WO2024078313A1 - Authentication and authorization method and communication apparatus - Google Patents

Info

Publication number
WO2024078313A1
Authority
WO
WIPO (PCT)
Prior art keywords: internet, things, iot, information, authentication
Application number
PCT/CN2023/121110
Other languages
French (fr)
Chinese (zh)
Inventor
葛翠丽
Original Assignee
华为技术有限公司
Application filed by 华为技术有限公司
Publication of WO2024078313A1

Classifications

    • G16Y 40/50 Safety; Security of things, users, data or systems (G PHYSICS > G16 Information and communication technology [ICT] specially adapted for specific application fields > G16Y ICT specially adapted for the Internet of Things [IoT] > G16Y 40/00 IoT characterised by the purpose of the information processing)
    • H04W 12/06 Authentication (H ELECTRICITY > H04 Electric communication technique > H04W Wireless communication networks > H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity)
    • H04W 12/069 Authentication using certificates or pre-shared keys (under H04W 12/06 Authentication)
    • H04W 12/69 Identity-dependent (under H04W 12/60 Context-dependent security, H04W 12/00)

Definitions

  • the present application relates to the field of communication technology, and more specifically, to an authentication and authorization method and a communication device.
  • the 3rd generation partnership project (3GPP) is exploring the topic of personal internet of things networks (PIN).
  • PIN mainly includes three functions: PIN element management capability (PEMC), PIN element (PINE) and PIN element gateway capability (PEGC).
  • PEMC: PIN element management capability
  • PINE: PIN element
  • PEGC: PIN element gateway capability
  • the IoT gateway device can be used to perform other functions in PIN and exchange information with the core network (CN) of the fifth generation mobile communication technology (5th generation, 5G), and the IoT management device can be used to perform management such as adding and removing IoT devices.
  • the present application provides an authentication and authorization method and a communication device, which can support the completion of authentication and authorization of Internet of Things devices.
  • a method for authentication and authorization comprising: an Internet of Things gateway device receives request information from an Internet of Things device, the request information comprising a device identification and a device credential of the Internet of Things device; the Internet of Things gateway device determines that the request information is used to request authentication and authorization for the Internet of Things device; the Internet of Things gateway device sends request information to an Internet of Things authentication device, and the Internet of Things authentication device is used to authenticate and authorize the Internet of Things device; the Internet of Things gateway device sends response information to the Internet of Things device, the response information is used to indicate that the Internet of Things device has passed the authentication and authorization, the response information comprising a first identification and a first security credential configured by the Internet of Things authentication device for the Internet of Things device, and the first identification and the first security credential are used to indicate that the Internet of Things device has passed the authentication and authorization.
  • the present application supports the IoT gateway device forwarding specific types of information sent by the IoT device when the IoT device is not yet a member of the IoT (also understood as PIN), such as request information for requesting authentication and authorization of the IoT device.
  • the present application supports the completion of authentication and authorization of the IoT device, so that the IoT device can perform IoT-related services.
  • the method also includes: the Internet of Things gateway device receives first information from the Internet of Things device, the first information is used to instruct the Internet of Things operation of the Internet of Things management device or the Internet of Things server; the Internet of Things gateway device determines that the Internet of Things device is in a non-authentication and authorization state; the Internet of Things gateway device sends first indication information to the Internet of Things device, and the first indication information is used to instruct the Internet of Things device to send request information.
  • the IoT gateway device may refuse to forward the first information and send a first indication information to indicate that the IoT device needs to complete authentication and authorization. Accordingly, the IoT device performs authentication and authorization under the instruction of the first indication information.
  • this application supports the IoT device performing its own authentication and authorization under the instruction of the IoT gateway device.
  • the method also includes: the Internet of Things gateway device receives second information from the Internet of Things device, the second information includes a first identifier and a first security credential, and the second information is used to indicate the Internet of Things operation of the Internet of Things management device or the Internet of Things server; the Internet of Things gateway device determines that the Internet of Things device passes the authentication authorization; the Internet of Things gateway device sends the second information to the Internet of Things management device or the Internet of Things server.
  • this application supports performing IoT related operations (or related services) after the IoT device completes authentication and authorization.
  • the IoT gateway device determines that the IoT device has passed authentication and authorization, including: the IoT gateway device sends a first identification and a first security credential to the IoT authentication device; the IoT gateway device receives feedback information from the IoT authentication device, and the feedback information is used to indicate that the IoT device has passed authentication and authorization; the IoT gateway device determines that the IoT device has passed authentication and authorization based on the feedback information.
  • the IoT gateway device determines whether the IoT device has passed authentication and authorization through information interaction with the IoT server.
  • or, the IoT gateway device determines that the IoT device has passed authentication and authorization, including: the IoT gateway device receives a second security credential from the IoT authentication device, the second security credential is used to indicate that the IoT device has passed authentication and authorization; the IoT gateway device determines that the IoT device has passed authentication and authorization based on the second security credential.
  • the IoT gateway device determines whether the IoT device has passed authentication and authorization through information interaction with the IoT server.
  • the Internet of Things authentication device includes at least one of an Internet of Things management device and an Internet of Things server.
  • both the IoT management device and the IoT server can implement authentication and authorization for the IoT device. Therefore, the IoT gateway device can forward the request information sent by the IoT device to the IoT management device or the IoT server.
  • the second information also includes at least one of the following: an Internet of Things identifier, or second indication information; the second indication information is used to instruct the Internet of Things gateway device to send the second information to the Internet of Things server; or the second indication information is used to instruct the Internet of Things gateway device to send the second information to the Internet of Things management device.
  • a method for authentication and authorization comprising: an Internet of Things gateway device receives first information from an Internet of Things device, the first information comprising a device identification and a device credential of the Internet of Things device; the Internet of Things gateway device determines that the Internet of Things device is in a non-authentication and authorization state; the Internet of Things gateway device sends a request message to an Internet of Things server, the request message being used to request the Internet of Things server to authenticate and authorize the Internet of Things device, the request message comprising a device identification and a device credential.
  • when the IoT gateway device determines that the IoT device has not passed or completed authentication and authorization, it can send request information to the IoT server on behalf of the IoT device, thereby completing the authentication and authorization of the IoT device.
  • the method further includes: the Internet of Things gateway device receives response information from the Internet of Things server, where the response information is used to indicate that the Internet of Things device has passed the authentication authorization.
  • the first information is used to indicate the IoT operation of the IoT device, and the method also includes: the IoT gateway device sends the first information to the IoT management device; or, the IoT gateway device sends the first information to the IoT server.
  • the method further includes: the Internet of Things gateway device receives the address of the Internet of Things server from the Internet of Things management device.
  • a method for authentication and authorization comprising: an Internet of Things management device receives first information from an Internet of Things gateway device, the first information is used to indicate an Internet of Things operation of the Internet of Things management device, the first information comprises a first identifier and a first security credential, the first identifier and the first security credential are used to indicate that the Internet of Things device passes the authentication and authorization; the Internet of Things management device determines that the Internet of Things device passes the authentication and authorization; the Internet of Things management device performs the Internet of Things operation according to the first information.
  • this application supports the IoT management device to complete the confirmation of whether the IoT device has passed the authentication authorization, thereby ensuring the security of information interaction between other devices in the IoT.
  • before the Internet of Things management device receives the first information from the Internet of Things gateway device, the method also includes: the Internet of Things management device sends the address of the Internet of Things server to the Internet of Things device, the address of the Internet of Things server is used by the Internet of Things device to determine the receiving target of the first request information, and the first request information is used to request the Internet of Things server to authenticate and authorize the Internet of Things device; the Internet of Things management device determines that the Internet of Things device passes the authentication and authorization, including: the Internet of Things management device sends a first identifier and a first security credential to the Internet of Things server; the Internet of Things management device receives first feedback information from the Internet of Things server, the first feedback information is used to indicate that the Internet of Things device passes the authentication and authorization; the Internet of Things management device determines that the Internet of Things device passes the authentication and authorization based on the feedback information; or, the Internet of Things management device receives a second security credential from the Internet of Things server, the second security credential is used to indicate that the Internet of
  • the present application supports the IoT device to send request information to the IoT server for requesting authentication and authorization of the IoT device. Accordingly, the IoT management device determines whether the IoT device has passed the authentication and authorization of the IoT server through interaction with the IoT server, thereby ensuring the security of information interaction between other devices in the IoT.
  • before the Internet of Things management device receives the first information from the Internet of Things gateway device, the method also includes: the Internet of Things management device sends the address of the Internet of Things server to the Internet of Things device, the address of the Internet of Things server is used by the Internet of Things device to determine the receiving target of the first request information, and the first request information is used to request the Internet of Things server to authenticate and authorize the Internet of Things device; the Internet of Things management device determines that the Internet of Things device passes the authentication and authorization, including: the Internet of Things management device receives the second security credential from the Internet of Things server, the second security credential is used to indicate that the Internet of Things device passes the authentication and authorization; the Internet of Things management device determines that the Internet of Things device passes the authentication and authorization based on the second security credential.
  • the present application supports the IoT device to send request information to the IoT server for requesting authentication and authorization of the IoT device. Accordingly, the IoT management device determines whether the IoT device has passed the authentication and authorization of the IoT server through interaction with the IoT server, thereby ensuring the security of information interaction between other devices in the IoT.
  • the aforementioned Internet of Things operation for instructing the Internet of Things management device is an Internet of Things operation that the Internet of Things device requests the Internet of Things management device to perform.
  • the IoT device can request the IoT management device to execute the IoT operation requested by the IoT device, which can enhance the flexibility of executing the IoT operation of the IoT device.
  • the first information is used to indicate an IoT invitation confirmation operation of the IoT management device.
  • the method also includes: the IoT management device sends IoT invitation information to the IoT device, and the IoT invitation information is used to indicate the IoT device to join the IoT managed by the IoT management device; the IoT management device performs IoT operations according to the first information, including: the IoT management device adds the IoT device to the IoT.
  • the operation of IoT devices can be simplified, and the IoT management device can actively control the IoT devices to join the IoT, thereby enhancing the centralized management function of the IoT management device.
  • before the Internet of Things management device receives the first information from the Internet of Things gateway device, the method also includes: the Internet of Things management device receives the second information from the Internet of Things device, and the second information is used to indicate the Internet of Things operation of the Internet of Things management device; the Internet of Things management device determines that the Internet of Things device is in a non-authentication and authorization state; the Internet of Things management device sends the first indication information to the Internet of Things device, and the first indication information is used to instruct the Internet of Things device to send the first request information.
  • the present application supports the IoT management device to send instruction information to the IoT device after confirming that the IoT device has not completed authentication and authorization.
  • the IoT device completes the authentication and authorization process of the IoT device under the instruction of the instruction information sent by the IoT management device, so that the IoT device can perform related operations of the IoT.
  • the first indication information includes an address of the Internet of Things server.
  • before the Internet of Things management device receives the first information from the Internet of Things gateway device, the method also includes: the Internet of Things management device receives third information from the Internet of Things device, the third information is used to indicate the Internet of Things operation of the Internet of Things management device, and the third information includes the device identification and device credentials of the Internet of Things device; the Internet of Things management device determines that the Internet of Things device is in a non-authentication and authorization state; the Internet of Things management device sends a second request information to the Internet of Things server, the second request information is used to request the Internet of Things server to authenticate and authorize the Internet of Things device, and the second request information includes the device identification and device credentials; the Internet of Things management device receives a response information from the Internet of Things server, the response information is used to indicate that the Internet of Things device has passed the authentication and authorization, and the response information includes the first identification and first security credential configured by the Internet of Things server for the Internet of Things device, and the first identification and first security credential are used to indicate that the Internet of Things device has passed
  • when the IoT management device determines that the IoT device has not passed or completed authentication and authorization, it can send request information to the IoT server on behalf of the IoT device, thereby completing the authentication and authorization of the IoT device.
  • the first information also includes at least one of the following: an Internet of Things identifier, or second indication information; the second indication information is used to instruct the Internet of Things management device to send the first information to the Internet of Things server.
  • before the Internet of Things management device receives the first information from the Internet of Things gateway device, the method also includes: the Internet of Things management device receives verification information from the Internet of Things gateway device, the verification information is used to request the Internet of Things management device to determine that the Internet of Things device has passed the authentication authorization, and the verification information includes a first identifier and a first security credential; the Internet of Things management device sends second feedback information to the Internet of Things gateway device, and the second feedback information is used to indicate that the Internet of Things device has passed the authentication authorization.
  • an authentication and authorization method which includes: an Internet of Things device sends a request message to an Internet of Things gateway device, the request message is used to request authentication and authorization for the Internet of Things device, and the request message includes a device identification and a device credential of the Internet of Things device; the Internet of Things device receives a response message from the Internet of Things gateway device, the response message is used to indicate that the Internet of Things device has passed the authentication and authorization, and the response message includes a first identification and a first security credential configured by the Internet of Things authentication device for the Internet of Things device.
  • the present application supports the IoT gateway device forwarding specific types of information sent by the IoT device when the IoT device is not yet a member of the IoT, such as request information for requesting authentication and authorization of the IoT device.
  • the present application supports the completion of authentication and authorization of the IoT device, so that the IoT device can perform IoT-related services.
  • the method also includes: the Internet of Things device sends first information to the Internet of Things gateway device, and the first information is used to indicate the Internet of Things operation of the Internet of Things management device or the Internet of Things server; the Internet of Things device receives the first indication information from the Internet of Things gateway device, and the first indication information is used to instruct the Internet of Things device to send request information.
  • the method also includes: the Internet of Things device sends second information to the Internet of Things gateway device, the second information includes a first identifier and a first security credential, and the second information is used to indicate the Internet of Things operation of the Internet of Things management device or the Internet of Things server.
  • the second information also includes at least one of the following: an Internet of Things identifier, or second indication information; the second indication information is used to instruct the Internet of Things gateway device to send the second information to the Internet of Things server; or the second indication information is used to instruct the Internet of Things gateway device to send the second information to the Internet of Things management device.
  • a method for authentication and authorization comprising: an Internet of Things device sends second information to an Internet of Things management device, the second information is used to instruct the Internet of Things operation of the Internet of Things management device; the Internet of Things device receives first indication information from the Internet of Things management device, the first indication information is used to instruct the Internet of Things device to send first request information to an Internet of Things server, the first request information is used to request the Internet of Things server to authenticate and authorize the Internet of Things device.
  • the method further includes: the Internet of Things device receives the address of the Internet of Things server from the Internet of Things management device, and the address of the Internet of Things server is used by the Internet of Things device to determine the receiving target of the first request information.
  • the first indication information includes an address of an Internet of Things server.
  • the method includes: the Internet of Things device sends third information to the Internet of Things management device, where the third information is used to indicate the Internet of Things operation of the Internet of Things management device, and the third information includes a device identification and a device credential of the Internet of Things device.
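The gateway-side, management-side and device-side methods above describe one flow: a non-member device that asks for an operation without a first identifier and first security credential is refused and told to authenticate; a request carrying the device identification and device credential is forwarded to the authentication device, which issues the first identifier and first security credential; later operation requests are re-checked with the authentication device (feedback information) before being forwarded to the management device or server. The following simulation is an added example and not code from the patent or from its assignee. The message field names, the HMAC-based form of the first security credential, the failure response and the "join" operation are all assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample registry held by the authentication device:
# device identification -> provisioned device credential.
DEVICE_REGISTRY = {
    "pine-0001": b"constructed-device-credential-0001",
    "pine-0002": b"constructed-device-credential-0002",
}


class AuthenticationDevice:
    """IoT authentication device (management device or IoT server role)."""

    def __init__(self, registry):
        self.registry = registry
        # Assumption: the first security credential is an HMAC over the
        # first identifier under a key only the authentication device holds.
        self.key = secrets.token_bytes(32)
        self.issued = {}  # first identifier -> device identification

    def _first_credential(self, first_id):
        return hmac.new(self.key, first_id.encode(), hashlib.sha256).hexdigest()

    def authenticate(self, device_id, device_credential):
        """Request information: returns (first_id, first_credential) or None on failure."""
        expected = self.registry.get(device_id)
        if expected is None or not hmac.compare_digest(expected, device_credential):
            return None
        first_id = f"pin-member-{secrets.token_hex(4)}"
        self.issued[first_id] = device_id
        return first_id, self._first_credential(first_id)

    def verify(self, first_id, first_credential):
        """Feedback information: True only if the pair was issued here and is intact."""
        if first_id not in self.issued:
            return False
        return hmac.compare_digest(self._first_credential(first_id), first_credential)


class ManagementDevice:
    """PEMC: re-checks the credential with the authentication device, then acts."""

    def __init__(self, auth_device):
        self.auth = auth_device
        self.members = set()

    def handle_operation(self, info):
        if not self.auth.verify(info.get("first_id", ""), info.get("first_credential", "")):
            return {"type": "first_indication", "action": "send_request"}
        if info.get("operation") == "join":  # assumed operation name
            self.members.add(info["first_id"])
            return {"type": "operation_result", "joined": True}
        return {"type": "operation_result", "joined": False}


class Gateway:
    """PEGC: forwards only authentication requests from non-members; gates everything else."""

    def __init__(self, auth_device, targets):
        self.auth = auth_device
        self.targets = targets  # second indication value -> management device or server

    def handle(self, msg):
        kind = msg.get("type")
        if kind == "request":
            result = self.auth.authenticate(msg["device_id"], msg["device_credential"])
            if result is None:
                return {"type": "response", "passed": False}  # assumption: failure response
            first_id, first_credential = result
            return {"type": "response", "passed": True,
                    "first_id": first_id, "first_credential": first_credential}
        if kind == "first_info":
            # Operation request with no first identifier/credential: device is in the
            # non-authentication state, so refuse to forward and send first indication.
            return {"type": "first_indication", "action": "send_request"}
        if kind == "second_info":
            if not self.auth.verify(msg.get("first_id", ""), msg.get("first_credential", "")):
                return {"type": "first_indication", "action": "send_request"}
            target = self.targets[msg.get("second_indication", "management")]
            return target.handle_operation(msg)
        return {"type": "error", "reason": "unknown message type"}


def run_scenario():
    """Walk one device through refusal, authentication, a verified operation and a forged one."""
    server = AuthenticationDevice(DEVICE_REGISTRY)
    pemc = ManagementDevice(server)
    pegc = Gateway(server, {"management": pemc})
    out = {}
    out["indication"] = pegc.handle({"type": "first_info", "operation": "join"})["type"]
    out["bad_request"] = pegc.handle({"type": "request", "device_id": "pine-0001",
                                      "device_credential": b"wrong"})["passed"]
    resp = pegc.handle({"type": "request", "device_id": "pine-0001",
                        "device_credential": DEVICE_REGISTRY["pine-0001"]})
    out["passed"] = resp["passed"]
    out["joined"] = pegc.handle({"type": "second_info", "operation": "join",
                                 "first_id": resp["first_id"],
                                 "first_credential": resp["first_credential"],
                                 "second_indication": "management"}).get("joined")
    out["forged"] = pegc.handle({"type": "second_info", "operation": "join",
                                 "first_id": resp["first_id"],
                                 "first_credential": "0" * 64,
                                 "second_indication": "management"})["type"]
    out["members"] = len(pemc.members)
    return out


if __name__ == "__main__":
    print(run_scenario())
```

Both the gateway and the management device call `verify` before acting, which mirrors the two check points in the text (the gateway before forwarding second information, the management device before performing the operation); a tampered first security credential therefore never reaches the operation handler, and the device is simply told to authenticate again.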
  • a communication device comprising: a transceiver unit for receiving request information from an Internet of Things device, the request information including a device identification and a device credential of the Internet of Things device; a processing unit for determining that the request information is used to request authentication and authorization for the Internet of Things device; a transceiver unit for sending request information to an Internet of Things authentication device, the Internet of Things authentication device being used to authenticate and authorize the Internet of Things device; a transceiver unit for sending response information to the Internet of Things device, the response information being used to indicate that the Internet of Things device has passed the authentication and authorization, the response information including a first identification and a first security credential configured by the Internet of Things authentication device for the Internet of Things device, the first identification and the first security credential being used to indicate that the Internet of Things device has passed the authentication and authorization.
  • the transceiver unit is used to receive first information from an Internet of Things device, and the first information is used to instruct the Internet of Things operation of an Internet of Things management device or an Internet of Things server; the processing unit is used to determine that the Internet of Things device is in a non-authentication and authorization state; the transceiver unit is used to send first indication information to the Internet of Things device, and the first indication information is used to instruct the Internet of Things device to send request information.
  • the transceiver unit is used to receive second information from the Internet of Things device, the second information includes a first identifier and a first security credential, and the second information is used to indicate the Internet of Things operation of the Internet of Things management device or the Internet of Things server; the processing unit is used to determine whether the Internet of Things device has passed the authentication authorization; the transceiver unit is used to send the second information to the Internet of Things management device or the Internet of Things server.
  • the transceiver unit is used to send a first identification and a first security credential to an Internet of Things authentication device; the transceiver unit is used to receive feedback information from the Internet of Things authentication device, and the feedback information is used to indicate that the Internet of Things device has passed the authentication authorization; the processing unit is used to determine whether the Internet of Things device has passed the authentication authorization based on the feedback information.
  • the transceiver unit is used to receive a second security credential from an IoT authentication device, where the second security credential is used to indicate that the IoT device has passed the authentication authorization; and the processing unit is used to determine whether the IoT device has passed the authentication authorization based on the second security credential.
  • the Internet of Things authentication device includes at least one of an Internet of Things management device and an Internet of Things server.
  • the second information also includes at least one of the following: an Internet of Things identifier, or second indication information; the second indication information is used to instruct the communication device to send the second information to the Internet of Things server; or the second indication information is used to instruct the communication device to send the second information to the Internet of Things management device.
  • a communication device comprising: a transceiver unit, configured to receive first information from an Internet of Things device, the first information comprising a device identification and a device credential of the Internet of Things device; a processing unit, configured to determine that the Internet of Things device is in a non-authentication and authorization state; the transceiver unit is used to send a request message to the Internet of Things server, where the request message is used to request the Internet of Things server to authenticate and authorize the Internet of Things device, and the request message includes a device identifier and a device credential.
  • the transceiver unit is used to receive response information from the Internet of Things server, and the response information is used to indicate that the Internet of Things device has passed the authentication authorization.
  • the first information is used to indicate the Internet of Things operation of the Internet of Things device, and the transceiver unit is used to send the first information to the Internet of Things management device; or, the transceiver unit is used to send the first information to the Internet of Things server.
  • the transceiver unit is used to receive the address of the Internet of Things server from the Internet of Things management device.
  • a communication device including: a transceiver unit, used to receive first information from an Internet of Things gateway device, the first information is used to indicate an Internet of Things operation of an Internet of Things management device, the first information includes a first identifier and a first security credential, the first identifier and the first security credential are used to indicate that the Internet of Things device has passed the authentication authorization; a processing unit, used to determine that the Internet of Things device has passed the authentication authorization; a processing unit, used to execute the Internet of Things operation according to the first information.
  • the transceiver unit is used to send the address of the Internet of Things server to the Internet of Things device, the address of the Internet of Things server is used by the Internet of Things device to determine the receiving target of the first request information, and the first request information is used to request the Internet of Things server to authenticate and authorize the Internet of Things device;
  • the transceiver unit is used to send a first identifier and a first security credential to the Internet of Things server;
  • the transceiver unit is used to receive first feedback information from the Internet of Things server, and the first feedback information is used to indicate that the Internet of Things device has passed the authentication and authorization;
  • the processing unit is used to determine whether the Internet of Things device has passed the authentication and authorization based on the feedback information.
  • the transceiver unit is used to send the address of the IoT server to the IoT device, the address of the IoT server is used by the IoT device to determine the receiving target of the first request information, the first request information is used to request the IoT server to authenticate and authorize the IoT device; the transceiver unit is used to receive the second security credential from the IoT server, the second security credential is used to indicate that the IoT device has passed the authentication and authorization; the processing unit is used to determine whether the IoT device has passed the authentication and authorization based on the second security credential.
  • the transceiver unit is used to receive second information from the Internet of Things device, and the second information is used to indicate the Internet of Things operation of the communication device; the processing unit is used to determine that the Internet of Things device is in a non-authentication and authorization state; the transceiver unit is used to send first indication information to the Internet of Things device, and the first indication information is used to instruct the Internet of Things device to send first request information.
  • the first indication information includes an address of the Internet of Things server.
  • the transceiver unit is used to receive third information from the Internet of Things device, the third information is used to indicate the Internet of Things operation of the communication device, and the third information includes the device identification and device credentials of the Internet of Things device;
  • the processing unit is used to determine that the Internet of Things device is in a non-authentication and authorization state;
  • the transceiver unit is used to send second request information to the Internet of Things server, the second request information is used to request the Internet of Things server to authenticate and authorize the Internet of Things device, and the second request information includes the device identification and device credentials;
  • the transceiver unit is used to receive response information from the Internet of Things server, the response information is used to indicate that the Internet of Things device has passed the authentication and authorization, and the response information includes the first identification and first security credential configured by the Internet of Things server for the Internet of Things device.
  • the aforementioned Internet of Things operation for indicating the communication device is an Internet of Things operation that the Internet of Things device requests the communication device to perform.
  • the first information is used to indicate the Internet of Things invitation confirmation operation of the communication device, and the transceiver unit is also used to send Internet of Things invitation information to the Internet of Things device, and the Internet of Things invitation information is used to instruct the Internet of Things device to join the Internet of Things managed by the communication device; the processing unit is also used to add the Internet of Things device to the Internet of Things.
  • the first information also includes at least one of the following: an Internet of Things identifier, or second indication information; the second indication information is used to instruct the communication device to send the first information to the Internet of Things server.
  • the transceiver unit is used to receive verification information from the Internet of Things gateway device, the verification information is used to request the Internet of Things management device to determine that the Internet of Things device has passed the authentication authorization, and the verification information includes a first identifier and a first security credential; the transceiver unit is used to send second feedback information to the Internet of Things gateway device, and the second feedback information is used to indicate that the Internet of Things device has passed the authentication authorization.
  • a communication device including: a transceiver unit, used to send request information to an Internet of Things gateway device, the request information is used to request authentication and authorization for the communication device, the request information includes a device identification and device credentials of the communication device; a transceiver unit, used to receive response information from the Internet of Things gateway device, the response information is used to indicate that the communication device has passed the authentication and authorization, and the response information includes a first identification and security credential configured for the communication device by the Internet of Things authentication device.
  • the transceiver unit is used to send first information to the Internet of Things gateway device, and the first information is used to instruct the Internet of Things operation of the Internet of Things management device or the Internet of Things server; the transceiver unit is used to receive first indication information from the Internet of Things gateway device, and the first indication information is used to instruct the communication device to send request information.
  • the transceiver unit is used to send second information to the Internet of Things gateway device, where the second information includes a first identifier and a security credential, and the second information is used to indicate the Internet of Things operation of the Internet of Things management device or the Internet of Things server.
  • the second information also includes at least one of the following: an Internet of Things identifier, or second indication information; the second indication information is used to instruct the Internet of Things gateway device to send the second information to the Internet of Things server; or the second indication information is used to instruct the Internet of Things gateway device to send the second information to the Internet of Things entity management function.
  • a communication device including: a transceiver unit, used to send second information to an Internet of Things management device, the second information is used to instruct the Internet of Things operation of the Internet of Things management device or the Internet of Things server; a transceiver unit, used to receive first indication information from the Internet of Things management device, the first indication information is used to instruct the communication device to send first request information to the Internet of Things server, the first request information is used to request the Internet of Things server to authenticate and authorize the communication device.
  • the transceiver unit is used to receive the address of an Internet of Things server from an Internet of Things management device, and the address of the Internet of Things server is used by the communication device to determine a receiving target of the first request information.
  • the first indication information includes an address of an Internet of Things server.
  • the transceiver unit is used to send third information to the Internet of Things management device, where the third information is used to indicate the Internet of Things operation of the Internet of Things management device or the Internet of Things server, and the third information includes the device identification and device credentials of the communication device.
  • a communication device comprising a processor, the processor being used to, by executing a computer program or instruction, or, through a logic circuit, enable the communication device to perform any method in the first aspect and any possible implementation of the first aspect; or, enable the communication device to perform any method in the second aspect and any possible implementation of the second aspect; or, enable the communication device to perform any method in the third aspect and any possible implementation of the third aspect; or, enable the communication device to perform any method in the fourth aspect and any possible implementation of the fourth aspect; or, enable the communication device to perform any method in the fifth aspect and any possible implementation of the fifth aspect.
  • the communication device further includes a memory, and the memory is used to store the computer program or instruction.
  • the communication device further includes a communication interface, and the communication interface is used to input and/or output signals.
  • a communication device comprising a logic circuit and an input-output interface, the input-output interface being used to input and/or output signals, the logic circuit being used to execute the method described in the first aspect and any possible implementation of the first aspect; or, the logic circuit being used to execute the method described in the second aspect and any possible implementation of the second aspect; or, the logic circuit being used to execute the method described in the third aspect and any possible implementation of the third aspect; or, the logic circuit being used to execute the method described in the fourth aspect and any possible implementation of the fourth aspect; or, the logic circuit being used to execute the method described in the fifth aspect and any possible implementation of the fifth aspect.
  • a computer-readable storage medium comprising a computer program or instructions, which, when the computer program or the instructions are run on a computer, causes the method described in the first aspect and any one of its possible implementations to be executed; or causes the method described in the second aspect and any one of its possible implementations to be executed; or causes the method described in the third aspect and any one of its possible implementations to be executed; or causes the method described in the fourth aspect and any one of its possible implementations to be executed; or causes the method described in the fifth aspect and any one of its possible implementations to be executed.
  • a computer program product comprising instructions, which, when executed on a computer, cause the method described in the first aspect and any one of its possible implementations to be executed; or, cause the method described in the second aspect and any one of its possible implementations to be executed; or, cause the method described in the third aspect and any one of its possible implementations to be executed; or, cause the method described in the fourth aspect and any one of its possible implementations to be executed; or, cause the method described in the fifth aspect and any one of its possible implementations to be executed.
  • a computer program which, when executed on a computer, enables the method described in the first aspect and any one of its possible implementations to be executed; or enables the method described in the second aspect and any one of its possible implementations to be executed; or enables the method described in the third aspect and any one of its possible implementations to be executed; or enables the method described in the fourth aspect and any one of its possible implementations to be executed; or enables the method described in the fifth aspect and any one of its possible implementations to be executed.
  • a communication system which includes an Internet of Things gateway device and an Internet of Things management device, the Internet of Things gateway device is used to execute the method described in the first aspect and any one of any possible implementations of the first aspect, or the Internet of Things gateway device is used to execute the method described in the second aspect and any one of any possible implementations of the second aspect, and the Internet of Things management device is used to execute the method described in the third aspect and any one of any possible implementations of the third aspect.
  • the communication system also includes an Internet of Things device, which is used to execute the method described in the fourth aspect and any one of the possible implementations of the fourth aspect; or, the Internet of Things device is used to execute the method described in the fifth aspect and any one of the possible implementations of the fifth aspect.
  • FIG. 1 is a schematic diagram of a communication system 100 applicable to an embodiment of the present application.
  • FIG. 2 is a schematic diagram of an interaction flow of a method 200 for authentication and authorization.
  • FIG. 3 is a schematic diagram of an interaction flow of a method 300 for authentication and authorization according to an embodiment of the present application.
  • FIG. 4 is a schematic diagram of an interaction flow of a method 400 for authentication and authorization according to an embodiment of the present application.
  • FIG. 5 is a schematic diagram of an interaction flow of a method 500 for authentication and authorization according to an embodiment of the present application.
  • FIG. 6 is a schematic diagram of an interactive process of a method 600 for authentication and authorization according to an embodiment of the present application.
  • FIG. 7 is a schematic block diagram of the structure of a communication device 700 according to an embodiment of the present application.
  • FIG. 8 is a schematic block diagram of the structure of a communication device 800 according to an embodiment of the present application.
  • FIG. 9 is a schematic block diagram of the structure of a communication device 900 according to an embodiment of the present application.
  • FIG. 10 is a schematic block diagram of the structure of a communication device 1000 according to an embodiment of the present application.
  • FIG. 11 is a schematic block diagram of the structure of a communication device 1100 according to an embodiment of the present application.
  • GSM global system of mobile communication
  • CDMA code division multiple access
  • WCDMA wideband code division multiple access
  • GPRS general packet radio service
  • LTE long term evolution
  • FDD frequency division duplex
  • TDD time division duplex
  • UMTS universal mobile telecommunication system
  • WiMAX worldwide interoperability for microwave access
  • 5G fifth generation
  • NR new radio
  • the terminal device in the embodiments of the present application may refer to user equipment (UE), access terminal, user unit, user station, mobile station, remote station, remote terminal, mobile device, user terminal, terminal, wireless communication device, user agent or user device.
  • the terminal device may also be a cellular phone, a cordless phone, a session initiation protocol (SIP) phone, a wireless local loop (WLL) station, a personal digital assistant (PDA), a handheld device with wireless communication function, a computing device or other processing device connected to a wireless modem, a vehicle-mounted device, a wearable device, a terminal device in a 5G network or a terminal device in a public land mobile network (PLMN), etc., and the embodiments of the present application are not limited to this.
  • SIP session initiation protocol
  • WLL wireless local loop
  • PDA personal digital assistant
  • the network device in the embodiments of the present application may be a device for communicating with a terminal device.
  • the network device may be a base station (base transceiver station, BTS) in a GSM system or a CDMA system, or a base station (nodeB, NB) in a WCDMA system, or an evolved base station (evolutional nodeB, eNB or eNodeB) in an LTE system, or a wireless controller in a cloud radio access network (cloud radio access network, CRAN) scenario, or the network device may be a relay station, an access point, an in-vehicle device, a wearable device, a network device in a 5G network, a network device in a PLMN network, or a network device in a non-public network, etc., and the embodiments of the present application are not limited thereto.
  • FIG. 1 is a schematic diagram of a communication system 100 applicable to an embodiment of the present application.
  • the communication system 100 includes 5GC and a personal IoT network (PIN).
  • 5GC mainly includes access and mobility management function (AMF), capability exposure function (NEF), user data repository (UDR), network repository function (NRF), unified data management (UDM), next generation (NG)-radio access network (RAN) equipment, policy control function (PCF), user plane function (UPF), data network (DN), etc.
  • AMF access and mobility management function
  • NEF capability exposure function
  • UDR user data repository
  • NRF network repository function
  • UDM unified data management
  • NG next generation
  • RAN radio access network
  • PCF policy control function
  • UPF user plane function
  • DN data network
  • PIN mainly includes PEGC, PEMC and PINE.
  • PEMC and PINE exchange information through P1 (based on non-3GPP or 3GPP access technology)
  • PINE and PEGC exchange information through P2 (based on non-3GPP access technology, 3GPP access technology or the Internet)
  • PEGC and PEMC exchange information through P3 (based on non-3GPP access technology or 3GPP short-distance communication technology such as 5G ProSe technology).
  • Figure 1 is only a schematic description diagram, and the embodiment of the present application does not limit the number and types of network elements and functions (or devices) actually deployed in the communication system 100.
  • Radio access network equipment corresponds to different access networks in 5G, such as wired access, wireless base station access and other methods.
  • the RAN equipment in this application includes but is not limited to: next-generation base stations (gnodeB, gNB), evolved node B (evolved node B, eNB), radio network controller (radio network controller, RNC), node B (node B, NB), base station controller (base station controller, BSC), base transceiver station (base transceiver station, BTS), home base station (for example, home evolved nodeB, or home node B, HNB), base band unit (base band unit, BBU), transmission point (transmitting and receiving point, TRP), transmission point (transmitting point, TP), mobile switching center, etc.
  • Unified data management (also called unified data management network element, unified data management entity, data management device, unified data management equipment) is a type of core network equipment, mainly used to process terminal equipment identification, access authentication, registration and mobility management. Unified data management equipment is a control plane device.
  • PCF Policy control function
  • the policy control function (PCF) network element is also known as the policy control network element, policy control function network element, policy control equipment, policy control function entity, etc.
  • QoS quality of service
  • Session management function mainly performs session management, execution of control policies issued by PCF, UPF selection, UE IP address allocation and other functions.
  • Access and mobility management function (also known as access and mobility management function entity, access and mobility management equipment, access and mobility management network element, access management equipment, mobility management equipment) is a type of core network equipment, mainly used for mobility management and access management, etc., and can be used to implement other functions of mobility management entity (MME) functions except session management, such as lawful interception, or access authorization (or authentication), user equipment registration, mobility management, tracking area update process, reachability detection, selection of session management network element, mobile state transition management and other functions.
  • MME mobility management entity
  • the access and mobility management network element can be an AMF network element.
  • in future communications such as 6G, the access and mobility management network element can still be an AMF network element, or have other names, which are not limited in this application.
  • the AMF can provide Namf services.
  • User plane function (also known as user plane equipment, user plane function network element, user plane network element, user plane function entity): mainly includes the following functions: data packet routing and transmission, packet detection, service usage reporting, QoS processing, legal monitoring, uplink packet detection, downlink data packet storage and other user-plane related functions.
  • Network repository function (also known as network storage device, network repository function network element, network repository function entity): mainly used to support service discovery function. Receives a network element discovery request from a network element function or service communication proxy (SCP), and can feedback the network element discovery request information. At the same time, NRF is also responsible for maintaining information about available network functions and the services they support. It can also be understood as a network storage device. Among them, the discovery process is the process of addressing a specific NF or a specific service by the demand network element function (NF) with the help of NRF. NRF provides the IP address or fully qualified domain name (FQDN) or unified resource identifier (URI) of the corresponding NF instance or NF service instance.
  • FQDN fully qualified domain name
  • URI unified resource identifier
  • NRF can also implement the cross-PLMN discovery process by providing a network identifier (such as PLMN ID).
  • each network element needs to be registered in NRF, and some network element functions can be registered in NRF when they are first run.
  • the network repository function device can be a core network device.
  • Network exposure function (also called network exposure device, network exposure function entity, Network open function network element, network capability open function entity, network capability open function equipment, network capability open function network element, network capability open equipment, etc.): mainly used to support the opening of capabilities and events, such as securely opening the services and capabilities provided by 3GPP network functions to the outside world.
  • User database (user data repository, UDR) (also known as user database entity, user database network element, user database equipment, etc.) can have different data access authentication mechanisms for different types of data such as contract data and policy data to ensure the security of data access.
  • PIN element (PINE): an IoT device in a PIN, which can be a 3GPP UE or a non-3GPP device, can discover a PIN or other PINEs in a PIN, and join or leave a PIN.
  • PINE with gateway capability (PEGC): a role or capability of a PINE, which can also be understood as a PINE with gateway function, used to realize information interaction between other PINEs in the PIN and 5GC, and to provide data routing and forwarding for PINEs.
  • PINE with management capability (PEMC): a role or capability of a PINE, which can also be understood as a PINE with management function, used to implement PIN management, such as PIN creation, update, deletion, PINE addition and removal, and PEGC configuration management.
  • PINE, PEGC, and PEMC can be software modules running on UE devices or IoT devices.
  • a UE or device can have one or more of the above capabilities.
  • a UE can have the capabilities of PINE, PEGC, and PEMC. It can also be understood that a UE can serve as PINE, PEGC, and PEMC at the same time.
  • the PINE, PEGC and PEMC in the embodiments of the present application may also refer to PINE client, PEGC client and PEMC client.
  • PEMC client can be understood as PINE with PEMC capability
  • PEGC client can be understood as PINE with PEGC capability.
  • the above network elements and functions may be independent physical devices; the present application does not limit their specific forms. For example, they can be integrated in the same physical device, or they can be different physical devices.
  • network elements or devices can be combined.
  • the access and mobility management network element can be combined with the session management network element; the session management network element can be combined with the user plane network element.
  • the above functions and network elements may be network elements in hardware devices, or software functions running on dedicated hardware, or a combination of hardware and software, or virtualized functions instantiated on a platform (e.g., a cloud platform).
  • FIG. 2 is an interactive flow chart of an authentication and authorization method 200.
  • the method 200 shown in FIG. 2 can be applied to the above-mentioned communication system 100.
  • the method 200 includes:
  • S210: an application layer connection is established between PINE1 and PEMC.
  • PEMC sends the local PIN configuration information (profile) to PINE1.
  • the PIN configuration information includes PIN identification (ID), PIN description (such as company name, location, or business type) and PEMC Internet protocol (IP) address and other information.
  • PINE1 sends a request message 1 to PEMC, which is used to request to join PIN.
  • the PEMC receives the request message 1 from the PINE1 and determines based on the request message 1 that the PINE1 requests to join the PIN.
  • the request message 1 sent by PINE1 to PEMC is used to request PEMC to add PINE1 to the PIN.
  • the request message 1 includes the security credentials assigned by the PIN server to PINE1 and the identification information of PINE1.
  • the identification information of PINE1 may include a generic public subscription identifier (GPSI), an application layer identifier (client ID) of PINE1, a location of PINE1, a PIN ID, and PIN configuration information.
  • the request information 1 also includes information about services that PINE1 can provide.
  • after receiving the request information 1, PEMC performs authentication and authorization on PINE1 and confirms whether PINE1 has the authority to join the PIN.
  • the authority of PEMC to perform authentication and authorization on PINE1 may be granted by the PIN server, and this application does not limit this.
  • PINE1 receives the response information 1 sent by the PEMC, and determines whether PINE1 can join the PIN based on the response information 1.
  • after determining that PINE1 can join the PIN, PEMC sends a response message 1 to PINE1 indicating that PINE1 has passed the authentication and authorization.
  • response message 1 includes access information of PINE1 (e.g., user plane, Wi-Fi name and password, etc.), which can be used by PINE1 to access services in the DN.
  • response information 1 may also include information such as PIN ID and IP address of PEGC.
  • PEMC notifies PEGC and PIN server that PINE1 joins PIN.
  • PEGC determines that PINE1 is a new member of the PIN based on the notification information sent by PEMC, and can then allow PINE1 to access the 5G server.
  • the PIN server determines that PINE1 is a new member of the PIN based on the notification information sent by PEMC.
  • PIN-related services include: PIN joining, PIN discovery, etc.
  • S260: PEMC, PEGC and PIN server update PIN configuration information.
  • after determining that PINE1 can join the PIN, the PEMC, PEGC, and PIN server update the local PIN configuration information and add PINE1 to the member list of the PIN.
  • in order to realize the authentication and authorization of PINE1 by PEMC, there needs to be direct communication between PINE1 and PEMC. If there is no direct communication between PINE1 and PEMC, PEMC cannot complete the authentication and authorization of PINE1. In that case, if PEGC receives PIN information sent by PINE1 (such as PIN discovery, PIN joining, etc.), PEGC directly discards it because PINE1 is not a member of the PIN, so PINE1 is unable to perform PIN-related services.
  • the present application provides an authentication and authorization method and a communication device, which can support the completion of authentication and authorization of PINE1.
  • FIG. 3 is a schematic diagram of the interaction flow of the authentication and authorization method 300 of the embodiment of the present application.
  • the method 300 shown in FIG. 3 can be applied to the above-mentioned communication system 100, and can also be applied to other communication systems involving PIN.
  • the present application takes PIN as the Internet of Things as an example for description.
  • the PINE in the PIN is an Internet of Things device
  • the PEGC is an Internet of Things gateway device
  • the PEMC is an Internet of Things management device.
  • the method 300 includes:
  • the Internet of Things device 1 sends a request message A to the Internet of Things gateway device, which is used to request authentication and authorization for the Internet of Things device 1.
  • the IoT gateway device receives request information A from IoT device 1.
  • the request information A can be the Internet of Things registration information, the Internet of Things authentication information, the Internet of Things authorization information, or the request information A can also be a combination of the above-mentioned information, for example, the request information A is the Internet of Things authentication and authorization information, or the request information A is the Internet of Things registration and authentication information, or the request information A is the Internet of Things registration authentication and authorization information, etc.
  • the request information A is used to request authentication and authorization for the Internet of Things device 1 (which can also be understood as allowing the Internet of Things device 1 to perform specific Internet of Things operations), wherein the Internet of Things device 1 is any Internet of Things device that establishes a direct communication connection with the Internet of Things gateway device.
  • the request information A includes the device identification and device credentials of the IoT device 1.
  • the device identification and device credentials of the IoT device 1 can be used to represent the identity of the IoT device 1. It should be understood that the device identification and device credentials of the IoT device 1 are configured for the IoT device 1 by the device authentication server of the IoT device 1.
  • the device credentials can be a certificate and are set in the IoT device 1 by the manufacturer of the IoT device 1.
  • the Internet of Things gateway device determines that the request information A is used to request authentication authorization for the Internet of Things device 1.
  • when the IoT gateway device determines that the request information A is an information type (or data type) that the IoT gateway device can forward, the IoT gateway device can decide to forward the request information A instead of rejecting or discarding it.
  • the present application supports allowing the IoT gateway device to identify and forward IoT information sent to it by IoT device 1.
  • IoT information is the signaling of IoT applications or IoT services, which may include IoT registration information, IoT login information, IoT authentication information, IoT authorization information, IoT connection information, IoT discovery information, or IoT joining information.
  • the IoT information described above may be IoT application layer information, which includes IoT header information and payload.
  • the IoT header information includes an information element (IE) for indicating the IoT information type.
  • the above-mentioned IoT information is information obtained by extending application layer information such as hypertext transfer protocol (HTTP) or session initiation protocol (SIP).
  • HTTP or SIP information includes an IE for indicating the type of IoT information.
  • after the IoT gateway device receives the request information A from the IoT device 1, the IoT gateway device parses the received request information A.
  • the IoT gateway device can determine to forward the request information A.
  • if the IoT device 1 does not complete the authentication and authorization, the IoT gateway device rejects or discards any IoT information sent by the IoT device 1 to the IoT gateway device, because the IoT device 1 is not a member of the IoT; as a result, the IoT device 1 cannot perform IoT-related operations (or IoT-related services).
  • the IoT gateway device sends the request information A to the IoT authentication device.
  • the IoT authentication device can be used to perform authentication and authorization on the IoT device 1. Therefore, the IoT gateway device forwards the request information A sent by the IoT device 1 to the IoT authentication device, and the IoT authentication device performs authentication and authorization on the IoT device 1.
  • the Internet of Things authentication device can be an Internet of Things management device or an Internet of Things server, which is not limited in this application.
  • the IoT gateway device sends the request information A to the IoT authentication device, including:
  • the IoT gateway device sends request information A to the IoT server.
  • the IoT gateway device determines that the IoT is not local, or understands that the IoT is not a local business (for example, when the IoT gateway device receives the address of the IoT server configured by the IoT management device, or the request information A carries the address of the IoT server (for example, the destination address in the request information A is the address of the IoT server), or the request message A carries the identification information of the application or business (such as domain name, uniform resource locator (URL), etc.) which can be further parsed to obtain the address of the IoT server), the IoT gateway device determines the IoT server according to the request information A or the local IoT configuration information, and sends the request information A to the IoT server, and the IoT server performs the authentication and authorization of the IoT device 1. For example, the IoT server completes the legitimacy check of the IoT device 1 by interacting with the device authentication server of the IoT device 1.
  • the IoT server configures the IoT device 1 with a first identifier and a security credential 1 (e.g., a token, a service code, or a credential, etc.), and carries the first identifier and the security credential 1, etc. in the response information A.
  • the first identifier is used to identify the IoT device 1.
  • the first identifier may be an application layer identifier (application layer id) 1, which is used to identify the IoT device 1 at the application layer (through authentication and authorization), and may be a PINE client ID, a PINE ID, or a PIN user ID, etc.
  • the first identifier may also be other identifiers, such as a physical layer identifier, a link layer identifier, etc., which is not limited in this application.
  • first identification and security credential 1 configured by the IoT server for the IoT device 1 can be used to indicate that the IoT device 1 has passed the authentication and authorization of the IoT server for the IoT device 1.
  • first identification and security credential 2 can also be used as credentials for the IoT device 1 to access other devices in the IoT.
  • after completing the authentication and authorization of the IoT device 1, the IoT server sends a response message A to the IoT gateway device, which is used to indicate that the IoT device 1 has passed the authentication and authorization of the IoT server.
  • the IoT gateway device sends the request information A, including:
  • the Internet of Things gateway device sends the request information A to the Internet of Things management device.
  • the IoT gateway device determines that the IoT is local, or understands that the IoT is a local service (for example, when the IoT gateway device has never received the address of the IoT server configured by the IoT management device, or the request information A carries the identifier of the IoT management device (for example, IP address, generic public subscription identifier (GPSI), medium access control (MAC) address, domain name or other information that can be used to identify the IoT management device) (for example, the destination address in the request information A is the address of the IoT management device, or the request message A carries the identification information of the application or service (such as domain name, URL, etc.) which can be further parsed to obtain the address of the IoT management device), the IoT gateway device sends request information A to the IoT management device, and the IoT management device performs authentication and authorization on the IoT device 1.
  • the description of the IoT management device performing authentication and authorization on the IoT device 1 can refer to
  • after completing the authentication and authorization of the Internet of Things device 1, the Internet of Things management device sends a response message A to the Internet of Things gateway device, which is used to indicate that the Internet of Things device 1 has passed the authentication and authorization of the Internet of Things management device for the Internet of Things device 1.
  • the IoT gateway device sends response information A to IoT device 1, which is used to indicate that IoT device 1 has passed the authentication authorization.
  • the IoT device 1 receives the response information A from the IoT gateway device, and determines that the IoT device 1 has passed the authentication authorization based on the response information A.
  • the response information A includes the security credential 1 and the first identifier.
  • the present application supports the IoT gateway device forwarding specific types of IoT information sent by IoT device 1 when IoT device 1 is not yet a member of the IoT, such as request information A for requesting authentication and authorization for IoT device 1.
  • the present application supports the completion of authentication and authorization for IoT device 1, so that IoT device 1 can perform related operations of the IoT.
  • method 300 further includes:
  • Internet of Things device 1 sends Internet of Things information #1 (e.g., first information) to an Internet of Things gateway device.
  • the IoT gateway device receives IoT information #1 from IoT device 1.
  • the IoT information #1 is used to indicate the IoT operation of the IoT management device or IoT server.
  • IoT information #1 includes information of IoT operation.
  • IoT operation includes: IoT join (PIN join), IoT discovery (PIN discovery), or IoT invite confirmation (PIN invite ack), etc.
  • the information of IoT operation indicates IoT operation.
  • IoT information #1 may be an IoT join request message (carrying at least one of the device identification or the first identification of IoT device 1), an IoT discovery request message (carrying at least one of the device identification or the first identification of IoT device 1), or an IoT invite confirmation message (carrying at least one of the device identification or the first identification of IoT device 1), etc.
  • the IoT gateway device determines that the IoT device 1 is in a non-authentication and authorization state.
  • after receiving IoT information #1, the IoT gateway device determines that IoT device 1 is in a non-authentication and authorization state (for example, when the IoT gateway device finds that IoT information #1 does not carry the first identification and/or security credential 1, the IoT gateway device determines that IoT device 1 is in a non-authentication and authorization state), that is, the IoT gateway device determines that IoT device 1 has not completed the authentication and authorization at the IoT authentication device, which can be further understood as: the IoT gateway device determines that IoT device 1 is not allowed to perform the IoT operation indicated by IoT information #1. Accordingly, the IoT gateway device refuses to forward IoT information #1.
  • the IoT gateway device sends indication information 1 (for example, first indication information) to IoT device 1, which is used to instruct IoT device 1 to send request information A.
  • IoT device 1 receives indication information 1, and determines based on indication information 1 that request information A needs to be sent.
  • the IoT gateway device may refuse to forward IoT information #1 and send indication information 1 to IoT device 1, which is used to indicate to IoT device 1 that it needs to complete authentication and authorization. Accordingly, IoT device 1 performs authentication and authorization under the instruction of indication information 1.
  • IoT device 1 sends the aforementioned request information A to the IoT gateway device, and the IoT gateway device forwards the request information A.
  • the IoT gateway device may carry indication information 1 in the response information of IoT information #1 sent to IoT device 1, for example, the indication information 1 is carried in the response information of IoT joining request information, the response information of IoT discovery request information, or the response information of IoT invitation confirmation information.
  • the indication information 1 may be an indicator in the above information, and in specific encoding, may be a bit value in the information, or may be a parameter occupying several bits.
  • when there is direct communication between IoT device 1 and the IoT management device, IoT device 1 sends request information A to the IoT management device, and the IoT management device performs authentication and authorization on IoT device 1.
  • when there is no direct communication between IoT device 1 and the IoT management device, IoT device 1 sends request information A to the IoT gateway device, and the IoT gateway device forwards the request information A, thereby completing the authentication and authorization of IoT device 1, so that IoT device 1 can perform related operations of the IoT.
  • the present application supports the IoT device 1 to perform authentication and authorization of the IoT device 1 under the instruction of the IoT gateway device.
  • method 300 further includes:
  • IoT device 1 sends IoT information #2 (e.g., second information) to the IoT gateway device, which includes the first identifier and security credential 1.
  • IoT gateway device receives IoT information #2.
  • IoT information #2 is used to indicate the IoT operation of the IoT management device or IoT server.
  • IoT information #2 includes information about IoT operations.
  • IoT operations include: IoT joining, IoT discovery, or IoT invitation confirmation, etc.
  • the information about IoT operations indicates IoT operations.
  • IoT information #2 can be an IoT joining request message (carrying at least one of the device identifier or the first identifier of IoT device 1), an Internet of Things discovery request message (carrying at least one of the device identifier or the first identifier of IoT device 1), or an Internet of Things invitation confirmation message (carrying at least one of the device identifier or the first identifier of IoT device 1), etc.
  • S350 The IoT gateway device determines that the IoT device 1 passes the authentication and authorization.
  • the IoT gateway device determines that the IoT device 1 passes the authentication authorization, which can be further understood as: the IoT gateway device determines that the IoT device 1 is allowed to perform the IoT operation indicated by the IoT information #2, which can be implemented in the following two ways:
  • the Internet of Things gateway device sends a first identification and security credential 1 to the Internet of Things authentication device (which includes an Internet of Things management device or an Internet of Things server).
  • the IoT authentication device can be used to perform authentication and authorization on the IoT device 1, and after completing the authentication and authorization on the IoT device 1, the IoT authentication device configures the first identification and security credential 1 for the IoT device 1.
  • the IoT gateway device sends a first identification and security credential 1 to the IoT authentication device in an IoT request message, where the IoT request message may be any one or more of IoT authorization information, IoT authentication information, and IoT authentication authorization request information.
  • the IoT gateway device receives feedback information 1 from the IoT authentication device, and determines that the IoT device 1 passes the authentication authorization based on the feedback information 1.
  • the IoT authentication device determines that the IoT device 1 has passed the authentication authorization of the IoT authentication device for the IoT device 1 based on the first identification and security credential 1 sent by the IoT gateway device. Further, the IoT authentication device determines that the IoT device 1 is allowed to perform the IoT operation indicated by the IoT information #2.
  • the IoT authentication device sends feedback information 1 to the IoT gateway device, which is used to indicate to the IoT gateway device that the IoT device 1 has passed the authentication authorization of the IoT authentication device for the IoT device 1.
  • the feedback information 1 includes authorization for the IoT device 1 to perform the IoT operation indicated by the IoT information #2, that is, the security credential 1 and/or the first identifier can indicate that the IoT device 1 is allowed to perform the IoT operation indicated by the IoT information #2.
  • the IoT authentication device carries feedback information 1 in the response information of the IoT request information sent to the IoT gateway device.
  • the feedback information 1 may be a set of parameters, an indicator, or a value of a specific bit in the information.
  • the IoT gateway device obtains feedback information 1 through interaction with the IoT authentication device, and completes the confirmation of whether the IoT device 1 has passed the authentication authorization according to the feedback information 1. Further, the IoT gateway device can determine, according to the feedback information 1, whether the IoT device 1 is allowed to perform the IoT operation indicated by the IoT information #2.
  • the IoT gateway device receives security credential 2 (e.g., second security credential) from the IoT authentication device, which is used to indicate that the IoT device 1 has passed the authentication authorization of the IoT authentication device for the IoT device 1.
  • the security credential 2 is used to indicate that the IoT device 1 has passed the authentication and authorization of the IoT authentication device to the IoT device 1.
  • it may further include allowing the IoT device 1 to perform the IoT operation indicated by the IoT information #2.
  • the IoT authentication device configures the security credential 2 for the IoT device 1, which is used to indicate to the IoT gateway device that the IoT device 1 has passed the authentication and authorization of the IoT authentication device to the IoT device 1.
  • the IoT authentication device sends the security credential 2 associated with the IoT device 1 to the IoT gateway device.
  • the IoT gateway device may also request the IoT authentication device for the security credential 2 associated with the IoT device 1 after receiving the IoT information #2 of the IoT device 1, and the IoT authentication device sends the security credential 2 to the IoT gateway device; or the IoT authentication device actively sends the security credential 2 associated with the IoT device 1 to the IoT gateway device serving the IoT device 1 after completing the authentication and authorization of the IoT device 1.
  • the IoT authentication device may also send security credentials 2 to the IoT device 1. Accordingly, the IoT device 1 carries security credentials 2 in the IoT information (e.g., IoT information #2) sent to the IoT gateway device, so that the IoT gateway device determines that the IoT device 1 has passed the authentication authorization.
  • the security credential 2 is associated with a device identification and/or a device credential of the IoT device 1.
  • the IoT gateway device determines that the IoT device 1 has passed the authentication authorization based on the security credential 2.
  • security credential 2 is used to indicate that IoT device 1 has passed the authentication and authorization of the IoT authentication device for IoT device 1, which further includes allowing IoT device 1 to execute the IoT operation indicated by IoT information #2.
  • the IoT gateway device determines whether the IoT device 1 has passed the authentication authorization based on the security credential 2 issued by the IoT authentication device. For example, the IoT gateway device determines, based on the security credential 2, whether the IoT device 1 is the IoT device associated with the security credential 2. If so, it is determined that the IoT device 1 has passed the authentication authorization. If not, it is determined that the IoT device 1 has not passed or completed the authentication authorization.
  • the IoT gateway device completes the confirmation of whether the IoT device 1 has passed the authentication authorization by interacting with the IoT authentication device.
  • the IoT gateway device sends IoT information #2 to the IoT management device or the IoT server.
  • the IoT gateway device can forward the IoT information #2 to the IoT authentication device.
  • the IoT information #2 includes at least one of an IoT identifier and indication information 2 (e.g., second indication information).
  • the IoT identifier and indication information 2 can both be used to indicate whether the IoT gateway device forwards the IoT information #2 to the IoT management device or the IoT server.
  • the IoT gateway device sends IoT information #2 to the IoT authentication device, including:
  • the IoT gateway device sends IoT information #2 to the IoT server.
  • when IoT information #2 indicates IoT discovery, IoT information #2 includes indication information 2 (and may not include an IoT identifier), which is used to instruct the IoT gateway device to send IoT information #2 to the IoT server; when IoT information #2 indicates IoT joining or IoT invitation confirmation, IoT information #2 includes indication information 2 and/or an IoT identifier, and the indication information 2 and/or the IoT identifier are used to instruct the IoT gateway device to send IoT information #2 to the IoT server.
  • the IoT gateway device retrieves the local IoT configuration information according to the IoT identifier in IoT information #2, and searches in the IoT configuration information whether it contains indication information indicating whether the IoT is local. If it contains indication information indicating that the IoT is on the cloud or IoT server side, the IoT gateway device determines that the IoT is not local, and the IoT gateway device sends IoT information #2 to the IoT server.
  • the IoT server performs the IoT operation of the IoT server indicated by IoT information #2 according to IoT information #2. For example, if IoT information #2 indicates IoT discovery, the IoT server returns an IoT list; if IoT information #2 indicates IoT joining or IoT invitation confirmation, and IoT information #2 also includes at least one IoT identifier, the IoT server adds the IoT device to the IoT identified by the IoT identifier and adds it to the member list of the IoT. More specifically, the IoT server updates the IoT configuration information of the current IoT, and then adds the relevant information of IoT device 1.
  • the IoT gateway device determines whether to send IoT information #2 to the IoT server based on whether the IoT is local. For example, the IoT gateway device determines that the IoT is not local, or understands that the IoT is not a local service (for example, when the IoT gateway device receives the address of the IoT server configured by the IoT management device, or the IoT information #2 carries the address of the IoT server (for example, the destination address in IoT information #2 is the address of the IoT server), or the IoT information #2 carries the identification information of the application or service (such as domain name, URL, etc.) which can be further parsed to obtain the address of the IoT server), the IoT gateway device determines the IoT server based on IoT information #2 or the local IoT configuration information, and then sends IoT information #2 to the IoT server.
  • the IoT server performs the IoT operation of the IoT server indicated by IoT information #2 according to IoT information #2. For example, if IoT information #2 indicates IoT discovery, the IoT server returns the IoT list; if IoT information #2 indicates IoT joining or IoT invitation confirmation, and IoT information #2 also includes at least one IoT identifier, the IoT server adds IoT device 1 to the IoT identified by the IoT identifier and adds it to the member list of the IoT. More specifically, the IoT server updates the IoT configuration information of the current IoT, and then adds the relevant information of IoT device 1.
  • IoT device 1 indicates to the IoT gateway device through indication information 2 in IoT information #2 that it needs to send IoT information #2 to the IoT server.
  • indication information 2 can also be used to indicate whether the Internet of Things is local. For example, when indication information 2 is used to indicate that the Internet of Things is local, the Internet of Things gateway device sends Internet of Things information #2 to the Internet of Things management device; or, when indication information 2 is used to indicate that the Internet of Things is not local, the Internet of Things gateway device sends Internet of Things information #2 to the Internet of Things server.
  • the IoT gateway device sends IoT information #2, including:
  • the IoT gateway device sends IoT information #2 to the IoT management device.
  • when IoT information #2 indicates IoT discovery, IoT information #2 includes indication information 2 (and may not include an IoT identifier), which is used to instruct the IoT gateway device to send IoT information #2 to the IoT management device; when IoT information #2 indicates IoT joining or IoT invitation confirmation, IoT information #2 includes indication information 2 and/or an IoT identifier, and the indication information 2 and/or the IoT identifier are used to instruct the IoT gateway device to send IoT information #2 to the IoT management device.
  • the IoT gateway device retrieves the local IoT configuration information according to the IoT identification in IoT information #2, and searches the IoT configuration information for whether it contains indication information of whether the IoT is local. If it does not contain indication information indicating that the IoT is on the cloud or server side, the IoT gateway device determines that the IoT is local, and the IoT gateway device sends IoT information #2 to the IoT management device.
  • the IoT management device performs the IoT operation of the IoT management device indicated by IoT information #2 according to IoT information #2. For example, if IoT information #2 indicates IoT discovery, the IoT management device returns the IoT list of the local or IoT server; if IoT information #2 indicates IoT joining or IoT invitation confirmation, and IoT information #2 also includes at least one IoT identifier, the IoT management device adds IoT device 1 to the IoT identified by the IoT identifier and adds it to the member list of the IoT. More specifically, the IoT management device updates the IoT configuration information of the current IoT, and then adds the relevant information of IoT device 1.
  • the IoT gateway device determines whether to send IoT information #2 to the IoT management device based on whether the IoT is local. For example, the IoT gateway device determines that the IoT is local, or understands that the IoT is a local service (for example, when the IoT gateway device has never received the address of the IoT server configured by the IoT management device, or the IoT information #2 carries the identifier of the IoT management device (IP address, generic public subscription identifier (GPSI), medium access control (MAC) address, domain name or other information that can be used to identify the IoT management device) (for example, the destination address in the IoT information #2 is the address of the IoT management device), or the IoT information #2 carries the identification information of the application or service (such as domain name, URL, etc.) which can be further parsed to obtain the address of the IoT management device), the IoT gateway device determines the IoT management device based on the IoT
  • the IoT management device performs the IoT operation of the IoT management device indicated by IoT information #2 according to IoT information #2. For example, if IoT information #2 indicates IoT discovery, the IoT management device returns the IoT list of the local or IoT server; if IoT information #2 indicates IoT joining or IoT invitation confirmation, and IoT information #2 also includes at least one IoT identifier, the IoT management device adds IoT device 1 to the IoT identified by the IoT identifier and adds it to the member list of the IoT. More specifically, the IoT management device updates the IoT configuration information of the current IoT, and then adds the relevant information of IoT device 1.
  • the IoT device indicates to the IoT gateway device through indication information 2 in IoT information #2 that it needs to send IoT information #2 to the IoT management device.
  • the IoT operation of the IoT management device indicated by the IoT information #2 is requested by IoT device 1 to be executed by the IoT management device.
  • the IoT device can request the IoT management device to execute the IoT operation requested by the IoT device, which can enhance the flexibility of executing the IoT operation of the IoT device.
  • IoT management device can directly send IoT invitation information to IoT device 1, and the IoT invitation information is used to indicate that IoT device 1 joins the IoT managed by the IoT management device; accordingly, the IoT management device can join IoT device 1 to the IoT according to IoT information #2.
  • the IoT management device can send the above-mentioned IoT invitation information to IoT device 1 through the forwarding of the IoT gateway device, which is not limited in this application. In this way, the operation of the IoT device can be simplified, and the IoT management device can actively control the IoT device to join the IoT, thereby enhancing the centralized management function of the IoT management device.
  • the actions performed by the IoT management device can also be performed by the IoT server, and this application does not limit this. A unified explanation is given here, and no further description is given later.
  • the present application supports the IoT gateway device to complete the confirmation of whether the IoT device 1 has passed the authentication authorization, thereby ensuring the security of information interaction between other devices in the IoT.
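As an added illustration that is not part of the patent text, the following Python model shows the IoT gateway device's decisions in method 300: forwarding request information A for a device that is not yet an IoT member, refusing IoT information #1 that lacks the first identifier and security credential 1 and returning indication information 1, confirming security credential 2 issued by the IoT authentication device, and routing IoT information #2 to the IoT management device or the IoT server according to indication information 2 or the local IoT configuration. The message field names, the "local"/"server" configuration values and the type strings are assumptions made for this example.

```python
"""Model of the IoT gateway device's forwarding decisions (added example; the
field names, type strings and configuration format are assumptions)."""
import hmac
from dataclasses import dataclass
from typing import Dict, Optional

# Information types the gateway forwards even before the device is an IoT (PIN)
# member: request information A (registration/authentication/authorization).
FORWARDABLE_BEFORE_AUTH = {"registration", "authentication", "authorization", "auth_authz"}
# IoT operations (IoT information #1/#2) that require completed authentication.
PIN_OPERATIONS = {"join", "discovery", "invite_ack"}


@dataclass
class IoTMessage:
    info_type: str                    # IE carried in the IoT header: information type
    device_id: str                    # device identification set by the device auth server
    device_cred: Optional[str] = None  # device credential (e.g. certificate), request A only
    first_id: Optional[str] = None    # first identifier (application layer id)
    cred1: Optional[str] = None       # security credential 1 configured by the auth device
    cred2: Optional[str] = None       # security credential 2, if the device carries it
    pin_id: Optional[str] = None      # IoT identifier
    ind2: Optional[str] = None        # indication information 2: "local", "server" or None


@dataclass
class Decision:
    action: str                       # "forward" or "reject"
    target: Optional[str] = None      # "server" or "management_device"
    indication1: bool = False         # indication information 1: send request A first


class IoTGateway:
    def __init__(self, server_address: Optional[str] = None,
                 pin_config: Optional[Dict[str, Dict[str, str]]] = None):
        self.server_address = server_address   # set when the management device configured it
        self.pin_config = pin_config or {}     # IoT identifier -> {"location": "local"|"server"}
        self.cred2_by_device: Dict[str, str] = {}  # credential 2 learned from the auth device

    def register_credential2(self, device_id: str, cred2: str) -> None:
        """Security credential 2 sent (or returned on request) by the auth device."""
        self.cred2_by_device[device_id] = cred2

    def handle(self, msg: IoTMessage) -> Decision:
        # Request information A is an information type the gateway may forward
        # even though the sender is not yet an IoT member.
        if msg.info_type in FORWARDABLE_BEFORE_AUTH:
            if not msg.device_cred:
                return Decision("reject")
            return Decision("forward", self._auth_target())
        if msg.info_type not in PIN_OPERATIONS:
            return Decision("reject")  # unknown signaling is discarded
        # Non-authentication and authorization state: no first identifier and/or
        # no security credential 1, so refuse and send indication information 1.
        if not (msg.first_id and msg.cred1):
            return Decision("reject", indication1=True)
        # Confirm with security credential 2 that this device is the one the
        # authentication device associated the credential with.
        if not self._passed_auth(msg):
            return Decision("reject", indication1=True)
        return Decision("forward", self._route(msg))

    def _auth_target(self) -> str:
        # The IoT is "not local" once the management device configured a server address.
        return "server" if self.server_address else "management_device"

    def _passed_auth(self, msg: IoTMessage) -> bool:
        issued = self.cred2_by_device.get(msg.device_id)
        if issued is None:
            return False  # the auth device never associated a credential 2 with this device
        if msg.cred2 is None:
            return True   # credential 2 was obtained from the auth device directly
        return hmac.compare_digest(msg.cred2, issued)  # device-presented copy must match

    def _route(self, msg: IoTMessage) -> str:
        # Indication information 2 takes precedence; otherwise consult the IoT
        # configuration for the IoT identifier; otherwise treat the IoT as local.
        if msg.ind2 == "server":
            return "server"
        if msg.ind2 == "local":
            return "management_device"
        cfg = self.pin_config.get(msg.pin_id) if msg.pin_id else None
        if cfg and cfg.get("location") == "server":
            return "server"
        return "management_device"


if __name__ == "__main__":
    # Constructed sample exchange: a join attempt before and after authentication.
    gw = IoTGateway(pin_config={"pin-1": {"location": "local"}})
    print(gw.handle(IoTMessage("join", "dev-1", pin_id="pin-1")))
    print(gw.handle(IoTMessage("authentication", "dev-1", device_cred="cert-dev-1")))
    gw.register_credential2("dev-1", "cred2-dev-1")
    print(gw.handle(IoTMessage("join", "dev-1", first_id="app-1", cred1="tok-1", pin_id="pin-1")))
```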
  • The method shown in FIG. 3 will be further described below in conjunction with FIG. 4.
  • FIG. 4 is an interactive flow chart of a method 400 for authentication and authorization in an embodiment of the present application.
  • the method 400 shown in FIG. 4 can be applied to the above-mentioned communication system 100, and can also be applied to other communication systems involving the Internet of Things.
  • the method 400 includes:
  • the Internet of Things management device performs registration authentication and authorization for the Internet of Things server.
  • the IoT management device first completes the authentication and authorization at the IoT server. After authorization, the IoT server configures the IoT management device with security credentials 3. Optionally, the IoT server also configures the IoT management device with an application layer identifier 3. The application layer identifier 3 may also be pre-configured in the IoT management device, which is not limited in this application.
  • S402 Establish a communication connection between the IoT management device and the IoT gateway device.
  • a communication connection is established between the IoT management device and the IoT gateway device.
  • a communication connection can be established between the IoT management device and the IoT gateway device based on PC5, Wi-Fi or Bluetooth (BT).
  • the IoT management device sends the address of the IoT server to the IoT gateway device.
  • the IoT management device may send the address of the IoT server to the IoT gateway device through the IoT server (PIN server) configuration information, or may send the address of the IoT server to the IoT gateway device through the IoT announcement (PIN announcement) information (which includes the IoT ID, IoT server address, and IoT management device ID/address) or the IoT invitation (PIN invite) information (which includes the IoT ID, IoT server address, and other description information of the IoT).
  • the IoT gateway device performs authentication and authorization with the IoT server.
  • the IoT gateway device may send a request message S for authentication and authorization to the IoT server based on the address of the IoT server sent by the IoT management device.
  • the request information S sent by the IoT gateway device to the IoT server includes the device identification and device credentials of the IoT gateway device. After completing the registration, authentication and authorization of the IoT gateway device, the IoT server configures the security credentials 4 for the IoT gateway device.
  • the Internet of Things server further configures the Internet of Things gateway device with an application layer identifier 4.
  • the application layer identifier 4 may also be pre-configured in the Internet of Things gateway device, which is not limited in the present application.
  • IoT device 1 discovers the IoT management device and the IoT gateway device, and establishes a communication connection with the two (such as PC5, Wi-Fi or Bluetooth).
  • this application does not limit the order in which IoT device 1 discovers the IoT management device and the IoT gateway device.
  • IoT device 1 first discovers the IoT management device, obtains the information of the IoT gateway device from the IoT management device, and then establishes a communication connection with the IoT management device.
  • the communication between IoT device 1 and the IoT management device can be interrupted.
  • the Internet of Things management device sends the address of the Internet of Things server to the Internet of Things device 1.
  • using the address of the Internet of Things server sent by the Internet of Things management device, the Internet of Things device 1 can send request information A to the Internet of Things server during authentication and authorization, and the request information A is forwarded by the Internet of Things gateway device.
  • the address of the Internet of Things server can be used by the Internet of Things device 1 to determine the receiving target of the request information A.
  • IoT device 1 sends request information A to the IoT gateway device.
  • the IoT gateway device determines that the request information A is used to request authentication authorization for the IoT device 1.
  • the IoT gateway device sends request information A to the IoT authentication device.
  • the IoT gateway device sends response information A to IoT device 1.
  • IoT device 1 sends IoT information #2 to the IoT authentication device.
  • after the authentication and authorization of the IoT device 1 is completed, the IoT device 1 sends IoT information #2 to the IoT authentication device.
  • IoT information #2 can be found in the previous text, and will not be repeated here.
  • the method 400 further includes:
  • the IoT gateway device determines that IoT device 1 passes authentication and authorization.
  • the method 400 further includes:
  • the IoT gateway device sends IoT information #2 to the IoT server.
  • after the IoT gateway device determines that the IoT device 1 has passed the aforementioned authentication and authorization, the IoT gateway device sends IoT information #2 to the IoT server.
  • for details of IoT information #2, please refer to the description of S370a, which will not be repeated here.
  • the method 400 may further include:
  • the IoT gateway device sends IoT information #2 to the IoT management device.
  • after the IoT gateway device determines that the IoT device 1 has passed the aforementioned authentication and authorization, the IoT gateway device sends IoT information #2 to the IoT management device. For details, please refer to the description of S370b, which will not be repeated here.
  • whether the IoT gateway device sends IoT information #2 to the IoT server or to the IoT management device can be determined based on the indication information 2 and/or the IoT identifier carried in the IoT information #2. For details, please refer to the previous description, which will not be repeated here.
  • the method 400 further includes:
  • the IoT management device determines that IoT device 1 passes the authentication and authorization.
  • the IoT management device determines that IoT device 1 passes authentication and authorization, which can be further understood as: the IoT management device determines that IoT device 1 is allowed to perform the IoT operation indicated by IoT information #2, which can be implemented in the following two ways:
  • the Internet of Things management device sends the first identification and security credential 1 to the Internet of Things server.
  • the IoT server can be used to perform authentication and authorization on the IoT device, and after completing the authentication and authorization of the IoT device 1, the IoT server configures the first identification and security credential 1 for the IoT device 1.
  • the IoT management device sends the first identification and security credential 1 to the IoT server in an IoT request message, where the IoT request message may be any one or more of IoT authorization information, IoT authentication information, IoT authentication authorization request information, etc.
  • the IoT management device receives feedback information 2 from the IoT server, and determines, based on the feedback information 2, that the IoT device 1 has passed the authentication and authorization.
  • the IoT server determines that the IoT device 1 has passed the IoT server's authentication and authorization of the IoT device 1 based on the first identification and security credential 1 sent by the IoT management device. Further, the IoT server determines that the IoT device 1 is allowed to perform the IoT operation indicated by the IoT information #2.
  • the IoT server sends feedback information 2 to the IoT management device, which is used to indicate to the IoT management device that the IoT device 1 has passed the authentication authorization of the IoT server for the IoT device 1.
  • the feedback information 2 includes the authorization for the IoT device 1 to perform the IoT operation indicated by the IoT information #2 (or, it can also be understood as including the authorization for the IoT operation that the IoT device 1 requests the IoT management device or the IoT server to perform, and this application does not limit this expression), that is, the security credential 1 and/or the first identification indicate that the IoT device 1 is allowed to perform the IoT operation indicated by the IoT information #2.
  • the IoT server carries feedback information 2 in the response information of the IoT request information sent to the IoT management device.
  • the feedback information 2 may be a set of parameters, or an indicator, or a value of a specific bit in the information.
  • the IoT management device obtains feedback information 2 through interaction with the IoT server, and completes the confirmation of whether IoT device 1 has passed the authentication authorization according to feedback information 2. Further, the IoT management device can determine, according to feedback information 2, whether IoT device 1 is allowed to perform the IoT operation indicated by IoT information #2.
  • the IoT management device receives the security credential 2 from the IoT server, which is used to indicate that the IoT device 1 has passed the authentication and authorization of the IoT server.
  • the security credential 2 is used to indicate that the IoT device 1 has passed the authentication and authorization of the IoT server. Among them, it may further include allowing the IoT device 1 to perform the IoT operation indicated by the IoT information #2. After completing the authentication and authorization of the IoT device 1, the IoT server configures the security credential 2 for the IoT device 1, which is used to indicate to the IoT management device that the IoT device 1 has passed the authentication and authorization of the IoT server to the IoT device 1.
  • the IoT server sends the security credential 2 associated with IoT device 1 to the IoT management device.
  • the IoT management device may also request the security credential 2 associated with IoT device 1 from the IoT server, and the IoT server sends the security credential 2 to the IoT management device; or after completing the authentication and authorization of IoT device 1, the IoT server actively sends the security credential 2 associated with IoT device 1 to the IoT management device serving IoT device 1.
  • the IoT server may also send security credentials 2 to the IoT device 1.
  • the IoT device 1 carries security credentials 2 in the IoT information (e.g., IoT information #2) sent to the IoT management device, so that the IoT management device determines that the IoT device 1 has passed the authentication authorization.
  • the security credential 2 is associated with a device identification and/or a device credential of the IoT device 1.
  • the IoT management device determines that the IoT device 1 has passed the authentication authorization based on the security credential 2.
  • the security credential 2 is used to indicate that the IoT device 1 has passed the authentication and authorization of the IoT server, further including allowing the IoT device 1 to perform the IoT operation indicated by the IoT information #2.
  • the IoT management device determines whether the IoT device 1 has passed the authentication and authorization based on the security credential 2 issued by the IoT server. For example, the IoT management device determines whether the IoT device 1 is the IoT device associated with the security credential 2 based on the security credential 2. If so, it is determined that the IoT device 1 has passed the authentication and authorization. If not, it is determined that the IoT device 1 has not passed or completed the authentication and authorization.
  • the IoT management device can directly determine whether IoT device 1 has passed the authentication and authorization, and there is no need to interact with the IoT server to determine whether IoT device 1 has passed the authentication and authorization.
  • the IoT management device completes the confirmation of whether the IoT device 1 has passed the authentication and authorization by interacting with the IoT server.
  • the IoT management device performs IoT operations according to IoT information #2.
  • if IoT information #2 includes IoT discovery, the IoT management device returns the IoT list of the local or IoT server; if IoT information #2 includes IoT joining or IoT invitation confirmation, the IoT management device adds IoT device 1 to the IoT and adds it to the member list of the IoT. More specifically, the IoT management device updates the current IoT configuration information and then adds the relevant information of IoT device 1 (e.g., the application layer client ID of IoT device 1, device identification, whether it can be discovered, and the services it can provide, etc.).
  • the IoT management device can directly send IoT invitation information to IoT device 1, and the IoT invitation information is used to indicate that IoT device 1 joins the IoT managed by the IoT management device; accordingly, the IoT management device can join IoT device 1 to the IoT according to IoT information #2.
  • the IoT management device can send the above-mentioned IoT invitation information to IoT device 1 through the forwarding of the IoT gateway device, which is not limited in this application. In this way, the operation of the IoT device can be simplified, and the IoT management device can actively control the IoT device to join the IoT, thereby enhancing the centralized management function of the IoT management device.
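The method 400 exchange, as an added example that is not the patent's own code: IoT device 1 sends request information A through the IoT gateway device to the IoT server (acting as the IoT authentication device), receives the first identification and security credential 1, and the IoT management device then confirms IoT information #2 either through the server (feedback information 2) or locally with security credential 2. Modelling security credential 1 as an HMAC-SHA256 tag, security credential 2 as a digest of it, and all field names are assumptions of this example; the patent does not define credential formats.

```python
import hashlib
import hmac
import secrets


class IoTServer:
    """IoT server acting as the IoT authentication device."""
    def __init__(self, enrolled):
        self.key = secrets.token_bytes(32)  # server-side MAC key (assumed)
        self.enrolled = enrolled            # device identification -> device credential
        self.issued = {}                    # first identification -> device identification

    def _credential_1(self, first_id, dev_id):
        # security credential 1 modelled as an HMAC binding the first identification to the device
        return hmac.new(self.key, f"{first_id}|{dev_id}".encode(), hashlib.sha256).digest()

    def handle_request_a(self, request_a):
        """Registration, authentication and authorization of IoT device 1 (request information A)."""
        dev_id = request_a["device_identification"]
        if not hmac.compare_digest(self.enrolled.get(dev_id, b""), request_a["device_credential"]):
            return {"passed": False}
        first_id = "client-" + secrets.token_hex(4)  # first identification (application-layer client ID)
        self.issued[first_id] = dev_id
        return {"passed": True, "first_identification": first_id,
                "security_credential_1": self._credential_1(first_id, dev_id)}

    def handle_iot_request(self, iot_request):
        """Way 1: answer the management device's IoT request with feedback information 2."""
        first_id = iot_request["first_identification"]
        dev_id = self.issued.get(first_id)
        passed = dev_id is not None and hmac.compare_digest(
            self._credential_1(first_id, dev_id), iot_request["security_credential_1"])
        return {"feedback_information_2": passed}

    def security_credential_2(self, first_id):
        """Way 2: credential given to the management device, modelled as a digest of credential 1."""
        digest = hashlib.sha256(self._credential_1(first_id, self.issued[first_id])).digest()
        return {"first_identification": first_id, "credential_digest": digest}


class IoTGateway:
    def __init__(self, server):
        self.server = server

    def receive_request_a(self, request_a):
        # Determine that the message requests authentication/authorization, then forward it.
        if request_a.get("type") != "authentication_authorization_request":
            return {"passed": False}
        return self.server.handle_request_a(request_a)  # returned to device 1 as response information A


class IoTManagementDevice:
    """Confirms IoT device 1 from IoT information #2, then performs the requested IoT operation."""
    def __init__(self, server):
        self.server = server
        self.members = {}       # member list of the IoT: first identification -> device identification
        self.credential_2 = {}  # first identification -> security credential 2 received from the server

    def confirm_via_server(self, info2):
        # IoT request carrying the first identification and security credential 1
        return self.server.handle_iot_request(info2)["feedback_information_2"]

    def confirm_locally(self, info2):
        sc2 = self.credential_2.get(info2["first_identification"])
        if sc2 is None:
            return False
        digest = hashlib.sha256(info2["security_credential_1"]).digest()
        return hmac.compare_digest(digest, sc2["credential_digest"])

    def handle_info2(self, info2, local=False):
        confirmed = self.confirm_locally(info2) if local else self.confirm_via_server(info2)
        if not confirmed:
            return "rejected"
        if info2["operation"] == "join":
            self.members[info2["first_identification"]] = info2["device_identification"]
            return "joined"
        return "iot_list"  # discovery: the management device returns the IoT list


def run_scenario():
    # Constructed run: a valid join confirmed via the server, a forged credential, a local confirmation.
    server = IoTServer({"dev-1": b"constructed-device-credential"})
    gateway, mgmt = IoTGateway(server), IoTManagementDevice(server)
    request_a = {"type": "authentication_authorization_request",
                 "device_identification": "dev-1", "device_credential": b"constructed-device-credential"}
    response_a = gateway.receive_request_a(request_a)
    fid = response_a["first_identification"]
    info2 = {"first_identification": fid, "operation": "join", "device_identification": "dev-1",
             "security_credential_1": response_a["security_credential_1"]}
    forged = dict(info2, security_credential_1=bytes(32))
    results = {"via_server": mgmt.handle_info2(info2), "forged": mgmt.handle_info2(forged)}
    mgmt.credential_2[fid] = server.security_credential_2(fid)
    results["local"] = mgmt.handle_info2(info2, local=True)
    return results
```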
  • The method shown in FIG. 3 will be further described below in conjunction with FIG. 5.
  • FIG. 5 is an interaction flow chart of a method 500 for authentication and authorization in an embodiment of the present application.
  • the method 500 shown in FIG5 can be applied to the above-mentioned communication system 100, and can also be applied to other communication systems involving the Internet of Things.
  • the method 500 includes:
  • IoT device 1 sends IoT information #1 to the IoT gateway device.
  • the IoT gateway device receives IoT information #1 from IoT device 1.
  • the IoT gateway device determines that the IoT device 1 is in a non-authentication and authorization state.
  • the IoT gateway device sends a request message B to the IoT server, which is used to request authentication and authorization for the IoT device 1.
  • the request information B sent by the IoT gateway device to the IoT server includes the device identification and device credentials of the IoT device 1.
  • the description of the request information B can be found in the aforementioned request information A, which will not be repeated here.
  • the IoT server sends a response message B to the IoT gateway device, which is used to indicate that the IoT device 1 has passed the authentication authorization.
  • the IoT gateway device sends IoT information #1 to the IoT authentication device.
  • the IoT gateway device forwards IoT information #1.
  • the IoT information #1 includes at least one of an IoT identifier and indication information 3.
  • the IoT identifier and indication information 3 are used to instruct the IoT gateway device to forward the IoT information #1 to the IoT management device/IoT server.
  • the IoT gateway device sends IoT information #1 to the IoT server.
  • when IoT information #1 indicates IoT discovery, IoT information #1 includes indication information 3 (and may not include the IoT identification), which is used to indicate that IoT information #1 is sent to the IoT server; when IoT information #1 indicates IoT joining or IoT invitation confirmation, IoT information #1 includes indication information 3 and/or the IoT identification, which is used to indicate that IoT information #1 is sent to the IoT server.
  • the IoT gateway device retrieves the local IoT configuration information according to the IoT identification in IoT information #1, and searches the IoT configuration information for whether it contains indication information indicating whether the IoT is local. If it contains indication information indicating that the IoT is on the cloud or server side, the IoT gateway device determines that the IoT is not local, and the IoT gateway device sends IoT information #1 to the IoT server.
  • the IoT server performs the IoT operation of the IoT server indicated by IoT information #1 according to IoT information #1. For example, if IoT information #1 indicates IoT discovery, the IoT server returns the IoT list; if IoT information #1 indicates IoT joining or IoT invitation confirmation, and IoT information #1 also includes at least one IoT identifier, the IoT server adds IoT device 1 to the IoT identified by the IoT identifier and adds it to the member list of the IoT. More specifically, the IoT server updates the IoT configuration information of the current IoT, and then adds the relevant information of IoT device 1.
  • the IoT gateway device determines whether to send IoT information #1 to the IoT server based on whether the IoT is local. For example, the IoT gateway device determines that the IoT is not local, or understands that the IoT is not a local service (for example, when the IoT gateway device receives the address of the IoT server configured by the IoT management device, or the IoT information #1 carries the address of the IoT server (for example, the destination address in IoT information #1 is the address of the IoT server), or the IoT information #1 carries the identification information of the application or service (such as domain name, URL, etc.) which can be further parsed to obtain the address of the IoT server), the IoT gateway device determines the IoT server based on IoT information #1 or the local IoT configuration information, and sends IoT information #1 to the IoT server. Accordingly, the IoT server processes IoT information #1. Accordingly, the IoT management
  • the IoT device instructs the IoT gateway device to send IoT information #1 to the IoT server through indication information 3 in IoT information #1.
  • the IoT gateway device sends IoT information #1 to the IoT management device.
  • when IoT information #1 indicates IoT discovery, IoT information #1 includes indication information 3 (and may not include the IoT identification), which is used to indicate that IoT information #1 is sent to the IoT management device; when IoT information #1 indicates IoT joining or IoT invitation confirmation, IoT information #1 includes indication information 3 and/or the IoT identification, which is used to indicate that IoT information #1 is sent to the IoT management device.
  • the IoT gateway device retrieves the local IoT configuration information according to the IoT identification in IoT information #1, and searches the IoT configuration information for whether it contains indication information indicating whether the IoT is local. If it does not contain indication information indicating that the IoT is on the cloud or server side, the IoT gateway device determines that the IoT is local, and the IoT gateway device sends IoT information #1 to the IoT management device.
  • the IoT management device performs the IoT operation of the IoT management device indicated by IoT information #1 according to IoT information #1. For example, if IoT information #1 indicates IoT discovery, the IoT management device returns the IoT list of the local or IoT server; if IoT information #1 indicates IoT joining or IoT invitation confirmation, and IoT information #1 also includes at least one IoT identifier, the IoT management device adds IoT device 1 to the IoT identified by the IoT identifier and adds it to the member list of the IoT. More specifically, the IoT management device updates the IoT configuration information of the current IoT, and then adds the relevant information of IoT device 1.
  • the IoT gateway device determines whether to send IoT information #1 to the IoT management device based on whether the IoT is local. For example, the IoT gateway device determines that the IoT is local, or understands that the IoT is a local service (for example, when the IoT gateway device has never received the address of the IoT server configured by the IoT management device, or the IoT information #1 carries the identifier of the IoT management device (IP address, GPSI, MAC address, domain name or other information that can be used to identify the IoT management device) (for example, the destination address in IoT information #1 is the address of the IoT management device), or the IoT information #1 carries the identification information of the application or service (such as domain name, URL, etc.) which can be further parsed to obtain the address of the IoT management device); the IoT gateway device then determines the IoT management device based on IoT information #1 or the local IoT configuration information, and sends IoT information #1 to the IoT management device. Accordingly, the IoT management device processes IoT information #1. The specific processing method can be seen above and will not be repeated here.
  • the IoT device instructs the IoT gateway device to send IoT information #1 to the IoT management device through indication information 3 in IoT information #1.
  • indication information 3 can also be used to indicate whether the Internet of Things is local.
  • when indication information 3 is used to indicate that the Internet of Things is local, the Internet of Things gateway device sends Internet of Things information #1 to the Internet of Things management device; or, when indication information 3 is used to indicate that the Internet of Things is not local, the Internet of Things gateway device sends Internet of Things information #1 to the Internet of Things server.
  • the IoT gateway device sends a request message B to the IoT management device, which is used to request authentication and authorization for the IoT device 1.
  • the specific content can be found in the above description, which will not be repeated here.
  • the present application supports that after the IoT gateway device confirms that IoT device 1 has not completed authentication and authorization, it can proxy IoT device 1 to send request information for authentication and authorization of IoT device 1 to the IoT server, support the completion of authentication and authorization of IoT device 1, and enable IoT device 1 to perform related operations of the IoT.
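The gateway-side handling of IoT information #1 in method 500, as an added example that is not the patent's own code: when IoT device 1 is in the non-authentication and authorization state the gateway first sends request information B by proxy, and it then selects the IoT server or the IoT management device from indication information 3, from the IoT identifier looked up in the local IoT configuration, from the destination address, or from whether a server address was ever configured. The field names, the GatewayState layout and the stub server are assumptions of the example.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class GatewayState:
    """Local state of the IoT gateway device (field layout is an assumption)."""
    server_address: Optional[str] = None              # set once the management device configures it
    mgmt_identifiers: set = field(default_factory=set)  # IP/GPSI/MAC/domain name of the management device
    iot_config: dict = field(default_factory=dict)    # IoT identifier -> {"location": "local" | "server"}
    authenticated: set = field(default_factory=set)   # device identifications that passed authentication


def build_request_b(device_identification, device_credential):
    """Request information B: the gateway requests authentication/authorization on behalf of device 1."""
    return {"type": "authentication_authorization_request",
            "device_identification": device_identification,
            "device_credential": device_credential}


def select_target(state, info1):
    """Decide whether IoT information #1 is forwarded to the IoT server or to the IoT management device."""
    # 1. indication information 3 names the target or states whether the IoT is local
    ind3 = info1.get("indication_information_3")
    if ind3 in ("server", "not_local"):
        return "server"
    if ind3 in ("management_device", "local"):
        return "management_device"
    # 2. IoT identifier (joining / invitation confirmation) looked up in the local IoT configuration
    iot_id = info1.get("iot_identifier")
    if iot_id in state.iot_config:
        return "server" if state.iot_config[iot_id].get("location") == "server" else "management_device"
    # 3. destination address (or resolved service identifier) carried in IoT information #1
    dest = info1.get("destination")
    if dest is not None and dest == state.server_address:
        return "server"
    if dest in state.mgmt_identifiers:
        return "management_device"
    # 4. otherwise the IoT is treated as local unless a server address was ever configured
    return "server" if state.server_address else "management_device"


def handle_info1(state, info1, send_to_server):
    """Gateway processing of IoT information #1; returns the list of actions taken.
    send_to_server(request_b) -> response_b stands for the gateway's link to the IoT server."""
    actions = []
    dev_id = info1["device_identification"]
    if dev_id not in state.authenticated:
        # device 1 is in the non-authentication and authorization state: proxy request information B first
        actions.append("send_request_B")
        response_b = send_to_server(build_request_b(dev_id, info1.get("device_credential")))
        if not response_b.get("passed"):
            return actions + ["drop"]
        state.authenticated.add(dev_id)
    actions.append("forward_to_" + select_target(state, info1))
    return actions


def stub_server(request_b):
    # Constructed stand-in for the IoT server: accepts one known device credential.
    return {"passed": request_b["device_credential"] == b"constructed-ok"}


def demo():
    # Constructed sample: a local IoT "pin-7" and a server-side IoT "pin-9".
    state = GatewayState(server_address="pin-server.example", mgmt_identifiers={"mgmt-1"},
                         iot_config={"pin-7": {"location": "local"}, "pin-9": {"location": "server"}})
    join_local = handle_info1(state, {"device_identification": "dev-1", "device_credential": b"constructed-ok",
                                      "iot_identifier": "pin-7"}, stub_server)
    join_remote = handle_info1(state, {"device_identification": "dev-1", "iot_identifier": "pin-9"}, stub_server)
    return join_local, join_remote
```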
  • FIG. 6 is an interaction flow chart of a method 600 for authentication and authorization in an embodiment of the present application.
  • the method 600 shown in FIG6 can be applied to the above-mentioned communication system 100, and can also be applied to other communication systems involving the Internet of Things.
  • the method 600 includes:
  • the IoT gateway device sends IoT information #3 to the IoT management device.
  • the IoT management device receives IoT information #3 sent by IoT device 1 and forwarded by the IoT gateway device.
  • the description of IoT information #3 can be found in the description of IoT information #2, which will not be repeated here.
  • S620 The IoT management device determines that IoT device 1 passes authentication and authorization.
  • the IoT management device performs IoT operations according to IoT information #3.
  • the present application supports the Internet of Things management device to complete the confirmation of whether the Internet of Things device 1 has passed the authentication authorization, thereby ensuring the security of information interaction between other devices in the Internet of Things.
  • method 600 further includes:
  • the Internet of Things management device sends the address of the Internet of Things server to the Internet of Things device 1.
  • IoT device 1 sends IoT information #4 to the IoT management device.
  • the IoT management device receives IoT information #4 from IoT device 1.
  • the description of IoT information #4 can be found in the description of IoT information #1, which will not be repeated here.
  • the Internet of Things management device determines that the Internet of Things device 1 is in a non-authentication and authorization state.
  • the Internet of Things management device sends instruction information 2 to the Internet of Things device 1, which is used to instruct the Internet of Things device 1 to send request information A.
  • the present application supports that after the IoT management device confirms that IoT device 1 has not completed authentication and authorization, it can send instruction information to IoT device 1.
  • IoT device 1 completes the authentication and authorization process for IoT device 1 under the instruction of the instruction information sent by the IoT management device, so that IoT device 1 can perform related operations of the IoT.
  • the Internet of Things management device sends a request message C to the Internet of Things server, which is used to request authentication and authorization for the Internet of Things device 1.
  • the present application supports that after the IoT management device confirms that IoT device 1 has not completed authentication and authorization, it can proxy IoT device 1 to send request information for authentication and authorization of IoT device 1 to the IoT server, support the completion of authentication and authorization of IoT device 1, and enable IoT device 1 to perform related operations of the IoT.
  • the terminal and the network device may include a hardware structure and/or a software module, and implement the above functions in the form of a hardware structure, a software module, or a hardware structure plus a software module. Whether one of the above functions is executed in the form of a hardware structure, a software module, or a hardware structure plus a software module depends on the specific application and design constraints of the technical solution.
  • Fig. 7 is a schematic block diagram of a communication device 700 according to an embodiment of the present application.
  • the communication device 700 includes a processor 710 and a communication interface 720, and the processor 710 and the communication interface 720 are interconnected via a bus 730.
  • the communication device 700 shown in Fig. 7 may be a network device or a terminal device.
  • the communication device 700 further includes a memory 740 .
  • the memory 740 includes, but is not limited to, random access memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM), or compact disc read-only memory (CD-ROM), and the memory 740 is used to store related instructions and data.
  • Processor 710 may be one or more central processing units (CPUs). When processor 710 is a CPU, the CPU may be a single-core CPU or a multi-core CPU.
  • the processor 710 in the communication device 700 is used to read the computer program or instructions stored in the memory 740, and illustratively, perform the following operations: receive request information A from the Internet of Things device 1, the request information A includes the device identification and device credentials of the Internet of Things device 1; determine that the request information A is used to request authentication and authorization for the Internet of Things device 1; send the request information A to the Internet of Things authentication device; send response information A to the Internet of Things device 1, the response information A is used to indicate that the Internet of Things device 1 has passed the authentication and authorization, and the response information A includes the first identification and security credential 1 configured by the Internet of Things authentication device for the Internet of Things device 1.
  • the following operations can be performed: receiving IoT information #1 from IoT device 1; determining that IoT device 1 is in a non-authentication and authorization state; and sending indication information 1 to IoT device 1, which is used to instruct IoT device 1 to send request information A.
  • the following operations may be performed: receiving IoT information #2 from IoT device 1, which includes a first identifier and security credential 1; determining that IoT device 1 passes authentication authorization; and sending IoT information #2 to an IoT authentication device.
  • when the communication device 700 is an Internet of Things gateway device, it is responsible for executing the methods or steps related to the Internet of Things gateway device in the above method embodiments.
  • the processor 710 in the communication device 700 is used to read the computer program or instructions stored in the memory 740, and illustratively, perform the following operations: receive Internet of Things information #3 from the Internet of Things gateway device, the Internet of Things information #3 includes a first identifier and a security credential 1, the first identifier and the security credential 1 are used to indicate that the Internet of Things device 1 has passed the authentication authorization; determine that the Internet of Things device 1 has passed the authentication authorization; and perform corresponding Internet of Things operations according to the Internet of Things information #3.
  • when the communication device 700 is an Internet of Things management device, it is responsible for executing the methods or steps related to the Internet of Things management device in the above method embodiments.
  • the processor 710 in the communication device 700 is used to read the computer program or instructions stored in the memory 740, and illustratively, perform the following operations: send a request message A to the Internet of Things gateway device, the request message A is used to request authentication authorization for the Internet of Things device 1, and the request message A includes the device identification and device credentials of the Internet of Things device 1; receive a response message A sent from the Internet of Things gateway device, the response message A is used to indicate that the Internet of Things device 1 has passed the authentication authorization, and the response message A includes the first identification and security credential 1 configured by the Internet of Things authentication device for the Internet of Things device 1.
  • when the communication device 700 is an IoT device 1, it is responsible for executing the methods or steps related to the IoT device 1 in the above method embodiments.
  • Fig. 8 is a schematic block diagram of a communication device 800 according to an embodiment of the present application.
  • the communication device 800 includes a transceiver unit 810 and a processing unit 820.
  • the transceiver unit 810 and the processing unit 820 are exemplarily introduced below.
  • the transceiver unit 810 may include a sending unit and a receiving unit, which are respectively used to implement the sending or receiving functions in the above method embodiments; it may further include a processing unit, which is used to implement functions other than sending or receiving.
  • the transceiver unit 810 is used to receive request information A from the Internet of Things device 1; the request information A includes the device identification and device credentials of the Internet of Things device 1; the processing unit 820 is used to determine that the request information A is used to request authentication and authorization for the Internet of Things device 1; the transceiver unit 810 is also used to send the request information A to the Internet of Things authentication device; the transceiver unit 810 is also used to send the response information A to the Internet of Things device 1, the response information A is used to indicate that the Internet of Things device 1 has passed the authentication and authorization, and the response information A includes the first identification and security credential 1 configured by the Internet of Things authentication device for the Internet of Things device 1.
  • the processing unit 820 is used to execute the contents of the steps involving processing, coordination, etc. in the IoT gateway device. For example, the processing unit 820 is used to determine whether the IoT device 1 passes the authentication authorization.
  • the transceiver unit 810 is used to receive IoT information #3 from the IoT gateway device, where the IoT information #3 includes a first identifier and a security credential 1, and the first identifier and the security credential 1 are used to indicate that the IoT device 1 has passed the authentication authorization; the processing unit 820 is used to determine that the IoT device 1 has passed the authentication authorization; the processing unit 820 is also used to perform corresponding IoT operations according to the IoT information #3.
  • when the communication device 800 is an Internet of Things device 1, the transceiver unit 810 is used to send a request message A to the Internet of Things gateway device, where the request message A is used to request authentication and authorization for the Internet of Things device 1, and the request message A includes the device identification and device certificate of the Internet of Things device 1; the transceiver unit 810 is also used to receive a response message A sent from the Internet of Things gateway device, where the response message A is used to indicate that the Internet of Things device 1 has passed the authentication and authorization, and the response message A includes the first identification and security certificate 1 configured for the Internet of Things device 1.
  • the communication device 800 further includes a storage unit 830, and the storage unit 830 is used to store a program or code for executing the aforementioned method.
  • when the communication device 800 is an IoT gateway device, it is responsible for executing the methods or steps related to the IoT gateway device in the aforementioned method embodiment; when the communication device 800 is an IoT management device, it is responsible for executing the methods or steps related to the IoT management device in the aforementioned method embodiment; when the communication device 800 is an IoT device 1, it is responsible for executing the methods or steps related to the IoT device 1 in the aforementioned method embodiment.
  • each operation of FIG. 8 may also refer to the corresponding description of the method shown in the above embodiment, which will not be repeated here.
  • the device embodiments shown in Figures 7 and 8 are used to implement the contents described in the aforementioned method embodiments Figures 3 to 6. Therefore, the specific execution steps and methods of the devices shown in Figures 7 and 8 can refer to the contents described in the aforementioned method embodiments.
  • the above-mentioned transceiver unit may include a sending unit and a receiving unit.
  • the sending unit is used to perform a sending action of the communication device
  • the receiving unit is used to perform a receiving action of the communication device.
  • the embodiment of the present application combines the sending unit and the receiving unit into one transceiver unit. A unified description is given here, and no further description is given later.
  • Fig. 9 is a schematic diagram of a communication device 900 according to an embodiment of the present application.
  • the communication device 900 may be used to implement the functions of the PEGC (IoT gateway device), the IoT management device, or the IoT device in the above method.
  • the communication device 900 includes: an input/output interface 920 and a processor 910.
  • the input/output interface 920 may be an input/output circuit.
  • the processor 910 may be a signal processor, a chip, or other integrated circuit that can implement the method of the present application.
  • the input/output interface 920 is used for inputting or outputting signals or data.
  • the input/output interface 920 is used to receive request information A from the IoT device, the request information A includes the device identification and device credentials of the IoT device 1; send request information A to the IoT authentication device; send response information A to the IoT device 1, the response information A is used to indicate that the IoT device 1 has passed the authentication authorization, and the response information A includes the first identification and security credentials 1 configured for the IoT device 1.
  • the processor 910 is used to execute some or all steps of any one of the methods provided in the embodiments of the present application. Exemplarily, the processor 910 is used to determine that the request information A is used to request authentication authorization for the IoT device 1 and that the IoT device 1 has passed the authentication authorization, and so on.
  • the input/output interface 920 is used to receive IoT information #3 from the IoT gateway device, where IoT information #3 includes a first identifier and a security credential 1, and the first identifier and security credential 1 are used to indicate that the IoT device 1 has passed the authentication authorization.
  • the processor 910 is used to execute some or all of the steps of any one of the methods provided in the embodiments of the present application. Exemplarily, the processor 910 is used to determine that the IoT device 1 has passed the authentication authorization and to perform corresponding IoT operations according to the IoT information #3, etc.
  • the input-output interface 920 is used to send a request message A to the Internet of Things gateway device, the request message A is used to request authentication and authorization for the Internet of Things device 1, and the request message A includes the device identification and device certificate of the Internet of Things device 1; the input-output interface 920 is used to receive a response message A sent from the Internet of Things gateway device, the response message A is used to indicate that the Internet of Things device 1 has passed the authentication and authorization, and the response message A includes the first identification and security certificate 1 configured for the Internet of Things device 1.
  • the processor 910 executes instructions stored in the memory to implement the functions of the network device or the terminal device.
  • optionally, the communication device 900 also includes a memory; the processor and the memory may be integrated together, or the memory may be located outside the communication device 900.
  • the processor 910 may be a logic circuit, and the processor 910 inputs/outputs messages or signals through the input/output interface 920.
  • the logic circuit may be a signal processor, a chip, or other integrated circuit that can implement the method of the embodiment of the present application.
  • the above description of the device in FIG. 9 is only an exemplary description.
  • the device can be used to execute the method described in the above embodiment.
  • FIG10 is a schematic block diagram of a communication device 1000 of an embodiment of the present application.
  • the communication device 1000 may be a network device or a chip (if the IoT gateway device/IoT management device/IoT device is a network device).
  • the communication device 1000 may be used to perform the operations performed by the network device in the method embodiments shown in FIGS. 3 to 6 above.
  • FIG. 10 shows a simplified schematic diagram of the base station structure.
  • the base station includes a part 1010, a part 1020, and a part 1030.
  • Part 1010 is mainly used for baseband processing, controlling the base station, etc.;
  • Part 1010 is usually the control center of the base station, which can usually be called a processor, and is used to control the base station to perform the processing operations on the network device side in the above method embodiment.
  • Part 1020 is mainly used to store computer program code and data.
  • Part 1030 is mainly used for receiving and transmitting radio frequency signals and converting radio frequency signals into baseband signals; Part 1030 can usually be called a transceiver module, a transceiver, a transceiver circuit, or a transceiver, etc.
  • the transceiver module of part 1030, which can also be called a transceiver, a transceiver device, etc., includes an antenna 1033 and a radio frequency circuit (not shown in FIG. 10), wherein the radio frequency circuit is mainly used for radio frequency processing.
  • the device for implementing the receiving function in part 1030 may be regarded as a receiver, and the device for implementing the transmitting function may be regarded as a transmitter, that is, part 1030 includes a receiver 1032 and a transmitter 1031.
  • the receiver may also be referred to as a receiving module, a receiving device, or a receiving circuit, etc.
  • the transmitter may also be referred to as a transmitting module, a transmitting device, or a transmitting circuit, etc.
  • Part 1010 and part 1020 may include one or more single boards, each of which may include one or more processors and one or more memories.
  • the processor is used to read and execute the program in the memory to realize the baseband processing function and the control of the base station. If there are multiple single boards, the single boards can be interconnected to enhance the processing capability. As an optional implementation, multiple single boards may share one or more processors, or multiple single boards may share one or more memories, or multiple single boards may share one or more processors and one or more memories at the same time.
  • the transceiver module of part 1030 is used to execute the transceiver-related processes executed by the network device in the embodiments shown in Figures 3 to 6.
  • the processor of part 1010 is used to execute the processing-related processes executed by the network device in the embodiments shown in Figures 3 to 6.
  • the processor of part 1010 is used to execute processes related to the processing performed by the communication device in the embodiments shown in Figures 3 to 6.
  • the transceiver module of part 1030 is used to execute the transceiver-related processes performed by the communication device in the embodiments shown in Figures 3 to 6.
  • FIG. 10 is merely an example and not a limitation, and the network device including the processor, memory, and transceiver described above may not rely on the structures shown in FIG. 7 to FIG. 9 .
  • when the communication device 1000 is a chip, the chip includes a transceiver, a memory and a processor.
  • the transceiver may be an input/output circuit or a communication interface;
  • the processor may be a processing module, a microprocessor, or an integrated circuit integrated on the chip.
  • the sending operation of the network device in the above method embodiment may be understood as the output of the chip, and the receiving operation of the network device in the above method embodiment may be understood as the input of the chip.
  • FIG11 is a schematic block diagram of a communication device 1100 of an embodiment of the present application.
  • the communication device 1100 may be a terminal device, a processor of a terminal device, or a chip (if the IoT gateway device/IoT management device/IoT device is a terminal device).
  • the communication device 1100 may be used to perform the operations performed by the terminal device or the communication device in the above method embodiment.
  • FIG11 shows a simplified schematic diagram of the structure of the terminal device.
  • the terminal device includes a processor, a memory, and a transceiver.
  • the memory can store computer program codes.
  • the transceiver includes a transmitter 1131, a receiver 1132, a radio frequency circuit (not shown in FIG11), an antenna 1133, and an input/output device (not shown in FIG11).
  • the processor is mainly used to process communication protocols and communication data, control terminal equipment, execute software programs, process software program data, etc.
  • the memory is mainly used to store software programs and data.
  • the RF circuit is mainly used to convert baseband signals and RF signals and process RF signals.
  • the antenna is mainly used to send and receive RF signals in the form of electromagnetic waves.
  • input and output devices, for example touch screens, display screens, keyboards, etc., are mainly used to receive data input by users and output data to users. It should be noted that some types of terminal devices may not have input and output devices.
  • when data needs to be sent, the processor performs baseband processing on the data to be sent, and then outputs the baseband signal to the RF circuit.
  • the RF circuit performs RF processing on the baseband signal and then sends the RF signal outward in the form of electromagnetic waves through the antenna.
  • the RF circuit receives the RF signal through the antenna, converts the RF signal into a baseband signal, and outputs the baseband signal to the processor.
  • the processor converts the baseband signal into data and processes the data.
  • the memory may also be referred to as a storage medium or a storage device, etc.
  • the memory may be set independently of the processor or integrated with the processor, and the embodiments of the present application do not limit this.
  • the antenna and the radio frequency circuit with transceiver functions can be regarded as the transceiver module of the terminal device, and the processor with processing function can be regarded as the processing module of the terminal device.
  • the terminal device includes a processor 1110, a memory 1120 and a transceiver 1130.
  • the processor 1110 may also be referred to as a processing unit, a processing board, a processing module, a processing device, etc.
  • the transceiver 1130 may also be referred to as a transceiver unit, a transceiver, a transceiver device, etc.
  • the device for implementing the receiving function in the transceiver 1130 may be regarded as a receiving module, and the device for implementing the transmitting function in the transceiver 1130 may be regarded as a transmitting module, that is, the transceiver 1130 includes a receiver and a transmitter.
  • a transceiver may sometimes be referred to as a transceiver device, a transceiver module, or a transceiver circuit, etc.
  • a receiver may sometimes be referred to as a receiving device, a receiving module, or a receiving circuit, etc.
  • a transmitter may sometimes be referred to as a transmitting device, a transmitting module, or a transmitting circuit, etc.
  • the processor 1110 is used to perform processing actions on the terminal device side in the embodiments shown in Figures 3 to 6 and the transceiver 1130 is used to perform transceiver actions on the terminal device side in Figures 3 to 6.
  • FIG. 11 is merely an example and not a limitation, and the above-mentioned terminal device including the transceiver module and the processing module may not rely on the structures shown in FIG. 7 to FIG. 9 .
  • when the communication device 1100 is a chip, the chip includes a processor, a memory and a transceiver.
  • the transceiver may be an input/output circuit or a communication interface;
  • the processor may be a processing module or a microprocessor or an integrated circuit integrated on the chip.
  • the sending operation of the terminal device in the above method embodiment may be understood as the output of the chip, and the receiving operation of the terminal device in the above method embodiment may be understood as the input of the chip.
  • the present application also provides a chip, including a processor, for calling and executing instructions stored in a memory from the memory, so that a communication device equipped with the chip executes the methods in the above examples.
  • the present application also provides another chip, including: an input interface, an output interface, and a processor, wherein the input interface, the output interface, and the processor are connected via an internal connection path, and the processor is used to execute the code in the memory, and when the code is executed, the processor is used to execute the method in each of the above examples.
  • the chip also includes a memory, and the memory is used to store computer programs or codes.
  • the present application also provides a processor, which is coupled to a memory and is used to execute the methods and functions involving a network device or a terminal device in any of the above embodiments.
  • a computer program product including instructions is provided; when the instructions are executed, the method of the above embodiment is implemented.
  • the present application also provides a computer program; when the computer program is executed in a computer, the method of the above embodiment is implemented.
  • a computer-readable storage medium stores a computer program, and when the computer program is executed by a computer, the method described in the above embodiment is implemented.
  • a, b, or c can represent: a, b, c, a-b, a-c, b-c, or a-b-c, where a, b, and c can be single or multiple.
  • the size of the serial numbers of the above-mentioned processes does not mean the order of execution.
  • the execution order of each process should be determined by its function and internal logic, and should not constitute any limitation on the implementation process of the embodiments of the present application.
  • the units described as separate components may or may not be physically separated, and the components shown as units may or may not be physical units, that is, they may be located in one place or distributed on multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
  • each functional unit in each embodiment of the present application may be integrated into one processing unit, or each unit may exist physically separately, or two or more units may be integrated into one unit.
  • if the function is implemented in the form of a software functional unit and sold or used as an independent product, it can be stored in a computer-readable storage medium.
  • the computer software product is stored in a storage medium and includes several instructions for a computer device (which can be a personal computer, a server, or a network device, etc.) to perform all or part of the steps of the methods of each embodiment of the present application.
  • the aforementioned storage medium includes: various media that can store program codes, such as USB flash drives, mobile hard drives, ROM, RAM, magnetic disks, or optical disks.

Abstract

Provided in the present application are an authentication and authorization method and a communication apparatus. The method can be applied to the authentication and authorization of the Internet of Things. The method comprises: an Internet of Things gateway device determining that request information sent by an Internet of Things device is used for requesting authentication and authorization for the Internet of Things device, wherein the request information comprises a device identifier and a device certificate of the Internet of Things device; the Internet of Things gateway device forwarding the request information to an Internet of Things authentication device, wherein the Internet of Things authentication device is used for performing authentication and authorization on the Internet of Things device; and the Internet of Things gateway device sending response information to the Internet of Things device, wherein the response information is used for indicating that the Internet of Things device passes the authentication and authorization, and the response information comprises a first identifier and a first security certificate, which are configured for the Internet of Things device by the Internet of Things authentication device. By means of the technical solution, the present application can support the completion of the authentication and authorization of an Internet of Things device.

Description

Authentication and authorization method and communication device
This application claims priority to the Chinese patent application filed with the State Intellectual Property Office of China on October 10, 2022, with application number 202211234895.6 and titled "Authentication and authorization method and communication device", the entire contents of which are incorporated by reference in this application.
Technical Field
The present application relates to the field of communication technology, and more specifically, to an authentication and authorization method and a communication device.
Background
The 3rd Generation Partnership Project (3GPP) is exploring the topic of personal IoT networks (PIN). A PIN mainly includes three functions: the IoT management device (PIN element management capability, PEMC), the IoT device (PIN element, PINE), and the IoT gateway device (PIN element gateway capability, PEGC). The IoT gateway device can be used to perform the information exchange between the other functions in the PIN and the core network (CN) of the fifth generation (5G) mobile communication technology, and the IoT management device can be used to perform management such as the joining and removal of IoT devices.
At present, IoT devices are still unable to carry out IoT-related services in certain scenarios, and a corresponding solution is urgently needed.
Summary of the invention
The present application provides an authentication and authorization method and a communication device, which can support completing the authentication and authorization of an IoT device.
In a first aspect, an authentication and authorization method is provided, the method comprising: an IoT gateway device receives request information from an IoT device, the request information comprising a device identification and a device credential of the IoT device; the IoT gateway device determines that the request information is used to request authentication and authorization for the IoT device; the IoT gateway device sends the request information to an IoT authentication device, where the IoT authentication device is used to authenticate and authorize the IoT device; the IoT gateway device sends response information to the IoT device, where the response information is used to indicate that the IoT device has passed the authentication and authorization, the response information comprising a first identification and a first security credential configured by the IoT authentication device for the IoT device, and the first identification and the first security credential are used to indicate that the IoT device has passed the authentication and authorization.
Through the above technical solution, the present application supports the IoT gateway device forwarding specific types of information sent by the IoT device when the IoT device is not yet a member of the IoT (which can also be understood as the PIN), such as request information for requesting authentication and authorization of the IoT device. In this way, when there is no direct communication between the IoT device and the IoT management device, the present application supports completing the authentication and authorization of the IoT device, so that the IoT device can perform IoT-related services.
In a possible implementation, the method further includes: the IoT gateway device receives first information from the IoT device, where the first information is used to indicate an IoT operation of the IoT management device or the IoT server; the IoT gateway device determines that the IoT device is in a non-authenticated and non-authorized state; the IoT gateway device sends first indication information to the IoT device, where the first indication information is used to instruct the IoT device to send the request information.
Specifically, when the IoT gateway device determines that the IoT device has not passed or completed authentication and authorization, it may refuse to forward the first information and send the first indication information to indicate that the IoT device needs to complete authentication and authorization. Accordingly, the IoT device performs authentication and authorization under the instruction of the first indication information.
Through the above technical solution, the present application supports the IoT device performing its authentication and authorization under the instruction of the IoT gateway device.
In a possible implementation, the method further includes: the IoT gateway device receives second information from the IoT device, where the second information includes the first identification and the first security credential, and the second information is used to indicate an IoT operation of the IoT management device or the IoT server; the IoT gateway device determines that the IoT device has passed the authentication and authorization; the IoT gateway device sends the second information to the IoT management device or the IoT server.
Through the above technical solution, the present application supports performing IoT-related operations (or related services) after the IoT device completes authentication and authorization.
In a possible implementation, the IoT gateway device determining that the IoT device has passed the authentication and authorization includes: the IoT gateway device sends the first identification and the first security credential to the IoT authentication device; the IoT gateway device receives feedback information from the IoT authentication device, where the feedback information is used to indicate that the IoT device has passed the authentication and authorization; the IoT gateway device determines, according to the feedback information, that the IoT device has passed the authentication and authorization.
Specifically, the IoT gateway device determines whether the IoT device has passed authentication and authorization through information interaction with the IoT server.
Alternatively, in a possible implementation, the IoT gateway device determining that the IoT device has passed the authentication and authorization includes: the IoT gateway device receives a second security credential from the IoT authentication device, where the second security credential is used to indicate that the IoT device has passed the authentication and authorization; the IoT gateway device determines, according to the second security credential, that the IoT device has passed the authentication and authorization.
Specifically, the IoT gateway device determines whether the IoT device has passed authentication and authorization through information interaction with the IoT server.
In a possible implementation, the IoT authentication device includes at least one of an IoT management device and an IoT server.
Specifically, in the embodiments of the present application, both the IoT management device and the IoT server can implement authentication and authorization of the IoT device. Therefore, the IoT gateway device can forward the request information sent by the IoT device to the IoT management device or to the IoT server.
In a possible implementation, the second information further includes at least one of the following: an IoT identification, or second indication information; the second indication information is used to instruct the IoT gateway device to send the second information to the IoT server, or the second indication information is used to instruct the IoT gateway device to send the second information to the IoT management device.
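The first-aspect exchange described above (non-member device, first indication information, request information relayed to the authentication device, response information carrying the first identification and first security credential, and the gateway's later feedback check before forwarding second information), as an added Python simulation that is not part of the patent. The message field names, the token formats for the first identification and security credential, and the sample device identifier and credential are this example's assumptions.

```python
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Msg:
    kind: str                   # auth_request / auth_response / iot_op / first_indication / ...
    payload: dict = field(default_factory=dict)


class IoTAuthDevice:
    """IoT authentication device (PEMC or IoT server). Credential formats are this example's assumption."""

    def __init__(self):
        self.enrolled = {}   # device identifier -> device credential, provisioned out of band
        self.issued = {}     # first identifier -> security credential 1

    def enroll(self, device_id, device_credential):
        self.enrolled[device_id] = device_credential

    def authenticate(self, request):
        """Check the device credential; on success configure a first identifier and credential 1."""
        expected = self.enrolled.get(request.payload.get("device_id"))
        presented = request.payload.get("device_credential", "")
        if expected is None or not hmac.compare_digest(expected, presented):
            return Msg("auth_response", {"result": "rejected"})
        first_id, cred1 = "pin-" + secrets.token_hex(4), secrets.token_hex(16)
        self.issued[first_id] = cred1
        return Msg("auth_response", {"result": "passed", "first_id": first_id,
                                     "security_credential_1": cred1})

    def feedback(self, first_id, cred1):
        """Feedback information: True only if this device configured exactly this pair."""
        issued = self.issued.get(first_id)
        return issued is not None and hmac.compare_digest(issued, cred1)


class IoTGateway:
    """PEGC: relays authentication requests from non-members, checks members' operations."""

    def __init__(self, auth_device):
        self.auth_device = auth_device
        self.relayed = []    # operations forwarded to the management device / IoT server

    def handle(self, msg):
        if msg.kind == "auth_request":
            # Forward the request information; relay the response information back to the device.
            return self.auth_device.authenticate(msg)
        if msg.kind != "iot_op":
            return Msg("reject", {"reason": "unknown message kind"})
        first_id = msg.payload.get("first_id")
        cred1 = msg.payload.get("security_credential_1")
        if first_id is None or cred1 is None:
            # Non-authenticated state: refuse to forward, send first indication information.
            return Msg("first_indication", {"action": "send_auth_request"})
        if not self.auth_device.feedback(first_id, cred1):
            return Msg("reject", {"reason": "authentication authorization not passed"})
        self.relayed.append(msg.payload["operation"])
        # Second indication information (if present) selects the IoT server or the management device.
        return Msg("forwarded", {"to": msg.payload.get("target", "iot_management_device")})


class IoTDevice:
    """PINE: a non-member until it holds the first identifier and security credential 1."""

    def __init__(self, device_id, device_credential):
        self.device_id, self.device_credential = device_id, device_credential
        self.first_id = self.cred1 = None

    def auth_request(self):
        return Msg("auth_request", {"device_id": self.device_id,
                                    "device_credential": self.device_credential})

    def iot_op(self, operation, target=None):
        payload = {"operation": operation, **({"target": target} if target else {})}
        if self.first_id is not None:   # a member attaches its configured credentials
            payload.update(first_id=self.first_id, security_credential_1=self.cred1)
        return Msg("iot_op", payload)

    def accept(self, response):
        if response.kind == "auth_response" and response.payload.get("result") == "passed":
            self.first_id = response.payload["first_id"]
            self.cred1 = response.payload["security_credential_1"]


def run_exchange():
    """Drive the flow with constructed sample values; returns the kinds of the gateway's replies."""
    auth = IoTAuthDevice()
    auth.enroll("pine-0001", "cred-abc")        # constructed identifier and credential
    gw, dev = IoTGateway(auth), IoTDevice("pine-0001", "cred-abc")
    log = [gw.handle(dev.iot_op("join")).kind]  # not yet a member -> first indication
    dev.accept(gw.handle(dev.auth_request()))   # request info -> auth device -> response info
    log.append(gw.handle(dev.iot_op("join", "iot_server")).kind)   # credentials attached -> forwarded
    # A tampered credential must fail the gateway's check with the authentication device.
    forged = Msg("iot_op", {"operation": "join", "first_id": dev.first_id,
                            "security_credential_1": "0" * 32})
    log.append(gw.handle(forged).kind)
    return log
```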
In a second aspect, an authentication and authorization method is provided, the method comprising: an IoT gateway device receives first information from an IoT device, the first information comprising a device identification and a device credential of the IoT device; the IoT gateway device determines that the IoT device is in a non-authenticated and non-authorized state; the IoT gateway device sends request information to an IoT server, where the request information is used to request the IoT server to authenticate and authorize the IoT device, and the request information comprises the device identification and the device credential.
Specifically, when the IoT gateway device determines that the IoT device has not passed or completed authentication and authorization, it can send the request information to the IoT server on behalf of the IoT device, thereby completing the authentication and authorization of the IoT device.
In a possible implementation, the method further includes: the IoT gateway device receives response information from the IoT server, where the response information is used to indicate that the IoT device has passed the authentication and authorization.
In a possible implementation, the first information is used to indicate an IoT operation of the IoT device, and the method further includes: the IoT gateway device sends the first information to the IoT management device; or, the IoT gateway device sends the first information to the IoT server.
In a possible implementation, the method further includes: the IoT gateway device receives the address of the IoT server from the IoT management device.
In a third aspect, an authentication and authorization method is provided, the method comprising: an IoT management device receives first information from an IoT gateway device, where the first information is used to indicate an IoT operation of the IoT management device, the first information comprises a first identification and a first security credential, and the first identification and the first security credential are used to indicate that the IoT device has passed the authentication and authorization; the IoT management device determines that the IoT device has passed the authentication and authorization; the IoT management device performs the IoT operation according to the first information.
Through the above technical solution, the present application supports the IoT management device confirming whether the IoT device has passed the authentication and authorization, thereby ensuring the security of information interaction between the other devices in the IoT.
In one possible implementation, before the IoT management device receives the first information from the IoT gateway device, the method further includes: the IoT management device sends the address of the IoT server to the IoT device, the address being used by the IoT device to determine the recipient of first request information, which requests that the IoT server authenticate and authorize the IoT device. The IoT management device determining that the IoT device has passed authentication and authorization includes: the IoT management device sends the first identifier and the first security credential to the IoT server; the IoT management device receives first feedback information from the IoT server, the first feedback information indicating that the IoT device has passed authentication and authorization; and the IoT management device determines from the feedback information that the IoT device has passed authentication and authorization; or, the IoT management device receives a second security credential from the IoT server, the second security credential indicating that the IoT device has passed authentication and authorization, and the IoT management device determines from the second security credential that the IoT device has passed authentication and authorization.
Through the above technical solution, this application enables the IoT device to send request information to the IoT server requesting authentication and authorization of the IoT device; correspondingly, the IoT management device determines, through its interaction with the IoT server, whether the IoT device has passed the IoT server's authentication and authorization, thereby securing information exchange among the other devices in the IoT.
In one possible implementation, before the IoT management device receives the first information from the IoT gateway device, the method further includes: the IoT management device sends the address of the IoT server to the IoT device, the address being used by the IoT device to determine the recipient of first request information, which requests that the IoT server authenticate and authorize the IoT device. The IoT management device determining that the IoT device has passed authentication and authorization includes: the IoT management device receives a second security credential from the IoT server, the second security credential indicating that the IoT device has passed authentication and authorization; and the IoT management device determines from the second security credential that the IoT device has passed authentication and authorization.
Through the above technical solution, this application enables the IoT device to send request information to the IoT server requesting authentication and authorization of the IoT device; correspondingly, the IoT management device determines, through its interaction with the IoT server, whether the IoT device has passed the IoT server's authentication and authorization, thereby securing information exchange among the other devices in the IoT.
In one possible implementation, the IoT operation of the IoT management device referred to above is an IoT operation that the IoT device requests the IoT management device to perform.
In this way, the IoT device can request that the IoT management device perform the IoT operation the IoT device wants performed, which increases the flexibility with which the IoT device's IoT operations are carried out.
In one possible implementation, the first information indicates an IoT invitation confirmation operation of the IoT management device. Before the IoT management device receives the first information from the IoT gateway device, the method further includes: the IoT management device sends IoT invitation information to the IoT device, the IoT invitation information inviting the IoT device to join the IoT managed by the IoT management device. The IoT management device performing the IoT operation according to the first information includes: the IoT management device adds the IoT device to that IoT.
In this way, the operation of the IoT device is simplified, and the IoT management device actively controls which IoT devices join the IoT, which strengthens the centralized management function of the IoT management device.
In one possible implementation, before the IoT management device receives the first information from the IoT gateway device, the method further includes: the IoT management device receives second information from the IoT device, the second information indicating an IoT operation of the IoT management device; the IoT management device determines that the IoT device is in an unauthenticated and unauthorized state; and the IoT management device sends first indication information to the IoT device, the first indication information instructing the IoT device to send the first request information.
Through the above technical solution, this application enables the IoT management device, after confirming that the IoT device has not completed authentication and authorization, to send indication information to the IoT device; under that indication the IoT device completes its authentication and authorization process, so that it can then carry out IoT operations.
In one possible implementation, the first indication information includes the address of the IoT server.
In one possible implementation, before the IoT management device receives the first information from the IoT gateway device, the method further includes: the IoT management device receives third information from the IoT device, the third information indicating an IoT operation of the IoT management device and including a device identifier and a device credential of the IoT device; the IoT management device determines that the IoT device is in an unauthenticated and unauthorized state; the IoT management device sends second request information to the IoT server, the second request information requesting that the IoT server authenticate and authorize the IoT device and including the device identifier and the device credential; and the IoT management device receives response information from the IoT server, the response information indicating that the IoT device has passed authentication and authorization and including the first identifier and the first security credential that the IoT server configured for the IoT device, which indicate that the IoT device has passed authentication and authorization.
Specifically, when the IoT management device determines that the IoT device has not passed or completed authentication and authorization, it can send the request information to the IoT server on the IoT device's behalf, thereby completing the authentication and authorization of the IoT device.
In one possible implementation, the first information further includes at least one of the following: an IoT identifier, or second indication information; the second indication information instructs the IoT management device to send the first information to the IoT server.
In one possible implementation, before the IoT management device receives the first information from the IoT gateway device, the method further includes: the IoT management device receives verification information from the IoT gateway device, the verification information requesting that the IoT management device determine whether the IoT device has passed authentication and authorization and including the first identifier and the first security credential; and the IoT management device sends second feedback information to the IoT gateway device, the second feedback information indicating that the IoT device has passed the authentication and authorization.
In a fourth aspect, an authentication and authorization method is provided. The method includes: an IoT device sends request information to an IoT gateway device, the request information requesting authentication and authorization of the IoT device and including a device identifier and a device credential of the IoT device; the IoT device receives response information from the IoT gateway device, the response information indicating that the IoT device has passed authentication and authorization and including a first identifier and a first security credential configured for the IoT device by an IoT authentication device.
Through the above technical solution, this application enables the IoT gateway device to forward specific types of information sent by the IoT device while the IoT device is not yet a member of the IoT, for example request information requesting authentication and authorization of the IoT device. In this way, even when there is no direct communication between the IoT device and the IoT management device, authentication and authorization of the IoT device can be completed, so that the IoT device can carry out IoT-related services.
In one possible implementation, the method further includes: the IoT device sends first information to the IoT gateway device, the first information indicating an IoT operation of the IoT management device or the IoT server; the IoT device receives first indication information from the IoT gateway device, the first indication information instructing the IoT device to send the request information.
In one possible implementation, the method further includes: the IoT device sends second information to the IoT gateway device, the second information including the first identifier and the first security credential and indicating an IoT operation of the IoT management device or the IoT server.
In one possible implementation, the second information further includes at least one of the following: an IoT identifier, or second indication information; the second indication information instructs the IoT gateway device to send the second information to the IoT server, or instructs the IoT gateway device to send the second information to the IoT entity management function.
In a fifth aspect, an authentication and authorization method is provided. The method includes: an IoT device sends second information to an IoT management device, the second information indicating an IoT operation of the IoT management device; the IoT device receives first indication information from the IoT management device, the first indication information instructing the IoT device to send first request information to an IoT server, the first request information requesting that the IoT server authenticate and authorize the IoT device.
In one possible implementation, the method further includes: the IoT device receives the address of the IoT server from the IoT management device, the address being used by the IoT device to determine the recipient of the first request information.
In one possible implementation, the first indication information includes the address of the IoT server.
In one possible implementation, the method further includes: the IoT device sends third information to the IoT management device, the third information indicating an IoT operation of the IoT management device and including a device identifier and a device credential of the IoT device.
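The message flow of the second through fifth aspects, simulated as an added example (this is not code from the patent or from its applicant): the gateway returns first indication information to a device in an unauthenticated state, proxies the device's request information (device identifier + device credential) to the IoT server acting as the IoT authentication device, hands back the configured first identifier and first security credential, and, for later second information, obtains feedback from the server on that identifier/credential pair before forwarding the operation to the management device or the server according to the second indication information. The server address, device identifiers, the pre-shared device credential and the use of an HMAC as the first security credential are all constructed assumptions; the second-security-credential variant is not modelled.

```python
import hashlib
import hmac
import secrets


class IoTServer:
    """IoT authentication device. Checks device identifier + device credential
    (assumed here to be a pre-shared secret) and configures a first identifier /
    first security credential for the device. All values are constructed."""

    def __init__(self, address, enrolled):
        self.address = address              # IoT server address handed to devices (assumption)
        self.enrolled = dict(enrolled)      # device_id -> device credential (constructed sample)
        self.key = secrets.token_bytes(32)  # MAC key for first security credentials (assumption)
        self.issued = {}                    # first identifier -> first security credential

    def handle_request(self, request):
        """Request information -> response information with first id / first credential."""
        expected = self.enrolled.get(request["device_id"])
        if expected is None or not hmac.compare_digest(expected, request["device_credential"]):
            return {"result": "rejected"}
        first_id = "fid-" + secrets.token_hex(4)
        first_cred = hmac.new(self.key, first_id.encode(), hashlib.sha256).hexdigest()
        self.issued[first_id] = first_cred
        return {"result": "authorized", "first_id": first_id, "first_credential": first_cred}

    def feedback(self, first_id, first_credential):
        """Feedback information: does this identifier/credential pair belong to an authorized device?"""
        stored = self.issued.get(first_id)
        return stored is not None and hmac.compare_digest(stored, first_credential)

    def perform(self, info):
        return {"result": "performed", "operation": info["operation"], "by": "server"}


class IoTManagementDevice:
    """Third aspect: confirm authorization with the server, then perform the IoT operation."""

    def __init__(self, server):
        self.server = server
        self.members = set()  # first identifiers of devices that joined this IoT

    def handle_first_info(self, info):
        if not self.server.feedback(info["first_id"], info["first_credential"]):
            return {"result": "rejected"}
        if info["operation"] == "invite_confirm":   # IoT invitation confirmation operation
            self.members.add(info["first_id"])
        return {"result": "performed", "operation": info["operation"], "by": "management"}


class IoTGateway:
    """Second/fourth aspects: proxy authentication, then gate every later operation."""

    def __init__(self, server, management):
        self.server = server
        self.management = management

    def handle(self, msg):
        if msg.get("type") == "auth_request":
            # request information: forwarded to the authentication device on the device's behalf
            return self.server.handle_request(msg)
        if "first_id" not in msg or "first_credential" not in msg:
            # device in an unauthenticated state: first indication information with the server address
            return {"first_indication": "send_request", "server_address": self.server.address}
        # second information: confirm authorization with the server before forwarding anything
        if not self.server.feedback(msg["first_id"], msg["first_credential"]):
            return {"result": "rejected"}
        if msg.get("second_indication") == "server":
            return self.server.perform(msg)
        return self.management.handle_first_info(msg)


def run_flow():
    """Drive the whole exchange with constructed messages and collect each outcome."""
    server = IoTServer("iot-server.example", {"dev-001": "psk-dev-001-constructed"})
    management = IoTManagementDevice(server)
    gateway = IoTGateway(server, management)
    out = {}
    out["indication"] = gateway.handle({"device_id": "dev-001", "operation": "invite_confirm"})
    out["bad_request"] = gateway.handle(
        {"type": "auth_request", "device_id": "dev-001", "device_credential": "wrong"})
    resp = gateway.handle(
        {"type": "auth_request", "device_id": "dev-001", "device_credential": "psk-dev-001-constructed"})
    out["response"] = resp
    second = {"operation": "invite_confirm",
              "first_id": resp["first_id"], "first_credential": resp["first_credential"]}
    out["to_management"] = gateway.handle(second)
    out["to_server"] = gateway.handle({**second, "operation": "report_status", "second_indication": "server"})
    out["forged"] = gateway.handle({**second, "first_credential": "0" * 64})  # tampered credential
    out["members"] = set(management.members)
    return out


if __name__ == "__main__":
    for step, result in run_flow().items():
        print(step, result)
```

The gateway never forwards an operation on the strength of the first identifier alone: every second information is checked with the authentication device first, which is the property the verification-information exchange of the third aspect relies on.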
In a sixth aspect, a communication apparatus is provided, including: a transceiver unit configured to receive request information from an IoT device, the request information including a device identifier and a device credential of the IoT device; a processing unit configured to determine that the request information requests authentication and authorization of the IoT device; the transceiver unit being further configured to send the request information to an IoT authentication device, which authenticates and authorizes the IoT device, and to send response information to the IoT device, the response information indicating that the IoT device has passed authentication and authorization and including a first identifier and a first security credential that the IoT authentication device configured for the IoT device, where the first identifier and the first security credential indicate that the communication apparatus has passed the authentication and authorization.
In one possible implementation, the transceiver unit is configured to receive first information from the IoT device, the first information indicating an IoT operation of the IoT management device or the IoT server; the processing unit is configured to determine that the IoT device is in an unauthenticated and unauthorized state; and the transceiver unit is configured to send first indication information to the IoT device, the first indication information instructing the IoT device to send the request information.
In one possible implementation, the transceiver unit is configured to receive second information from the IoT device, the second information including the first identifier and the first security credential and indicating an IoT operation of the IoT management device or the IoT server; the processing unit is configured to determine that the IoT device has passed authentication and authorization; and the transceiver unit is configured to send the second information to the IoT management device or the IoT server.
In one possible implementation, the transceiver unit is configured to send the first identifier and the first security credential to the IoT authentication device and to receive feedback information from the IoT authentication device, the feedback information indicating that the IoT device has passed authentication and authorization; and the processing unit is configured to determine from the feedback information that the IoT device has passed authentication and authorization.
In one possible implementation, the transceiver unit is configured to receive a second security credential from the IoT authentication device, the second security credential indicating that the IoT device has passed authentication and authorization; and the processing unit is configured to determine from the second security credential that the IoT device has passed authentication and authorization.
In one possible implementation, the IoT authentication device includes at least one of the IoT management device and the IoT server.
In one possible implementation, the second information further includes at least one of the following: an IoT identifier, or second indication information; the second indication information instructs the communication apparatus to send the second information to the IoT server, or instructs the communication apparatus to send the second information to the IoT management device.
In a seventh aspect, a communication apparatus is provided, including: a transceiver unit configured to receive first information from an IoT device, the first information including a device identifier and a device credential of the IoT device; a processing unit configured to determine that the IoT device is in an unauthenticated and unauthorized state; the transceiver unit being further configured to send request information to an IoT server, the request information requesting that the IoT server authenticate and authorize the IoT device and including the device identifier and the device credential.
In one possible implementation, the transceiver unit is configured to receive response information from the IoT server, the response information indicating that the IoT device has passed authentication and authorization.
In one possible implementation, the first information indicates an IoT operation of the IoT device, and the transceiver unit is configured to send the first information to the IoT management device, or to send the first information to the IoT server.
In one possible implementation, the transceiver unit is configured to receive the address of the IoT server from the IoT management device.
In an eighth aspect, a communication apparatus is provided, including: a transceiver unit configured to receive first information from an IoT gateway device, the first information indicating an IoT operation of the IoT management device and including a first identifier and a first security credential, which indicate that the IoT device has passed authentication and authorization; and a processing unit configured to determine that the IoT device has passed the authentication and authorization and to perform the IoT operation according to the first information.
In one possible implementation, the transceiver unit is configured to send the address of the IoT server to the IoT device, the address being used by the IoT device to determine the recipient of first request information, which requests that the IoT server authenticate and authorize the IoT device; the transceiver unit is configured to send the first identifier and the first security credential to the IoT server and to receive first feedback information from the IoT server, the first feedback information indicating that the IoT device has passed authentication and authorization; and the processing unit is configured to determine from the feedback information that the IoT device has passed authentication and authorization.
In one possible implementation, the transceiver unit is configured to send the address of the IoT server to the IoT device, the address being used by the IoT device to determine the recipient of first request information, which requests that the IoT server authenticate and authorize the IoT device; the transceiver unit is configured to receive a second security credential from the IoT server, the second security credential indicating that the IoT device has passed authentication and authorization; and the processing unit is configured to determine from the second security credential that the IoT device has passed authentication and authorization.
In one possible implementation, the transceiver unit is configured to receive second information from the IoT device, the second information indicating an IoT operation of the communication apparatus; the processing unit is configured to determine that the IoT device is in an unauthenticated and unauthorized state; and the transceiver unit is configured to send first indication information to the IoT device, the first indication information instructing the IoT device to send the first request information.
In one possible implementation, the first indication information includes the address of the IoT server.
In one possible implementation, the transceiver unit is configured to receive third information from the IoT device, the third information indicating an IoT operation of the communication apparatus and including a device identifier and a device credential of the IoT device; the processing unit is configured to determine that the IoT device is in an unauthenticated and unauthorized state; the transceiver unit is configured to send second request information to the IoT server, the second request information requesting that the IoT server authenticate and authorize the IoT device and including the device identifier and the device credential; and the transceiver unit is configured to receive response information from the IoT server, the response information indicating that the IoT device has passed authentication and authorization and including the first identifier and the first security credential that the IoT server configured for the IoT device.
In one possible implementation, the IoT operation of the communication apparatus referred to above is an IoT operation that the IoT device requests the communication apparatus to perform.
In one possible implementation, the first information indicates an IoT invitation confirmation operation of the communication apparatus; the transceiver unit is further configured to send IoT invitation information to the IoT device, the IoT invitation information inviting the IoT device to join the IoT managed by the communication apparatus; and the processing unit is further configured to add the IoT device to that IoT.
In one possible implementation, the first information further includes at least one of the following: an IoT identifier, or second indication information; the second indication information instructs the communication apparatus to send the first information to the IoT server.
In one possible implementation, the transceiver unit is configured to receive verification information from the IoT gateway device, the verification information requesting that the IoT management device determine whether the IoT device has passed authentication and authorization and including the first identifier and the first security credential; and the transceiver unit is configured to send second feedback information to the IoT gateway device, the second feedback information indicating that the IoT device has passed the authentication and authorization.
In a ninth aspect, a communication apparatus is provided, including: a transceiver unit configured to send request information to an IoT gateway device, the request information requesting authentication and authorization of the communication apparatus and including a device identifier and a device credential of the communication apparatus; the transceiver unit being further configured to receive response information from the IoT gateway device, the response information indicating that the communication apparatus has passed authentication and authorization and including a first identifier and a security credential configured for the communication apparatus by an IoT authentication device.
一种可能的实现方式中,该收发单元,用于向物联网网关设备发送第一信息,该第一信息用于指示物联网管理设备或者物联网服务器的物联网操作;收发单元,用于接收来自于向物联网网关设备的第一指示信息,该第一指示信息用于指示该通信装置发送请求信息。 In one possible implementation, the transceiver unit is used to send first information to the Internet of Things gateway device, and the first information is used to instruct the Internet of Things operation of the Internet of Things management device or the Internet of Things server; the transceiver unit is used to receive first indication information from the Internet of Things gateway device, and the first indication information is used to instruct the communication device to send request information.
一种可能的实现方式中,该收发单元,用于向物联网网关设备发送第二信息,该第信息包括第一标识与安全凭证,该第二信息用于指示物联网管理设备或者物联网服务器的物联网操作。In a possible implementation, the transceiver unit is used to send second information to the Internet of Things gateway device, where the second information includes a first identifier and a security credential, and the second information is used to indicate the Internet of Things operation of the Internet of Things management device or the Internet of Things server.
一种可能的实现方式中,第二信息还包括以下至少一项:物联网标识,或者,第二指示信息;该第二指示信息用于指示物联网网关设备向物联网服务器发送第二信息;或者,该第二指示信息用于指示物联网网关设备向物联网实体管理功能发送第二信息。In one possible implementation, the second information also includes at least one of the following: an Internet of Things identifier, or second indication information; the second indication information is used to instruct the Internet of Things gateway device to send the second information to the Internet of Things server; or the second indication information is used to instruct the Internet of Things gateway device to send the second information to the Internet of Things entity management function.
第十方面,提供了一种通信装置,包括:收发单元,用于向物联网管理设备发送第二信息,第二信息用于指示物联网管理设备或者物联网服务器的物联网操作;收发单元,用于接收来自于物联网管理设备的第一指示信息,该第一指示信息用于指示该通信装置向物联网服务器发送第一请求信息,第一请求信息用于请求物联网服务器对该通信装置进行认证授权。In the tenth aspect, a communication device is provided, including: a transceiver unit, used to send second information to an Internet of Things management device, the second information is used to instruct the Internet of Things operation of the Internet of Things management device or the Internet of Things server; a transceiver unit, used to receive first indication information from the Internet of Things management device, the first indication information is used to instruct the communication device to send first request information to the Internet of Things server, the first request information is used to request the Internet of Things server to authenticate and authorize the communication device.
一种可能的实现方式中,该收发单元,用于接收来自于物联网管理设备的物联网服务器的地址,该物联网服务器的地址用于该通信装置确定第一请求信息的接收目标。In a possible implementation, the transceiver unit is used to receive the address of an Internet of Things server from an Internet of Things management device, and the address of the Internet of Things server is used by the communication device to determine a receiving target of the first request information.
一种可能的实现方式中,第一指示信息包括物联网服务器的地址。In a possible implementation manner, the first indication information includes an address of an Internet of Things server.
一种可能的实现方式中,该收发单元,用于向物联网管理设备发送第三信息,该第三信息用于指示物联网管理设备或者物联网服务器的物联网操作,第三信息包括该通信装置的设备标识与设备凭证。In one possible implementation, the transceiver unit is used to send third information to the Internet of Things management device, where the third information is used to indicate the Internet of Things operation of the Internet of Things management device or the Internet of Things server, and the third information includes the device identification and device credentials of the communication device.
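The following Python script is an added worked example, not code from the patent or from its applicant, that plays out the gateway-mediated exchange the implementations above describe: a PINE sends an operation request with its device identifier and device credential to the PEGC; the PEGC, finding the device in the non-authenticated state, forwards a request to the PIN server; the server answers with a first identifier and first security credential; a later message carrying those is checked by the PEGC against the PEMC (verification information in, feedback out) before the operation is performed. Everything about message contents and checks is this example's assumption: the pre-shared device credential, the HMAC-over-identifier-and-expiry form of the first security credential, the issue key shared between PIN server and PEMC, the dictionary field names, and the "send an authentication request first" indication returned to a device that asks for an operation without any credentials.

```python
import hashlib
import hmac

# Constructed sample data for this example (not from the patent): one PINE that the
# PIN server has provisioned with a device identifier and a pre-shared device credential.
PROVISIONED_DEVICES = {"pine-0001": b"device-secret-0001"}
# Assumption: the PIN server and the PEMC share a key for issued credentials, so the
# PEMC can confirm a first identifier / first security credential without a round trip.
ISSUE_KEY = b"pin-issue-key-constructed"
CREDENTIAL_LIFETIME = 3600  # seconds (assumption)


class Clock:
    """Injectable clock so credential expiry can be exercised deterministically."""

    def __init__(self, t):
        self.t = t

    def now(self):
        return self.t


def _mac(key, *parts):
    return hmac.new(key, b"|".join(parts), hashlib.sha256).hexdigest()


class PinServer:
    """IoT server: authenticates a device and configures its first identifier and credential."""

    def __init__(self, provisioned, clock):
        self.provisioned, self.clock, self.issued = provisioned, clock, 0

    def handle_request(self, request):
        expected = self.provisioned.get(request.get("device_id"))
        presented = request.get("device_credential", b"")
        # Unknown identifiers and wrong credentials are rejected identically, in constant time.
        if expected is None or not hmac.compare_digest(expected, presented):
            return {"result": "rejected"}
        self.issued += 1
        first_id = f"pin-id-{self.issued:04d}"
        expiry = str(self.clock.now() + CREDENTIAL_LIFETIME)
        # The first credential binds the issued identifier to its expiry under the issue key.
        first_credential = expiry + ":" + _mac(ISSUE_KEY, first_id.encode(), expiry.encode())
        return {"result": "authorized", "first_id": first_id, "first_credential": first_credential}


class Pemc:
    """PIN management device: answers the gateway's verification information with feedback."""

    def __init__(self, clock):
        self.clock = clock

    def verify(self, verification):
        first_id = verification.get("first_id", "")
        try:
            expiry, mac = verification.get("first_credential", "").split(":", 1)
            expired = int(expiry) < self.clock.now()
        except ValueError:  # malformed credential: no separator or non-numeric expiry
            return {"verified": False}
        expected = _mac(ISSUE_KEY, first_id.encode(), expiry.encode())
        return {"verified": not expired and hmac.compare_digest(expected, mac)}


class Pegc:
    """PIN gateway: decides per message whether the device is in the authenticated state."""

    def __init__(self, server, pemc):
        self.server, self.pemc = server, pemc
        self.authorized = {}  # first_id -> device_id
        self.performed = []   # operations actually carried out

    def handle(self, msg):
        first_id = msg.get("first_id")
        if first_id in self.authorized:
            # Authenticated state: have the PEMC confirm the presented credential before acting.
            feedback = self.pemc.verify({"first_id": first_id,
                                         "first_credential": msg.get("first_credential", "")})
            if not feedback["verified"]:
                return {"result": "rejected"}
            self.performed.append((first_id, msg["operation"]))
            return {"result": "performed"}
        # Non-authenticated state without device credentials: first indication information.
        if "device_credential" not in msg:
            return {"indication": "send_authentication_request"}
        # Non-authenticated state with device credentials: second request to the PIN server.
        response = self.server.handle_request(
            {"device_id": msg.get("device_id"), "device_credential": msg["device_credential"]})
        if response["result"] == "authorized":
            self.authorized[response["first_id"]] = msg.get("device_id")
        return response


def build_pin(start_time=1_700_000_000):
    clock = Clock(start_time)
    return Pegc(PinServer(PROVISIONED_DEVICES, clock), Pemc(clock)), clock


def run_exchange(pegc):
    """The PINE side: an operation request, the authentication request, then a credentialed operation."""
    r1 = pegc.handle({"operation": "join_pin"})
    r2 = pegc.handle({"operation": "join_pin", "device_id": "pine-0001",
                      "device_credential": b"device-secret-0001"})
    r3 = pegc.handle({"operation": "read_sensor", "first_id": r2.get("first_id"),
                      "first_credential": r2.get("first_credential")})
    return r1, r2, r3


if __name__ == "__main__":
    gateway, _ = build_pin()
    for step in run_exchange(gateway):
        print(step)
```

Two design points worth noting. The gateway never treats a first identifier it has not itself recorded as authenticated, so a forged identifier falls back into the non-authenticated path and only earns the "authenticate first" indication; and because the PEMC checks expiry as part of verification, a stale credential is refused even though the gateway still remembers the identifier.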
Eleventh aspect: a communication apparatus is provided that includes a processor configured, by executing a computer program or instructions or by means of a logic circuit, to cause the communication apparatus to perform the method of the first aspect or any possible implementation of the first aspect; or the method of the second aspect or any possible implementation of the second aspect; or, likewise, the method of the third, fourth, or fifth aspect or any possible implementation of that aspect.
In one possible implementation, the communication apparatus further includes a memory for storing the computer program or instructions.
In one possible implementation, the communication apparatus further includes a communication interface for inputting and/or outputting signals.
Twelfth aspect: a communication apparatus is provided that includes a logic circuit and an input/output interface, the input/output interface being used to input and/or output signals and the logic circuit being configured to perform the method of the first aspect or any possible implementation of the first aspect; or the method of the second aspect or any possible implementation of the second aspect; or, likewise, the method of the third, fourth, or fifth aspect or any possible implementation of that aspect.
Thirteenth aspect: a computer-readable storage medium is provided that includes a computer program or instructions which, when run on a computer, cause the method of the first aspect or any possible implementation of the first aspect to be performed; or the method of the second aspect or any possible implementation of the second aspect; or, likewise, the method of the third, fourth, or fifth aspect or any possible implementation of that aspect.
Fourteenth aspect: a computer program product is provided that includes instructions which, when run on a computer, cause the method of the first aspect or any possible implementation of the first aspect to be performed; or the method of the second aspect or any possible implementation of the second aspect; or, likewise, the method of the third, fourth, or fifth aspect or any possible implementation of that aspect.
Fifteenth aspect: a computer program is provided which, when run on a computer, causes the method of the first aspect or any possible implementation of the first aspect to be performed; or the method of the second aspect or any possible implementation of the second aspect; or, likewise, the method of the third, fourth, or fifth aspect or any possible implementation of that aspect.
Sixteenth aspect: a communication system is provided that includes an IoT gateway device and an IoT management device. The IoT gateway device is configured to perform the method of the first aspect or any possible implementation of the first aspect, or the method of the second aspect or any possible implementation of the second aspect; the IoT management device is configured to perform the method of the third aspect or any possible implementation of the third aspect.
In one possible implementation, the communication system further includes an IoT device configured to perform the method of the fourth aspect or any possible implementation of the fourth aspect, or the method of the fifth aspect or any possible implementation of the fifth aspect.
BRIEF DESCRIPTION OF THE DRAWINGS
FIG. 1 is a schematic diagram of a communication system 100 applicable to the embodiments of this application.
FIG. 2 is a schematic interaction flow diagram of an authentication and authorization method 200.
FIG. 3 is a schematic interaction flow diagram of an authentication and authorization method 300 according to an embodiment of this application.
FIG. 4 is a schematic interaction flow diagram of an authentication and authorization method 400 according to an embodiment of this application.
FIG. 5 is a schematic interaction flow diagram of an authentication and authorization method 500 according to an embodiment of this application.
FIG. 6 is a schematic interaction flow diagram of an authentication and authorization method 600 according to an embodiment of this application.
FIG. 7 is a schematic structural block diagram of a communication apparatus 700 according to an embodiment of this application.
FIG. 8 is a schematic structural block diagram of a communication apparatus 800 according to an embodiment of this application.
FIG. 9 is a schematic structural block diagram of a communication apparatus 900 according to an embodiment of this application.
FIG. 10 is a schematic structural block diagram of a communication apparatus 1000 according to an embodiment of this application.
FIG. 11 is a schematic structural block diagram of a communication apparatus 1100 according to an embodiment of this application.
DETAILED DESCRIPTION
The technical solutions of this application are described below with reference to the accompanying drawings.
The technical solutions of the embodiments of this application can be applied to various communication systems, for example: the global system for mobile communications (GSM), code division multiple access (CDMA) systems, wideband code division multiple access (WCDMA) systems, the general packet radio service (GPRS), long term evolution (LTE) systems, LTE frequency division duplex (FDD) systems, LTE time division duplex (TDD) systems, the universal mobile telecommunications system (UMTS), worldwide interoperability for microwave access (WiMAX) communication systems, fifth generation (5G) systems or new radio (NR), and other future communication systems.
In the embodiments of this application, a terminal device may refer to user equipment (UE), an access terminal, a subscriber unit, a subscriber station, a mobile station, a mobile terminal, a remote station, a remote terminal, a mobile device, a user terminal, a terminal, a wireless communication device, a user agent, or a user apparatus. The terminal device may also be a cellular phone, a cordless phone, a session initiation protocol (SIP) phone, a wireless local loop (WLL) station, a personal digital assistant (PDA), a handheld device with wireless communication capability, a computing device or other processing device connected to a wireless modem, an in-vehicle device, a wearable device, a terminal device in a 5G network, or a terminal device in a public land mobile network (PLMN), among others; the embodiments of this application are not limited in this respect.
In the embodiments of this application, a network device may be a device that communicates with terminal devices. The network device may be a base transceiver station (BTS) in a GSM or CDMA system, a NodeB (NB) in a WCDMA system, an evolved NodeB (eNB or eNodeB) in an LTE system, or a radio controller in a cloud radio access network (CRAN) scenario; alternatively, the network device may be a relay station, an access point, an in-vehicle device, a wearable device, a network device in a 5G network, a network device in a PLMN, or a network device in a non-public network, among others; the embodiments of this application are not limited in this respect.
The technical solutions of the embodiments of this application are described below with reference to the accompanying drawings.
FIG. 1 is a schematic diagram of a communication system 100 applicable to the embodiments of this application. As shown in FIG. 1, the communication system 100 includes a 5G core network (5GC) and a personal IoT network (PIN). The 5GC mainly includes the access and mobility management function (AMF), the network exposure function (NEF), the user data repository (UDR), the network repository function (NRF), unified data management (UDM), next generation radio access network (NG-RAN) equipment, the policy control function (PCF), the user plane function (UPF), the data network (DN), and so on. The PIN mainly includes the PEGC, the PEMC, and PINEs. The PEMC and a PINE exchange information over P1 (based on non-3GPP or 3GPP access technology), a PINE and the PEGC exchange information over P2 (based on non-3GPP access technology, 3GPP access technology, or the Internet), and the PEGC and the PEMC exchange information over P3 (based on non-3GPP access technology or a 3GPP short-range communication technology such as 5G ProSe). It should be understood that the PEMC and the PEGC in the PIN each also exchange information with the NG-RAN in the 5GC.
It should be understood that FIG. 1 is only a schematic illustration; the embodiments of this application do not limit the number or type of network elements and functions (or devices) actually deployed in the communication system 100.
The main functions of the network elements and functions shown in FIG. 1 are described as follows:
Radio access network (RAN) equipment (also called access network equipment) corresponds to the different access networks in 5G, such as wired access and wireless base station access. RAN equipment in this application includes, but is not limited to: a next generation NodeB (gNB) in 5G, an evolved NodeB (eNB), a radio network controller (RNC), a NodeB (NB), a base station controller (BSC), a base transceiver station (BTS), a home base station (for example, a home evolved NodeB or home NodeB, HNB), a baseband unit (BBU), a transmission and reception point (TRP), a transmission point (TP), a mobile switching center, and so on.
Unified data management (UDM) (also called a unified data management network element, unified data management entity, data management device, or unified data management device) is a type of core network equipment used mainly to handle terminal device identifiers, access authentication, registration, and mobility management. The unified data management device is a control plane device.
The policy control function (PCF) (also called a policy control network element, policy control function network element, policy control device, policy control function entity, and so on) is mainly responsible for policy control functions such as charging at the session and service flow level, quality of service (QoS) bandwidth guarantees and mobility management, and UE policy decisions.
The session management function (SMF) mainly performs session management, enforcement of the control policies issued by the PCF, UPF selection, UE IP address allocation, and similar functions.
The access and mobility management function (AMF) (also called an access and mobility management function entity, access and mobility management device, access and mobility management network element, access management device, or mobility management device) is a type of core network equipment used mainly for mobility management and access management. It can implement the functions of a mobility management entity (MME) other than session management, for example lawful interception, access authorization (or authentication), user equipment registration, mobility management, the tracking area update procedure, reachability detection, selection of the session management network element, and mobility state transition management. For example, in 5G the access and mobility management network element may be an AMF network element; in future communications such as 6G it may still be an AMF network element or may have another name, which this application does not limit. When the access and mobility management network element is an AMF network element, the AMF may provide Namf services.
The user plane function (UPF) (also called a user plane device, user plane function network element, user plane network element, or user plane function entity) mainly includes the following user plane functions: packet routing and forwarding, packet inspection, service usage reporting, QoS handling, lawful interception, uplink packet inspection, and downlink packet buffering.
The network repository function (NRF) (also called a network repository device, network repository function network element, or network repository function entity) is used mainly to support service discovery: it receives a network function discovery request from a network function or a service communication proxy (SCP) and returns the requested discovery information. The NRF is also responsible for maintaining information about the available network functions and the services each of them supports; it can also be understood as a network repository device. The discovery procedure is the process by which a requesting network function (NF) addresses a specific NF or a specific service with the help of the NRF, which provides the IP address, fully qualified domain name (FQDN), or uniform resource identifier (URI) of the corresponding NF instance or NF service instance. In addition, the NRF can support cross-PLMN discovery by providing a network identifier (such as a PLMN ID). To make network functions discoverable by address, each network element must register with the NRF; some network functions may register with the NRF when they first run. The network repository function device may be core network equipment.
The network exposure function (NEF) (also called a network exposure device, network exposure function entity, network exposure function network element, network capability exposure function entity, network capability exposure function device, network capability exposure function network element, network capability exposure device, and so on) is used mainly to support the exposure of capabilities and events, for example securely exposing the services and capabilities provided by 3GPP network functions to external parties.
The user data repository (UDR) (also called a user database entity, user database network element, user database device, and so on) can apply different data access authentication mechanisms to different types of data, such as subscription data and policy data, to keep data access secure.
PIN element (PINE): an IoT device in a PIN, which may be a 3GPP UE or a non-3GPP device, and which can discover a PIN or other PINEs in a PIN and join or leave a PIN.
PIN gateway capability (PEGC): a role or capability of a PINE; it can also be understood as a PINE with gateway functionality, which implements information exchange between the other PINEs in the PIN and the 5GC and provides data routing and forwarding for those PINEs.
PIN management capability (PEMC): a role or capability of a PINE; it can also be understood as a PINE with management functionality, which manages the PIN, for example PIN creation, update, and deletion, adding and removing PINEs, and configuration management of the PEGC.
The PINE, PEGC, and PEMC may be software modules running on a UE or an IoT device, and one UE or device may have one or more of these capabilities. For example, one UE may have the PINE, PEGC, and PEMC capabilities, which can also be understood as one UE acting as a PINE, a PEGC, and a PEMC at the same time.
The PINE, PEGC, and PEMC in the embodiments of this application may also refer to a PINE client, a PEGC client, and a PEMC client, where a PEMC client can be understood as a PINE with the PEMC capability and a PEGC client as a PINE with the PEGC capability.
The names of the network elements and functions above serve only to distinguish different functions and do not imply that they are separate physical devices; this application does not limit their specific form. For example, they may be integrated in one physical device or be different physical devices. In an actual deployment, network elements or devices may be co-located: for example, the access and mobility management network element may be co-located with the session management network element, and the session management network element with the user plane network element. When two network elements are co-located, the interaction between them provided in the embodiments of this application becomes an internal operation of the co-located network element or may be omitted.
The functions and network elements above may be network elements in hardware devices, software functions running on dedicated hardware, a combination of hardware and software, or virtualized functions instantiated on a platform (for example, a cloud platform).
It should be noted that the names of the network elements and functions shown in FIG. 1 (such as PCF and AMF) are names only and do not limit the functions of the network elements and functions themselves. In 5G networks and other future networks, these network elements and functions may have other names, which this application does not specifically limit. For example, in a 6G network some or all of them may keep the 5G terminology or may be named differently; this is stated here once and not repeated below.
It should be noted that the technical solutions of the embodiments of this application apply not only to 5G networks but equally to 4G and 6G networks and to future communication networks.
The authentication and authorization method of the embodiments of this application is described below with reference to the accompanying drawings.
Figure 2 is an interaction flow chart of an authentication and authorization method 200. The method 200 shown in Figure 2 can be applied in the communication system 100 described above. As shown in Figure 2, the method 200 includes:
S210. An application layer connection is established between PINE1 and the PEMC.
Specifically, after the application layer connection between the PEMC and PINE1 is established, the PEMC sends its local PIN configuration information (profile) to PINE1. The PIN configuration information includes the PIN identifier (ID), the PIN description (such as company name, location, or business type), the Internet protocol (IP) address of the PEMC, and other information.
S220. PINE1 sends request message 1 to the PEMC, requesting to join the PIN.
Correspondingly, the PEMC receives request message 1 from PINE1 and determines from it that PINE1 requests to join the PIN.
It can be understood that the PIN that PINE1 requests to join was created by the PEMC.
It should be understood that request message 1, sent by PINE1 to the PEMC, asks the PEMC to let PINE1 join the PIN. Request message 1 includes the security credential assigned to PINE1 by the PIN server and the identification information of PINE1. For example, the identification information of PINE1 may include a generic public subscription identifier (GPSI), the application layer identifier (client ID) of PINE1, the location of PINE1, the PIN ID, and the PIN configuration information.
Optionally, request message 1 also includes information about the services that PINE1 can provide.
S230. The PEMC authenticates and authorizes PINE1.
Specifically, after receiving request message 1, the PEMC performs authentication and authorization on PINE1 and confirms whether PINE1 is permitted to join the PIN. The PEMC's authority to authenticate and authorize PINE1 may be granted by the PIN server; this application does not limit this.
S240. The PEMC sends response message 1 to PINE1.
Correspondingly, PINE1 receives response message 1 from the PEMC and determines from it whether PINE1 may join the PIN.
After determining that PINE1 may join the PIN, the PEMC sends PINE1 a response message 1 indicating that PINE1 has passed authentication and authorization. Response message 1 includes access information for PINE1 (for example, user plane information, or a Wi-Fi name and password), which PINE1 can use to access services in the DN.
Optionally, response message 1 may also include the PIN ID, the IP address of the PEGC, and other information.
S250. The PEMC notifies the PEGC and the PIN server that PINE1 has joined the PIN.
Specifically, after the PEGC determines from the notification sent by the PEMC that PINE1 is a new member of the PIN, it can allow PINE1 to access the 5G server. After the PIN server determines from the notification sent by the PEMC that PINE1 is a new member of the PIN, it can allow PINE1 to perform PIN-related services, for example PIN join and PIN discovery.
S260. The PEMC, the PEGC, and the PIN server update the PIN configuration information.
After determining that PINE1 can join the PIN, the PEMC, the PEGC, and the PIN server update their local PIN configuration information and add PINE1 to the member list of the PIN.
In summary, for the PEMC to authenticate and authorize PINE1, PINE1 and the PEMC must have direct communication throughout. If direct communication between PINE1 and the PEMC is not always available, the PEMC cannot complete the authentication and authorization of PINE1. In that case, if the PEGC receives PIN messages sent by PINE1 (for example PIN discovery or PIN join), the PEGC discards them directly because PINE1 is not a member of the PIN, so PINE1 cannot perform PIN-related services.
In view of the above technical problem, this application provides an authentication and authorization method and a communication apparatus that support completing the authentication and authorization of PINE1.
The authentication and authorization method of this application is described below with reference to the accompanying drawings.
Figure 3 is a schematic diagram of the interaction flow of an authentication and authorization method 300 according to an embodiment of this application. The method 300 shown in Figure 3 can be applied in the communication system 100 described above, and also in other communication systems involving a PIN. For ease of description, this application takes the PIN as an Internet of Things (IoT) network as an example: the PINE in the PIN is an IoT device, the PEGC is an IoT gateway device, and the PEMC is an IoT management device. As shown in Figure 3, the method 300 includes:
S310. IoT device 1 sends request message A to the IoT gateway device, requesting authentication and authorization of IoT device 1.
Correspondingly, the IoT gateway device receives request message A from IoT device 1.
In the embodiments of this application, request message A may be an IoT registration message, an IoT authentication message, or an IoT authorization message, or a combination of these; for example, request message A may be an IoT authentication and authorization message, an IoT registration and authentication message, or an IoT registration, authentication and authorization message. In other words, request message A is used to request authentication and authorization of IoT device 1 (which can also be understood as a request to allow IoT device 1 to perform specific IoT operations), where IoT device 1 is any IoT device that has established a direct communication connection with the IoT gateway device.
Specifically, request message A includes the device identifier and device credential of IoT device 1, which together represent the identity of IoT device 1. It should be understood that the device identifier and device credential of IoT device 1 are configured for IoT device 1 by its device authentication server. The device credential may be a certificate, provisioned in IoT device 1 by its manufacturer.
S320. The IoT gateway device determines that request message A is used to request authentication and authorization of IoT device 1.
As described above, when the IoT gateway device determines that request message A is of a message type (or data type) that the IoT gateway device is able to forward, the IoT gateway device decides to forward request message A rather than reject or discard it. For example, to allow IoT device 1 to dynamically join an already established IoT network, this application supports the IoT gateway device identifying and forwarding IoT messages sent to it by IoT device 1. IoT messages are signaling of an IoT application or IoT service, and may be of types including IoT registration, IoT login, IoT authentication, IoT authorization, IoT connection, IoT discovery, and IoT join messages.
It should be understood that the IoT messages described above may be IoT application layer messages, consisting of an IoT header and a payload. The IoT header includes an information element (IE) indicating the IoT message type.
In one possible implementation, the IoT messages described above are obtained by extending application layer messages such as hypertext transfer protocol (HTTP) or session initiation protocol (SIP) messages. The HTTP or SIP message includes an IE indicating the IoT message type. When the IoT gateway device receives request message A from the IoT device, it parses request message A; when it identifies that request message A includes an IE indicating the IoT message type, and that the type is any of the IoT message types listed above, the IoT gateway device decides to forward request message A. This avoids the situation in which, because IoT device 1 has not completed authentication and authorization and is therefore not a member of the IoT network, the IoT gateway device rejects or discards every IoT message that IoT device 1 sends to it, leaving IoT device 1 unable to perform IoT-related operations (or IoT-related services).
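To make the gateway-side check of S320 and the S330a/S330b routing choice concrete, the following added example (not code from the patent) parses a constructed HTTP request carrying the type IE and returns the decision a gateway would take. The header name X-PIN-Message-Type, the dict-based local PIN configuration, the type strings and the sample request are all assumptions; the page only says that the IE exists and lists the message types.

```python
"""Gateway-side classification of IoT (PIN) signalling and the S330a/S330b
routing choice.  Added illustration, not code from the patent.

Assumed (the page leaves these open): the IE carrying the IoT message type
is an HTTP header named X-PIN-Message-Type; the gateway's local PIN
configuration is a dict with the management device address and, if the
management device configured one, a PIN server address.
"""
from dataclasses import dataclass
from typing import Optional

TYPE_HEADER = "x-pin-message-type"   # assumed name of the type IE

# "Request message A" family: forwarded even from a device that is not yet
# a member of the PIN (S320).
AUTH_REQUEST_TYPES = {
    "registration", "login", "authentication", "authorization",
    "registration-authentication", "authentication-authorization",
    "registration-authentication-authorization",
}
# PIN operations, which need completed authentication/authorization first.
OPERATION_TYPES = {"join", "discovery", "invite-ack", "connection"}


@dataclass
class PinMessage:
    method: str
    target: str
    headers: dict
    body: str

    @property
    def pin_type(self) -> Optional[str]:
        return self.headers.get(TYPE_HEADER)


def parse_http(raw: str) -> PinMessage:
    """Minimal HTTP/1.1 request parser, enough to read the type IE."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return PinMessage(method, target, headers, body)


def route_request_a(msg: PinMessage, pin_config: dict) -> str:
    """S330b if the PIN is local, S330a otherwise.

    Resolving a domain name or URL in the request to an address (also
    allowed by the page) is left out; only the Host header is compared.
    """
    host = msg.headers.get("host", "")
    if host == pin_config.get("management_addr") or "server_addr" not in pin_config:
        return "management-device"
    return "server"


def gateway_decide(raw: str, pin_config: dict, is_member: bool) -> str:
    """Decision for one message from a directly connected device.

    Returns "forward:<destination>" or "drop:<reason>".
    """
    msg = parse_http(raw)
    t = msg.pin_type
    if t is None:
        return "drop:no-type-ie"        # not IoT signalling the gateway understands
    if t in AUTH_REQUEST_TYPES:
        return "forward:" + route_request_a(msg, pin_config)
    if t in OPERATION_TYPES:
        if is_member:
            return "forward:" + route_request_a(msg, pin_config)
        return "drop:not-a-member"      # the PEGC behaviour described for method 200
    return "drop:unknown-type"


# Constructed sample of request message A (S310); not a captured message.
REQUEST_A = (
    "POST /pin/auth HTTP/1.1\r\n"
    "Host: pin-server.example\r\n"
    "X-PIN-Message-Type: authentication-authorization\r\n"
    "Content-Type: application/json\r\n"
    "\r\n"
    '{"device_id": "dev-0001", "device_credential": "<certificate>"}'
)
```

With a configured server address, `gateway_decide(REQUEST_A, {"management_addr": "pemc.local", "server_addr": "pin-server.example"}, False)` returns `forward:server` (S330a); without one it returns `forward:management-device` (S330b). The same request with the type changed to `join` from a non-member is dropped, which is exactly the prior-art behaviour the patent sets out to avoid for the authentication request itself.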
S330. The IoT gateway device sends request message A to the IoT authentication device.
Specifically, the IoT authentication device can perform authentication and authorization of IoT device 1. The IoT gateway device therefore forwards request message A, sent by IoT device 1, to the IoT authentication device, which authenticates and authorizes IoT device 1.
The IoT authentication device may be the IoT management device or the IoT server; this application does not limit this.
In one possible implementation, the IoT gateway device sending request message A to the IoT authentication device includes:
S330a. The IoT gateway device sends request message A to the IoT server.
If the IoT gateway device determines that the IoT network is not local, or understands that the IoT service is not a local service (for example, because the IoT gateway device has received the address of the IoT server configured by the IoT management device, or because request message A carries the address of the IoT server (for example, the destination address in request message A is the address of the IoT server), or because request message A carries identification information of the application or service (such as a domain name or uniform resource locator (URL)) from which the address of the IoT server can be resolved), the IoT gateway device determines the IoT server from request message A or from its local IoT configuration information, sends request message A to the IoT server, and the IoT server performs the authentication and authorization of IoT device 1. For example, the IoT server completes the legitimacy check of IoT device 1 by interacting with the device authentication server of IoT device 1.
After IoT device 1 passes authentication and authorization, the IoT server configures a first identifier and security credential 1 (for example, a token, a service code, or a key (credential)) for IoT device 1 and carries the first identifier, security credential 1 and so on in response message A. The first identifier identifies IoT device 1. The first identifier may be an application layer identifier (application layer id) 1, used to identify IoT device 1 (as authenticated and authorized) at the application layer; it may be a PINE client ID, a PINE ID, or a PIN user ID, for example. Depending on implementation requirements, the first identifier may also be another identifier, such as a physical layer identifier or a link layer identifier; this application does not limit this.
It should be understood that the first identifier and security credential 1 that the IoT server configures for IoT device 1 can be used to indicate that IoT device 1 has passed the IoT server's authentication and authorization of IoT device 1. In addition, the first identifier and security credential 2 can also serve as credentials for IoT device 1 to access other devices in the IoT network.
After completing the authentication and authorization of IoT device 1, the IoT server sends response message A to the IoT gateway device, indicating that IoT device 1 has passed the IoT server's authentication and authorization of IoT device 1.
In another possible implementation, the IoT gateway device sending request message A includes:
S330b. The IoT gateway device sends request message A to the IoT management device.
If the IoT gateway device determines that the IoT network is local, or understands that the IoT service is a local service (for example, because the IoT gateway device has never received an IoT server address configured by the IoT management device, or because request message A carries an identifier of the IoT management device (for example an IP address, a generic public subscription identifier (GPSI), a medium access control (MAC) address, a domain name, or other information that can identify the IoT management device; for example, the destination address in request message A is the address of the IoT management device), or because request message A carries identification information of the application or service (such as a domain name or URL) from which the address of the IoT management device can be resolved), the IoT gateway device sends request message A to the IoT management device, and the IoT management device performs the authentication and authorization of IoT device 1. For the IoT management device's authentication and authorization of IoT device 1, refer to the description above of the IoT server's authentication and authorization of IoT device 1; it is not repeated here.
After completing the authentication and authorization of IoT device 1, the IoT management device sends response message A to the IoT gateway device, indicating that IoT device 1 has passed the IoT management device's authentication and authorization of IoT device 1.
S340. The IoT gateway device sends response message A to IoT device 1, indicating that IoT device 1 has passed authentication and authorization.
Correspondingly, IoT device 1 receives response message A from the IoT gateway device and determines from it that IoT device 1 has passed authentication and authorization. Response message A includes security credential 1 and the first identifier.
Through the above technical solution, this application supports the IoT gateway device forwarding specific types of IoT messages sent by IoT device 1 while IoT device 1 is not yet a member of the IoT network, for example request message A requesting authentication and authorization of IoT device 1. In this way, when there is no direct communication between IoT device 1 and the IoT management device, the authentication and authorization of IoT device 1 can still be completed, so that IoT device 1 can perform IoT-related operations.
In one possible implementation, the method 300 further includes:
S301. IoT device 1 sends IoT message #1 (for example, a first message) to the IoT gateway device.
Correspondingly, the IoT gateway device receives IoT message #1 from IoT device 1. IoT message #1 indicates an IoT operation of the IoT management device or the IoT server.
In one example, IoT message #1 includes information about an IoT operation. For example, the IoT operation may be IoT join (PIN join), IoT discovery (PIN discovery), or IoT invite acknowledgement (PIN invite ack); correspondingly, the IoT operation information indicates that IoT operation. Accordingly, IoT message #1 may be an IoT join request message, an IoT discovery request message, or an IoT invite acknowledgement message, each carrying at least one of the device identifier or the first identifier of IoT device 1.
S302. The IoT gateway device determines that IoT device 1 is in an unauthenticated and unauthorized state.
After receiving IoT message #1, the IoT gateway device determines that IoT device 1 is in an unauthenticated and unauthorized state (for example, when the IoT gateway device finds that IoT message #1 does not carry the first identifier and/or security credential 1, it judges that IoT device 1 is in that state); that is, the IoT gateway device determines that IoT device 1 has not completed authentication and authorization at the IoT authentication device, which can be further understood as the IoT gateway device determining that IoT device 1 is not allowed to perform the IoT operation indicated by IoT message #1. Correspondingly, the IoT gateway device refuses to forward IoT message #1.
S303. The IoT gateway device sends indication information 1 (for example, first indication information) to IoT device 1, instructing IoT device 1 to send request message A.
Correspondingly, IoT device 1 receives indication information 1 and determines from it that it needs to send request message A.
Specifically, when the IoT gateway device determines that IoT device 1 has not passed or completed authentication and authorization, it may refuse to forward IoT message #1 and send indication information 1 to IoT device 1, indicating to IoT device 1 that it needs to complete authentication and authorization. Correspondingly, IoT device 1 performs authentication and authorization as instructed by indication information 1. For example, IoT device 1 sends the aforementioned request message A to the IoT gateway device, and the IoT gateway device forwards request message A.
In one possible implementation, the IoT gateway device may carry indication information 1 in the response to IoT message #1 that it sends to IoT device 1, for example in the response to the IoT join request message, the response to the IoT discovery request message, or the response to the IoT invite acknowledgement message. Indication information 1 may be an indicator in that message; in the concrete encoding it may be the value of one bit in the message or a parameter occupying several bits.
In one example, when there is direct communication between IoT device 1 and the IoT management device, IoT device 1 sends request message A to the IoT management device, and the IoT management device performs the authentication and authorization of IoT device 1.
In another example, when there is no direct communication between IoT device 1 and the IoT management device, IoT device 1 sends request message A to the IoT gateway device, and the IoT gateway device forwards request message A, so that the authentication and authorization of IoT device 1 is completed and IoT device 1 can perform IoT-related operations.
Through the above technical solution, this application supports IoT device 1 performing its authentication and authorization as instructed by the IoT gateway device.
一个可能的实现方式,方法300还包括:In a possible implementation, method 300 further includes:
S340、物联网设备1向物联网网关设备发送物联网信息#2(例如,第二信息),其包括第一标识与安全凭证1。S340, IoT device 1 sends IoT information #2 (eg, second information) to the IoT gateway device, which includes the first identifier and security credential 1.
相应地,物联网网关设备接收物联网信息#2。其中,物联网信息#2用于指示物联网管理设备或者物联网服务器的物联网操作。一个示例中,物联网信息#2包括物联网操作的信息。譬如,物联网操作包括:物联网加入、物联网发现,或者,物联网邀请确认等,相应地,物联网操作的信息指示物联网操作。相应地,物联网信息#2可以为物联网加入请求消息(携带物联网1的设备标识或第一标识的至 少一种)、物联网发现请求消息(携带物联网1的设备标识或第一标识的至少一种)以及物联网邀请确认消息(携带物联网1的设备标识或第一标识的至少一种)等。Accordingly, the IoT gateway device receives IoT information #2. IoT information #2 is used to indicate the IoT operation of the IoT management device or IoT server. In one example, IoT information #2 includes information about IoT operations. For example, IoT operations include: IoT joining, IoT discovery, or IoT invitation confirmation, etc. Accordingly, the information about IoT operations indicates IoT operations. Accordingly, IoT information #2 can be an IoT joining request message (carrying the device identifier of IoT 1 or the first identifier of IoT 1). At least one), an Internet of Things discovery request message (carrying at least one of the device identifier or the first identifier of Internet of Things 1) and an Internet of Things invitation confirmation message (carrying at least one of the device identifier or the first identifier of Internet of Things 1), etc.
S350、物联网网关设备确定物联网设备1通过认证授权。S350: The IoT gateway device determines that the IoT device 1 passes the authentication and authorization.
具体而言,物联网网关设备确定物联网设备1通过认证授权,可以进一步地理解为:物联网网关设备确定物联网设备1被允许执行物联网信息#2所指示的物联网操作,具体可以通过下述的两种方式实现:Specifically, the IoT gateway device determines that the IoT device 1 passes the authentication authorization, which can be further understood as: the IoT gateway device determines that the IoT device 1 is allowed to perform the IoT operation indicated by the IoT information #2, which can be implemented in the following two ways:
方式(1):Method (1):
S350a1、物联网网关设备向物联网认证设备(其包括物联网管理设备或者物联网服务器)发送第一标识与安全凭证1。S350a1. The Internet of Things gateway device sends a first identification and security credential 1 to the Internet of Things authentication device (which includes an Internet of Things management device or an Internet of Things server).
如前文所述,物联网认证设备能够用于执行对物联网设备1的认证授权,且在完成对物联网设备1的认证授权之后,物联网认证设备为物联网设备1配置第一标识与安全凭证1。As mentioned above, the IoT authentication device can be used to perform authentication and authorization on the IoT device 1, and after completing the authentication and authorization on the IoT device 1, the IoT authentication device configures the first identification and security credential 1 for the IoT device 1.
一个可能的实现方式,物联网网关设备在物联网请求信息中向物联网认证设备发送第一标识与安全凭证1,该物联网请求信息可以是物联网授权信息、物联网认证信息以及物联网认证授权请求信息等中的任意一项或者多项。In one possible implementation, the IoT gateway device sends a first identification and security credential 1 to the IoT authentication device in an IoT request message, where the IoT request message may be any one or more of IoT authorization information, IoT authentication information, and IoT authentication authorization request information.
S350b1、物联网网关设备接收来自物联网认证设备的反馈信息1,并根据反馈信息1确定物联网设备1通过认证授权。S350b1. The IoT gateway device receives feedback information 1 from the IoT authentication device, and determines that the IoT device 1 passes the authentication authorization based on the feedback information 1.
具体地,在接收到物联网网关设备发送的第一标识与安全凭证1后,物联网认证设备基于物联网网关设备发送的第一标识与安全凭证1确定物联网设备1通过了物联网认证设备对物联网设备1的认证授权。进一步地,物联网认证设备确定允许物联网设备1执行物联网信息#2所指示的物联网操作。Specifically, after receiving the first identification and security credential 1 sent by the IoT gateway device, the IoT authentication device determines that the IoT device 1 has passed the authentication authorization of the IoT authentication device for the IoT device 1 based on the first identification and security credential 1 sent by the IoT gateway device. Further, the IoT authentication device determines that the IoT device 1 is allowed to perform the IoT operation indicated by the IoT information #2.
相应地,物联网认证设备则向物联网网关设备发送反馈信息1,其用于向物联网网关设备指示物联网设备1通过了物联网认证设备对物联网设备1的认证授权。进一步地,该反馈信息1包含对物联网设备1执行物联网信息#2所指示的物联网操作的授权,即安全凭证1和/或第一标识能够指示允许物联网设备1执行物联网信息#2所指示的物联网操作。Correspondingly, the IoT authentication device sends feedback information 1 to the IoT gateway device, which is used to indicate to the IoT gateway device that the IoT device 1 has passed the authentication authorization of the IoT authentication device for the IoT device 1. Further, the feedback information 1 includes authorization for the IoT device 1 to perform the IoT operation indicated by the IoT information #2, that is, the security credential 1 and/or the first identifier can indicate that the IoT device 1 is allowed to perform the IoT operation indicated by the IoT information #2.
一个可能的实现方式,物联网认证设备在发给物联网网关设备的物联网请求信息的响应信息中携带反馈信息1。其中,反馈信息1可以是一组(set)参数,或者一个指示器(indicator),或者信息中的特定位的值。In a possible implementation, the IoT authentication device carries feedback information 1 in the response information of the IoT request information sent to the IoT gateway device. The feedback information 1 may be a set of parameters, an indicator, or a value of a specific bit in the information.
物联网网关设备通过与物联网认证设备的交互获取反馈信息1,并根据反馈信息1完成对物联网设备1是否通过认证授权的确认。进一步地,物联网网关设备可以根据反馈信息1确定允许物联网设备1执行物联网信息#2所指示的物联网操作。The IoT gateway device obtains feedback information 1 through interaction with the IoT authentication device, and completes the confirmation of whether the IoT device 1 has passed the authentication authorization according to the feedback information 1. Further, the IoT gateway device can determine, according to the feedback information 1, whether the IoT device 1 is allowed to perform the IoT operation indicated by the IoT information #2.
Method (2):
S350a2. The IoT gateway device receives security credential 2 (for example, the second security credential) from the IoT authentication device, which indicates that IoT device 1 has passed the authentication and authorization performed on IoT device 1 by the IoT authentication device.
Security credential 2 indicates that IoT device 1 has passed the authentication and authorization performed on IoT device 1 by the IoT authentication device. It may further include permission for IoT device 1 to perform the IoT operation indicated by IoT information #2. After completing the authentication and authorization of IoT device 1, the IoT authentication device configures security credential 2 for IoT device 1, which is used to indicate to the IoT gateway device that IoT device 1 has passed the authentication and authorization performed on IoT device 1 by the IoT authentication device.
Correspondingly, the IoT authentication device sends security credential 2 associated with IoT device 1 to the IoT gateway device. The IoT gateway device may also, after receiving IoT information #2 from IoT device 1, request security credential 2 associated with IoT device 1 from the IoT authentication device, and the IoT authentication device then sends security credential 2 to the IoT gateway device; alternatively, after completing the authentication and authorization of IoT device 1, the IoT authentication device actively sends security credential 2 associated with IoT device 1 to the IoT gateway device serving IoT device 1.
Optionally, the IoT authentication device may also send security credential 2 to IoT device 1. Correspondingly, IoT device 1 carries security credential 2 in the IoT information (for example, IoT information #2) that it sends to the IoT gateway device, so that the IoT gateway device determines that IoT device 1 has passed authentication and authorization.
Optionally, security credential 2 is associated with the device identifier and/or the device credential of IoT device 1.
S350b2. The IoT gateway device determines, based on security credential 2, that IoT device 1 has passed authentication and authorization.
Security credential 2 indicates that IoT device 1 has passed the authentication and authorization performed on IoT device 1 by the IoT authentication device, and it further includes permission for IoT device 1 to perform the IoT operation indicated by IoT information #2.
Specifically, the IoT gateway device determines whether IoT device 1 has passed authentication and authorization based on security credential 2 issued by the IoT authentication device. For example, the IoT gateway device determines, based on security credential 2, whether IoT device 1 is the IoT device associated with security credential 2; if so, it determines that IoT device 1 has passed authentication and authorization, and if not, it determines that IoT device 1 has not passed or completed authentication and authorization.
In summary, the IoT gateway device completes the confirmation of whether IoT device 1 has passed authentication and authorization by interacting with the IoT authentication device.
S360. The IoT gateway device sends IoT information #2 to the IoT management device or the IoT server.
As described above, after determining that IoT device 1 has passed authentication and authorization, the IoT gateway device can forward IoT information #2 to the IoT authentication device.
In a possible implementation, IoT information #2 includes at least one of an IoT identifier and indication information 2 (for example, the second indication information). Both the IoT identifier and indication information 2 can be used to indicate whether the IoT gateway device forwards IoT information #2 to the IoT management device or to the IoT server.
In a possible implementation, the IoT gateway device sending IoT information #2 to the IoT authentication device includes:
S360a. The IoT gateway device sends IoT information #2 to the IoT server.
Specifically, when IoT information #2 indicates IoT discovery, IoT information #2 includes indication information 2 (and may not include an IoT identifier), which instructs the IoT gateway device to send IoT information #2 to the IoT server; when IoT information #2 indicates IoT joining or IoT invitation confirmation, IoT information #2 includes indication information 2 and/or an IoT identifier, and indication information 2 and/or the IoT identifier instruct the IoT gateway device to send IoT operation information #2 to the IoT server.
For example, the IoT gateway device retrieves the local IoT configuration information according to the IoT identifier in IoT information #2 and looks up whether the IoT configuration information contains indication information on whether the IoT is local. If it contains indication information indicating that the IoT is on the cloud or IoT server side, the IoT gateway device determines that the IoT is not local and sends IoT information #2 to the IoT server.
Correspondingly, the IoT server performs, according to IoT information #2, the IoT operation of the IoT server indicated by IoT information #2. For example, if IoT information #2 indicates IoT discovery, the IoT server returns an IoT list; if IoT information #2 indicates IoT joining or IoT invitation confirmation and IoT information #2 also contains at least one IoT identifier, the IoT server adds the IoT device to the IoT identified by the IoT identifier and adds it to the member list of that IoT. More specifically, the IoT server updates the IoT configuration information of the current IoT and thereby adds the relevant information of IoT device 1.
In a possible implementation, the IoT gateway device determines whether to send IoT information #2 to the IoT server based on whether the IoT is local. For example, the IoT gateway device determines that the IoT is not local, or understands that the IoT is not a local service (for example, when the IoT gateway device has received the address of the IoT server configured by the IoT management device, or IoT information #2 carries the address of the IoT server (for example, the destination address in IoT information #2 is the address of the IoT server), or IoT information #2 carries identification information of the application or service (such as a domain name or URL) from which the address of the IoT server can be further resolved); the IoT gateway device then determines the IoT server based on IoT information #2 or the local IoT configuration information and sends IoT information #2 to the IoT server.
Correspondingly, the IoT server performs, according to IoT information #2, the IoT operation of the IoT server indicated by IoT information #2. For example, if IoT information #2 indicates IoT discovery, the IoT server returns the IoT list; if IoT information #2 indicates IoT joining or IoT invitation confirmation and IoT information #2 also contains at least one IoT identifier, the IoT server adds IoT device 1 to the IoT identified by the IoT identifier and adds it to the member list of that IoT. More specifically, the IoT server updates the IoT configuration information of the current IoT and thereby adds the relevant information of IoT device 1.
Optionally, IoT device 1 indicates to the IoT gateway device, through indication information 2 in IoT information #2, that it needs the gateway to send IoT information #2 to the IoT server.
In addition, the above indication information 2 can also be used to indicate whether the IoT is local. For example, when indication information 2 indicates that the IoT is local, the IoT gateway device sends IoT information #2 to the IoT management device; or, when indication information 2 indicates that the IoT is not local, the IoT gateway device sends IoT information #2 to the IoT server.
In a possible implementation, the IoT gateway device sending IoT information #2 includes:
S360b. The IoT gateway device sends IoT information #2 to the IoT management device.
Specifically, when IoT information #2 indicates IoT discovery, IoT information #2 includes indication information 2 (and may not include an IoT identifier), which instructs the IoT gateway device to send IoT information #2 to the IoT management device; when IoT information #2 indicates IoT joining or IoT invitation confirmation, IoT information #2 includes indication information 2 and/or an IoT identifier, and indication information 2 and/or the IoT identifier instruct the IoT gateway device to send IoT information #2 to the IoT management device. For example, the IoT gateway device retrieves the local IoT configuration information according to the IoT identifier in IoT information #2 and looks up whether the IoT configuration information contains indication information on whether the IoT is local. If it does not contain indication information indicating that the IoT is on the cloud or server side, the IoT gateway device determines that the IoT is local and sends IoT information #2 to the IoT management device.
Correspondingly, the IoT management device performs, according to IoT information #2, the IoT operation of the IoT management device indicated by IoT information #2. For example, if IoT information #2 indicates IoT discovery, the IoT management device returns the local IoT list or the IoT list of the IoT server; if IoT information #2 indicates IoT joining or IoT invitation confirmation and IoT information #2 also contains at least one IoT identifier, the IoT management device adds IoT device 1 to the IoT identified by the IoT identifier and adds it to the member list of that IoT. More specifically, the IoT management device updates the IoT configuration information of the current IoT and thereby adds the relevant information of IoT device 1.
In a possible implementation, the IoT gateway device determines whether to send IoT information #2 to the IoT management device based on whether the IoT is local. For example, the IoT gateway device determines that the IoT is local, or understands that the IoT is a local service (for example, when the IoT gateway device has never received the address of an IoT server configured by the IoT management device, or IoT information #2 carries the identifier of the IoT management device (an IP address, a generic public subscription identifier (GPSI), a medium access control (MAC) address, a domain name, or other information that can be used to identify the IoT management device) (for example, the destination address in IoT information #2 is the address of the IoT management device), or IoT information #2 carries identification information of the application or service (such as a domain name or URL) from which the address of the IoT management device can be further resolved); the IoT gateway device then determines the IoT management device based on IoT information #2 or the local IoT configuration information and sends IoT information #2 to the IoT management device.
Correspondingly, the IoT management device performs, according to IoT information #2, the IoT operation of the IoT management device indicated by IoT information #2. For example, if IoT information #2 indicates IoT discovery, the IoT management device returns the local IoT list or the IoT list of the IoT server; if IoT information #2 indicates IoT joining or IoT invitation confirmation and IoT information #2 also contains at least one IoT identifier, the IoT management device adds IoT device 1 to the IoT identified by the IoT identifier and adds it to the member list of that IoT. More specifically, the IoT management device updates the IoT configuration information of the current IoT and thereby adds the relevant information of IoT device 1.
Optionally, the IoT device indicates to the IoT gateway device, through indication information 2 in IoT information #2, that it needs the gateway to send IoT information #2 to the IoT management device.
In a possible implementation, the IoT operation of the IoT management device indicated by the above IoT information #2 is one that IoT device 1 requests the IoT management device to perform. In this way, an IoT device can request the IoT management device to perform the IoT operation the IoT device asks for, which increases the flexibility with which IoT operations of IoT devices are performed.
For example, if IoT information #2 indicates the IoT invitation confirmation operation of the IoT management device, the IoT management device can directly send IoT invitation information to IoT device 1, where the IoT invitation information instructs IoT device 1 to join the IoT managed by the IoT management device; correspondingly, the IoT management device can add IoT device 1 to that IoT according to IoT information #2. In addition, the IoT management device can send the above IoT invitation information to IoT device 1 via forwarding by the IoT gateway device; this application does not limit this. In this way, the operation of the IoT device is simplified and the IoT management device actively controls the IoT device's joining of the IoT, which strengthens the centralized management function of the IoT management device.
It can be understood that the actions performed by the IoT management device may also be performed by the IoT server; this application does not limit this. This is stated here once and is not repeated below.
Through the above technical solution, this application enables the IoT gateway device to complete the confirmation of whether IoT device 1 has passed authentication and authorization, thereby ensuring the security of information exchange between the other devices in the IoT.
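The two gateway-side decisions described above (S350: confirming authorization via feedback information 1 or via security credential 2, and S360: choosing between the IoT management device and the IoT server from indication information 2, a carried destination address, or the local IoT configuration) as an added example in Python, not code from the patent. The class and function names, the message fields, the precedence of the routing rules, and the sample credentials and addresses are assumptions made for illustration.

```python
import hmac
from dataclasses import dataclass, field
from typing import Dict, Optional

# Hypothetical model of "IoT information #2" with the fields the text mentions.
@dataclass
class IotInfo2:
    operation: str                      # "discovery", "join" or "invite_confirm"
    indication2: Optional[str] = None   # indication information 2: "local", "remote" or absent
    iot_id: Optional[str] = None        # IoT identifier (may be absent for discovery)
    dest_addr: Optional[str] = None     # destination address carried in the message
    credential2: Optional[str] = None   # security credential 2, if the device carries it itself


# Hypothetical gateway state: credentials pushed by the authentication device,
# local IoT configuration, and the addresses learned from the management device.
@dataclass
class GatewayState:
    credential_owner: Dict[str, str] = field(default_factory=dict)  # credential 2 -> device id
    iot_config: Dict[str, bool] = field(default_factory=dict)       # IoT id -> on server side?
    server_addr: Optional[str] = None   # IoT server address configured by the management device
    mgmt_addr: Optional[str] = None     # IoT management device address


def _same(a: str, b: str) -> bool:
    # Constant-time comparison so credential checks do not leak by timing.
    return hmac.compare_digest(a.encode(), b.encode())


def confirm_authorized(state: GatewayState, device_id: str, info: IotInfo2,
                       feedback1: Optional[dict] = None) -> bool:
    """S350: decide whether device_id passed authentication and authorization.

    Method (1): feedback information 1 (constructed here as a dict with an
    "authorized" flag and the list of permitted operations) is present.
    Method (2): security credential 2, carried by the device or pushed by the
    authentication device, must be associated with device_id.
    """
    if feedback1 is not None:
        return bool(feedback1.get("authorized")) and \
            info.operation in feedback1.get("operations", [])
    if info.credential2 is not None:
        owner = state.credential_owner.get(info.credential2)
        return owner is not None and _same(owner, device_id)
    # Credential pushed by the authentication device, not carried in the message.
    return any(_same(owner, device_id) for owner in state.credential_owner.values())


def choose_target(state: GatewayState, info: IotInfo2) -> str:
    """S360: return "server" or "management" for IoT information #2.

    Assumed precedence: explicit indication information 2, then a carried
    destination address, then the local IoT configuration looked up by IoT
    identifier, then whether a server address was ever configured.
    """
    if info.indication2 == "remote":
        return "server"
    if info.indication2 == "local":
        return "management"
    if info.dest_addr is not None:
        if state.server_addr is not None and info.dest_addr == state.server_addr:
            return "server"
        if state.mgmt_addr is not None and info.dest_addr == state.mgmt_addr:
            return "management"
    if info.iot_id is not None and info.iot_id in state.iot_config:
        return "server" if state.iot_config[info.iot_id] else "management"
    # No server address ever received from the management device: the IoT is local.
    return "server" if state.server_addr is not None else "management"


def handle_iot_info(state: GatewayState, device_id: str, info: IotInfo2,
                    feedback1: Optional[dict] = None) -> Optional[str]:
    """Gateway pipeline: forward only after authorization is confirmed; None means drop."""
    if not confirm_authorized(state, device_id, info, feedback1):
        return None
    return choose_target(state, info)


if __name__ == "__main__":
    # Constructed sample state and message.
    gw = GatewayState(credential_owner={"cred2-dev1": "dev1"},
                      iot_config={"pin-A": False, "pin-B": True},
                      server_addr="203.0.113.10", mgmt_addr="192.0.2.5")
    print(handle_iot_info(gw, "dev1", IotInfo2("join", iot_id="pin-B", credential2="cred2-dev1")))
```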
The method shown in FIG. 3 is further described below in conjunction with FIG. 4.
FIG. 4 is an interaction flowchart of a method 400 for authentication and authorization according to an embodiment of this application. The method 400 shown in FIG. 4 can be applied to the communication system 100 described above, and can also be applied to other communication systems that involve the IoT. As shown in FIG. 4, the method 400 includes:
S401. The IoT management device performs registration, authentication and authorization with the IoT server.
Specifically, the IoT management device first completes authentication and authorization at the IoT server. After completing the authentication and authorization of the IoT management device, the IoT server configures security credential 3 for the IoT management device. Optionally, the IoT server also configures application layer identifier 3 for the IoT management device. Application layer identifier 3 may also be pre-configured in the IoT management device; this application does not limit this.
S402. A communication connection is established between the IoT management device and the IoT gateway device.
After discovering the IoT gateway device, the IoT management device establishes a communication connection with the IoT gateway device; for example, the communication connection between the IoT management device and the IoT gateway device can be established over PC5, Wi-Fi, or Bluetooth (BT).
Correspondingly, the IoT management device sends the address of the IoT server to the IoT gateway device. The IoT management device may send the address of the IoT server to the IoT gateway device through IoT server (PIN server) configuration information, or through IoT announcement (PIN announcement) information (which includes the IoT ID, the IoT server address, and the IoT management device ID/address) or IoT invitation (PIN invite) information (which includes the IoT ID, the IoT server address, and other description information of the IoT). This application does not limit the way in which the IoT management device sends the address of the IoT server to the IoT gateway device.
S403. The IoT gateway device performs authentication and authorization with the IoT server.
Specifically, if the IoT gateway device has not completed authentication and authorization at the IoT server, the IoT gateway device can send request information S for authentication and authorization to the IoT server based on the address of the IoT server sent by the IoT management device.
The request information S sent by the IoT gateway device to the IoT server includes the device identifier and the device credential of the IoT gateway device. After completing the registration, authentication and authorization of the IoT gateway device, the IoT server configures security credential 4 for the IoT gateway device.
Optionally, the IoT server also configures application layer identifier 4 for the IoT gateway device. Application layer identifier 4 may also be pre-configured in the IoT gateway device; this application does not limit this.
S404. A communication connection is established between IoT device 1, the IoT gateway device and the IoT gateway device.
Specifically, IoT device 1 discovers the IoT management device and the IoT gateway device and establishes a communication connection with both (for example, over PC5, Wi-Fi, or Bluetooth). This application does not limit the order in which IoT device 1 discovers the IoT management device and the IoT gateway device. For example, IoT device 1 first discovers the IoT management device, obtains information about the IoT gateway device from the IoT management device, and then establishes a communication connection with the IoT management device. The communication between IoT device 1 and the IoT management device may be interrupted.
It should be noted that the descriptions of the foregoing S401 to S404 can be found in the technical details of the current standards, and this application does not describe them in detail.
It should be understood that the foregoing S401 to S404 may be optional steps or required steps; this application does not limit this.
S405. The IoT management device sends the address of the IoT server to IoT device 1.
It should be understood that, using the address of the IoT server sent by the IoT management device, IoT device 1 can send request information A to the IoT server during authentication and authorization, with request information A forwarded by the IoT gateway device.
The address of the IoT server can be used by IoT device 1 to determine the intended recipient of request information A.
S406. IoT device 1 sends request information A to the IoT gateway device.
For details, refer to the foregoing S310, which is not repeated here.
S407. The IoT gateway device determines that request information A is used to request authentication and authorization for IoT device 1.
For details, refer to the foregoing S320, which is not repeated here.
S408. The IoT gateway device sends request information A to the IoT authentication device.
For details, refer to the foregoing S330, which is not repeated here.
S409. The IoT gateway device sends response information A to IoT device 1.
For details, refer to the foregoing S340, which is not repeated here.
S410. IoT device 1 sends IoT information #2 to the IoT authentication device.
After the authentication and authorization of IoT device 1 is completed, the IoT device sends IoT information #2 to the IoT authentication device. The description of IoT information #2 can be found above and is not repeated here.
In a possible implementation, after IoT device 1 sends IoT information #2 to the IoT gateway device, the method 400 further includes:
S411a. The IoT gateway device determines that IoT device 1 has passed authentication and authorization.
For details, refer to the description of the foregoing S360, which is not repeated here.
In a possible implementation, after the IoT gateway device determines that IoT device 1 has passed authentication and authorization, the method 400 further includes:
S411a1. The IoT gateway device sends IoT information #2 to the IoT server.
After the IoT gateway device determines that IoT device 1 has passed the foregoing authentication and authorization, the IoT gateway device sends IoT information #2 to the IoT server. For details, refer to the description of S370a, which is not repeated here.
In a possible implementation, after the IoT gateway device determines that IoT device 1 has passed authentication and authorization, the method 400 may further include:
S410a2. The IoT gateway device sends IoT information #2 to the IoT management device.
After the IoT gateway device determines that IoT device 1 has passed the foregoing authentication and authorization, the IoT gateway device sends IoT information #2 to the IoT management device. For details, refer to the description of S370b, which is not repeated here.
It can be understood that whether the IoT gateway device sends IoT information #2 to the IoT server or to the IoT management device can be determined based on indication information 2 and/or the IoT identifier carried in IoT information #2; for details, refer to the foregoing description, which is not repeated here.
In a possible implementation, after IoT device 1 sends IoT information #2 to the IoT management device, the method 400 further includes:
S411b. The IoT management device determines that IoT device 1 has passed authentication and authorization.
Specifically, the IoT management device determining that IoT device 1 has passed authentication and authorization can be further understood as: the IoT management device determines that IoT device 1 is allowed to perform the IoT operation indicated by IoT information #2, which can be implemented in the following two ways:
方式(3):Method (3):
S1、物联网管理设备向物联网服务器发送第一标识与安全凭证1。S1. The Internet of Things management device sends a first identification and security certificate 1 to the Internet of Things server.
如前文所述,物联网服务器能够用于执行对物联网设备的认证授权,且在完成对物联网设备1的认证授权之后,物联网服务器为物联网设备1配置第一标识与安全凭证1。As mentioned above, the IoT server can be used to perform authentication and authorization on the IoT device, and after completing the authentication and authorization of the IoT device 1, the IoT server configures the first identification and security credential 1 for the IoT device 1.
一个可能的实现方式,物联网管理设备在物联网请求信息中向物联网服务器发送第一标识与安全凭证,该物联网请求信息可以是物联网授权信息,物联网认证信息,物联网认证授权请求信息等中的任意一项或者多项。In one possible implementation, the IoT management device sends a first identification and security credentials to the IoT server in an IoT request message, where the IoT request message may be any one or more of IoT authorization information, IoT authentication information, IoT authentication authorization request information, etc.
S2、物联网管理设备接收来自物联网服务器的反馈信息2,并根据反馈信息2确定物联网设备1通过认证授权。S2. The IoT management device receives feedback information 2 from the IoT server, and determines, based on the feedback information 2, that the IoT device 1 has passed the authentication and authorization.
具体地,在接收到物联网管理设备发送的第一标识与安全凭证1后,物联网服务器基于物联网管理设备发送的第一标识与安全凭证1确定物联网设备1通过了物联网服务器对物联网设备1的认证授权。进一步地,物联网服务器确定允许物联网设备1执行物联网信息#2所指示的物联网操作。Specifically, after receiving the first identification and security credential 1 sent by the IoT management device, the IoT server determines that the IoT device 1 has passed the IoT server's authentication and authorization of the IoT device 1 based on the first identification and security credential 1 sent by the IoT management device. Further, the IoT server determines that the IoT device 1 is allowed to perform the IoT operation indicated by the IoT information #2.
相应地,物联网服务器则向物联网管理设备发送反馈信息2,其用于向物联网管理设备指示物联网设备1通过了物联网服务器对物联网设备1的认证授权。进一步地,反馈信息2包含对物联网设备1执行物联网信息#2所指示的物联网操作的授权(或者,也可以理解为包括对物联网设备1请求物联网管理设备或者物联网服务器执行的物联网操作的授权,本申请不限定这一表述),即安全凭证1和/或第一标识指示允许物联网设备1执行物联网信息#2所指示的物联网操作。Correspondingly, the IoT server sends feedback information 2 to the IoT management device, which is used to indicate to the IoT management device that the IoT device 1 has passed the authentication authorization of the IoT server for the IoT device 1. Further, the feedback information 2 includes the authorization for the IoT device 1 to perform the IoT operation indicated by the IoT information #2 (or, it can also be understood as including the authorization for the IoT operation that the IoT device 1 requests the IoT management device or the IoT server to perform, and this application does not limit this expression), that is, the security certificate 1 and/or the first identification indicate that the IoT device 1 is allowed to perform the IoT operation indicated by the IoT information #2.
一个可能的实现方式,物联网服务器在发给物联网管理设备的物联网请求信息的响应信息中携带反馈信息2。其中,反馈信息2可以是一组(set)参数,或者一个指示器(indicator),或者信息中的特定位的值。In a possible implementation, the IoT server carries feedback information 2 in the response information of the IoT request information sent to the IoT management device. The feedback information 2 may be a set of parameters, or an indicator, or a value of a specific bit in the information.
物联网管理设备通过与物联网服务器的交互获取反馈信息2,并根据反馈信息2完成对物联网设备1是否通过认证授权的确认。进一步地,物联网管理设备可以根据反馈信息2确定允许物联网设备1执行物联网信息#2所指示的物联网操作。The IoT management device obtains feedback information 2 through interaction with the IoT server, and completes the confirmation of whether IoT device 1 has passed the authentication authorization according to feedback information 2. Further, the IoT management device can determine, according to feedback information 2, whether IoT device 1 is allowed to perform the IoT operation indicated by IoT information #2.
Method (4):
S3. The IoT management device receives security credential 2 from the IoT server, which indicates that IoT device 1 has passed the IoT server's authentication and authorization.
Security credential 2 indicates that IoT device 1 has passed the IoT server's authentication and authorization. It may further include permission for IoT device 1 to perform the IoT operation indicated by IoT information #2. After completing the authentication and authorization of IoT device 1, the IoT server configures security credential 2 for IoT device 1, which indicates to the IoT management device that IoT device 1 has passed the IoT server's authentication and authorization of IoT device 1.
Correspondingly, the IoT server sends security credential 2 associated with IoT device 1 to the IoT management device. The IoT management device may also, after receiving IoT information #2 from IoT device 1, request from the IoT server the security credential 2 associated with IoT device 1, and the IoT server then sends security credential 2 to the IoT management device; alternatively, after completing the authentication and authorization of IoT device 1, the IoT server proactively sends security credential 2 associated with IoT device 1 to the IoT management device serving IoT device 1.
Optionally, the IoT server may also send security credential 2 to IoT device 1. Correspondingly, IoT device 1 carries security credential 2 in the IoT information (for example, IoT information #2) it sends to the IoT management device, so that the IoT management device determines that IoT device 1 has passed authentication and authorization.
Optionally, security credential 2 is associated with the device identifier and/or device credential of IoT device 1.
S4. The IoT management device determines, according to security credential 2, that IoT device 1 has passed authentication and authorization.
Security credential 2 indicates that IoT device 1 has passed the IoT server's authentication and authorization and further includes permission for IoT device 1 to perform the IoT operation indicated by IoT information #2. Specifically, the IoT management device determines, according to security credential 2 issued by the IoT server, whether IoT device 1 has passed authentication and authorization. For example, the IoT management device determines, according to security credential 2, whether IoT device 1 is the IoT device associated with security credential 2; if so, it determines that IoT device 1 has passed authentication and authorization; if not, it determines that IoT device 1 has not passed or completed authentication and authorization.
It should be understood that if the IoT management device is the entity performing the authentication and authorization of IoT device 1, the IoT management device can directly determine whether IoT device 1 has passed authentication and authorization, without interacting with the IoT server to make that determination.
In summary, the IoT management device completes the confirmation of whether IoT device 1 has passed authentication and authorization by interacting with the IoT server.
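The check in S3/S4 above, as an added example that is not code from the patent: the IoT server binds security credential 2 to the device identifier, and the IoT management device confirms that the device sending IoT information #2 is the one associated with the credential (and that the credential authorizes the requested operation) before performing the operation. The credential format (an HMAC under a key shared by server and management device), the message field names and the sample values are assumptions made for this example.

```python
import hashlib
import hmac
import json
import time

# Constructed for this example: a key shared by the IoT server and the IoT
# management device. The patent does not specify how credential 2 is built.
SHARED_KEY = b"example-shared-key-do-not-use"


def _canonical(payload):
    # Deterministic encoding so server and management device sign the same bytes.
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def issue_credential_2(key, device_id, allowed_ops, expires_at):
    """IoT server side: security credential 2 bound to the device identifier and
    carrying the authorized IoT operations, issued after authentication and
    authorization of the device has completed."""
    payload = {
        "device_id": device_id,
        "allowed_ops": sorted(set(allowed_ops)),
        "expires_at": int(expires_at),
    }
    tag = hmac.new(key, _canonical(payload), hashlib.sha256).hexdigest()
    return {"payload": payload, "tag": tag}


def verify_credential_2(key, credential, device_id, operation, now):
    """IoT management device side (S4): is the credential genuine, associated
    with the device that sent IoT information #2, unexpired, and does it
    authorize the requested operation? Returns (ok, reason)."""
    payload = credential.get("payload")
    tag = credential.get("tag", "")
    if not isinstance(payload, dict) or not isinstance(tag, str):
        return False, "malformed credential"
    expected = hmac.new(key, _canonical(payload), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected.encode(), tag.encode()):
        return False, "credential not issued by the IoT server"
    if payload.get("device_id") != device_id:
        return False, "credential not associated with this device"
    if now >= payload.get("expires_at", 0):
        return False, "credential expired"
    if operation not in payload.get("allowed_ops", []):
        return False, "operation not authorized by credential"
    return True, "ok"


class ManagementDevice:
    """Holds credentials pushed by the server (S3) and a member list per IoT."""

    def __init__(self, key):
        self.key = key
        self.credentials = {}   # device_id -> credential 2 received from the server
        self.members = {}       # iot_id -> list of member device ids

    def receive_credential_2(self, credential):
        # S3: the server sends credential 2, proactively or on request.
        self.credentials[credential["payload"]["device_id"]] = credential

    def handle_iot_info_2(self, info, now=None):
        """info is IoT information #2: {"device_id", "operation", "iot_id"?,
        "credential_2"?}. Credential 2 may be carried in the message itself
        or may already have been received from the server."""
        now = time.time() if now is None else now
        cred = info.get("credential_2") or self.credentials.get(info["device_id"])
        if cred is None:
            return {"status": "rejected", "reason": "no security credential 2"}
        ok, reason = verify_credential_2(
            self.key, cred, info["device_id"], info["operation"], now)
        if not ok:
            return {"status": "rejected", "reason": reason}
        return self._perform(info)

    def _perform(self, info):
        # S411b1: perform the IoT operation indicated by IoT information #2.
        op = info["operation"]
        if op == "discovery":
            return {"status": "ok", "iot_list": sorted(self.members)}
        if op in ("join", "invitation_confirm"):
            members = self.members.setdefault(info["iot_id"], [])
            if info["device_id"] not in members:
                members.append(info["device_id"])
            return {"status": "ok", "members": list(members)}
        return {"status": "rejected", "reason": "unknown operation"}
```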
S411b1. The IoT management device performs the IoT operation according to IoT information #2.
For example, if IoT information #2 indicates IoT discovery, the IoT management device returns the local IoT list or the IoT list of the IoT server; if IoT information #2 indicates IoT joining or IoT invitation confirmation, the IoT management device adds IoT device 1 to the IoT and adds it to the member list of the IoT. More specifically, the IoT management device updates the current IoT configuration information and adds the relevant information of IoT device 1 (for example, the application-layer client ID of IoT device 1, its device identifier, whether it can be discovered, and the services it can provide).
For example, when IoT information #2 indicates an IoT invitation confirmation operation of the IoT management device, the IoT management device may directly send IoT invitation information to IoT device 1, which instructs IoT device 1 to join the IoT managed by the IoT management device; correspondingly, the IoT management device may add IoT device 1 to that IoT according to IoT information #2. In addition, the IoT management device may send the above IoT invitation information to IoT device 1 via forwarding by the IoT gateway device; this application does not limit this. In this way, the operation of the IoT device can be simplified, and the IoT management device can actively control the IoT device's joining of the IoT, thereby enhancing the centralized management function of the IoT management device.
The method shown in FIG. 3 is further described below with reference to FIG. 5.
FIG. 5 is an interaction flowchart of an authentication and authorization method 500 according to an embodiment of this application. The method 500 shown in FIG. 5 can be applied to the above communication system 100, and can also be applied to other communication systems involving the IoT. As shown in FIG. 5, method 500 includes:
S510. IoT device 1 sends IoT information #1 to the IoT gateway device.
Correspondingly, the IoT gateway device receives IoT information #1 from IoT device 1.
For details of S510, refer to the description of S301 above, which is not repeated here.
S520. The IoT gateway device determines that IoT device 1 is in a state in which it has not been authenticated and authorized.
For details of S520, refer to the description of S302 above, which is not repeated here.
S530. The IoT gateway device sends request information B to the IoT server, which requests authentication and authorization of IoT device 1.
Specifically, request information B sent by the IoT gateway device to the IoT server includes the device identifier and device credential of IoT device 1. For a description of request information B, refer to request information A above, which is not repeated here.
S540. The IoT server sends response information B to the IoT gateway device, which indicates that IoT device 1 has passed authentication and authorization.
For a description of S540, refer to the description of S340 above, which is not repeated here.
S550. The IoT gateway device sends IoT information #1 to the IoT authentication device.
As described above, after determining that IoT device 1 has passed authentication and authorization, the IoT gateway device forwards IoT information #1.
In a possible implementation, IoT information #1 includes at least one of an IoT identifier and indication information 3. The IoT identifier and indication information 3 are used to instruct the IoT gateway device to forward IoT information #1 to the IoT management device or the IoT server.
In a possible implementation, the IoT gateway device sends IoT information #1 to the IoT server.
Specifically, when IoT information #1 indicates IoT discovery, IoT information #1 includes indication information 3 (and may omit the IoT identifier), which indicates that IoT information #1 is to be sent to the IoT server; when IoT information #1 indicates IoT joining or IoT invitation confirmation, IoT information #1 includes indication information 3 and/or an IoT identifier, which indicate that IoT information #1 is to be sent to the IoT server. For example, the IoT gateway device looks up its local IoT configuration information according to the IoT identifier in IoT information #1 and checks whether that configuration information contains an indication of whether the IoT is local; if it contains an indication that the IoT is on the cloud or server side, the IoT gateway device determines that the IoT is not local and sends IoT information #1 to the IoT server.
Correspondingly, the IoT server performs, according to IoT information #1, the IoT operation of the IoT server indicated by IoT information #1. For example, if IoT information #1 indicates IoT discovery, the IoT server returns the IoT list; if IoT information #1 indicates IoT joining or IoT invitation confirmation and additionally contains at least one IoT identifier, the IoT server adds IoT device 1 to the IoT identified by that IoT identifier and adds it to the member list of that IoT. More specifically, the IoT server updates the IoT configuration information of the current IoT and adds the relevant information of IoT device 1.
In a possible implementation, the IoT gateway device determines whether to send IoT information #1 to the IoT server according to whether the IoT is local. For example, the IoT gateway device determines that the IoT is not local, or understands that the IoT is not a local service (for example, when the IoT gateway device has received the IoT server address configured by the IoT management device, or IoT information #1 carries the IoT server address (for example, the destination address in IoT information #1 is the IoT server address), or IoT information #1 carries identification information of an application or service (such as a domain name or URL) from which the IoT server address can further be resolved); the IoT gateway device then determines the IoT server according to IoT information #1 or the local IoT configuration information and sends IoT information #1 to the IoT server. Correspondingly, the IoT server processes IoT information #1. Correspondingly, the IoT management device processes IoT information #1. For the specific processing, refer to the description above, which is not repeated here.
Optionally, the IoT device uses indication information 3 in IoT information #1 to indicate that IoT information #1 is to be sent to the IoT server.
In a possible implementation, the IoT gateway device sends IoT information #1 to the IoT management device.
Specifically, when IoT information #1 indicates IoT discovery, IoT information #1 includes indication information 3 (and may omit the IoT identifier), which indicates that IoT information #1 is to be sent to the IoT management device; when IoT information #1 indicates IoT joining or IoT invitation confirmation, IoT information #1 includes indication information 3 and/or an IoT identifier, which indicate that IoT information #1 is to be sent to the IoT management device. For example, the IoT gateway device looks up its local IoT configuration information according to the IoT identifier in IoT information #1 and checks whether that configuration information contains an indication of whether the IoT is local; if it does not contain an indication that the IoT is on the cloud or server side, the IoT gateway device determines that the IoT is local and sends IoT information #1 to the IoT management device.
Correspondingly, the IoT management device performs, according to IoT information #1, the IoT operation of the IoT management device indicated by IoT information #1. For example, if IoT information #1 indicates IoT discovery, the IoT management device returns the local IoT list or the IoT list of the IoT server; if IoT information #1 indicates IoT joining or IoT invitation confirmation and additionally contains at least one IoT identifier, the IoT management device adds IoT device 1 to the IoT identified by that IoT identifier and adds it to the member list of that IoT. More specifically, the IoT management device updates the IoT configuration information of the current IoT and adds the relevant information of IoT device 1.
In a possible implementation, the IoT gateway device determines whether to send IoT information #1 to the IoT management device according to whether the IoT is local. For example, the IoT gateway device determines that the IoT is local, or understands that the IoT is a local service (for example, when the IoT gateway device has never received an IoT server address configured by the IoT management device, or IoT information #1 carries the identifier of the IoT management device (an IP address, GPSI, MAC address, domain name, or other information that can identify the IoT management device) (for example, the destination address in IoT information #1 is the address of the IoT management device), or IoT information #1 carries identification information of an application or service (such as a domain name or URL) from which the address of the IoT management device can further be resolved); the IoT gateway device then determines the IoT management device according to IoT information #1 or the local IoT configuration information and sends IoT information #1 to the IoT management device. Correspondingly, the IoT management device processes IoT information #1. For the specific processing, refer to the description above, which is not repeated here.
Optionally, the IoT device uses indication information 3 in IoT information #1 to instruct the IoT gateway device to send IoT information #1 to the IoT management device.
In addition, the above indication information 3 may also be used to indicate whether the IoT is local. For example, when indication information 3 indicates that the IoT is local, the IoT gateway device sends IoT information #1 to the IoT management device; or, when indication information 3 indicates that the IoT is not local, the IoT gateway device sends IoT information #1 to the IoT server. This is explained here once and is not repeated below.
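The forwarding decision of S550 above, as an added example that is not code from the patent: the gateway forwards IoT information #1 only for a device whose authentication and authorization the server confirmed in S540, and then chooses between the IoT management device and the IoT server from indication information 3, the IoT identifier looked up in its local IoT configuration information, a destination address or resolvable service name, and whether a server address was ever configured. The message layout, the field names, the precedence of these checks and the sample addresses are assumptions made for this example.

```python
SERVER = "iot_server"
MGMT = "iot_management_device"

# IoT operations named in the text for IoT information #1.
KNOWN_OPERATIONS = ("discovery", "join", "invitation_confirm")


class GatewayDevice:
    def __init__(self, iot_config, server_addr=None, mgmt_addr=None, resolver=None):
        # Local IoT configuration information: iot_id -> {"side": "cloud" | "local"}.
        self.iot_config = iot_config
        # IoT server address configured by the management device, if ever received.
        self.server_addr = server_addr
        self.mgmt_addr = mgmt_addr
        # Constructed stand-in for resolving a domain name or URL to an address.
        self.resolver = resolver or {}
        # Devices for which response information B (S540) confirmed auth and authz.
        self.authenticated = set()

    def on_response_b(self, device_id, passed):
        # S540: record the IoT server's verdict for this device.
        if passed:
            self.authenticated.add(device_id)
        else:
            self.authenticated.discard(device_id)

    def route(self, info):
        """Return SERVER, MGMT, or None when the message must not be forwarded.

        info is IoT information #1: {"device_id", "operation", "iot_id"?,
        "indication_3"?, "dest_addr"?, "service_name"?} (assumed layout)."""
        # S520 / S550: forward only for a device that has passed auth and authz.
        if info.get("device_id") not in self.authenticated:
            return None
        if info.get("operation") not in KNOWN_OPERATIONS:
            return None
        # 1. Indication information 3 names the target or says whether the IoT is local.
        ind = info.get("indication_3")
        if ind in ("server", "not_local"):
            return SERVER
        if ind in ("management", "local"):
            return MGMT
        # 2. IoT identifier looked up in local configuration (discovery may omit it).
        iot_id = info.get("iot_id")
        if iot_id is not None and iot_id in self.iot_config:
            side = self.iot_config[iot_id].get("side")
            return SERVER if side == "cloud" else MGMT
        # 3. Destination address, or an application/service name resolved to one.
        dest = info.get("dest_addr")
        if dest is None and info.get("service_name"):
            dest = self.resolver.get(info["service_name"])
        if dest is not None:
            if dest == self.server_addr:
                return SERVER
            if dest == self.mgmt_addr:
                return MGMT
            return None  # assumption: an unknown destination is not forwarded blindly
        # 4. Otherwise: not local if a server address was ever configured, else local.
        return SERVER if self.server_addr else MGMT
```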
In a possible implementation, the above IoT gateway device sends request information B to the IoT management device, which requests authentication and authorization of IoT device 1. For details, refer to the description above, which is not repeated here.
Through the above technical solution, this application supports that, after the IoT gateway device confirms that IoT device 1 has not completed authentication and authorization, the IoT gateway device can send, on behalf of IoT device 1, request information for authenticating and authorizing IoT device 1 to the IoT server, which supports completing the authentication and authorization of IoT device 1 so that IoT device 1 can perform IoT-related operations.
Other authentication and authorization methods of embodiments of this application are described below with reference to FIG. 6. It should be understood that the method shown in FIG. 6 and the method shown in FIG. 3 share common technical solutions.
FIG. 6 is an interaction flowchart of an authentication and authorization method 600 according to an embodiment of this application. The method 600 shown in FIG. 6 can be applied to the above communication system 100, and can also be applied to other communication systems involving the IoT. As shown in FIG. 6, method 600 includes:
S610. The IoT gateway device sends IoT information #3 to the IoT management device.
Correspondingly, the IoT management device receives IoT information #3, sent by IoT device 1 and forwarded by the IoT gateway device. For a description of IoT information #3, refer to the description of IoT information #2 above, which is not repeated here.
S620. The IoT management device determines that IoT device 1 has passed authentication and authorization.
For details of S620, refer to the description of S411b above, which is not repeated here.
S630. The IoT management device performs the IoT operation according to IoT information #3.
For details of S630, refer to the description of S411b1 above, which is not repeated here.
Through the above technical solution, this application supports the IoT management device in completing the confirmation of whether IoT device 1 has passed authentication and authorization, thereby ensuring the security of information exchange between the other devices in the IoT.
In a possible implementation, method 600 further includes:
S601. The IoT management device sends the address of the IoT server to IoT device 1.
For details of S601, refer to the description of S405 above, which is not repeated here.
S602. IoT device 1 sends IoT information #4 to the IoT management device.
Correspondingly, the IoT management device receives IoT information #4 from IoT device 1. For a description of IoT information #4, refer to the description of IoT information #1 above, which is not repeated here.
S603. The IoT management device determines that IoT device 1 is in a state in which it has not been authenticated and authorized.
For details of S603, refer to the description of S520, which is not repeated here.
S604a. The IoT management device sends indication information 2 to IoT device 1, which instructs IoT device 1 to send request information A.
For details of S604a, refer to the description of S303, which is not repeated here.
Through the above technical solution, this application supports that, after the IoT management device confirms that IoT device 1 has not completed authentication and authorization, the IoT management device can send indication information to IoT device 1, and IoT device 1, as instructed by the indication information sent by the IoT management device, completes the authentication and authorization process for IoT device 1 so that IoT device 1 can perform IoT-related operations.
S604b. The IoT management device sends request information C to the IoT server, which requests authentication and authorization of IoT device 1.
For details of S604b, refer to the description of S530, which is not repeated here.
It should be understood that the above S601 to S604 may be steps performed before S610.
Through the above technical solution, this application supports that, after the IoT management device confirms that IoT device 1 has not completed authentication and authorization, the IoT management device can send, on behalf of IoT device 1, request information for authenticating and authorizing IoT device 1 to the IoT server, which supports completing the authentication and authorization of IoT device 1 so that IoT device 1 can perform IoT-related operations.
The method embodiments of this application have been described above; the corresponding apparatus embodiments are introduced below.
To implement the functions of the methods provided in the above embodiments of this application, a terminal or a network device may include a hardware structure and/or a software module, and implement the above functions in the form of a hardware structure, a software module, or a hardware structure plus a software module. Whether a given function is performed by a hardware structure, a software module, or a hardware structure plus a software module depends on the specific application and design constraints of the technical solution.
FIG. 7 is a schematic block diagram of a communication apparatus 700 according to an embodiment of this application. The communication apparatus 700 includes a processor 710 and a communication interface 720, which are connected to each other via a bus 730. The communication apparatus 700 shown in FIG. 7 may be a network device or a terminal device.
Optionally, the communication apparatus 700 further includes a memory 740.
The memory 740 includes, but is not limited to, random access memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM), or compact disc read-only memory (CD-ROM), and the memory 740 is used for related instructions and data.
The processor 710 may be one or more central processing units (CPUs); when the processor 710 is a single CPU, that CPU may be a single-core CPU or a multi-core CPU.
When the communication apparatus 700 is the above IoT gateway device, the processor 710 in the communication apparatus 700 reads the computer program or instructions stored in the memory 740 and, for example, performs the following operations: receiving request information A from IoT device 1, where request information A includes the device identifier and device credential of IoT device 1; determining that request information A requests authentication and authorization of IoT device 1; sending request information A to the IoT authentication device; and sending response information A to IoT device 1, where response information A indicates that IoT device 1 has passed authentication and authorization and includes the first identifier and security credential 1 configured by the IoT authentication device for IoT device 1.
As another example, the following operations may be performed: receiving IoT information #1 from IoT device 1; determining that IoT device 1 is in a state in which it has not been authenticated and authorized; and sending indication information 1 to IoT device 1, which instructs IoT device 1 to send request information A.
As another example, the following operations may be performed: receiving IoT information #2 from IoT device 1, which includes the first identifier and security credential 1; determining that IoT device 1 has passed authentication and authorization; and sending IoT information #2 to the IoT authentication device.
The above is only an exemplary description. When the communication apparatus 700 is the IoT gateway device, it is responsible for performing the methods or steps related to the IoT gateway device in the above method embodiments.
When the communication apparatus 700 is the above IoT management device, the processor 710 in the communication apparatus 700 reads the computer program or instructions stored in the memory 740 and, for example, performs the following operations: receiving IoT information #3 from the IoT gateway device, where IoT information #3 includes the first identifier and security credential 1, which indicate that IoT device 1 has passed authentication and authorization; determining that IoT device 1 has passed authentication and authorization; and performing the corresponding IoT operation according to IoT information #3.
The above is only an exemplary description. When the communication apparatus 700 is the IoT management device, it is responsible for performing the methods or steps related to the IoT management device in the above method embodiments.
When the communication apparatus 700 is the above IoT device 1, the processor 710 in the communication apparatus 700 reads the computer program or instructions stored in the memory 740 and, for example, performs the following operations: sending request information A to the IoT gateway device, where request information A requests authentication and authorization of IoT device 1 and includes the device identifier and device credential of IoT device 1; and receiving response information A sent by the IoT gateway device, where response information A indicates that IoT device 1 has passed authentication and authorization and includes the first identifier and security credential 1 configured by the IoT authentication device for IoT device 1.
The above is only an exemplary description. When the communication apparatus 700 is IoT device 1, it is responsible for performing the methods or steps related to IoT device 1 in the above method embodiments.
The above description is only exemplary. For details, refer to the above method embodiments. In addition, the implementation of each operation in FIG. 7 may also correspond to the descriptions of the method embodiments shown in FIG. 3 to FIG. 6.
FIG. 8 is a schematic block diagram of a communication device 800 according to an embodiment of this application. The communication device 800 includes a transceiver unit 810 and a processing unit 820. The transceiver unit 810 and the processing unit 820 are introduced below by way of example.

The transceiver unit 810 may include a sending unit and a receiving unit, which respectively implement the sending and receiving functions in the foregoing method embodiments; it may further include a processing unit that implements functions other than sending and receiving.

By way of example, when the communication device 800 is the IoT gateway device, the transceiver unit 810 is configured to receive request information A from IoT device 1, where request information A includes the device identifier and device credential of IoT device 1; the processing unit 820 is configured to determine that request information A is used to request authentication and authorization of IoT device 1; the transceiver unit 810 is further configured to send request information A to the IoT authentication device; and the transceiver unit 810 is further configured to send response information A to IoT device 1, where response information A indicates that IoT device 1 has passed authentication and authorization and includes the first identifier and security credential 1 that the IoT authentication device configured for IoT device 1.

By way of example, the processing unit 820 is configured to perform the steps in the IoT gateway device that involve processing, coordination and the like. For instance, the processing unit 820 is configured to determine that IoT device 1 has passed authentication and authorization.

By way of example, when the communication device 800 is the IoT management device, the transceiver unit 810 is configured to receive IoT information #3 from the IoT gateway device, where IoT information #3 includes the first identifier and security credential 1, and the first identifier and security credential 1 indicate that IoT device 1 has passed authentication and authorization; the processing unit 820 is configured to determine that IoT device 1 has passed authentication and authorization; and the processing unit 820 is further configured to perform the corresponding IoT operation according to IoT information #3.

When the communication device 800 is IoT device 1, the transceiver unit 810 is configured to send request information A to the IoT gateway device, where request information A is used to request authentication and authorization of IoT device 1 and includes the device identifier and device credential of IoT device 1; the transceiver unit 810 is further configured to receive response information A from the IoT gateway device, where response information A indicates that IoT device 1 has passed authentication and authorization and includes the first identifier and security credential 1 configured for IoT device 1.

Optionally, the communication device 800 further includes a storage unit 830, configured to store the program or code for executing the foregoing methods.

The foregoing is only an exemplary description. It should be understood that when the communication device 800 is the IoT gateway device, it is responsible for executing the methods or steps related to the IoT gateway device in the foregoing method embodiments; when the communication device 800 is the IoT management device, it is responsible for executing the methods or steps related to the IoT management device in the foregoing method embodiments; and when the communication device 800 is IoT device 1, it is responsible for executing the methods or steps related to IoT device 1 in the foregoing method embodiments.

In addition, the implementation of each operation in FIG. 8 may refer to the corresponding description of the methods shown in the foregoing embodiments, and is not repeated here.

The device embodiments shown in FIG. 7 and FIG. 8 implement the content described in the foregoing method embodiments of FIG. 3 to FIG. 6. Therefore, for the specific execution steps and methods of the devices shown in FIG. 7 and FIG. 8, refer to the content described in the foregoing method embodiments.

It should be understood that the transceiver unit described above may include a sending unit and a receiving unit. The sending unit performs the sending actions of the communication device, and the receiving unit performs the receiving actions of the communication device. For ease of description, the embodiments of this application combine the sending unit and the receiving unit into a single transceiver unit. This is stated here once and is not repeated below.
FIG. 9 is a schematic diagram of a communication device 900 according to an embodiment of this application. The communication device 900 may be used to implement the functions of the PECG/IoT management device or the IoT device in the foregoing methods.

The communication device 900 includes an input/output interface 920 and a processor 910. The input/output interface 920 may be an input/output circuit. The processor 910 may be a signal processor, a chip, or another integrated circuit capable of implementing the methods of this application. The input/output interface 920 is used for inputting or outputting signals or data.

For example, when the communication device 900 is the IoT gateway device, the input/output interface 920 is configured to receive request information A from IoT device 1, where request information A includes the device identifier and device credential of IoT device 1; send request information A to the IoT authentication device; and send response information A to IoT device 1, where response information A indicates that IoT device 1 has passed authentication and authorization and includes the first identifier and security credential 1 configured for IoT device 1. The processor 910 is configured to execute some or all of the steps of any of the methods provided in the embodiments of this application. By way of example, the processor 910 is configured to determine that request information A is used to request authentication and authorization of IoT device 1, to determine that IoT device 1 has passed authentication and authorization, and so on.

For example, when the communication device 900 is the IoT management device, the input/output interface 920 is configured to receive IoT information #3 from the IoT gateway device, where IoT information #3 includes the first identifier and security credential 1, and the first identifier and security credential 1 indicate that IoT device 1 has passed authentication and authorization. The processor 910 is configured to execute some or all of the steps of any of the methods provided in the embodiments of this application. By way of example, the processor 910 is configured to determine that IoT device 1 has passed authentication and authorization, to perform the corresponding IoT operation according to IoT information #3, and so on.

For example, when the communication device 900 is IoT device 1, the input/output interface 920 is configured to send request information A to the IoT gateway device, where request information A is used to request authentication and authorization of IoT device 1 and includes the device identifier and device credential of IoT device 1; and the input/output interface 920 is configured to receive response information A from the IoT gateway device, where response information A indicates that IoT device 1 has passed authentication and authorization and includes the first identifier and security credential 1 configured for IoT device 1.
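The exchange that the device descriptions for FIG. 7, FIG. 8 and FIG. 9 all refer to (request information A from IoT device 1 through the IoT gateway device to the IoT authentication device, response information A carrying the first identifier and security credential 1 back to the device, and IoT information #3 from the gateway to the IoT management device) is easier to follow as one runnable message flow. The following is an added example written for this page; it is not code from the patent or from the applicant. The patent does not define the format of the device credential, the first identifier or security credential 1, so the formats below are assumptions: the device credential is an HMAC-SHA256 over the device identifier under a per-device key, the first identifier is an opaque random value chosen by the authentication device, and security credential 1 is an HMAC-SHA256 over the first identifier and an expiry time under a key K_mgmt that is assumed to be shared by the authentication device and the management device. All keys and message contents are constructed for the example.

```python
# Added example; not part of the patent. Offline simulation of: request A (device id +
# device credential) from IoT device 1 via the gateway to the authentication device,
# response A (first identifier + security credential 1) back to the device, and IoT
# information #3 (first identifier + security credential 1 + data) to the management device.
# Assumed formats (the patent defines none of them):
#   device credential     = HMAC-SHA256(device key, "device-credential" | device id)
#   first identifier      = opaque random value chosen by the authentication device
#   security credential 1 = HMAC-SHA256(K_mgmt, "security-credential-1" | first id | expiry)
# K_mgmt (assumed) is shared by the authentication device and the management device.
import hashlib
import hmac
import secrets


def _mac(key: bytes, *fields: str) -> str:
    """HMAC-SHA256 over '|'-joined fields, hex encoded."""
    return hmac.new(key, "|".join(fields).encode(), hashlib.sha256).hexdigest()


class IoTDevice:
    """IoT device 1: holds its device identifier and provisioned device key."""

    def __init__(self, device_id: str, device_key: bytes):
        self.device_id, self.device_key = device_id, device_key
        self.first_id = self.security_credential_1 = self.expiry = None

    def build_request_a(self) -> dict:
        return {"device_id": self.device_id,
                "device_credential": _mac(self.device_key, "device-credential", self.device_id)}

    def accept_response_a(self, response_a: dict) -> bool:
        if response_a.get("status") != "authorized":
            return False
        self.first_id = response_a["first_id"]
        self.security_credential_1 = response_a["security_credential_1"]
        self.expiry = response_a["expiry"]
        return True


class AuthenticationDevice:
    """IoT authentication device: verifies the device credential, assigns the
    first identifier and issues security credential 1 with a validity period."""

    def __init__(self, device_keys: dict, k_mgmt: bytes, ttl: int = 3600):
        self.device_keys, self.k_mgmt, self.ttl = device_keys, k_mgmt, ttl

    def authenticate(self, request_a: dict, now: int):
        key = self.device_keys.get(request_a.get("device_id"))
        if key is None:
            return None  # unknown device identifier
        expected = _mac(key, "device-credential", request_a["device_id"])
        if not hmac.compare_digest(expected, request_a.get("device_credential", "")):
            return None  # device credential does not verify
        first_id, expiry = "fid-" + secrets.token_hex(8), str(now + self.ttl)
        cred1 = _mac(self.k_mgmt, "security-credential-1", first_id, expiry)
        return {"first_id": first_id, "expiry": expiry, "security_credential_1": cred1}


class GatewayDevice:
    """IoT gateway device: relays request A unchanged, returns response A to the
    device, and later packages IoT information #3 for the management device."""

    def __init__(self, auth: AuthenticationDevice):
        self.auth, self.sessions = auth, {}  # sessions: first_id -> device_id

    def handle_request_a(self, request_a: dict, now: int) -> dict:
        result = self.auth.authenticate(request_a, now)
        if result is None:
            return {"status": "rejected"}
        self.sessions[result["first_id"]] = request_a["device_id"]
        return {"status": "authorized", **result}

    def build_iot_info_3(self, first_id: str, expiry: str, cred1: str, data: str) -> dict:
        return {"first_id": first_id, "expiry": expiry,
                "security_credential_1": cred1, "data": data}


class ManagementDevice:
    """IoT management device: acts on IoT information #3 only if security
    credential 1 verifies under K_mgmt and is still within its validity period."""

    def __init__(self, k_mgmt: bytes):
        self.k_mgmt = k_mgmt

    def handle_iot_info_3(self, info3: dict, now: int):
        expected = _mac(self.k_mgmt, "security-credential-1", info3["first_id"], info3["expiry"])
        if not hmac.compare_digest(expected, info3["security_credential_1"]):
            return None  # forged or tampered security credential 1
        if now >= int(info3["expiry"]):
            return None  # validity period elapsed
        return {"first_id": info3["first_id"], "data": info3["data"]}


def run_exchange(device_key: bytes, provisioned_key: bytes, now: int = 1_700_000_000,
                 tamper: bool = False, report_at=None):
    """Run one full exchange with constructed keys; returns
    (status of response A, result at the management device or None)."""
    k_mgmt = b"constructed-key-shared-by-auth-and-mgmt"
    device = IoTDevice("dev-0001", device_key)
    gateway = GatewayDevice(AuthenticationDevice({"dev-0001": provisioned_key}, k_mgmt))
    mgmt = ManagementDevice(k_mgmt)
    response_a = gateway.handle_request_a(device.build_request_a(), now)
    if not device.accept_response_a(response_a):
        return response_a["status"], None
    cred1 = device.security_credential_1
    if tamper:  # flip the first hex digit to model a credential altered in transit
        cred1 = ("1" if cred1[0] == "0" else "0") + cred1[1:]
    info3 = gateway.build_iot_info_3(device.first_id, device.expiry, cred1, "temp=21.5")
    return response_a["status"], mgmt.handle_iot_info_3(info3, now + 1 if report_at is None else report_at)
```

`run_exchange(b"k1", b"k1")` returns `("authorized", {...})` when the device key matches the key provisioned at the authentication device; a wrong device key yields `("rejected", None)`, and a tampered or expired security credential 1 is authorized at the gateway but refused by the management device. Two points about the assumptions rather than about the patent: the device credential here is a static MAC over the device identifier, so a captured request information A could be replayed, and a deployment would bind it to a freshness value issued by the gateway or authentication device; and because security credential 1 is verified by the management device locally under K_mgmt, its validity period is the only thing that limits how long a leaked credential remains usable, so a short ttl or an explicit revocation path is needed in practice.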
In one possible implementation, the processor 910 executes instructions stored in a memory to implement the functions performed by the network device or the terminal device.

Optionally, the communication device 900 further includes a memory.

Optionally, the processor and the memory are integrated together.

Optionally, the memory is located outside the communication device 900.

In one possible implementation, the processor 910 may be a logic circuit, and the processor 910 inputs/outputs messages or signalling through the input/output interface 920. The logic circuit may be a signal processor, a chip, or another integrated circuit capable of implementing the methods of the embodiments of this application.

The above description of the device in FIG. 9 is only exemplary. The device can be used to execute the methods described in the foregoing embodiments; for details, refer to the description of the foregoing method embodiments, which is not repeated here.
FIG. 10 is a schematic block diagram of a communication device 1000 according to an embodiment of this application. The communication device 1000 may be a network device or a chip (when the IoT gateway device, the IoT management device or the IoT device is a network device). The communication device 1000 may be used to perform the operations performed by the network device in the method embodiments shown in FIG. 3 to FIG. 6.

When the communication device 1000 is a network device, it is, for example, a base station. FIG. 10 shows a simplified schematic structure of a base station. The base station includes a part 1010, a part 1020 and a part 1030. The part 1010 is mainly used for baseband processing and for controlling the base station; it is usually the control centre of the base station, is usually referred to as a processor, and controls the base station to perform the processing operations on the network device side in the foregoing method embodiments. The part 1020 is mainly used to store computer program code and data. The part 1030 is mainly used for transmitting and receiving radio frequency signals and for conversion between radio frequency signals and baseband signals; it is usually referred to as a transceiver module, a transceiver, a transceiver circuit, or the like. The transceiver module of the part 1030, which may also be called a transceiver, includes an antenna 1033 and a radio frequency circuit (not shown in FIG. 10), where the radio frequency circuit is mainly used for radio frequency processing. Optionally, the component of the part 1030 that implements the receiving function may be regarded as a receiver, and the component that implements the transmitting function may be regarded as a transmitter; that is, the part 1030 includes a receiver 1032 and a transmitter 1031. The receiver may also be called a receiving module, a receiving device or a receiving circuit, and the transmitter may also be called a transmitting module, a transmitting device or a transmitting circuit.

The part 1010 and the part 1020 may include one or more boards, each of which may include one or more processors and one or more memories. The processor reads and executes the program in the memory to implement the baseband processing function and the control of the base station. If there are multiple boards, the boards may be interconnected to enhance processing capability. As an optional implementation, multiple boards may share one or more processors, multiple boards may share one or more memories, or multiple boards may simultaneously share one or more processors.

For example, in one implementation, the transceiver module of the part 1030 performs the transceiving-related processes performed by the network device in the embodiments shown in FIG. 3 to FIG. 6, and the processor of the part 1010 performs the processing-related processes performed by the network device in those embodiments.

In another implementation, the processor of the part 1010 performs the processing-related processes performed by the communication device in the embodiments shown in FIG. 3 to FIG. 6.

In another implementation, the transceiver module of the part 1030 performs the transceiving-related processes performed by the communication device in the embodiments shown in FIG. 3 to FIG. 6.

It should be understood that FIG. 10 is merely an example and not a limitation; a network device including the processor, memory and transceiver described above need not rely on the structures shown in FIG. 7 to FIG. 9.

When the communication device 1000 is a chip, the chip includes a transceiver, a memory and a processor. The transceiver may be an input/output circuit or a communication interface; the processor is a processor, microprocessor or integrated circuit integrated on the chip. The sending operations of the network device in the foregoing method embodiments may be understood as the output of the chip, and the receiving operations of the network device in the foregoing method embodiments may be understood as the input of the chip.
FIG. 11 is a schematic block diagram of a communication device 1100 according to an embodiment of this application. The communication device 1100 may be a terminal device, a processor of a terminal device, or a chip (when the IoT gateway device, the IoT management device or the IoT device is a terminal device). The communication device 1100 may be used to perform the operations performed by the terminal device or the communication device in the foregoing method embodiments.

When the communication device 1100 is a terminal device, FIG. 11 shows a simplified schematic structure of the terminal device. As shown in FIG. 11, the terminal device includes a processor, a memory and a transceiver. The memory may store computer program code, and the transceiver includes a transmitter 1131, a receiver 1132, a radio frequency circuit (not shown in FIG. 11), an antenna 1133 and an input/output apparatus (not shown in FIG. 11).

The processor is mainly used to process communication protocols and communication data, control the terminal device, execute software programs and process software program data. The memory is mainly used to store software programs and data. The radio frequency circuit is mainly used for conversion between baseband signals and radio frequency signals and for processing radio frequency signals. The antenna is mainly used to transmit and receive radio frequency signals in the form of electromagnetic waves. The input/output apparatus, for example a touch screen, a display screen or a keyboard, is mainly used to receive data entered by the user and to output data to the user. Note that some types of terminal device may have no input/output apparatus.

When data needs to be sent, the processor performs baseband processing on the data to be sent and outputs a baseband signal to the radio frequency circuit; the radio frequency circuit performs radio frequency processing on the baseband signal and then transmits the radio frequency signal outward through the antenna in the form of electromagnetic waves. When data is sent to the terminal device, the radio frequency circuit receives the radio frequency signal through the antenna, converts it into a baseband signal and outputs the baseband signal to the processor, which converts the baseband signal into data and processes the data. For ease of illustration, only one memory, one processor and one transceiver are shown in FIG. 11; an actual terminal device product may have one or more processors and one or more memories. The memory may also be referred to as a storage medium, a storage device or the like. The memory may be provided separately from the processor or integrated with the processor; the embodiments of this application impose no limitation on this.

In the embodiments of this application, the antenna and radio frequency circuit having transceiving functions may be regarded as the transceiver module of the terminal device, and the processor having processing functions may be regarded as the processing module of the terminal device.

As shown in FIG. 11, the terminal device includes a processor 1110, a memory 1120 and a transceiver 1130. The processor 1110 may also be referred to as a processing unit, a processing board, a processing module, a processing apparatus or the like, and the transceiver 1130 may also be referred to as a transceiver unit, a transceiver, a transceiver apparatus or the like.

Optionally, the component of the transceiver 1130 that implements the receiving function may be regarded as a receiving module, and the component that implements the transmitting function may be regarded as a transmitting module; that is, the transceiver 1130 includes a receiver and a transmitter. The transceiver may sometimes also be called a transceiver module, a transceiver circuit or the like; the receiver may sometimes be called a receiving module, a receiving circuit or the like; and the transmitter may sometimes be called a transmitting module, a transmitting circuit or the like.
For example, in one implementation, the processor 1110 performs the processing actions on the terminal device side in the embodiments shown in FIG. 3 to FIG. 6, and the transceiver 1130 performs the transceiving actions on the terminal device side in FIG. 3 to FIG. 6.
It should be understood that FIG. 11 is merely an example and not a limitation; the terminal device including the transceiver module and the processing module described above need not rely on the structures shown in FIG. 7 to FIG. 9.

When the communication device 1100 is a chip, the chip includes a processor, a memory and a transceiver. The transceiver may be an input/output circuit or a communication interface; the processor may be a processing module, microprocessor or integrated circuit integrated on the chip. The sending operations of the terminal device in the foregoing method embodiments may be understood as the output of the chip, and the receiving operations of the terminal device in the foregoing method embodiments may be understood as the input of the chip.

This application further provides a chip including a processor, configured to call and run instructions stored in a memory so that a communication device in which the chip is installed executes the methods in the foregoing examples.

This application further provides another chip, including an input interface, an output interface and a processor, where the input interface, the output interface and the processor are connected through an internal connection path, and the processor is configured to execute code in a memory; when the code is executed, the processor executes the methods in the foregoing examples. Optionally, the chip further includes a memory configured to store the computer program or code.

This application further provides a processor, coupled to a memory, configured to execute the methods and functions involving the network device or the terminal device in any of the foregoing embodiments.

Another embodiment of this application provides a computer program product including instructions; when the computer program product runs on a computer, the methods of the foregoing embodiments are implemented.

This application further provides a computer program; when the computer program is run on a computer, the methods of the foregoing embodiments are implemented.

Another embodiment of this application provides a computer-readable storage medium storing a computer program; when the computer program is executed by a computer, the methods described in the foregoing embodiments are implemented.
In the description of the embodiments of this application, unless otherwise specified, "multiple" means two or more. "At least one of the following items" or a similar expression refers to any combination of these items, including any combination of a single item or multiple items. For example, at least one of a, b, or c may represent: a, b, c, a-b, a-c, b-c, or a-b-c, where a, b and c may each be singular or plural.

In addition, to describe the technical solutions of the embodiments of this application clearly, the words "first", "second" and the like are used in the embodiments of this application to distinguish between identical or similar items whose functions and effects are substantially the same. Those skilled in the art will understand that the words "first", "second" and the like do not limit the quantity or the execution order, and do not necessarily mean that the items are different. Likewise, in the embodiments of this application, the words "exemplarily" or "for example" are used to denote an example, illustration or explanation.

Any embodiment or design described as "exemplary" or "for example" in the embodiments of this application should not be construed as preferred over or more advantageous than other embodiments or designs. Rather, the words "exemplary" or "for example" are intended to present related concepts in a specific way for ease of understanding.

In the description of the embodiments of this application, unless otherwise specified, "/" indicates an "or" relationship between the associated objects; for example, A/B may represent A or B. "And/or" in this application merely describes an association between associated objects and indicates that three relationships may exist; for example, A and/or B may represent the three cases of A alone, both A and B, and B alone, where A and B may be singular or plural.
It should be understood that reference throughout this specification to "one embodiment", "an embodiment" or "embodiments" means that a particular feature, structure or characteristic related to the embodiment is included in at least one embodiment of this application.

Thus, the appearances of "in one embodiment" or "in an embodiment" in various places throughout this specification do not necessarily refer to the same embodiment. Furthermore, the particular features, structures or characteristics may be combined in any suitable manner in one or more embodiments.

In the various embodiments of this application, the sequence numbers of the foregoing processes do not imply an execution order; the execution order of the processes should be determined by their functions and internal logic, and should not constitute any limitation on the implementation of the embodiments of this application.
Those of ordinary skill in the art will appreciate that the units and algorithm steps of the examples described in conjunction with the embodiments disclosed herein can be implemented in electronic hardware, or in a combination of computer software and electronic hardware. Whether these functions are performed in hardware or software depends on the specific application and design constraints of the technical solution. A skilled person may use different methods to implement the described functions for each specific application, but such implementation should not be considered to go beyond the scope of this application.

Those skilled in the art will clearly understand that, for convenience and brevity of description, the specific working processes of the systems, devices and units described above may refer to the corresponding processes in the foregoing method embodiments, and are not repeated here.

In the several embodiments provided in this application, it should be understood that the disclosed systems, devices and methods may be implemented in other ways. For example, the device embodiments described above are only schematic: the division into units is only a division by logical function, and there may be other divisions in actual implementation; for example, multiple units or components may be combined or integrated into another system, or some features may be omitted or not executed.

In addition, the mutual couplings, direct couplings or communication connections shown or discussed may be indirect couplings or communication connections through some interfaces, devices or units, and may be electrical, mechanical or in other forms.

The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; that is, they may be located in one place or distributed over multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.

In addition, the functional units in the embodiments of this application may be integrated into one processing unit, each unit may exist physically on its own, or two or more units may be integrated into one unit.

If the functions are implemented in the form of software functional units and sold or used as an independent product, they may be stored in a computer-readable storage medium. On this understanding, the technical solutions of the embodiments of this application, in essence, or the part that contributes to the prior art, or a part of the technical solutions, may be embodied in the form of a software product. The computer software product is stored in a storage medium and includes several instructions that cause a computer device (which may be a personal computer, a server, a network device or the like) to perform all or some of the steps of the methods of the embodiments of this application. The foregoing storage medium includes any medium that can store program code, such as a USB flash drive, a removable hard disk, a ROM, a RAM, a magnetic disk or an optical disc.
以上,仅为本申请实施例的具体实施方式,但本申请实施例的保护范围并不局限于此,任何熟悉本技术领域的技术人员在本申请实施例揭露的技术范围内,可轻易想到变化或替换,都应涵盖在本申 请实施例的保护范围之内。因此,本申请实施例的保护范围应以权利要求的保护范围为准。 The above is only a specific implementation of the embodiment of the present application, but the protection scope of the embodiment of the present application is not limited thereto. Any technician familiar with the technical field can easily think of changes or substitutions within the technical scope disclosed in the embodiment of the present application, which should be covered in the present application. Therefore, the protection scope of the embodiments of the present application shall be subject to the protection scope of the claims.

Claims (37)

  1. A method for authentication and authorization, characterized by comprising:
    an Internet of Things (IoT) gateway device receives request information from an IoT device, the request information including a device identifier and a device credential of the IoT device;
    the IoT gateway device determines that the request information is for requesting authentication and authorization of the IoT device;
    the IoT gateway device sends the request information to an IoT authentication device, the IoT authentication device being for performing the authentication and authorization on the IoT device; and
    the IoT gateway device sends response information to the IoT device, the response information being for indicating that the IoT device has passed the authentication and authorization, the response information including a first identifier and a first security credential configured by the IoT authentication device for the IoT device, the first identifier and the first security credential being for indicating that the IoT device has passed the authentication and authorization.
  2. The method according to claim 1, characterized in that the method further comprises:
    the IoT gateway device receives first information from the IoT device, the first information being for indicating an IoT operation of an IoT management device or an IoT server;
    the IoT gateway device determines that the IoT device is in a non-authenticated-and-authorized state; and
    the IoT gateway device sends first indication information to the IoT device, the first indication information being for instructing the IoT device to send the request information.
  3. The method according to claim 1 or 2, characterized in that the method further comprises:
    the IoT gateway device receives second information from the IoT device, the second information including the first identifier and the first security credential, the second information being for indicating an IoT operation of the IoT management device or the IoT server;
    the IoT gateway device determines that the IoT device has passed the authentication and authorization; and
    the IoT gateway device sends the second information to the IoT management device or the IoT server.
  4. The method according to claim 3, characterized in that the IoT gateway device determining that the IoT device has passed the authentication and authorization comprises:
    the IoT gateway device sends the first identifier and the first security credential to the IoT authentication device;
    the IoT gateway device receives feedback information from the IoT authentication device, the feedback information being for indicating that the IoT device has passed the authentication and authorization; and
    the IoT gateway device determines, based on the feedback information, that the IoT device has passed the authentication and authorization.
  5. The method according to claim 3, characterized in that the IoT gateway device determining that the IoT device has passed the authentication and authorization comprises:
    the IoT gateway device receives a second security credential from the IoT authentication device, the second security credential being for indicating that the IoT device has passed the authentication and authorization; and
    the IoT gateway device determines, based on the second security credential, that the IoT device has passed the authentication and authorization.
  6. The method according to any one of claims 1 to 5, characterized in that the IoT authentication device includes at least one of an IoT management device and an IoT server.
  7. The method according to claim 6, characterized in that the second information further includes at least one of the following:
    an IoT identifier, or second indication information;
    the second indication information being for instructing the IoT gateway device to send the second information to the IoT server; or
    the second indication information being for instructing the IoT gateway device to send the second information to the IoT management device.
  8. A method for authentication and authorization, characterized by comprising:
    an IoT management device receives first information from an IoT gateway device, the first information being for indicating an IoT operation of the IoT management device, the first information including a first identifier and a first security credential, the first identifier and the first security credential being for indicating that an IoT device has passed authentication and authorization;
    the IoT management device determines that the IoT device has passed the authentication and authorization; and
    the IoT management device performs the IoT operation according to the first information.
  9. The method according to claim 8, characterized in that the IoT operation is an operation that the IoT device requests the IoT management device to perform.
  10. The method according to claim 8, characterized in that
    the first information is for indicating an IoT invitation confirmation operation of the IoT management device, and before the IoT management device receives the first information from the IoT gateway device, the method further comprises:
    the IoT management device sends IoT invitation information to the IoT device, the IoT invitation information being for instructing the IoT device to join the IoT network managed by the IoT management device;
    and the IoT management device performing the IoT operation according to the first information comprises:
    the IoT management device adds the IoT device to the IoT network.
  11. The method according to any one of claims 8 to 10, characterized in that before the IoT management device receives the first information from the IoT gateway device, the method further comprises:
    the IoT management device sends an address of an IoT server to the IoT device, the address of the IoT server being for the IoT device to determine the recipient of first request information, the first request information being for requesting the IoT server to perform the authentication and authorization on the IoT device;
    and the IoT management device determining that the IoT device has passed the authentication and authorization comprises:
    the IoT management device sends the first identifier and the first security credential to the IoT server;
    the IoT management device receives first feedback information from the IoT server, the first feedback information being for indicating that the IoT device has passed the authentication and authorization; and
    the IoT management device determines, based on the feedback information, that the IoT device has passed the authentication and authorization.
  12. The method according to any one of claims 8 to 10, characterized in that before the IoT management device receives the first information from the IoT gateway device, the method further comprises:
    the IoT management device sends an address of an IoT server to the IoT device, the address of the IoT server being for the IoT device to determine the recipient of first request information, the first request information being for requesting the IoT server to perform the authentication and authorization on the IoT device;
    and the IoT management device determining that the IoT device has passed the authentication and authorization comprises:
    the IoT management device receives a second security credential from the IoT server, the second security credential being for indicating that the IoT device has passed the authentication and authorization; and
    the IoT management device determines, based on the second security credential, that the IoT device has passed the authentication and authorization.
  13. The method according to any one of claims 8 to 12, characterized in that before the IoT management device receives the first information from the IoT gateway device, the method further comprises:
    the IoT management device receives second information from the IoT device, the second information being for indicating an IoT operation of the IoT management device;
    the IoT management device determines that the IoT device is in a non-authenticated-and-authorized state; and
    the IoT management device sends first indication information to the IoT device, the first indication information being for instructing the IoT device to send the first request information.
  14. The method according to claim 13, characterized in that the first indication information includes the address of the IoT server.
  15. The method according to any one of claims 8 to 14, characterized in that before the IoT management device receives the first information from the IoT gateway device, the method further comprises:
    the IoT management device receives third information from the IoT device, the third information being for indicating an IoT operation of the IoT management device, the third information including a device identifier and a device credential of the IoT device;
    the IoT management device determines that the IoT device is in a non-authenticated-and-authorized state;
    the IoT management device sends second request information to the IoT server, the second request information being for requesting the IoT server to perform the authentication and authorization on the IoT device, the second request information including the device identifier and the device credential; and
    the IoT management device receives response information from the IoT server, the response information being for indicating that the IoT device has passed the authentication and authorization, the response information including a first identifier and a first security credential configured by the IoT server for the IoT device, the first identifier and the first security credential being for indicating that the IoT device has passed the authentication and authorization.
  16. The method according to any one of claims 8 to 15, characterized in that the first information further includes at least one of the following:
    an IoT identifier, or second indication information;
    the second indication information being for instructing the IoT management device to send the first information to the IoT server.
  17. The method according to any one of claims 8 to 16, characterized in that before the IoT management device receives the first information from the IoT gateway device, the method further comprises:
    the IoT management device receives verification information from the IoT gateway device, the verification information being for requesting the IoT management device to determine that the IoT device has passed the authentication and authorization, the verification information including the first identifier and the first security credential; and
    the IoT management device sends second feedback information to the IoT gateway device, the second feedback information being for indicating that the IoT device has passed the authentication and authorization.
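The message flow claimed in claims 1 to 7 (gateway side) and claims 8 to 17 (management device side) is easier to follow as a small simulation. The following Python model is an added illustration and is not code from the patent or from the applicant; the claims name the fields exchanged but not their encoding, so the dictionary message shapes, the field names (`device_id`, `first_id`, `first_credential`, `second_indication`, ...), the HMAC-based minting of the first security credential, the constructed device registry and the `iot-server.example` address are all assumptions of this example. The management device confirms the device's status by querying the server, as in claims 8 and 11 (the claim 5 / claim 12 variant with a second security credential is not modelled). One design point worth noticing: the management device takes the device identity from the server's binding of the first identifier, never from a field the device supplies, and the gateway treats a missing or unverifiable first credential exactly the same way (claims 2 and 4), so a device cannot skip the authentication step by guessing the message format.

```python
import hashlib
import hmac
import secrets

# Constructed registry of pre-provisioned device credentials; it stands in for whatever
# secret the "device credential" of claim 1 is in a real deployment (example assumption).
DEVICE_REGISTRY = {"dev-0001": "psk-A-constructed"}


class IoTServer:
    """The IoT authentication device (claims 1, 6): mints and verifies credentials."""
    def __init__(self):
        self._key = secrets.token_bytes(32)  # MAC key that never leaves the server
        self.sessions = {}                   # first_id -> (device_id, first_credential)

    def authenticate(self, request):
        """Claim 1: check device identifier + device credential, issue first id/credential."""
        expected = DEVICE_REGISTRY.get(request["device_id"])
        if expected is None or not hmac.compare_digest(expected, request["device_credential"]):
            return None
        first_id = "iot-" + secrets.token_hex(4)
        first_cred = hmac.new(self._key, first_id.encode(), hashlib.sha256).hexdigest()
        self.sessions[first_id] = (request["device_id"], first_cred)
        return {"first_id": first_id, "first_credential": first_cred}

    def verify(self, first_id, first_cred):
        """Feedback information (claims 4, 11): the bound device id, or None if not authorized."""
        entry = self.sessions.get(first_id)
        if entry is None or not hmac.compare_digest(entry[1], first_cred):
            return None
        return entry[0]


class ManagementDevice:
    """The IoT management device of claims 8-17."""
    def __init__(self, server):
        self.server = server
        self.invited = set()  # device ids that were sent an invitation (claim 10)
        self.members = set()  # devices admitted to the managed IoT network

    def invite(self, device_id):
        self.invited.add(device_id)  # claims 10/11: invitation plus the server address
        return {"type": "iot_invitation", "server_address": "iot-server.example"}

    def handle(self, first_info):
        # Claim 8: act only after confirming the device passed authentication/authorization.
        # The device id comes from the server's binding, not from a field the device chose.
        device_id = self.server.verify(first_info["first_id"], first_info["first_credential"])
        if device_id is None:
            return {"ok": False, "reason": "not authenticated"}
        if first_info["operation"] == "invitation_confirm":  # claim 10
            if device_id not in self.invited:
                return {"ok": False, "reason": "no invitation"}
            self.members.add(device_id)
        return {"ok": True, "device_id": device_id}


class Gateway:
    """The IoT gateway device of claims 1-7."""
    def __init__(self, server, mgmt):
        self.server = server
        self.targets = {"management": mgmt}  # claim 7: second indication picks the recipient

    def handle(self, msg):
        if msg["type"] == "auth_request":  # claim 1: forward to the auth device, relay the answer
            result = self.server.authenticate(msg)
            return {"type": "auth_response", "ok": result is not None, **(result or {})}
        if msg["type"] == "iot_operation":
            # Claim 2: no first id means not yet authenticated; claim 4: otherwise ask the server.
            if "first_id" not in msg or self.server.verify(
                    msg["first_id"], msg.get("first_credential", "")) is None:
                return {"type": "first_indication", "action": "send_auth_request"}
            target = self.targets.get(msg.get("second_indication", "management"))
            if target is None:
                return {"type": "error", "reason": "unknown recipient"}
            return target.handle(msg)  # claim 3: forward the second information
        return {"type": "error", "reason": "unknown message"}


def run_flow():
    """Walk one device through claims 2, 1, 3, 4, 8 and 10; return the observable results."""
    server = IoTServer()
    mgmt = ManagementDevice(server)
    gw = Gateway(server, mgmt)
    mgmt.invite("dev-0001")
    # An operation attempted before authenticating is bounced with first indication information.
    r1 = gw.handle({"type": "iot_operation", "operation": "invitation_confirm"})
    # Request information carrying the device identifier and device credential.
    r2 = gw.handle({"type": "auth_request", "device_id": "dev-0001",
                    "device_credential": "psk-A-constructed"})
    r3 = gw.handle({"type": "auth_request", "device_id": "dev-0001", "device_credential": "bad"})
    # Second information carrying the first id/credential reaches the management device.
    r4 = gw.handle({"type": "iot_operation", "operation": "invitation_confirm",
                    "first_id": r2["first_id"], "first_credential": r2["first_credential"],
                    "second_indication": "management"})
    # A forged first credential never reaches the management device.
    r5 = gw.handle({"type": "iot_operation", "operation": "invitation_confirm",
                    "first_id": r2["first_id"], "first_credential": "0" * 64})
    return {"r1": r1, "r2": r2, "r3": r3, "r4": r4, "r5": r5, "members": set(mgmt.members)}
```

Running `run_flow()` shows the five outcomes in order: a first-indication bounce, a successful authentication response, a rejected device credential, an admitted invitation confirmation, and a second bounce for the forged credential.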
  18. A communication apparatus, characterized by comprising:
    a transceiver unit, configured to receive request information from an IoT device, the request information including a device identifier and a device credential of the IoT device;
    a processing unit, configured to determine that the request information is for requesting authentication and authorization of the IoT device;
    the transceiver unit being further configured to send the request information to an IoT authentication device, the IoT authentication device being for performing the authentication and authorization on the IoT device; and
    the transceiver unit being further configured to send response information to the IoT device, the response information being for indicating that the IoT device has passed the authentication and authorization, the response information including a first identifier and a first security credential configured by the IoT authentication device for the IoT device, the first identifier and the first security credential being for indicating that the communication apparatus has passed the authentication and authorization.
  19. The apparatus according to claim 18, characterized in that
    the transceiver unit is further configured to receive first information from the IoT device, the first information being for indicating an IoT operation of an IoT management device or an IoT server;
    the processing unit is configured to determine that the IoT device is in a non-authenticated-and-authorized state; and
    the transceiver unit is further configured to send first indication information to the IoT device, the first indication information being for instructing the IoT device to send the request information.
  20. The apparatus according to claim 18 or 19, characterized in that
    the transceiver unit is further configured to receive second information from the IoT device, the second information including the first identifier and the first security credential, the second information being for indicating an IoT operation of the IoT management device or the IoT server;
    the processing unit is further configured to determine that the IoT device has passed the authentication and authorization; and
    the transceiver unit is further configured to send the second information to the IoT management device or the IoT server.
  21. The apparatus according to claim 20, characterized in that
    the transceiver unit is further configured to send the first identifier and the first security credential to the IoT authentication device;
    the transceiver unit is further configured to receive feedback information from the IoT authentication device, the feedback information being for indicating that the IoT device has passed the authentication and authorization; and
    the processing unit is further configured to determine, based on the feedback information, that the IoT device has passed the authentication and authorization.
  22. The apparatus according to claim 20, characterized in that
    the transceiver unit is further configured to receive a second security credential from the IoT authentication device, the second security credential being for indicating that the IoT device has passed the authentication and authorization; and
    the processing unit is further configured to determine, based on the second security credential, that the IoT device has passed the authentication and authorization.
  23. The apparatus according to any one of claims 18 to 22, characterized in that the IoT authentication device includes at least one of an IoT management device and an IoT server.
  24. The apparatus according to claim 23, characterized in that the second information further includes at least one of the following:
    an IoT identifier, or second indication information;
    the second indication information being for instructing the communication apparatus to send the second information to the IoT server; or
    the second indication information being for instructing the communication apparatus to send the second information to the IoT management device.
  25. A communication apparatus, characterized by comprising:
    a transceiver unit, configured to receive first information from an IoT gateway device, the first information being for indicating an IoT operation of an IoT device, the first information including a first identifier and a first security credential, the first identifier and the first security credential being for indicating that the IoT device has passed authentication and authorization;
    a processing unit, configured to determine that the IoT device has passed the authentication and authorization; and
    the processing unit being further configured to process the first information.
  26. The apparatus according to claim 25, characterized in that the IoT operation is an operation that the IoT device requests the communication apparatus to perform.
  27. The apparatus according to claim 25, characterized in that the first information is for indicating an IoT invitation confirmation operation of the communication apparatus, and the transceiver unit is further configured to:
    send IoT invitation information to the IoT device, the IoT invitation information being for instructing the IoT device to join the IoT network managed by the communication apparatus; and
    the processing unit is further configured to add the IoT device to the IoT network.
  28. The apparatus according to any one of claims 25 to 27, characterized in that
    the transceiver unit is further configured to send an address of the IoT server to the IoT device, the address of the IoT server being for the IoT device to determine the recipient of first request information, the first request information being for requesting the IoT server to perform the authentication and authorization on the IoT device; and
    the transceiver unit is further configured to send the first identifier and the first security credential to the IoT server; the transceiver unit is further configured to receive first feedback information from the IoT server, the first feedback information being for indicating that the IoT device has passed the authentication and authorization; and the processing unit is further configured to determine, based on the feedback information, that the IoT device has passed the authentication and authorization.
  29. The apparatus according to any one of claims 25 to 27, characterized in that
    the transceiver unit is further configured to send an address of the IoT server to the IoT device, the address of the IoT server being for the IoT device to determine the recipient of first request information, the first request information being for requesting the IoT server to perform the authentication and authorization on the IoT device; and
    the transceiver unit is further configured to receive a second security credential from the IoT server, the second security credential being for indicating that the IoT device has passed the authentication and authorization; and the processing unit is further configured to determine, based on the second security credential, that the IoT device has passed the authentication and authorization.
  30. The apparatus according to any one of claims 25 to 29, characterized in that
    the transceiver unit is further configured to receive second information from the IoT device, the second information being for indicating an IoT operation of the communication apparatus;
    the processing unit is further configured to determine that the IoT device is in a non-authenticated-and-authorized state; and
    the transceiver unit is further configured to send first indication information to the IoT device, the first indication information being for instructing the IoT device to send the first request information.
  31. The apparatus according to claim 30, characterized in that the first indication information includes the address of the IoT server.
  32. The apparatus according to any one of claims 25 to 31, characterized in that
    the transceiver unit is further configured to receive third information from the IoT device, the third information being for indicating an IoT operation of the IoT management device, the third information including a device identifier and a device credential of the IoT device;
    the processing unit is further configured to determine that the IoT device is in a non-authenticated-and-authorized state; and
    the transceiver unit is further configured to send second request information to the IoT server, the second request information being for requesting the IoT server to perform the authentication and authorization on the IoT device, the second request information including the device identifier and the device credential.
  33. The apparatus according to any one of claims 25 to 32, characterized in that the first information further includes at least one of the following:
    an IoT identifier, or second indication information;
    the second indication information being for instructing the communication apparatus to send the first information to the IoT server.
  34. The apparatus according to any one of claims 25 to 33, characterized in that
    the transceiver unit is further configured to receive verification information from the IoT gateway device, the verification information being for requesting the communication apparatus to determine that the IoT device has passed the authentication and authorization, the verification information including the first identifier and the first security credential; and
    the transceiver unit is further configured to send second feedback information to the IoT gateway device, the second feedback information being for indicating that the IoT device has passed the authentication and authorization.
  35. 一种计算机可读存储介质,其特征在于,存储有计算机程序或指令,所述计算机程序或指令用于实现权利要求1至17中任一项所述的方法。A computer-readable storage medium, characterized in that a computer program or instruction is stored therein, wherein the computer program or instruction is used to implement the method according to any one of claims 1 to 17.
  36. 一种计算机程序产品,其特征在于,当所述计算机程序产品在计算机上运行时,使得所述计算机执行权利要求1至17中任一项所述的方法。A computer program product, characterized in that when the computer program product is run on a computer, the computer is caused to execute the method according to any one of claims 1 to 17.
  37. 一种通信***,其特征在于,所述通信***包括物联网网关设备与物联网管理设备,A communication system, characterized in that the communication system includes an Internet of Things gateway device and an Internet of Things management device,
    所述物联网网关设备用于执行权利要求1至7中任一项所述的方法,The Internet of Things gateway device is used to execute the method described in any one of claims 1 to 7,
    所述物联网管理设备用于执行权利要求8至17中任一项所述的方法。 The Internet of Things management device is used to execute the method described in any one of claims 8 to 17.
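As an added illustration that is not part of the patent, the following Python models the management-device behaviour of claims 32 and 34: third information (device identifier and device credential) arrives from the IoT device, a device still in the non-authentication-and-authorization state triggers the second request to the IoT server, and a later verification request from the gateway (first identifier and first security credential) is answered with the second feedback information. The HMAC-based device credential, the server issuing the first identifier and first security credential, and all device names and keys are assumptions of this model, not details the claims specify.

```python
import hashlib
import hmac
import secrets

# Constructed pre-shared keys held by the IoT server, one per device identifier (assumption).
SERVER_DEVICE_KEYS = {"dev-001": b"constructed-psk-for-dev-001"}


def device_credential(device_id: str, key: bytes) -> str:
    # Device side: the device credential is assumed to be HMAC-SHA256 over the device identifier.
    return hmac.new(key, device_id.encode(), hashlib.sha256).hexdigest()


class IoTServer:
    """Answers the second request information; issues the first identifier/credential (assumed)."""

    def __init__(self) -> None:
        self.requests_seen = 0  # lets a caller check that authorized devices cause no new request

    def authenticate(self, device_id: str, credential: str):
        self.requests_seen += 1
        key = SERVER_DEVICE_KEYS.get(device_id)
        if key is None:
            return None  # unknown device: authentication and authorization fail
        expected = hmac.new(key, device_id.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, credential):  # constant-time comparison
            return None
        return f"iot-{secrets.token_hex(4)}", secrets.token_hex(16)


class IoTManagementDevice:
    """Models the IoT management device of claims 32 and 34."""

    def __init__(self, server: IoTServer) -> None:
        self.server = server
        self.authorized = {}  # device_id -> (first_identifier, first_security_credential)

    def handle_third_information(self, device_id: str, credential: str):
        # Claim 32: only a device in the non-authentication-and-authorization state
        # triggers the second request; an already authorized device gets its stored identifier.
        if device_id in self.authorized:
            return self.authorized[device_id][0]
        result = self.server.authenticate(device_id, credential)
        if result is None:
            return None
        self.authorized[device_id] = result
        return result[0]

    def handle_verification_information(self, first_identifier: str, first_credential: str) -> bool:
        # Claim 34: the gateway asks whether the device passed; the bool is the second feedback information.
        for stored_id, stored_cred in self.authorized.values():
            if stored_id == first_identifier:
                return hmac.compare_digest(stored_cred, first_credential)
        return False
```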
Applications Claiming Priority (2)

Application Number | Priority Date | Filing Date | Title
CN202211234895.6A (CN117880808A) | 2022-10-10 | 2022-10-10 | Authentication and authorization method and communication device
CN202211234895.6 | 2022-10-10 | |

Publications (1)

Publication Number | Publication Date
WO2024078313A1 (en) | 2024-04-18

Family

ID=90592334

Family Applications (1)

Application Number | Title | Priority Date | Filing Date
PCT/CN2023/121110 (WO2024078313A1) | Authentication and authorization method and communication apparatus | 2022-10-10 | 2023-09-25

Country Status (2)

Country | Link
CN (1) | CN117880808A (en)
WO (1) | WO2024078313A1 (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
CN108650212A * | 2018-03-14 | 2018-10-12 | 北京云信万致科技有限公司 | A kind of Internet of Things certification and access control method and Internet of Things security gateway system
CN110995759A * | 2019-12-23 | 2020-04-10 | 中国联合网络通信集团有限公司 | Access method and device of Internet of things
CN112512045A * | 2019-08-27 | 2021-03-16 | 华为技术有限公司 | Communication system, method and device
CN113015165A * | 2021-03-11 | 2021-06-22 | 青岛海信智能商用系统股份有限公司 | Internet of things platform device access method, device and system
CN114567650A * | 2021-12-29 | 2022-05-31 | 西安天和防务技术股份有限公司 | Data processing method and Internet of things platform system

Also Published As

Publication number | Publication date
CN117880808A (en) | 2024-04-12
