CN109617896B - Internet of things access control method and system based on intelligent contract - Google Patents

Publication number: CN109617896B
Application number: CN201811616085.0A
Other versions: CN109617896A
Original language: Chinese (zh)
Legal status: Active (status as listed by Google Patents, not a legal conclusion)
Inventors: 吴增德, 吴晓东, 沈乐平, 陈玲珑, 程涛
Current assignee: Zhejiang Public Information Industry Co ltd
Original assignee: Zhejiang Public Information Industry Co ltd

Classifications

    • H04L63/0807 (network security: authentication of entities using tickets, e.g. Kerberos)
    • H04L63/10 (network security: controlling access to devices or network resources)
    • H04L9/50 (cryptographic mechanisms using hash chains, e.g. blockchains or hash trees)
    • H04L9/3213 (entity authentication involving a trusted third party, using tickets or tokens)
    • H04L9/3239 (message authentication using non-keyed cryptographic hash functions, e.g. MD5, SHA or RIPEMD)
    • H04W4/70 (services for machine-to-machine [M2M] or machine type communication [MTC])
    • H04L2209/805 (cryptographic mechanisms on lightweight wireless hardware, e.g. RFID or sensors)

Abstract

The invention relates to an access control method and system based on an intelligent contract in an Internet of things environment. The internet of things comprises a first node and a second node which are connected through a network, and the method comprises the following steps that at the first node: sending a resource access request to the second node for requesting access to a resource of the second node; receiving a redirection instruction from a second node, the redirection instruction redirecting the first node to a smart contract associated with the second node; invoking the intelligent contract on a blockchain; and receiving a response as a result of the execution of the smart contract, the response including an access token that allows the first node to access a resource of a second node or a denial of the resource access request.

Description

Internet of things access control method and system based on intelligent contract
Technical Field
The disclosure relates to the technical field of internet of things, in particular to an internet of things access control method and system based on an intelligent contract.
Background
With the development of technologies such as smart homes, digital healthcare and the internet of vehicles, internet of things applications are becoming more widespread, and the security of the internet of things is receiving more and more attention. Internet of things security should satisfy three important properties: confidentiality, integrity and availability. Confidentiality prevents unauthorized parties from accessing sensitive information while ensuring that authorized parties can access it. Integrity ensures that data is not tampered with during transmission. Availability ensures that data is accessible at any time, which requires redundancy. Authentication and access control are important components of internet of things security.
Accordingly, there is a need for an internet of things access control method and system with enhanced security.
Disclosure of Invention
According to a first aspect of the present disclosure, there is provided a smart contract-based access control method in an internet of things environment, the internet of things including a first node and a second node connected by a network, the method including, at the first node: sending a resource access request to the second node for requesting access to a resource of the second node; receiving a redirection instruction from the second node, the redirection instruction redirecting the first node to a smart contract associated with the second node; invoking the smart contract on a blockchain; and receiving a response as a result of the execution of the smart contract, the response including either an access token that allows the first node to access the resource of the second node or a denial of the resource access request. The method further comprises, at the first node: sending an access request including the access token to the second node; and receiving a response from the second node allowing or denying access to the resource of the second node.
According to a second aspect of the present disclosure, there is provided a smart contract-based access control method in an internet of things environment, the internet of things including a first node and a second node connected by a network, the method including, at the second node: receiving a resource access request from a first node for requesting access to a resource of a second node; and sending a redirection instruction to the first node, the redirection instruction redirecting the first node to a smart contract associated with the second node. The first node, after receiving the redirection instruction, invokes the intelligent contract on a blockchain, and receives a response as a result of execution of the intelligent contract, the response including an access token that allows the first node to access a resource of a second node or a denial of the resource access request. The method further comprises, at the second node: receiving an access request including the access token from the first node; sending the access token to the smart contract to check the validity of the access token; and sending a response for allowing or denying access to the resource of the second node to the first node according to the checking result.
According to a third aspect of the present disclosure, there is provided a computer system comprising: one or more processors; and one or more memories configured to store a series of computer-executable instructions, wherein the series of computer-executable instructions, when executed by the one or more processors, cause the one or more processors to perform a method in accordance with the present disclosure.
According to a fourth aspect of the present disclosure, there is provided a non-transitory computer-readable medium having stored thereon computer-executable instructions that, when executed by one or more processors, cause the one or more processors to perform a method as recited in the present disclosure.
According to a fifth aspect of the present disclosure, there is provided a smart contract-based access control system in an internet of things environment, comprising means for performing the steps of the method according to the present disclosure.
Other features of the present invention and advantages thereof will become more apparent from the following detailed description of exemplary embodiments thereof, which proceeds with reference to the accompanying drawings.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments of the disclosure and together with the description, serve to explain the principles of the disclosure.
The present disclosure may be more clearly understood from the following detailed description, taken with reference to the accompanying drawings, in which:
Fig. 1 illustrates a conventional access control technique.
Fig. 2 illustrates an internet of things architecture implementing a smart contract-based access control method according to an exemplary embodiment of the present disclosure.
Fig. 3 shows a flowchart of an access control method based on a smart contract according to an exemplary embodiment of the present disclosure.
FIG. 4 shows a flowchart of a method performed by a node requesting access to a resource according to an example embodiment of the present disclosure.
FIG. 5 shows a flowchart of a method performed by a node that is requested to access a resource according to an example embodiment of the present disclosure.
Fig. 6 illustrates a block chain based intelligent contract system according to an exemplary embodiment of the present disclosure.
Fig. 7 illustrates a structure of transaction information according to an exemplary embodiment of the present disclosure.
FIG. 8 illustrates a registration contract according to an exemplary embodiment of the present disclosure.
Fig. 9 illustrates an internet of things access control oriented storage mechanism according to an exemplary embodiment of the present disclosure.
FIG. 10 illustrates an exemplary configuration of a computing device in which embodiments in accordance with the invention may be implemented.
Detailed Description
Preferred embodiments of the present invention will be described in detail below with reference to the accompanying drawings. Details and functions not essential to the present invention are omitted so as not to obscure the understanding of the present invention.
Note that like reference numerals and letters refer to like items in the figures, and thus once an item is defined in one figure, it need not be discussed in subsequent figures.
In this disclosure, the terms "first," "second," and the like are used merely to distinguish between elements or steps, and are not intended to indicate temporal order, priority, or importance.
Fig. 1 illustrates a conventional access control technique. As shown in fig. 1, in step 101 node A sends a resource access request to node B to request access to a resource of node B. Node B decides, through its own access control processing mechanism, whether to accept or reject node A's access request. In step 102 node B then sends node A a response accepting or denying the access request. When the access request is accepted, node A accesses node B's data in step 103 according to node B's authorization. This conventional technique has several problems. First, it is based on a centralized architecture: when the single deciding node fails, the related nodes can no longer complete their operations, that is, there is a single point of failure. In addition, a considerable number of internet of things devices have low computing power, so it is difficult for them to perform authentication or access control processing themselves. Furthermore, conventional techniques delegate authentication and access control to third-party servers, which can undermine end-to-end security and lead to serious security issues.
The present invention solves one or more of the above-mentioned problems by providing an internet of things access control technique based on blockchain smart contracts. It should be noted that the present invention may also solve other problems not mentioned here. The inventive concept of the present disclosure is described in detail below by means of some exemplary embodiments.
Fig. 2 illustrates an internet of things architecture implementing a smart contract-based access control method according to an exemplary embodiment of the present disclosure. As shown in fig. 2, the internet of things system 200 may generally include one or more servers 201, one or more databases 202 such as storage devices, terminal devices 203 such as computers and mobile phones, one or more internet of things gateways 204, one or more internet of things devices 205, 206, and the like, connected by a network. The internet of things system also includes an access control smart contract system 207 running on the blockchain. The server 201 interacts with the terminal device 203 to receive requests from the terminal device 203 and return responses. The server 201 also interacts with the internet of things devices 204, 205 and the database 202, accesses data, and provides data and services, such as smart home control, fire alarms and environmental monitoring, to the users of the terminal devices. The database 202 stores data about servers, sensors and users, among other things. Terminal device 203 may be a desktop, notebook, smartphone, tablet or similar device. The user sends requests and obtains services through the terminal device 203. The internet of things gateway 204 provides network access and proxy services for the internet of things devices 205, 206 and the like. The internet of things devices 205 and 206 may sense environmental data (e.g., smoke, temperature, humidity) and perform certain operations (e.g., turn on an air conditioner, activate an alarm).
The internet of things system 200 may also include smart contracts 207 maintained and run over the blockchain for implementing access control. As known to those skilled in the art, a blockchain is a decentralized, distributed ledger database. An intelligent contract is a set of contracts that are defined and implemented in a digital form. An intelligent contract on a blockchain is a set of executable computer code that enables the trading process of an asset. Assets may include data, credentials, etc., which may be collectively defined by partners in a particular business scenario. One or more intelligent contracts are stored in all nodes in the block chain, the number and the types of the intelligent contracts stored in all the nodes are the same, and each type of intelligent contract has a unique address which is used for uniquely identifying one type of intelligent contract. The invention controls the access of the nodes through intelligent contracts based on the block chains.
A smart contract-based access control method according to an exemplary embodiment of the present disclosure is described below with reference to fig. 3. Node a and node B are nodes on the internet of things. Here, assume that node a wants to perform an access operation, such as a read or write operation, to protected node B. The flow of performing access control for the first time is as follows.
In step 301, node A sends a resource access request to node B requesting access to a resource of node B.
In step 302, node B sends a redirect instruction to node A, which redirects node A to the smart contract associated with node B.
In step 303, node A sends the resource access request to the blockchain to invoke the intelligent contract.
In step 304, the blockchain, on receiving the resource access request, generates a transaction, such as a GetAccess transaction, containing information about the node (node A) that wishes to access node B. The structure of the transaction information is described later herein.
Also in step 304, the blockchain broadcasts the generated transaction to all nodes on the blockchain, so that the intelligent contract is executed through the miners' mining activity.
In step 305, after the intelligent contract has been executed, it is determined whether node A has the right to access the resource of node B.
In step 306, when node A does not have the right to access the resources of node B, a response denying the request is sent to node A.
When node A has the right to access the resources of node B, the transaction is added to the blockchain in step 307, and a response containing an access token is sent to node A in step 308.
Steps 301 to 308 thus form the registration procedure performed when node A accesses node B for the first time. Node A stores the access token and presents it in later accesses to node B's resource. The access procedure that follows the registration procedure is described next.
In step 309, node A sends an access request including the access token to node B.
In step 310, node B, upon receiving the access request including the access token, sends the access token to the smart contract to check the validity of the access token.
In step 311, node B sends node A a response allowing or denying access to the resource of node B according to the check result. When node A is allowed to access the resource, node A accesses the resource of node B.
It is to be understood that the present invention may not be limited to the above-described steps, may include additional steps or may delete steps, and the order of the steps may be different. And the present invention need not perform all of the above-described steps, but may perform only a portion of the steps for a particular purpose or purposes.
Fig. 4 shows a flowchart of a method performed on node A, the node requesting access to a resource, according to an exemplary embodiment of the present disclosure.
As shown in fig. 4, in step 401, node A sends a resource access request to node B for requesting access to a resource of node B.
In step 402, node A receives a redirect instruction from node B that redirects node A to an intelligent contract associated with node B.
In step 403, node A invokes the intelligent contract.
In step 404, node A receives a response as a result of the execution of the smart contract, the response including either an access token that allows node A to access the resource of node B or a denial of the access request.
The above is the registration procedure performed when node A accesses node B for the first time. The following steps 405 and 406 are the access procedure. If this is not the first access, the access procedure may be performed directly without repeating the registration procedure.
In step 405, node A sends an access request including the access token to node B.
In step 406, node A receives a response from node B allowing or denying access to the resources of node B. When the response allows access to the resources of node B, node A starts to access the resources of node B.
Fig. 5 shows a flowchart of a method performed by node B, the node whose resource is requested, according to an example embodiment of the present disclosure.
As shown in fig. 5, in step 501, node B receives a resource access request from node A requesting access to a resource of node B.
In step 502, node B sends node A a redirect instruction that redirects node A to an intelligent contract associated with node B.
After the registration procedure described with reference to fig. 3 is completed, node B receives an access request including the access token from node A in step 503.
In step 504, node B sends the access token to the smart contract to check the validity of the access token.
In step 505, node B sends node A a response allowing or denying access to the resource of node B according to the check result.
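The registration and access procedures of figs. 3 to 5, as an added Python simulation; this is not code from the patent, and the contract, the token format and the node behaviour are assumptions of the example. The policy is reduced to a constructed allowlist so that the exchange itself stands out: node B never decides on its own, it redirects (step 302) and later hands the presented token back to the contract (step 310); the contract binds the token to the subject, object, resource and operation it was issued for, authenticates it with a key that only the contract holds, and rejects it once it has expired, so a token copied from one request cannot be presented for a different one.

```python
import hashlib
import hmac
import secrets
import time

# Constructed allowlist standing in for the access control policy that the patent keeps
# in the contract: (subject, object, resource, operation).
POLICY = {("nodeA", "nodeB", "temperature", "read")}


class AccessContract:
    """Stand-in for node B's on-chain smart contract (assumption, not the patent's code).
    It decides the GetAccess request, issues an access token and later checks that token."""

    def __init__(self, ttl_seconds=300):
        self._key = secrets.token_bytes(32)  # token-authentication key held only by the contract
        self._ttl = ttl_seconds
        self._issued = {}                    # token id -> expiry: the chain's record of the transaction

    def get_access(self, subject, obj, resource, operation, now=None):
        """Steps 303-308: return a token bound to the request, or None as the denial."""
        now = time.time() if now is None else now
        if (subject, obj, resource, operation) not in POLICY:
            return None
        expiry = int(now) + self._ttl
        token_id = secrets.token_hex(8)
        payload = "|".join([token_id, subject, obj, resource, operation, str(expiry)])
        tag = hmac.new(self._key, payload.encode(), hashlib.sha256).hexdigest()
        self._issued[token_id] = expiry
        return payload + "|" + tag

    def check_token(self, token, subject, obj, resource, operation, now=None):
        """Steps 310/504: valid only if untampered, bound to this exact request, issued and unexpired."""
        now = time.time() if now is None else now
        parts = token.split("|")
        if len(parts) != 7:
            return False
        token_id, s, o, r, op, expiry, tag = parts
        expected = hmac.new(self._key, "|".join(parts[:6]).encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(tag, expected):
            return False
        if (s, o, r, op) != (subject, obj, resource, operation):
            return False
        return token_id in self._issued and now <= int(expiry)


class NodeB:
    """Resource owner. It never evaluates policy itself: it redirects (step 302) and
    defers the token check to the contract (step 310)."""

    def __init__(self, name, contract):
        self.name = name
        self.contract = contract
        self.data = {"temperature": 21.5}   # constructed sensor reading

    def resource_request(self, subject, resource, operation):
        return {"redirect": self.contract}   # step 302

    def access(self, subject, token, resource, operation):
        if not self.contract.check_token(token, subject, self.name, resource, operation):
            return {"status": "deny"}
        return {"status": "allow", "value": self.data.get(resource)}


class NodeA:
    """Requester: registration (steps 301-308) once, then token-based access (309-311)."""

    def __init__(self, name):
        self.name = name
        self.tokens = {}

    def register(self, node_b, resource, operation):
        reply = node_b.resource_request(self.name, resource, operation)           # step 301
        contract = reply["redirect"]                                              # step 302
        token = contract.get_access(self.name, node_b.name, resource, operation)  # steps 303-308
        if token is not None:
            self.tokens[(node_b.name, resource, operation)] = token
        return token

    def access(self, node_b, resource, operation):
        key = (node_b.name, resource, operation)
        if key not in self.tokens and self.register(node_b, resource, operation) is None:
            return {"status": "deny"}
        return node_b.access(self.name, self.tokens[key], resource, operation)   # steps 309-311
```

The keyed token and its expiry are design choices of this example, not of the patent, which only states that the contract checks the token's validity; on a real chain the issued token would be recorded in the GetAccess transaction added in step 307 rather than in the contract's in-memory table.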
The invention performs access control through a smart contract on the blockchain and can thereby eliminate the single point of failure of conventional access control. In addition, the invention solves the problem of authorizing a subject (such as a user, a process or a server) to perform read, write and execute operations on an object (such as a sensor or an actuator) when the processing capacity of the internet of things device is low.
A block chain based intelligent contract system according to an exemplary embodiment of the present disclosure is described below with reference to fig. 6.
As shown in fig. 6, transaction information and smart contracts are stored on the blockchain. Fig. 7 shows a schematic diagram of the structure of the transaction information according to an example embodiment. Each piece of transaction information may also constitute a policy. As shown in fig. 7, the transaction information includes a plurality of fields:
resource: the resource the policy applies to, such as a temperature sensor's temperature or a smoke sensor's concentration;
operation: the operation performed on the resource, such as read or write;
right: the predefined right for the operation, such as permit or deny;
time of last request (ToLR): the time of the last access to the data;
allowed access time: the time at which the resource is allowed to be accessed.
A smart contract on the blockchain may comprise a plurality of access control contracts (ACC), a judge contract (JC) and a registration contract (RC). An access control contract ACC provides subject-object access control: it verifies access rights against predefined rules and allows access control policies to be added, updated and deleted. If node A wants to access node B's data, an access control contract for node B's data is deployed by node B's gateway proxy. The access control contract ACC provides the following main programming interfaces to manage policies and enforce access control:
policyAdd(): adds a policy.
policyUpdate(): updates a policy.
policyDelete(): deletes a policy.
accessControl(): requests access to the resource and returns the access authorization for the resource.
setJC(): so that the ACC can call the programming interface of the JC, the ACC must keep an instance of the JC.
deleteACC(): deletes the access control contract.
The judge contract JC enables dynamic access verification for the ACC. For example, the judge contract JC receives a misbehaviour report from the ACC and decides, based on the reported misbehaviour, whether access authorization is granted, thereby providing dynamic verification for the ACC.
The registration contract RC is used to add, update and delete access control contracts. The registration contract RC maintains a lookup table that registers the information needed to find and execute all methods. Fig. 8 shows an example of a registration contract RC. The lookup table contains, for example, the subject, the object, the contract name, the contract creator, the contract address and the programming interface. The registration contract RC provides the following interfaces:
methodRegister(): registers a contract.
methodUpdate(): updates a contract.
methodDelete(): deletes a contract.
getContract(): returns a contract address and its programming interface.
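The transaction record fields of fig. 7 and the ACC, JC and RC interfaces listed above, as an added Python model that is not part of the patent. The interface names follow the description; the JC's misbehaviour rule (requests arriving faster than a minimum interval earn a strike), its penalty (the subject is blocked after a number of strikes), the modelling of the allowed access time as a window, and the placeholder contract address are assumptions of this example. It shows an ACC evaluating a request default-deny over all policy fields, updating ToLR on each evaluated request and referring a misbehaviour report to the JC, and an RC resolving a (subject, object) pair to the contract and its interface.

```python
import time


class Policy:
    """One transaction record of fig. 7: resource, operation, right, time of last request
    (ToLR) and the allowed access time, here modelled as a [from, until] window (assumption)."""

    def __init__(self, resource, operation, right, allowed_from=0.0, allowed_until=float("inf")):
        self.resource, self.operation, self.right = resource, operation, right  # right: permit/deny
        self.tolr = None                                                        # None until first request
        self.allowed_from, self.allowed_until = allowed_from, allowed_until


class JudgeContract:
    """JC: the ACC reports a suspected misbehaviour and the JC decides whether authorisation stands.
    The rule (requests closer than min_interval earn a strike) and the penalty (the subject is
    blocked after max_strikes, for every ACC sharing this JC) are assumptions of this example."""

    def __init__(self, min_interval=1.0, max_strikes=2):
        self.min_interval, self.max_strikes = min_interval, max_strikes
        self.strikes, self.blocked = {}, set()

    def judge(self, subject, interval):
        if subject in self.blocked:
            return False
        if interval is not None and interval < self.min_interval:
            self.strikes[subject] = self.strikes.get(subject, 0) + 1
            if self.strikes[subject] >= self.max_strikes:
                self.blocked.add(subject)
                return False
        return True


class AccessControlContract:
    """ACC for one subject/object pair, exposing the interfaces named in the description."""

    def __init__(self, subject, obj):
        self.subject, self.obj = subject, obj
        self.policies = {}          # (resource, operation) -> Policy
        self.jc = None
        self.deleted = False

    def policyAdd(self, policy):
        self.policies[(policy.resource, policy.operation)] = policy

    def policyUpdate(self, resource, operation, **changes):
        policy = self.policies[(resource, operation)]
        for field, value in changes.items():
            setattr(policy, field, value)

    def policyDelete(self, resource, operation):
        self.policies.pop((resource, operation), None)

    def setJC(self, jc):
        self.jc = jc                # the ACC keeps an instance of the JC to call its interface

    def deleteACC(self):
        self.policies.clear()
        self.deleted = True

    def accessControl(self, resource, operation, now=None):
        """Decide one request. Every missing piece of evidence falls through to "deny"."""
        now = time.time() if now is None else now
        policy = self.policies.get((resource, operation))
        if self.deleted or policy is None or policy.right != "permit":
            return "deny"
        if not (policy.allowed_from <= now <= policy.allowed_until):
            return "deny"
        interval = None if policy.tolr is None else now - policy.tolr
        policy.tolr = now           # ToLR is updated on every evaluated request
        if self.jc is not None and not self.jc.judge(self.subject, interval):
            return "deny"           # misbehaviour report judged against the subject
        return "permit"


class RegistrationContract:
    """RC: lookup table from (subject, object) to contract name, creator, address and interface."""
    ACC_INTERFACE = ("policyAdd", "policyUpdate", "policyDelete", "accessControl", "setJC", "deleteACC")

    def __init__(self):
        self.table = {}

    def methodRegister(self, subject, obj, name, creator, contract):
        address = "0x%040x" % (len(self.table) + 1)     # constructed placeholder address
        self.table[(subject, obj)] = {"name": name, "creator": creator, "address": address,
                                      "contract": contract, "interface": self.ACC_INTERFACE}
        return address

    def methodUpdate(self, subject, obj, **changes):
        self.table[(subject, obj)].update(changes)

    def methodDelete(self, subject, obj):
        entry = self.table.pop((subject, obj), None)
        if entry is not None:
            entry["contract"].deleteACC()

    def getContract(self, subject, obj):
        entry = self.table.get((subject, obj))
        return None if entry is None else (entry["address"], entry["interface"], entry["contract"])
```

Because the JC is shared, a subject blocked for misbehaving against one object is denied by every ACC that references the same JC; whether that scope is wanted is a deployment decision, and the patent only states that the JC decides authorization from the report.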
The disclosure also provides a storage method and storage structure oriented to internet of things access control. Fig. 9 illustrates a storage mechanism for transaction information and smart contracts according to an example embodiment of the present disclosure. The "contract" entries store smart contract information, and policy_1, policy_2 and so on store access control policies.
When a new internet of things device (such as a fire smoke sensor) is added to the internet of things system, a proxy node of the internet of things (a server, terminal, gateway or similar node, hereinafter referred to as the internet of things gateway) allocates a public key and a private key to the device, and the public key serves as the device's account. The internet of things gateway encrypts the contract with the private key of the internet of things device to generate an ACC contract 2, and writes the ACC contract into the contract list of the contract structure shown in fig. 9.
A user or security administrator may write internet of things access control rules for the new internet of things device or modify the internet of things access control rules generated by the AI algorithm, which are stored in block N. The user or security administrator checks the access control rules stored in block N and further modifies the access control rules, the modified access control rules being stored in block N + 1.
As shown in fig. 9, the access control rules are organized in a Merkle tree data structure. For example, policy_2 comprises three transaction records, record 1, record 2 and record 3. Each transaction record corresponds to a specific configuration of the internet of things, namely internet of things 1, internet of things 2 and internet of things 3. Internet of things 3 comprises two security rules, security rule 4 and security rule 5. Each security rule may be further divided into sub-rules; for example, rule 5 may be divided into sub-rule 6, sub-rule 7 and sub-rule 8, and so on.
If the user modifies a security rule, for example modifying security rule 8 into security rule 8_1, the modified rule is saved in block N+1. In block N+1 the new security rules are rule 6, rule 7 and rule 8_1. The Merkle hash is recalculated from the new security rules to obtain the security rule storage root hash Hash_5_1, and then the Merkle hash 3_1 and Policy_3 are recalculated in turn, and so on.
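The Merkle-tree organisation of the access control rules and the recalculation after changing rule 8 into rule 8_1, as an added Python example that is not code from the patent. The hash function (SHA-256 with a leaf/node domain separator) and the treatment of odd levels (duplicating the last node) are assumptions; the nesting sub-rules, security rule, internet of things configuration, policy follows fig. 9 as described, and the contents of blocks N and N+1 are constructed. It goes slightly beyond the text by also producing and checking a membership proof, which is how a node holding only the root stored in a block can confirm that a rule it has been given belongs to the current policy, and by showing that an unchanged branch keeps its root.

```python
import hashlib


def leaf_hash(rule: str) -> bytes:
    # Domain-separate leaves from interior nodes so an interior hash cannot pose as a rule
    return hashlib.sha256(b"\x00" + rule.encode()).digest()


def node_hash(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(b"\x01" + left + right).digest()


def _pad(level):
    # Assumption: an odd level is completed by duplicating its last node
    return level + [level[-1]] if len(level) % 2 else level


def merkle_levels(rules):
    """All levels bottom-up, from the rule leaves to the single root hash."""
    level = [leaf_hash(r) for r in rules]
    levels = [level]
    while len(level) > 1:
        level = _pad(level)
        level = [node_hash(level[i], level[i + 1]) for i in range(0, len(level), 2)]
        levels.append(level)
    return levels


def merkle_root(rules) -> str:
    return merkle_levels(rules)[-1][0].hex()


def merkle_proof(rules, index):
    """Sibling hashes, each tagged with the side it sits on, from the leaf up to the root."""
    proof = []
    for level in merkle_levels(rules)[:-1]:
        level = _pad(level)
        sibling = index ^ 1
        proof.append(("L" if sibling < index else "R", level[sibling]))
        index //= 2
    return proof


def verify_proof(rule, proof, root_hex) -> bool:
    """Recompute the path from one rule; the verifier needs only the root stored in the block."""
    current = leaf_hash(rule)
    for side, sibling in proof:
        current = node_hash(sibling, current) if side == "L" else node_hash(current, sibling)
    return current.hex() == root_hex


def policy_root(structure) -> str:
    """Chain the roots upward as in fig. 9: sub-rules -> security rule -> configuration -> policy.
    structure = {configuration: {security_rule: [sub_rules]}}; each root becomes a leaf one level up."""
    configuration_roots = []
    for rules in structure.values():
        rule_roots = [merkle_root(sub_rules) for sub_rules in rules.values()]  # e.g. Hash_5_1 for rule 5
        configuration_roots.append(merkle_root(rule_roots))                  # e.g. hash 3_1 for IoT 3
    return merkle_root(configuration_roots)                                  # the policy root


# Constructed contents of block N and block N+1: only rule 8 becomes rule 8_1
BLOCK_N = {"iot_1": {"rule_1": ["sub_rule_a"]},
           "iot_2": {"rule_2": ["sub_rule_b", "sub_rule_c"]},
           "iot_3": {"rule_4": ["sub_rule_d"], "rule_5": ["rule_6", "rule_7", "rule_8"]}}
BLOCK_N1 = {"iot_1": {"rule_1": ["sub_rule_a"]},
            "iot_2": {"rule_2": ["sub_rule_b", "sub_rule_c"]},
            "iot_3": {"rule_4": ["sub_rule_d"], "rule_5": ["rule_6", "rule_7", "rule_8_1"]}}
```

The point a security administrator should take from the recalculation is that a modification anywhere below a root changes that root and every root above it, so comparing the policy root recorded in block N+1 with a locally recomputed one detects any undeclared change to a rule; the proof lets a low-power device check a single rule without holding the whole policy.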
FIG. 10 illustrates an exemplary configuration of a computing device 1000 in which embodiments in accordance with the invention may be implemented. Computing device 1000 is an example of a hardware device in which the above-described aspects of the invention may be applied. Computing device 1000 may be any machine configured to perform processing and/or computing. Computing device 1000 may be, but is not limited to, a workstation, a server, a desktop computer, a laptop computer, a tablet computer, a Personal Data Assistant (PDA), a smart phone, an in-vehicle computer, or a combination thereof.
As shown in fig. 10, computing device 1000 may include one or more elements connected to or in communication with a bus 1020, possibly via one or more interfaces. Bus 1002 can include, but is not limited to, an Industry Standard Architecture (ISA) bus, a Micro Channel Architecture (MCA) bus, an enhanced ISA (eisa) bus, a Video Electronics Standards Association (VESA) local bus, and a Peripheral Component Interconnect (PCI) bus, to name a few. Computing device 1000 may include, for example, one or more processors 1004, one or more input devices 1006, and one or more output devices 1008. The one or more processors 1004 may be any kind of processor and may include, but are not limited to, one or more general-purpose processors or special-purpose processors (such as special-purpose processing chips). Input device 1006 may be any type of input device capable of inputting information to a computing device and may include, but is not limited to, a mouse, a keyboard, a touch screen, a microphone, and/or a remote control. Output device 1008 may be any type of device capable of presenting information and may include, but is not limited to, a display, speakers, a video/audio output terminal, a vibrator, and/or a printer.
Computing device 1000 may also include or be connected to a non-transitory storage device 1014, which may be any non-transitory device capable of storing data and may include, but is not limited to, a disk drive, an optical storage device, a solid state memory, a floppy disk, a flexible disk, a hard disk, a magnetic tape or any other magnetic medium, a compact disk or any other optical medium, a cache memory and/or any other storage chip or module, and/or any other medium from which a computer may read data, instructions and/or code. Computing device 1000 may also include random access memory (RAM) 1010 and read only memory (ROM) 1012. The ROM 1012 may store programs, utilities or processes to be executed in a nonvolatile manner. The RAM 1010 may provide volatile data storage and store instructions related to the operation of the computing device 1000. Computing device 1000 can also include a network/bus interface 1016 that couples to data link 10110. The network/bus interface 1016 may be any kind of device or system capable of enabling communication with external devices and/or networks, and may include, but is not limited to, a modem, a network card, an infrared communication device, a wireless communication device, and/or a chipset (such as Bluetooth™ devices, 802.11 devices, WiFi devices, WiMax devices, cellular communication facilities, etc.).
Various aspects, embodiments, implementations, or features of the foregoing embodiments may be used alone or in any combination. Various aspects of the foregoing embodiments may be implemented by software, hardware, or a combination of hardware and software.
For example, the foregoing embodiments may be embodied as computer readable code on a computer readable medium. The computer readable medium is any data storage device that can store data which can thereafter be read by a computer system. Examples of a computer readable medium include read-only memory, random-access memory, CD-ROMs, DVDs, magnetic tape, hard drives, solid state drives, and optical data storage devices. The computer readable medium can also be distributed over network coupled computer systems so that the computer readable code is stored and executed in a distributed fashion.
For example, the foregoing embodiments may take the form of hardware circuitry. Hardware circuitry may include any combination of combinational logic circuitry, clocked storage elements (such as flops, flip-flops, latches, etc.), finite state machines, memories such as static random access memories or embedded dynamic random access memories, custom designed circuits, programmable logic arrays, etc.
In one embodiment, a hardware circuit according to the present disclosure may be implemented by encoding a circuit description in a hardware description language (HDL) such as Verilog or VHDL. The HDL description can be synthesized against a library of cells designed for a given integrated circuit fabrication technology and can be modified for timing, power, and other reasons to obtain a final design database, which can be transferred to a factory for the production of integrated circuits by a semiconductor manufacturing system. A semiconductor manufacturing system may produce integrated circuits by depositing semiconductor material (e.g., on a wafer, which may include masking), removing material, changing the shape of the deposited material, modifying the material (e.g., by doping the material or modifying the dielectric constant with ultraviolet processing), and so forth. The integrated circuit may include transistors and may also include other circuit elements (e.g., passive elements such as capacitors, resistors, inductors, etc.) and interconnections between the transistors and the circuit elements. Some embodiments may implement multiple integrated circuits coupled together to implement a hardware circuit, and/or may use discrete elements in some embodiments.
While some specific embodiments of the present invention have been shown in detail by way of example, it should be understood by those skilled in the art that the foregoing examples are intended to be illustrative only and are not intended to limit the scope of the invention. It will be appreciated by those skilled in the art that the above-described embodiments may be modified without departing from the scope and spirit of the invention. The scope of the invention is defined by the appended claims.

Claims (15)

1. A smart contract-based access control method in an internet of things environment, the internet of things including a first node and a second node connected by a network, the method comprising, at the first node:
sending a resource access request to the second node for requesting access to a resource of the second node;
receiving a redirection instruction from the second node, the redirection instruction redirecting the first node to a smart contract associated with the second node;
invoking the smart contract on a blockchain; and
receiving a response as a result of execution of the smart contract, the response including an access token allowing the first node to access the resource of the second node or a denial of the resource access request,
wherein the access token is stored at the first node and is used at a later time as a key for the first node to access the resource of the second node.
2. The access control method of claim 1, further comprising, at the first node:
sending an access request including the access token to a second node; and
receiving a response from the second node allowing or denying access to the resource of the second node.
3. The access control method according to claim 2, wherein the second node, upon receiving the access request including the access token, transmits the access token to the smart contract to check validity of the access token, and transmits the response for allowing or denying access to the resource of the second node to the first node according to a result of the check.
4. The access control method of claim 1, wherein the blockchain is configured to:
receiving the resource access request;
generating transaction information;
broadcasting the transaction information to all nodes on the blockchain so that the smart contract is executed by the nodes on the blockchain;
determining, after the smart contract has been executed by a node on the blockchain, whether the first node has the right to access the resource of the second node;
adding the transaction information to the blockchain and sending the response containing the access token to the first node when the first node has the right to access a resource of a second node; and
sending the response containing a denial of the resource access request to the first node when the first node does not have the right to access the resource of the second node.
5. The access control method of claim 4, wherein the transaction information includes information relating to resources of the second node, operations performed on the second node, rights of the operations, last access time, and allowed access time.
6. The access control method of claim 1, wherein the smart contracts include an access control contract, a registration contract and a judge contract,
wherein the access control contract defines how one node on the internet of things controls access by another node, including the access rights;
the registration contract holds information about the access control contract and is used to manage the access control contract; and
the judge contract receives reports from the access control contract and determines whether access is authorized.
7. The access control method of claim 4, wherein the transaction information and the smart contracts are stored on the blockchain in a Merkle tree structure, the transaction information corresponding to at least one rule,
wherein when the at least one rule is modified on a current block, the modified rule and the corresponding modified transaction information are stored on the block following the current block.
8. A smart contract-based access control method in an internet of things environment, the internet of things including a first node and a second node connected by a network, the method comprising, at the second node:
receiving a resource access request from a first node for requesting access to a resource of a second node; and
sending a redirection instruction to the first node, the redirection instruction redirecting the first node to a smart contract associated with the second node, wherein the first node invokes the smart contract on a blockchain upon receiving the redirection instruction and receives a response as a result of execution of the smart contract, the response comprising an access token allowing the first node to access the resource of the second node or a denial of the resource access request, wherein the access token is stored at the first node and is used at a later time as a key for the first node to access the resource of the second node;
receiving an access request including the access token from the first node;
sending the access token to the smart contract to check the validity of the access token; and
sending a response allowing or denying access to the resource of the second node to the first node according to the result of the check.
9. The access control method of claim 8, wherein the blockchain is configured to:
receiving the resource access request;
generating transaction information;
broadcasting the transaction information to all nodes on the blockchain so that the smart contract is executed by the nodes on the blockchain;
determining, after the smart contract has been executed by a node on the blockchain, whether the first node has the right to access the resource of the second node;
adding the transaction information to the blockchain and sending the response containing the access token to the first node when the first node has the right to access a resource of a second node; and
sending the response containing a denial of the resource access request to the first node when the first node does not have the right to access the resource of the second node.
10. The access control method of claim 9, wherein the transaction information includes information about resources of the second node, operations performed on the second node, rights of the operations, time of last request, and allowed access time.
11. The access control method of claim 8, wherein the smart contracts include an access control contract, a registration contract and a judge contract,
wherein the access control contract defines how one node on the internet of things controls access by another node, including the access rights;
the registration contract holds information about the access control contract and is used to manage the access control contract; and
the judge contract receives reports from the access control contract and determines whether access is authorized.
12. The access control method of claim 11, wherein the transaction information and the smart contracts are stored on the blockchain in a Merkle tree structure, the transaction information corresponding to at least one rule,
wherein when the at least one rule is modified on a current block, the modified rule and the corresponding modified transaction information are stored on the block following the current block.
13. A computer system, comprising:
one or more processors; and
one or more memories configured to store a series of computer-executable instructions,
wherein the series of computer-executable instructions, when executed by the one or more processors, cause the one or more processors to perform the method of any one of claims 1-12.
14. A non-transitory computer-readable medium having stored thereon computer-executable instructions that, when executed by one or more processors, cause the one or more processors to perform the method of any one of claims 1-12.
15. A smart contract-based access control system in an internet of things environment, comprising means for performing the steps of the method according to any one of claims 1-12.
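The exchange claimed above (claims 1 to 8: resource access request, redirection to the contract, contract invocation, token issuance, later presentation of the token and its validity check by the contract), as an added Python simulation that is not part of the patent. The node identifiers, the resource and operation names, the contract's in-memory state and ledger, the judge contract's "two reports and you are blocked" rule, and the reading of claim 5's "allowed access time" as a token lifetime and "last access time" as a minimum spacing between requests are all assumptions made for this example; on a real chain the contract state would live on the ledger and the token identifier would be the transaction that recorded the grant.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass
class Policy:
    # One access right, modelled on the claim 5 transaction fields; the time semantics are assumed.
    subject: str          # node the right is granted to
    resource: str
    operation: str
    allowed_seconds: int  # lifetime of an issued token ("allowed access time")
    min_interval: int     # minimum spacing between token requests ("last access time")
    last_access: float = 0.0

class JudgeContract:
    """Receives reports from the access control contract; blocks nodes reported too often."""
    def __init__(self, max_reports: int = 2) -> None:
        self.reports: Dict[str, List[Tuple[str, float]]] = {}
        self.max_reports = max_reports

    def report(self, subject: str, reason: str, now: float) -> None:
        self.reports.setdefault(subject, []).append((reason, now))

    def is_blocked(self, subject: str) -> bool:
        return len(self.reports.get(subject, [])) >= self.max_reports

class AccessControlContract:
    def __init__(self, policies: List[Policy], judge: JudgeContract) -> None:
        self.policies = {(p.subject, p.resource, p.operation): p for p in policies}
        self.judge = judge
        self.tokens: Dict[str, tuple] = {}  # token id -> (subject, resource, operation, expires_at)
        self.ledger: List[tuple] = []        # appended transaction information

    def request_access(self, subject: str, resource: str, operation: str, now: float) -> Optional[str]:
        policy = self.policies.get((subject, resource, operation))
        too_fast = policy is not None and now - policy.last_access < policy.min_interval
        if too_fast:
            self.judge.report(subject, "request too frequent", now)
        if policy is None or too_fast or self.judge.is_blocked(subject):
            self.ledger.append(("denied", subject, resource, operation, now))
            return None
        policy.last_access = now
        token_id = secrets.token_hex(16)  # stands in for the transaction id a real chain would give
        self.tokens[token_id] = (subject, resource, operation, now + policy.allowed_seconds)
        self.ledger.append(("granted", subject, resource, operation, token_id, now))
        return token_id

    def check_token(self, token_id: str, presenter: str, resource: str, operation: str, now: float) -> bool:
        token = self.tokens.get(token_id)
        if token is None or now >= token[3] or self.judge.is_blocked(presenter):
            return False  # unknown, expired, or presenter blocked by the judge contract
        # Bound to the node it was issued to and to one resource/operation: an unbound token
        # would be a bearer key for whoever captures it on the network.
        return token[:3] == (presenter, resource, operation)

class ResourceNode:
    """Second node: redirects requesters to its contract and enforces the contract's verdict."""
    def __init__(self, contract: AccessControlContract) -> None:
        self.contract = contract

    def handle(self, msg: dict) -> dict:
        if msg["type"] == "resource_access_request":
            return {"type": "redirect", "contract": self.contract}  # the redirection instruction
        ok = self.contract.check_token(msg["token"], msg["from"], msg["resource"], msg["operation"], msg["now"])
        return {"type": "allow" if ok else "deny"}

class RequesterNode:
    """First node: follows the redirect, invokes the contract, stores and later presents the token."""
    def __init__(self, node_id: str) -> None:
        self.node_id, self.tokens = node_id, {}  # tokens kept per (resource, operation)

    def obtain_token(self, target: ResourceNode, resource: str, operation: str, now: float) -> bool:
        reply = target.handle({"type": "resource_access_request", "from": self.node_id})
        token_id = reply["contract"].request_access(self.node_id, resource, operation, now)
        if token_id is not None:
            self.tokens[(resource, operation)] = token_id
        return token_id is not None

    def access(self, target: ResourceNode, resource: str, operation: str, now: float,
               token_id: Optional[str] = None) -> bool:
        reply = target.handle({"type": "access", "from": self.node_id, "resource": resource, "operation": operation,
                               "token": token_id or self.tokens.get((resource, operation), ""), "now": now})
        return reply["type"] == "allow"

def run_scenario() -> dict:
    """Constructed scenario: node_a may read node_b's temperature sensor; tokens live 600 s."""
    res, out = "sensor/temperature", {}
    contract = AccessControlContract([Policy("node_a", res, "read", 600, 300)], JudgeContract(max_reports=2))
    node_b, node_a, node_m = ResourceNode(contract), RequesterNode("node_a"), RequesterNode("node_m")
    out["a_granted"] = node_a.obtain_token(node_b, res, "read", now=1000.0)
    captured = node_a.tokens[(res, "read")]  # as if node_m sniffed it from the network
    out["a_read_ok"] = node_a.access(node_b, res, "read", now=1100.0)
    out["a_write_denied"] = not node_a.access(node_b, res, "write", now=1100.0, token_id=captured)
    out["m_replay_denied"] = not node_m.access(node_b, res, "read", now=1100.0, token_id=captured)
    out["expired_denied"] = not node_a.access(node_b, res, "read", now=1700.0)
    out["a_renewed"] = node_a.obtain_token(node_b, res, "read", now=1750.0)
    # two renewals inside min_interval are reported; the judge then blocks node_a despite its live token
    out["refresh_too_fast"] = not node_a.obtain_token(node_b, res, "read", now=1800.0)
    out["second_too_fast"] = not node_a.obtain_token(node_b, res, "read", now=1850.0)
    out["blocked_by_judge"] = not node_a.access(node_b, res, "read", now=1900.0)
    out["ledger_entries"] = len(contract.ledger)  # granted, granted, denied, denied
    return out
```

Two points matter more than the plumbing. The claims say the token is "used as a key" by the first node, so the check the second node delegates to the contract must tie the token to the node it was issued to, the resource and the operation; otherwise anyone who observes it on the IoT network holds a bearer credential, which is what the node_m replay case exercises. And because the judge contract decides whether access is authorized, the validity check consults it as well as the issuance path, so a node blocked after misbehaving loses the use of tokens it already holds rather than keeping them until expiry.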
CN201811616085.0A 2018-12-28 2018-12-28 Internet of things access control method and system based on intelligent contract Active CN109617896B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811616085.0A CN109617896B (en) 2018-12-28 2018-12-28 Internet of things access control method and system based on intelligent contract

Publications (2)

Publication Number Publication Date
CN109617896A CN109617896A (en) 2019-04-12
CN109617896B true CN109617896B (en) 2021-07-13

Family

ID=66011682

Country Status (1)

Country Link
CN (1) CN109617896B (en)

Families Citing this family (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110278255B (en) * 2019-06-13 2021-10-15 深圳前海微众银行股份有限公司 Method and device for communication between IOT (Internet of things) devices based on block chain
WO2021035708A1 (en) * 2019-08-30 2021-03-04 Oppo广东移动通信有限公司 Method and apparatus for accessing collection resources, device and storage medium
CN112560077A (en) * 2019-09-10 2021-03-26 北京国双科技有限公司 Access control method, device and system
CN110535880B (en) * 2019-09-25 2022-06-14 四川师范大学 Access control method and system of Internet of things
CN110716441B (en) * 2019-11-08 2021-01-15 北京金茂绿建科技有限公司 Method for controlling intelligent equipment, intelligent home system, equipment and medium
CN110809006A (en) * 2019-11-14 2020-02-18 内蒙古大学 Block chain-based Internet of things access control architecture and method
CN112116348B (en) * 2020-08-12 2024-05-03 北京智融云河科技有限公司 Access control method for node resources
CN112910996B (en) * 2021-01-30 2023-07-28 上海上实龙创智能科技股份有限公司 Internet of things equipment access control method, system, device and storage medium
CN113542117B (en) * 2021-07-09 2022-06-10 重庆邮电大学 Internet of things equipment resource access control method based on hierarchical block chain
CN113938493A (en) * 2021-10-09 2022-01-14 中国人民大学 Point-to-point resource sharing method, system, medium and computing equipment in Internet of things
CN115277168B (en) * 2022-07-25 2023-05-26 绿盟科技集团股份有限公司 Method, device and system for accessing server

Family Cites Families (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107682331B (en) * 2017-09-28 2020-05-12 复旦大学 Block chain-based Internet of things identity authentication method
CN108270780B (en) * 2018-01-08 2020-12-29 中国电子科技集团公司第三十研究所 Multi-center digital identity management method in heterogeneous network environment
CN108763955B (en) * 2018-05-20 2020-11-13 深圳市图灵奇点智能科技有限公司 Travel data sharing method and apparatus, travel data sharing system, and computer storage medium
CN108848063B (en) * 2018-05-24 2021-05-07 苏州朗润创新知识产权运营有限公司 Block chain-based data processing method, system and computer-readable storage medium
CN108965299B (en) * 2018-07-19 2021-06-15 湖南岳麓山数据科学与技术研究院有限公司 Data access method, access verification equipment and data storage system
CN108989357B (en) * 2018-09-12 2021-02-05 中国人民解放军国防科技大学 User authorization and data sharing access control method based on block chain

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant