method
CN101771680B (en) Method for writing data to smart card, system and remote writing-card terminal
CN105553654A (en) Key information query processing method and device and key information management system
CN103929411A (en) Information displaying method, terminal, safety server and system
US20130346742A1 (en) Method and System for Device Authentication
CN104050431A (en) Self-signing method and self-signing device for RFID chips
CN106027250A (en) Identity card information safety transmission method and system
CN113242134B (en) Digital certificate signing method, device, system and storage medium
CN104753675A (en) Information verification method, and electronic payment method, terminal, server and system
CN105323094A (en) Safety management method based on equipment identification and system thereof
CN104428803A (en) Payment method and apparatus and payment element processing method and apparatus
CN101587458A (en) Operation method and device for intelligent storing card

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant