CN117527276A - Equipment network access method, server, terminal, medium and electronic equipment - Google Patents

Info

Publication number
CN117527276A
Authority
CN (China)
Prior art keywords
certificate, server, information, terminal equipment, terminal
Legal status
Pending
Application number
CN202210900888.9A
Other languages
Chinese (zh)
Inventors
王爱宝, 徐勇, 高加盟, 郭帅旗, 王艳伟, 王凯平, 常青超, 聂乐乐
Current assignee
China Telecom Corp Ltd
Original assignee
China Telecom Corp Ltd

Classifications

    • All classifications fall under H04L (Electricity; Electric communication technique; Transmission of digital information, e.g. telegraphic communication). Leaf codes:
    • H04L63/0823 Network architectures or network communication protocols for network security for authentication of entities using certificates
    • H04L41/0803 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks: configuration management of networks or network elements, configuration setting
    • H04L63/0442 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload, wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
    • H04L63/0869 Network architectures or network communication protocols for network security for authentication of entities for achieving mutual authentication
    • H04L67/141 Network arrangements or protocols for supporting network services or applications: session management, setup of application sessions

Abstract

The disclosure provides a device networking method, a server, a terminal, a medium and electronic equipment, and relates to the technical field of communication. The method is applied to a server and comprises the following steps: receiving a registration request from a third party for a terminal device; in response to receiving the registration request, generating communication link information for the terminal device, a first Certificate Authority (CA) certificate and a first private key for the terminal device, and a second CA certificate and a second private key for the server; in response to completion of the registration, transmitting the communication link information, the first CA certificate and the first private key to the terminal device; receiving a connection request; in response to the connection request, performing bidirectional authentication with the terminal device based on the second CA certificate associated with the device information; establishing an encryption channel with the terminal device based on the second private key according to the bidirectional verification result; and sending network access configuration information to the terminal device over the encryption channel. The method improves the security of device network access.

Description

Equipment network access method, server, terminal, medium and electronic equipment
Technical Field
The disclosure relates to the technical field of communication, and in particular to a device networking method, a server, a terminal, a computer-readable storage medium and an electronic device.
Background
As network attacks grow more severe, attack techniques have diversified and attacks against the network layer are increasing. The security of communication devices is critical: a device is usually assumed to be trustworthy once it is connected to the network, yet an attacker can often forge a communication device and illegally hijack or tamper with its traffic.
How, therefore, to control device shipment and deployment from the source and guarantee that every device joining the network has a unique identity, so as to prevent data leakage, is a technical problem that those skilled in the art need to solve.
It should be noted that the information disclosed in the above background section is only for enhancing understanding of the background of the present disclosure and thus may include information that does not constitute prior art known to those of ordinary skill in the art.
Disclosure of Invention
The disclosure aims to provide a device networking method, a server, a terminal, a medium and electronic equipment, so as to at least solve the technical problem of low device networking security caused by data leakage in the related technology.
Other features and advantages of the present disclosure will be apparent from the following detailed description, or may be learned in part by the practice of the disclosure.
The technical scheme of the present disclosure is as follows:
According to one aspect of the present disclosure, there is provided a device networking method, which is applied to a server, including: receiving a registration request of a third party to the terminal equipment, wherein the third party is used for registering the terminal equipment on a server, and the registration request comprises equipment information and network access configuration information of the terminal equipment; in response to receiving the registration request, generating communication link information of the terminal device, a first Certificate Authority (CA) certificate and a first private key of the terminal device and a second CA certificate and a second private key of the server, and storing the device information, the network access configuration information, the first CA certificate and the first private key of the terminal device and the second CA certificate and the second private key of the server in a correlated manner to complete registration; transmitting communication link information, a first CA certificate and a first private key to the terminal device in response to completion of the registration; receiving a connection request sent by terminal equipment based on communication link information, wherein the connection request comprises equipment information; performing bidirectional authentication on the terminal device based on the second CA certificate associated with the device information in response to the connection request; establishing an encryption channel with the terminal equipment based on the second private key according to the bidirectional verification result; and sending network access configuration information to the terminal equipment based on the encryption channel so as to complete network connection of the terminal equipment.
In some embodiments of the present disclosure, performing bidirectional authentication with the terminal device based on the second CA certificate associated with the device information in response to the connection request includes: acquiring the device information of the terminal device; verifying the device information; if the device information passes verification, sending the second CA certificate to the terminal device; receiving the first CA certificate, which the terminal device sends once the second CA certificate has passed its verification; and verifying the first CA certificate.
In some embodiments of the disclosure, wherein the encryption channel further includes a symmetric encryption channel, establishing the encryption channel with the terminal device based on the second private key according to the bidirectional authentication result includes: if the bidirectional verification result is passed, acquiring an encrypted symmetric key sent by the terminal equipment, wherein the encrypted symmetric key is encrypted by using a second public key in a second CA certificate; decrypting the encrypted symmetric key using the second private key to obtain a symmetric key; and establishing a symmetric encryption channel using the symmetric key.
In some embodiments of the present disclosure, establishing an encrypted channel with the terminal device based on the second private key according to the bidirectional authentication result includes: establishing a terminal equipment list; according to the result of the bidirectional verification, adding the equipment information of the terminal equipment into a terminal equipment list; and sending the terminal equipment list to other terminal equipment of the access network so that the other terminal equipment processes the data request according to the terminal equipment list when receiving the terminal equipment data request.
According to still another aspect of the present disclosure, there is provided a device networking method, applied to a terminal device, including: receiving communication link information, a first certificate authority CA certificate and a first private key which are sent by a server in response to the completion of the registration of the third party to the terminal equipment; transmitting a connection request to a server based on the communication link information, the connection request including device information of the terminal device; performing a two-way authentication on the server based on the device information and the first CA certificate; establishing an encryption channel based on the first private key and the server according to the bidirectional verification result; and receiving the network access configuration information sent by the server based on the encryption channel so as to connect the network according to the network access configuration information.
In some embodiments of the present disclosure, performing bidirectional authentication with the server based on the device information and the first CA certificate includes: receiving the second CA certificate that the server sends after verifying the device information; verifying the second CA certificate; and, if the second CA certificate passes verification, sending the first CA certificate to the server so that the server can verify the first CA certificate.
In some embodiments of the present disclosure, verifying the second CA certificate may further comprise: verifying the certificate owner information and validity period information in the second CA certificate; and/or verifying that the certificate was issued by a legitimate authority by comparing the issuing CA recorded in the second CA certificate with that of the first CA certificate.
In some embodiments of the present disclosure, the encryption channel comprises a symmetric encryption channel, and establishing the encryption channel with the server based on the first private key according to the bi-directional authentication result comprises: generating a symmetric key; encrypting the symmetric key using a second public key in a second CA certificate; and sending the encrypted symmetric key to the server so that the server decrypts the symmetric key based on the second private key to establish a symmetric encryption channel with the terminal equipment based on the symmetric key.
According to still another aspect of the present disclosure, there is provided a server including: a registration request receiving module, configured to receive a registration request of a third party for the terminal device, where the third party is used for registering the terminal device on the server and the registration request comprises device information and network access configuration information of the terminal device; a registration module, configured to respond to the received registration request by generating communication link information of the terminal device, a first Certificate Authority (CA) certificate and a first private key of the terminal device, and a second CA certificate and a second private key of the server, and to store the device information, the network access configuration information, the first CA certificate and the first private key of the terminal device, and the second CA certificate and the second private key of the server in association so as to complete registration; a registration information sending module, configured to send the communication link information, the first CA certificate and the first private key to the terminal device in response to completion of registration; a connection request receiving module, configured to receive a connection request sent by the terminal device based on the communication link information, where the connection request includes the device information; a first bidirectional authentication module, configured to perform bidirectional authentication with the terminal device based on the second CA certificate associated with the device information in response to the connection request; a first channel establishing module, configured to establish an encryption channel with the terminal device based on the second private key according to the bidirectional verification result; and a configuration information sending module, configured to send the network access configuration information to the terminal device over the encryption channel so as to complete the network connection of the terminal device.
According to still another aspect of the present disclosure, there is provided a terminal device including: the registration information receiving module is used for receiving communication link information, a first certificate authority CA certificate and a first private key which are sent by the server in response to the completion of the registration of the third party to the terminal equipment; a connection request sending module, configured to send a connection request to a server based on the communication link information, where the connection request includes device information of the terminal device; a second bidirectional authentication module for performing bidirectional authentication on the server based on the device information and the first CA certificate; the second channel establishing module is used for establishing an encryption channel with the server based on the first private key according to the bidirectional verification result; and the configuration information receiving module is used for receiving the network access configuration information sent by the server based on the encryption channel so as to connect the network according to the network access configuration information.
According to still another aspect of the present disclosure, there is provided an electronic apparatus including: a processor; and a memory for storing executable instructions of the processor; wherein the processor is configured to perform the device networking method described above via execution of the executable instructions.
According to yet another aspect of the present disclosure, there is provided a computer-readable storage medium having stored thereon a computer program which, when executed by a processor, implements the above-described device networking method.
Compared with the prior-art approach of deploying the network access configuration information directly to the terminal device at registration, the device network access method of this embodiment stores the network access configuration information on the authentication server and issues it to the terminal only when the terminal requests network access. This prevents the terminal device from being forged or tampered with before it joins the network, avoids social engineering attacks, and avoids data leakage caused by sensitive data being pushed down to the terminal device.
In addition, by checking the legitimacy of a device before the terminal device joins the network, the method solves the problem of identity verification at network access time and ensures that devices on the network are secure, controllable, trustworthy and traceable.
Further, by verifying identity in both directions, the method also verifies the identity of the authentication server that handles network access, ensures that each device joining the network has a unique identity, and maximizes the security of the network.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the disclosure.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the disclosure and together with the description, serve to explain the principles of the disclosure. It will be apparent to those of ordinary skill in the art that the drawings in the following description are merely examples of the disclosure and that other drawings may be derived from them without undue effort.
Fig. 1 is a schematic diagram illustrating an exemplary system architecture of a device networking method in an embodiment of the present disclosure.
Fig. 2 shows a flowchart of a device networking method performed by a server in an embodiment of the present disclosure.
Fig. 3 shows a flowchart for performing two-way authentication with a terminal device in a device networking method performed by a server in an embodiment of the present disclosure.
Fig. 4 shows a flowchart for establishing a symmetric encryption channel with a terminal device in a device networking method performed by a server in an embodiment of the present disclosure.
Fig. 5 shows a flowchart of a device networking method performed by a terminal device in an embodiment of the present disclosure.
Fig. 6 shows a flowchart for performing two-way authentication with a server in a device networking method performed by a terminal device in an embodiment of the present disclosure.
Fig. 7 shows a flowchart for establishing a symmetric encryption channel with a server in a device networking method performed by a terminal device in an embodiment of the present disclosure.
Fig. 8A shows an interaction schematic diagram of a device networking method in an embodiment of the disclosure.
Fig. 8B is an interaction diagram of a server and a terminal device performing two-way authentication in a device networking method according to an embodiment of the disclosure.
Fig. 9 shows a schematic diagram of a server for performing a device networking method in an embodiment of the disclosure.
Fig. 10 is a schematic diagram of a terminal device for performing a device networking method in an embodiment of the disclosure; and
Fig. 11 is a block diagram illustrating a computer device for performing a device networking method in an embodiment of the present disclosure.
Detailed Description
Example embodiments will now be described more fully with reference to the accompanying drawings. However, the exemplary embodiments may be embodied in many forms and should not be construed as limited to the examples set forth herein; rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the concept of the example embodiments to those skilled in the art. The described features, structures, or characteristics may be combined in any suitable manner in one or more embodiments.
Furthermore, the drawings are merely schematic illustrations of the present disclosure and are not necessarily drawn to scale. The same reference numerals in the drawings denote the same or similar parts, and thus a repetitive description thereof will be omitted. Some of the block diagrams shown in the figures are functional entities and do not necessarily correspond to physically or logically separate entities. These functional entities may be implemented in software or in one or more hardware modules or integrated circuits or in different networks and/or processor devices and/or microcontroller devices.
Furthermore, the terms "first," "second," and the like, are used for descriptive purposes only and are not to be construed as indicating or implying a relative importance or implicitly indicating the number of technical features indicated. Thus, a feature defining "a first" or "a second" may explicitly or implicitly include one or more such feature. In the description of the present disclosure, the meaning of "a plurality" is at least two, such as two, three, etc., unless explicitly specified otherwise.
In view of the technical problems in the related art, an embodiment of the present disclosure provides a device networking method, which is used to at least solve one or all of the technical problems.
Fig. 1 is a schematic diagram illustrating an exemplary system architecture of a device networking method in an embodiment of the present disclosure.
As shown in fig. 1, the system architecture 100 may include a terminal device 120, a communication network 130, and a server 140. The network 130 is the medium used to provide communication links between the terminal devices 120 and the server 140. The network 130 may include various connection types, such as wired, wireless communication links, or fiber optic cables, among others.
Alternatively, the wireless or wired network described above uses standard communication techniques and/or protocols. The network is typically the Internet, but may be any network including, but not limited to, a local area network (LAN), metropolitan area network (MAN), wide area network (WAN), mobile, wired or wireless network, private network, or any combination of virtual private networks. In some embodiments, data exchanged over the network is represented using techniques and/or formats including HyperText Markup Language (HTML), Extensible Markup Language (XML), and the like. All or some of the links may also be encrypted using conventional encryption techniques such as Secure Sockets Layer (SSL), Transport Layer Security (TLS), virtual private network (VPN), Internet Protocol Security (IPsec), and the like. In other embodiments, custom and/or dedicated data communication techniques may also be used in place of or in addition to those described above.
The terminal 120 may be a mobile terminal such as a mobile phone, a game console, a tablet computer, an e-book reader, smart glasses, an MP4 (Moving Picture Experts Group Audio Layer IV) player, a smart home device, an AR (Augmented Reality) device or a VR (Virtual Reality) device, or the terminal 120 may be a personal computer (PC) such as a laptop or a desktop computer.
The terminal 120 may perform the device networking method described herein, and the terminal 120 may also be a third party device for registering the terminal 120 on a server.
The server 140 may comprise several servers, a virtualization platform, or a cloud computing service center. It may provide various services and may include: a third-party device that assists the terminal 120 with device networking by registering the terminal device's information with the authentication server 140; storage for the device information of terminals 120 that have completed registration; and an authentication server that performs the device networking method and is responsible for verifying the identity of the terminal 120 before establishing a network connection with it.
It should be understood that the numbers of terminal devices 120, networks 130, and servers 140 in fig. 1 are merely illustrative. There may be any number of terminal devices, networks, and servers, as the implementation requires.
Terms used across the embodiments of the present application may be cross-referenced and are not repeated.
Hereinafter, each step in the device networking method in the present exemplary embodiment will be described in more detail with reference to the accompanying drawings and examples.
Fig. 2 shows a flowchart of a device networking method performed by a server in an embodiment of the present disclosure. The method provided by the embodiments of the present disclosure may be performed by an authentication server that carries out device networking, such as the server 140 in fig. 1. In the following description, the server 140 of fig. 1 is taken as the entity that performs network access.
As shown in fig. 2, the method 200 may include the steps of:
in step S210, a registration request of a third party for registering the terminal device on the server is received, the registration request including device information and network access configuration information of the terminal device.
Wherein the third party may be another separate terminal device or another separate server for registering the terminal device. The third party and the terminal device are by default interconnected.
The device information of the terminal device may include, but is not limited to, a device ID, a product model number, a central processing unit ID (Central Processing Unit Identity, CPU ID), and a third party device ID. The device ID is a manufacturer unique identification number and has a unified format.
The network access configuration information refers to system configuration and service policies required by the device to complete conventional functions after the device accesses the network, for example, access control policies generated based on an operating system, a device type, or a network address.
The third party is kept independent of the terminal device so that the network access configuration information is not pushed down to the terminal at registration time, since that is what would otherwise expose the terminal device to forgery and tampering before it joins the network.
In step S220, in response to receiving the registration request, the communication link information of the terminal device, the first certificate authority (Certificate Authority, CA) certificate and the first private key of the terminal device, and the second CA certificate and the second private key of the server are generated, and the device information, the network access configuration information, and the first CA certificate and the first private key of the terminal device, and the second CA certificate and the second private key of the server are stored in association to complete the registration.
The communication link information includes the Internet Protocol (IP) address of a proxy server fronting the authentication server and routing information that permits access only to that proxy server.
In step S230, in response to the registration completion, the communication link information, the first CA certificate, and the first private key are transmitted to the terminal device.
The authentication server sends communication link information, a first CA certificate and a first private key to the terminal equipment through a third party.
In step S240, a connection request transmitted by the terminal device based on the communication link information is received, the connection request including the device information.
The terminal equipment is connected with the proxy server according to the IP address and the route information of the proxy server in the communication link information, and sends a network connection request to the proxy server. Wherein the proxy server and the authentication server are interconnected by default.
In step S250, in response to the connection request, bidirectional authentication is performed on the terminal device based on the second CA certificate associated with the device information.
Here the bidirectional authentication means that the authentication server and the terminal device each verify the other. The authentication server looks up the second CA certificate associated with the device information carried in the connection request and uses it for verification.
In step S260, an encryption channel is established with the terminal device based on the second private key according to the bidirectional authentication result.
The bidirectional verification result is either pass or fail: pass means that both the terminal device and the authentication server were verified successfully; fail means that the terminal device and/or the authentication server failed verification.
The encryption channel is the connection over which the encrypted data needed for the terminal device to connect to the authentication server and gain network access is carried. That is, during network access, data exchanged between the authentication server and the terminal device over the encryption channel travels as ciphertext: specifically, the authentication server receives data that the terminal device encrypted with the public key in the second CA certificate and decrypts it with the second private key. This secures the data in transit and makes the network connection more reliable.
In step S270, the network access configuration information is transmitted to the terminal device based on the encrypted channel to complete the network connection of the terminal device.
The authentication server encrypts the network access configuration information with the public key in the first CA certificate and sends it to the terminal device, which decrypts it with the first private key and loads it in order to access the network.
Compared with the prior-art approach of deploying the network access configuration information directly to the terminal device at registration time, here the configuration is stored on the authentication server and issued to the terminal only when the terminal requests network access. This prevents the terminal device from being forged or tampered with before network access, avoids social engineering attacks, and avoids data leakage and similar problems caused by sensitive data residing on the terminal device.
In addition, by checking the legitimacy of the accessing device before the terminal device joins the network, the method solves the problem of identity verification during device network access and ensures that network devices are secure, controllable, trustworthy and traceable within the network.
Further, by verifying the identity information of the terminal device in both directions, the method also verifies the identity of the authentication server that handles network access, ensures that the identity of the accessing device is unique, and improves network security to the greatest extent.
Fig. 3 shows a flowchart for performing two-way authentication with a terminal device in a device networking method performed by a server in an embodiment of the present disclosure. As shown in fig. 3, the method 300 includes:
in step S310, device information of the terminal device is acquired.
The device information is obtained from the connection request sent by the terminal device.
The device information of the terminal device may include, but is not limited to, a device ID, a product model number, a central processing unit ID (CPU ID) and a third-party device ID. The device ID is a manufacturer-assigned unique identification number with a unified format. One or more of the above items serve as identity information that uniquely identifies the device.
In step S320, the device information is verified.
Verifying the device information may include querying whether the terminal device is registered. Specifically, if the authentication server holds registration information stored in association with the device information (the registration information comprising the network access configuration information of the terminal device, together with the first CA certificate, first private key, second CA certificate and second private key that the authentication server generated in response to the registration request), the terminal device has completed registration and the verification passes; if no associated registration information is found, the terminal device has not completed registration and the verification fails.
In step S330, if the device information passes the verification, a second CA certificate is sent to the terminal device.
If the authentication server determines that the terminal device has registered, it sends the second CA certificate associated with the device information to the terminal device for verification; if it determines that the device information is not registered, the bidirectional authentication process ends early.
In step S340, the first CA certificate, which the terminal device sends after the second CA certificate has passed its verification, is received.
In step S350, the first CA certificate is verified.
The authentication server may verify the first CA certificate using a root certificate, which indicates whether the first CA certificate was issued by the authentication server. If the issuing authority (CA) of the first CA certificate is the authentication server, the terminal device passes verification; otherwise, verification fails.
Compared with the prior art, in which the terminal device directly sends its CA certificate to the server for one-way verification, the method improves the security of device network access by means of bidirectional authentication.
Fig. 4 shows a flowchart for establishing a symmetric encryption channel with a terminal device in a device networking method performed by a server in an embodiment of the present disclosure. As shown in fig. 4, the method 400 may include the steps of:
in step S410, if the bidirectional authentication result is pass, the encrypted symmetric key sent by the terminal device is obtained, the symmetric key having been encrypted with the second public key in the second CA certificate.
The second CA certificate is the one sent by the server to the terminal device during bidirectional authentication.
Wherein the symmetric key may be a random number.
In step S420, the encrypted symmetric key is decrypted using the second private key to obtain the symmetric key.
In some embodiments of the present disclosure, the authentication server decrypts the random number with the second private key.
In step S430, a symmetric encryption channel is established using the symmetric key.
In some embodiments of the present disclosure, the authentication server encrypts the data requested by the terminal device using the random number as the symmetric key, so that after receiving the ciphertext the terminal device can decrypt the data returned by the authentication server with the locally stored random number.
According to this embodiment of the disclosure, the symmetric encryption channel between the terminal device and the authentication server is established by means of asymmetric encryption, so that data transmission efficiency is greatly improved while the reliability of network access is preserved.
In some embodiments of the present disclosure, establishing an encryption channel with the terminal device based on the second private key according to the bidirectional authentication result may further include: establishing a terminal device list; adding the device information of the terminal device to the terminal device list according to the bidirectional authentication result; and sending the terminal device list to the other terminal devices on the network, so that when another terminal device receives a data request from the terminal device it processes the request according to the list.
In some embodiments of the present disclosure, the terminal device list may include a whitelist. The authentication server adds the information of terminal devices that pass bidirectional authentication to the whitelist and sends the whitelist to the other terminal devices on the network, so that data connections can be established with them.
In some embodiments of the present disclosure, the terminal device list may also include a blacklist. The authentication server adds the information of terminal devices that fail bidirectional authentication to the blacklist and sends the blacklist to the other terminal devices on the network, so that all data request messages sent by such a terminal device are automatically blocked.
The method of this embodiment identifies, manages and controls networked devices and implements blacklist/whitelist classification of them: verified devices can be placed on the whitelist so that they communicate normally, and unverified devices can be placed on the blacklist so that illegitimate devices cannot access the network. This effectively prevents illegitimate network devices from maliciously stealing or tampering with traffic and ensures that only trusted devices access the network.
Fig. 5 shows a flowchart of a device networking method performed by a terminal device in an embodiment of the present disclosure. The method 500 corresponds to the method 200 of fig. 2. As shown in fig. 5, the method 500 may include the steps of:
In step S510, the communication link information, the first certificate authority (CA) certificate and the first private key, sent by the server in response to the completion of the terminal device's registration by the third party, are received.
The server is the authentication server, responsible for verifying the identity of the terminal device in order to establish the terminal's network connection.
The third party may be an independent terminal device or an independent server, and is configured to register the device information of the terminal device with the authentication server. The third party and the terminal device are interconnected by default. In some embodiments of the present disclosure, the terminal device receives the above communication link information, first CA certificate and first private key, transmitted by the authentication server, via the third party.
The communication link information includes the IP address of the authentication server's proxy server and routing information that permits access to the proxy server only. The authentication server and the proxy server are connected by default.
The first CA certificate and the first private key are generated by the authentication server in response to the registration of the terminal device.
In step S520, a connection request including device information of the terminal device is transmitted to the server based on the communication link information.
The terminal device sends a connection request to the authentication server through the proxy server.
The device information uniquely identifies the terminal device and may include, but is not limited to, a device ID, a product model number, a central processing unit ID (CPU ID) and a third-party device ID. The device ID is a manufacturer-assigned unique identification number with a unified format.
In step S530, bidirectional authentication is performed on the server based on the device information and the first CA certificate.
The bidirectional authentication comprises mutual authentication of the terminal device and the authentication server. In some embodiments of the present disclosure, the terminal device transmits its device information and its own CA certificate, in turn, to the proxy server in order to perform mutual authentication with the authentication server.
In step S540, an encryption channel is established with the server based on the first private key according to the bidirectional authentication result.
The bidirectional authentication result is similar to step S260 in fig. 2, and will not be described here again.
The terminal encrypts data with the public key in the second CA certificate, and the authentication server decrypts it with the second private key, so that network data transmission is secured and the network connection is more reliable.
In step S550, the network access configuration information transmitted by the server is received based on the encrypted channel to connect the network according to the network access configuration information.
The terminal device receives the network access configuration information, which the authentication server has encrypted with the first CA certificate, decrypts it with the first private key, and loads the resulting configuration in order to access the network.
Compared with the prior-art approach, in which the terminal device performs network access directly according to configuration information obtained at registration, here the terminal device obtains the network access configuration information only when connecting for network access. This effectively prevents the terminal device from being forged or tampered with before network access, avoids social engineering attacks, and avoids data leakage and similar problems caused by sensitive data residing on the terminal device.
In addition, by checking the legitimacy of the accessing device before the terminal device joins the network, the method solves the problem of identity verification during device network access and ensures that network devices are secure, controllable, trustworthy and traceable within the network.
Further, by verifying the identity information of the terminal device in both directions, the method also verifies the identity of the authentication server that handles network access, ensures that the identity of the accessing device is unique, and improves network security to the greatest extent.
Fig. 6 shows a flowchart for performing two-way authentication with a server in a device networking method performed by a terminal device in an embodiment of the present disclosure. The method 600 corresponds to the method 300 of fig. 3.
In step S610, the second CA certificate, sent by the server after it has verified the device information, is received.
Verifying the device information may include the server querying whether the terminal device has registered, that is, looking up the network access configuration information associated with the device information together with the terminal device's first CA certificate and first private key and the second CA certificate and second private key.
In step S620, the second CA certificate is verified.
The method by which the terminal device verifies the second CA certificate may include, but is not limited to, verifying the certificate owner information and validity period information in the second CA certificate; and/or verifying whether the certificate was issued by a legitimate authority by comparing the issuing authority (CA) in the second CA certificate with that of the first CA certificate.
In step S630, if the second CA certificate passes the verification, the first CA certificate is sent to the server to cause the server to verify the first CA certificate.
In some embodiments of the present disclosure, the second CA certificate passes verification when the certificate owner in the second CA certificate is the authentication server, and/or the validity period of the second CA certificate has not expired, and/or the issuing authority of the second CA certificate is consistent with that of the first CA certificate; otherwise the second CA certificate fails verification. In some embodiments of the present disclosure, if the second CA certificate fails verification, the terminal stops the mutual authentication and does not send the first CA certificate to the server.
Compared with the prior art, in which the terminal device directly sends its CA certificate to the server for one-way verification, the method improves the security of device network access by means of bidirectional authentication.
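The two halves of the handshake in figs. 3 and 6 (S310-S350 on the server, S610-S630 on the terminal) as an added Go example, not code from the patent: the registry lookup, the terminal-side owner, validity and issuer checks of the second CA certificate, and the server-side root-certificate check of the first CA certificate, all with Go's standard crypto/x509. The subject names, the Ed25519 keys, the 24-hour validity and the additional check that the presented first CA certificate equals the one stored at registration are assumptions of this example; the patent fixes none of them.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// authServerCN is a constructed subject name; the patent fixes no naming scheme.
const authServerCN = "auth-server.example"

// issue generates an Ed25519 key and a 24-hour certificate for cn, signed by
// parent/parentKey or self-signed as a root when parent is nil.
func issue(cn string, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader) // constructed setup; rand.Reader does not fail
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, BasicConstraintsValid: true,
	}
	if parent == nil { // root: may sign other certificates
		tmpl.IsCA = true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// AuthServer: root, own second CA certificate, and the S220 registry (device ID -> first CA certificate).
type AuthServer struct {
	root, cert *x509.Certificate
	registry   map[string]*x509.Certificate
}

// VerifyDeviceCert is S350: the first CA certificate must chain to the server's
// root; as an added binding it must also be the one registered for this device.
func (s *AuthServer) VerifyDeviceCert(deviceID string, first *x509.Certificate) error {
	pool := x509.NewCertPool()
	pool.AddCert(s.root)
	opts := x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := first.Verify(opts); err != nil {
		return fmt.Errorf("first CA certificate not issued by this server: %w", err)
	}
	if reg := s.registry[deviceID]; reg == nil || !bytes.Equal(first.Raw, reg.Raw) {
		return fmt.Errorf("certificate does not match the one registered for %q", deviceID)
	}
	return nil
}

// TerminalVerifyServerCert is S620: owner, validity period, and an issuer equal to
// that of the terminal's own first CA certificate. Equal issuer names alone do not
// prove the signature; a deployment should additionally pin the root.
func TerminalVerifyServerCert(second, first *x509.Certificate, now time.Time) error {
	switch {
	case second.Subject.CommonName != authServerCN:
		return fmt.Errorf("certificate owner is not the authentication server")
	case now.Before(second.NotBefore) || now.After(second.NotAfter):
		return fmt.Errorf("second CA certificate is outside its validity period")
	case !bytes.Equal(second.RawIssuer, first.RawIssuer):
		return fmt.Errorf("issuing authority differs from the first CA certificate's")
	}
	return nil
}

// Setup is the S220 issuance for one constructed device: root, server (second) and device (first) certificates.
func Setup(deviceID string) (*AuthServer, *x509.Certificate) {
	root, rootKey := issue("device-network-root", nil, nil)
	second, _ := issue(authServerCN, root, rootKey) // private keys are not needed for the checks below
	first, _ := issue(deviceID, root, rootKey)
	return &AuthServer{root: root, cert: second, registry: map[string]*x509.Certificate{deviceID: first}}, first
}

// MutualAuth runs S8102-S8110: registration check and second CA certificate
// from the server, terminal-side check of it, then server-side check of the
// terminal's first CA certificate. nil means both sides passed.
func MutualAuth(s *AuthServer, deviceID string, first *x509.Certificate) error {
	if _, ok := s.registry[deviceID]; !ok {
		return fmt.Errorf("device %q is not registered; handshake ended early", deviceID)
	}
	if err := TerminalVerifyServerCert(s.cert, first, time.Now()); err != nil {
		return err
	}
	return s.VerifyDeviceCert(deviceID, first)
}

func main() {
	s, first := Setup("DEV-0001") // constructed device ID
	fmt.Println(MutualAuth(s, "DEV-0001", first), MutualAuth(s, "DEV-9999", first))
}
```

Only certificates are exchanged, as in the patent text; proof that each side holds the matching private key would come from the transport (for example TLS) in a deployment.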
Fig. 7 shows a flowchart for establishing a symmetric encryption channel with a server in a device networking method performed by a terminal device in an embodiment of the present disclosure. Method 700 corresponds to method 400 of fig. 4. As shown in fig. 7, the method 700 may include the following steps:
in step S710, a symmetric key is generated.
In step S720, the symmetric key is encrypted using the second public key in the second CA certificate.
In step S730, the encrypted symmetric key is sent to the server to enable the server to decrypt the symmetric key based on the second private key, so as to establish a symmetric encryption channel with the terminal device based on the symmetric key.
In some embodiments of the present disclosure, after the terminal device has obtained the server's second CA certificate during bidirectional authentication, it generates a random number as the symmetric key, encrypts the random number with the second public key in the second CA certificate and sends it to the authentication server, so that the authentication server can exchange data with the terminal device using the symmetric key.
According to this embodiment of the disclosure, the symmetric encryption channel between the terminal device and the authentication server is established by means of asymmetric encryption, so that data transmission efficiency is greatly improved while the reliability of network access is preserved.
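The key exchange of figs. 4 and 7 (S710-S730 on the terminal, S410-S430 on the server) and the S270 delivery over the resulting channel, as an added Go example, not code from the patent: a 256-bit random key wrapped with RSA-OAEP under the second public key, unwrapped with the second private key, then AES-256-GCM for the data. RSA-2048, OAEP with SHA-256, AES-GCM, the OAEP label and the direction label are this example's choices; the patent only fixes that a random number is encrypted asymmetrically. A key wrapped this way has no forward secrecy: whoever later obtains the second private key can recover every session key it protected.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// oaepLabel is a constructed context string bound into the RSA-OAEP wrapping.
const oaepLabel = "device-network-access symmetric key"

// Channel is the symmetric encryption channel of S430/S730: AES-256-GCM under the
// shared random key, a fresh nonce per message, and the direction as associated data.
type Channel struct{ aead cipher.AEAD }

// NewChannel expects the 32-byte key produced by TerminalKeyExchange.
func NewChannel(key []byte) *Channel {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // only reachable with a key length other than 16/24/32 bytes
	}
	aead, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return &Channel{aead: aead}
}

// Seal returns nonce || ciphertext || tag. The direction label is authenticated
// so a message cannot be replayed back to the side that produced it.
func (c *Channel) Seal(direction string, plaintext []byte) ([]byte, error) {
	nonce := make([]byte, c.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return c.aead.Seal(nonce, nonce, plaintext, []byte(direction)), nil
}

// Open reverses Seal and fails on any tampering or on a wrong direction label.
func (c *Channel) Open(direction string, msg []byte) ([]byte, error) {
	n := c.aead.NonceSize()
	if len(msg) < n+c.aead.Overhead() {
		return nil, errors.New("message too short")
	}
	return c.aead.Open(nil, msg[:n], msg[n:], []byte(direction))
}

// NewServerKey stands in for the second private key generated at S220.
func NewServerKey() *rsa.PrivateKey {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return priv
}

// TerminalKeyExchange is S710-S720: the terminal draws a 256-bit random key and wraps
// it with RSA-OAEP under the second public key taken from the second CA certificate.
func TerminalKeyExchange(serverPub *rsa.PublicKey) (key, wrapped []byte, err error) {
	key = make([]byte, 32)
	if _, err = rand.Read(key); err != nil {
		return nil, nil, err
	}
	wrapped, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, serverPub, key, []byte(oaepLabel))
	return key, wrapped, err
}

// ServerUnwrapKey is S420: only the holder of the second private key recovers the key.
func ServerUnwrapKey(serverPriv *rsa.PrivateKey, wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, serverPriv, wrapped, []byte(oaepLabel))
}

// Exchange runs S710-S730 / S410-S430 between an in-process terminal and server, then
// delivers the network access configuration over the channel as at S270 and returns
// it as decrypted by the terminal. Only `wrapped` and `msg` would cross the wire.
func Exchange(serverPriv *rsa.PrivateKey, netConfig []byte) ([]byte, error) {
	termKey, wrapped, err := TerminalKeyExchange(&serverPriv.PublicKey)
	if err != nil {
		return nil, err
	}
	srvKey, err := ServerUnwrapKey(serverPriv, wrapped)
	if err != nil {
		return nil, err
	}
	msg, err := NewChannel(srvKey).Seal("server->terminal", netConfig)
	if err != nil {
		return nil, err
	}
	return NewChannel(termKey).Open("server->terminal", msg)
}

func main() {
	// Constructed configuration payload; the patent does not fix its format.
	got, err := Exchange(NewServerKey(), []byte("ssid=corp-iot;vlan=42"))
	fmt.Printf("terminal received %q, err=%v\n", got, err)
}
```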
Fig. 8A shows an interaction schematic diagram of a device networking method in an embodiment of the disclosure. As shown in fig. 8A, method 800 includes a registration phase and a network access phase of the terminal device 800a.
Wherein the registration phase may comprise the steps of:
in step S802, a registration request is transmitted to the server 800c by the third party 800b connected to the terminal device 800a.
In step S804, the communication link information of the terminal device 800a, the first CA certificate and the first private key of the terminal device 800a, and the second CA certificate and the second private key of the server 800c are generated by the server 800c and stored in association.
In step S806, the communication link information, the first CA certificate and the first private key are transmitted to the terminal device 800a by the server 800c through the third party 800b.
Wherein, the network access stage may include the following steps:
in step S808, a connection request including device information is transmitted by the terminal device 800a to the server 800c based on the communication link information.
In step S810, bidirectional authentication is performed by the server 800c on the terminal device 800a based on the second CA certificate associated with the device information in response to the connection request.
In step S812, an encrypted channel is established with the terminal device 800a based on the second private key according to the bidirectional authentication result.
In step S814, the network access configuration information is transmitted to the terminal device 800a by the server 800c based on the encrypted channel to complete the network connection of the terminal device 800a.
In some embodiments of the present disclosure, step S810 may be the interaction process shown in fig. 8B, which illustrates an interaction schematic diagram of bidirectional authentication between the server 800c and the terminal device 800a in the device networking method of the embodiments of the present disclosure.
As shown in fig. 8B, the method may include the following steps:
in step S8102, the device information transmitted by the terminal device 800a is verified by the server 800c.
In step S8104, if the device information passes verification, the server 800c transmits the second CA certificate to the terminal device 800a.
In step S8106, the second CA certificate is verified by the terminal device 800a.
In step S8108, if the second CA certificate passes verification, the terminal device 800a transmits the first CA certificate to the server 800c.
In step S8110, the first CA certificate transmitted by the terminal device 800a is verified by the server 800c.
With respect to the terminal device 800a, the third party 800b and the server 800c in the above embodiments, a specific manner of performing the respective steps has been described in detail in the embodiments regarding the method, and will not be described in detail herein.
It is noted that the above-described figures are only schematic illustrations of processes involved in a method according to an exemplary embodiment of the invention, and are not intended to be limiting. It will be readily appreciated that the processes shown in the above figures do not indicate or limit the temporal order of these processes. In addition, it is also readily understood that these processes may be performed synchronously or asynchronously, for example, among a plurality of modules.
Fig. 9 shows a schematic diagram of a server for performing a device networking method in an embodiment of the disclosure. As shown in fig. 9, the server 900 may include the following modules:
a registration request receiving module 910, configured to receive a registration request of a third party for a terminal device, where the third party is configured to register the terminal device in a server, and the registration request includes device information and network access configuration information of the terminal device;
a registration module 920, configured to generate, in response to receiving the registration request, communication link information of the terminal device, a first certificate authority (CA) certificate and a first private key of the terminal device, and a second CA certificate and a second private key of the server, and to store the device information, the network access configuration information, the first CA certificate and first private key of the terminal device, and the second CA certificate and second private key of the server in association to complete registration;
A registration information transmitting module 930 configured to transmit, in response to completion of registration, communication link information, a first CA certificate and a first private key to the terminal device;
a connection request receiving module 940, configured to receive a connection request sent by a terminal device based on the communication link information, where the connection request includes device information;
a first bidirectional authentication module 950 for performing bidirectional authentication on the terminal device based on the second CA certificate associated with the device information in response to the connection request;
a first channel establishing module 960, configured to establish an encrypted channel with the terminal device based on the second private key according to the bidirectional authentication result; and
the configuration information sending module 970 is configured to send network access configuration information to the terminal device based on the encrypted channel to complete network connection of the terminal device.
In some embodiments of the present disclosure, the first bidirectional authentication module 950 may also be used to obtain the device information of the terminal device; verify the device information; if the device information passes verification, send the second CA certificate to the terminal device; receive the first CA certificate sent by the terminal device after the second CA certificate passes verification; and verify the first CA certificate.
In some embodiments of the present disclosure, the encryption channel includes a symmetric encryption channel, and if the bidirectional authentication result is passed, the first channel setup module 960 may be further configured to obtain an encrypted symmetric key sent by the terminal device, where the encrypted symmetric key is encrypted using a second public key in the second CA certificate; decrypting the encrypted symmetric key using the second private key to obtain a symmetric key; and establishing a symmetric encryption channel using the symmetric key.
In some embodiments of the present disclosure, server 900 may also include a list module that may be used to build a list of terminal devices; according to the result of the bidirectional verification, adding the equipment information of the terminal equipment into a terminal equipment list; and sending the terminal equipment list to other terminal equipment of the access network so that the other terminal equipment processes the data request according to the terminal equipment list when receiving the terminal equipment data request.
Fig. 10 is a schematic diagram of a terminal device for performing a device networking method in an embodiment of the disclosure. As shown in fig. 10, the terminal device 1000 may include the following modules:
a registration information receiving module 1010, configured to receive communication link information, a first certificate authority CA certificate, and a first private key that are sent by a server in response to completion of registration of a terminal device by a third party;
a connection request transmitting module 1020 for transmitting a connection request to the server based on the communication link information, the connection request including device information of the terminal device;
a second bidirectional authentication module 1030 for performing bidirectional authentication on the server based on the device information and the first CA certificate;
the second channel establishing module 1040 is configured to establish an encrypted channel with the server based on the first private key according to the bidirectional authentication result;
The configuration information receiving module 1050 is configured to receive the network access configuration information sent by the server based on the encryption channel, so as to connect to the network according to the network access configuration information.
In some embodiments of the present disclosure, the second bidirectional authentication module 1030 may also be configured to receive the second CA certificate sent by the server after the device information passes verification; verify the second CA certificate; and, if the second CA certificate passes verification, send the first CA certificate to the server so that the server can verify the first CA certificate.
In some embodiments of the present disclosure, verifying the second CA certificate may further comprise: verifying certificate owner information and validity period information in the second CA certificate; and/or verifying whether the certificate is issued by a legal authority based on the first CA certificate being compared with an issuing authority CA in the second CA certificate.
In some embodiments of the present disclosure, the encryption channel further comprises a symmetric encryption channel, and the second channel setup module 1040 may be further configured to generate a symmetric key; encrypting the symmetric key using a second public key in a second CA certificate; and sending the encrypted symmetric key to the server so that the server decrypts the symmetric key based on the second private key to establish a symmetric encryption channel with the terminal equipment based on the symmetric key.
The specific manner in which the respective modules perform the operations in relation to the server and the terminal device in the above embodiments has been described in detail in relation to the embodiments of the method, and will not be described in detail here.
Those skilled in the art will appreciate that the various aspects of the invention may be implemented as a system, method, or program product. Accordingly, aspects of the invention may be embodied in the following forms, namely: an entirely hardware embodiment, an entirely software embodiment (including firmware, micro-code, etc.) or an embodiment combining hardware and software aspects, which may be referred to herein as a "circuit," "module" or "system."
An electronic device 1100 according to this embodiment of the invention is described below with reference to fig. 11. The electronic device 1100 shown in fig. 11 is merely an example, and should not be construed as limiting the functionality and scope of use of embodiments of the present invention.
As shown in fig. 11, the electronic device 1100 is embodied in the form of a general-purpose computing device. Components of the electronic device 1100 may include, but are not limited to: at least one processing unit 1110, at least one storage unit 1120, and a bus 1130 connecting the different system components (including the storage unit 1120 and the processing unit 1110).
The storage unit stores program code executable by the processing unit 1110, such that the processing unit 1110 performs the steps according to the various exemplary embodiments of the present invention described in the "exemplary methods" section above. For example, the processing unit 1110 may perform S210 as shown in fig. 2: receiving a registration request for a terminal device from a third party, where the third party is used to register the terminal device on a server and the registration request includes device information and network access configuration information of the terminal device; S220: in response to receiving the registration request, generating communication link information of the terminal device, a first certificate authority (CA) certificate and a first private key of the terminal device, and a second CA certificate and a second private key of the server, and storing the device information, the network access configuration information, the first CA certificate and first private key of the terminal device, and the second CA certificate and second private key of the server in association to complete registration; S230: in response to the completion of registration, sending the communication link information, the first CA certificate and the first private key to the terminal device; S240: receiving a connection request sent by the terminal device based on the communication link information, the connection request comprising the device information; S250: performing bidirectional authentication on the terminal device based on the second CA certificate associated with the device information in response to the connection request; S260: establishing an encryption channel with the terminal device based on the second private key according to the bidirectional authentication result; and S270: sending the network access configuration information to the terminal device based on the encryption channel to complete the network connection of the terminal device.
The storage unit 1120 may include a readable medium in the form of a volatile storage unit, such as a Random Access Memory (RAM) 1121 and/or a cache memory 1122, and may further include a Read Only Memory (ROM) 1123.
Storage unit 1120 may also include a program/utility 1124 having a set (at least one) of program modules 1125, such program modules 1125 including, but not limited to: an operating system, one or more application programs, other program modules, and program data, each or some combination of which may include an implementation of a network environment.
The bus 1130 may be a local bus representing one or more of several types of bus structures, including a memory unit bus or memory unit controller, a peripheral bus, an accelerated graphics port, a processing unit, or a bus using any of a variety of bus architectures.
The electronic device 1100 may also communicate with one or more external devices (e.g., keyboard, pointing device, Bluetooth device, etc.), one or more devices that enable a user to interact with the electronic device 1100, and/or any device (e.g., router, modem, etc.) that enables the electronic device 1100 to communicate with one or more other computing devices. Such communication may occur through an input/output (I/O) interface 1150. Also, electronic device 1100 can communicate with one or more networks such as a Local Area Network (LAN), a Wide Area Network (WAN), and/or a public network, such as the Internet, through network adapter 1160. As shown, network adapter 1160 communicates with other modules of electronic device 1100 via bus 1130. It should be appreciated that although not shown, other hardware and/or software modules may be used in connection with electronic device 1100, including, but not limited to: microcode, device drivers, redundant processing units, external disk drive arrays, RAID systems, tape drives, data backup storage systems, and the like.
In an exemplary embodiment of the present disclosure, a computer-readable storage medium having stored thereon a program product capable of implementing the method described above in the present specification is also provided. In some possible embodiments, the various aspects of the invention may also be implemented in the form of a program product comprising program code for causing a terminal device to carry out the steps according to the various exemplary embodiments of the invention as described in the "exemplary methods" section of this specification, when said program product is run on the terminal device.
A program product for implementing the above-described method according to an embodiment of the present invention may employ a portable compact disc read-only memory (CD-ROM) and include program code, and may be run on a terminal device, such as a personal computer. However, the program product of the present invention is not limited thereto, and in this document, a readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device.
The program product may employ any combination of one or more readable media. The readable medium may be a readable signal medium or a readable storage medium. The readable storage medium can be, for example, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or a combination of any of the foregoing. More specific examples (a non-exhaustive list) of the readable storage medium would include the following: an electrical connection having one or more wires, a portable disk, a hard disk, Random Access Memory (RAM), Read-Only Memory (ROM), Erasable Programmable Read-Only Memory (EPROM or flash memory), optical fiber, portable Compact Disc Read-Only Memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
The computer readable signal medium may include a data signal propagated in baseband or as part of a carrier wave with readable program code embodied therein. Such a propagated data signal may take any of a variety of forms, including, but not limited to, electro-magnetic, optical, or any suitable combination of the foregoing. A readable signal medium may also be any readable medium that is not a readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device.
Program code embodied on a readable medium may be transmitted using any appropriate medium, including but not limited to wireless, wireline, optical fiber cable, RF, etc., or any suitable combination of the foregoing.
Program code for carrying out operations of the present invention may be written in any combination of one or more programming languages, including an object-oriented programming language such as Java or C++ and conventional procedural programming languages such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computing device, partly on the user's device as a stand-alone software package, partly on the user's computing device and partly on a remote computing device, or entirely on the remote computing device or server. In the latter case, the remote computing device may be connected to the user's computing device through any kind of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or the connection may be made to an external computing device (e.g., via the Internet using an Internet service provider).
It should be noted that although in the above detailed description several modules or units of a device for action execution are mentioned, such a division is not mandatory. Indeed, the features and functionality of two or more modules or units described above may be embodied in one module or unit in accordance with embodiments of the present disclosure. Conversely, the features and functions of one module or unit described above may be further divided into a plurality of modules or units to be embodied.
Furthermore, although the steps of the methods in the present disclosure are depicted in a particular order in the drawings, this does not require or imply that the steps must be performed in that particular order or that all illustrated steps be performed in order to achieve desirable results. Additionally or alternatively, certain steps may be omitted, multiple steps combined into one step to perform, and/or one step decomposed into multiple steps to perform, etc.
From the above description of embodiments, those skilled in the art will readily appreciate that the example embodiments described herein may be implemented in software, or may be implemented in software in combination with the necessary hardware. Thus, the technical solution according to the embodiments of the present disclosure may be embodied in the form of a software product, which may be stored in a non-volatile storage medium (may be a CD-ROM, a U-disk, a mobile hard disk, etc.) or on a network, including several instructions to cause a computing device (may be a personal computer, a server, a mobile terminal, or a network device, etc.) to perform the method according to the embodiments of the present disclosure.
Other embodiments of the disclosure will be apparent to those skilled in the art from consideration of the specification and practice of the disclosure disclosed herein. This application is intended to cover any variations, uses, or adaptations of the disclosure following, in general, the principles of the disclosure and including such departures from the present disclosure as come within known or customary practice within the art to which the disclosure pertains. It is intended that the specification and examples be considered as exemplary only, with a true scope and spirit of the disclosure being indicated by the following claims.

Claims (12)

1. A device network access method, applied to a server, the method comprising:
receiving a registration request for a terminal device from a third party, wherein the third party is used to register the terminal device on the server, and the registration request comprises device information and network access configuration information of the terminal device;
in response to receiving the registration request, generating communication link information of the terminal device, a first certificate authority (CA) certificate and a first private key of the terminal device, and a second CA certificate and a second private key of the server, and storing the device information, the network access configuration information, the first CA certificate and the first private key of the terminal device, and the second CA certificate and the second private key of the server in association with one another to complete registration;
in response to completion of the registration, sending the communication link information, the first CA certificate and the first private key to the terminal device;
receiving a connection request sent by the terminal device based on the communication link information, wherein the connection request comprises the device information;
in response to the connection request, performing bidirectional authentication on the terminal device based on the second CA certificate associated with the device information;
establishing an encrypted channel with the terminal device based on the second private key according to a result of the bidirectional authentication; and
sending the network access configuration information to the terminal device over the encrypted channel to complete network connection of the terminal device.
2. The device network access method of claim 1, wherein performing bidirectional authentication on the terminal device based on the second CA certificate associated with the device information in response to the connection request comprises:
acquiring the device information of the terminal device;
verifying the device information;
if the device information passes verification, sending the second CA certificate to the terminal device;
receiving the first CA certificate sent by the terminal device after the second CA certificate passes verification; and
verifying the first CA certificate.
3. The device network access method of claim 2, wherein the encrypted channel comprises a symmetric encrypted channel, and establishing the encrypted channel with the terminal device based on the second private key according to the result of the bidirectional authentication comprises:
if the result of the bidirectional authentication is a pass, acquiring an encrypted symmetric key sent by the terminal device, wherein the encrypted symmetric key is encrypted using a second public key in the second CA certificate;
decrypting the encrypted symmetric key using the second private key to obtain the symmetric key; and
establishing the symmetric encrypted channel using the symmetric key.
4. The device network access method of claim 2, wherein establishing the encrypted channel with the terminal device based on the second private key according to the result of the bidirectional authentication comprises:
establishing a terminal device list;
adding the device information of the terminal device to the terminal device list according to the result of the bidirectional authentication; and
sending the terminal device list to other terminal devices that have accessed the network, so that when another terminal device receives a data request from the terminal device, it processes the data request according to the terminal device list.
5. A device network access method, applied to a terminal device, the method comprising:
receiving communication link information, a first certificate authority (CA) certificate and a first private key sent by a server in response to completion of registration of the terminal device by a third party;
sending a connection request to the server based on the communication link information, the connection request comprising device information of the terminal device;
performing bidirectional authentication on the server based on the device information and the first CA certificate;
establishing an encrypted channel with the server based on the first private key according to a result of the bidirectional authentication; and
receiving network access configuration information sent by the server over the encrypted channel, so as to connect to a network according to the network access configuration information.
6. The device network access method of claim 5, wherein performing bidirectional authentication on the server based on the device information and the first CA certificate comprises:
receiving a second CA certificate sent by the server in response to the device information passing verification;
verifying the second CA certificate; and
if the second CA certificate passes verification, sending the first CA certificate to the server so that the server verifies the first CA certificate.
7. The device network access method of claim 6, wherein verifying the second CA certificate comprises:
verifying certificate owner information and validity period information in the second CA certificate; and/or
verifying whether the second CA certificate was issued by a legitimate authority by comparing the first CA certificate with the issuing authority CA recorded in the second CA certificate.
8. The device network access method of claim 7, wherein the encrypted channel comprises a symmetric encrypted channel, and establishing the encrypted channel with the server based on the first private key according to the result of the bidirectional authentication comprises:
generating a symmetric key;
encrypting the symmetric key using a second public key in the second CA certificate; and
sending the encrypted symmetric key to the server, so that the server decrypts the symmetric key based on the second private key and establishes the symmetric encrypted channel with the terminal device based on the symmetric key.
9. A server, comprising:
a registration request receiving module, configured to receive a registration request for a terminal device from a third party, wherein the third party is configured to register the terminal device with the server, and the registration request comprises device information and network access configuration information of the terminal device;
a registration module, configured to generate, in response to receiving the registration request, communication link information of the terminal device, a first certificate authority (CA) certificate and a first private key of the terminal device, and a second CA certificate and a second private key of the server, and to store the device information, the network access configuration information, the first CA certificate and the first private key of the terminal device, and the second CA certificate and the second private key of the server in association with one another to complete registration;
a registration information sending module, configured to send, in response to completion of the registration, the communication link information, the first CA certificate and the first private key to the terminal device;
a connection request receiving module, configured to receive a connection request sent by the terminal device based on the communication link information, wherein the connection request comprises the device information;
a first bidirectional authentication module, configured to perform bidirectional authentication on the terminal device based on the second CA certificate associated with the device information in response to the connection request;
a first channel establishing module, configured to establish an encrypted channel with the terminal device based on the second private key according to a result of the bidirectional authentication; and
a configuration information sending module, configured to send the network access configuration information to the terminal device over the encrypted channel to complete network connection of the terminal device.
10. A terminal device, comprising:
a registration information receiving module, configured to receive communication link information, a first certificate authority (CA) certificate and a first private key sent by a server in response to completion of registration of the terminal device by a third party;
a connection request sending module, configured to send a connection request to the server based on the communication link information, wherein the connection request comprises device information of the terminal device;
a second bidirectional authentication module, configured to perform bidirectional authentication on the server based on the device information and the first CA certificate;
a second channel establishing module, configured to establish an encrypted channel with the server based on the first private key according to a result of the bidirectional authentication; and
a configuration information receiving module, configured to receive network access configuration information sent by the server over the encrypted channel, so as to connect to a network according to the network access configuration information.
11. An electronic device, comprising:
a processor; and
a memory for storing instructions executable by the processor;
wherein the processor is configured to perform the device network access method of any one of claims 1 to 4 or claims 5 to 8 by executing the executable instructions.
12. A computer-readable storage medium having stored thereon a computer program, wherein the computer program, when executed by a processor, implements the device network access method of any one of claims 1 to 4 or claims 5 to 8.
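The connection phase of the claims (S240 to S270 of the description; claims 2, 3, 6, 7 and 8), carried through end to end as an added Go example that is not part of the patent or of any China Telecom product. Because the text leaves them open, the example assumes that the "first" and "second CA certificate" are two leaf certificates issued by one root CA that both sides trust, that the symmetric key is wrapped with RSA-OAEP and that the channel is AES-256-GCM; the names onboarding-server and device-0001 and the configuration string are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issueCert has the CA sign a certificate for cn; with parent == nil it self-signs the root (CertSign only matters there).
func issueCert(cn string, pub any, parent *x509.Certificate, caKey *rsa.PrivateKey) *x509.Certificate {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), IsCA: parent == nil,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment | x509.KeyUsageCertSign}
	if parent == nil {
		parent = tmpl
	}
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, caKey))))
}

// verifyPeer is the check of claim 7 (mirrored by the server in claim 2): owner first, then chain, signature and validity against the root.
func verifyPeer(peer *x509.Certificate, wantCN string, root *x509.Certificate) error {
	if peer.Subject.CommonName != wantCN {
		return errors.New("certificate owner mismatch")
	}
	roots := x509.NewCertPool()
	roots.AddCert(root)
	_, err := peer.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err
}

// Onboard runs S250..S270 between constructed parties (one shared root CA, RSA key pairs for server and device) and returns the configuration as the device decrypted it.
func Onboard(cfg string) (string, error) {
	caKey, srvKey := must(rsa.GenerateKey(rand.Reader, 2048)), must(rsa.GenerateKey(rand.Reader, 2048))
	devKey := must(rsa.GenerateKey(rand.Reader, 2048))
	root := issueCert("Onboarding Root CA", &caKey.PublicKey, nil, caKey)
	srvCert := issueCert("onboarding-server", &srvKey.PublicKey, root, caKey) // the "second CA certificate"
	devCert := issueCert("device-0001", &devKey.PublicKey, root, caKey)       // the "first CA certificate"
	// S250: the device checks the server certificate (claims 6, 7) and the server checks the device's (claim 2); in the protocol the second check only follows a successful first one.
	if err := errors.Join(verifyPeer(srvCert, "onboarding-server", root), verifyPeer(devCert, "device-0001", root)); err != nil {
		return "", err
	}
	// S260: the device wraps a fresh symmetric key with the second public key (claim 8); the server unwraps it with the second private key (claim 3).
	sessionKey := make([]byte, 32)
	must(rand.Read(sessionKey))
	wrapped := must(rsa.EncryptOAEP(sha256.New(), rand.Reader, &srvKey.PublicKey, sessionKey, nil))
	serverKey := must(rsa.DecryptOAEP(sha256.New(), rand.Reader, srvKey, wrapped, nil))
	// S270: the configuration is sent only inside the AES-256-GCM channel; the device opens it with its own copy of the key.
	nonce := make([]byte, 12)
	must(rand.Read(nonce))
	sealed := must(cipher.NewGCM(must(aes.NewCipher(serverKey)))).Seal(nonce, nonce, []byte(cfg), nil)
	plain, err := must(cipher.NewGCM(must(aes.NewCipher(sessionKey)))).Open(nil, sealed[:12], sealed[12:], nil)
	return string(plain), err
}

func main() { fmt.Println(Onboard("ssid=plant-floor;psk=constructed-sample")) } // constructed sample configuration
```

As in the claims, each side only presents its certificate, so possession of a valid certificate alone passes verifyPeer; a TLS handshake with client authentication would additionally prove possession of the matching private keys.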
CN202210900888.9A 2022-07-28 2022-07-28 Equipment network access method, server, terminal, medium and electronic equipment Pending CN117527276A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210900888.9A CN117527276A (en) 2022-07-28 2022-07-28 Equipment network access method, server, terminal, medium and electronic equipment

Publications (1)

Publication Number Publication Date
CN117527276A true CN117527276A (en) 2024-02-06

Family

ID=89740579

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination