CN114338076A - Distributed cross-device access control method and device suitable for smart home environment - Google Patents
- Publication number: CN114338076A (application number CN202111334887.4A)
- Authority: CN (China)
- Prior art keywords: subject, credential, request, access, verification
- Legal status: Granted
Classifications
- Y—GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
- Y02—TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
- Y02P—CLIMATE CHANGE MITIGATION TECHNOLOGIES IN THE PRODUCTION OR PROCESSING OF GOODS
- Y02P90/00—Enabling technologies with a potential contribution to greenhouse gas [GHG] emissions mitigation
- Y02P90/02—Total factory control, e.g. smart factories, flexible manufacturing systems [FMS] or integrated manufacturing systems [IMS]
Landscapes
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The present application discloses a distributed cross-device access control method and device suitable for a smart home environment. The method includes: an access subject and an accessed object obtain access control rules; the subject establishes a connection with the object by sending a connection request, and after the object has verified the legitimacy of the subject's identity and permissions it sends an access verification credential and a refresh credential to the subject; on receiving them, the subject sends the object a request carrying the access verification credential and adds a random number to the request packet; after the object has verified the legitimacy and validity of the access verification credential and the random number, it executes the requested content and returns the result to the subject; when the access verification credential expires, the subject sends the refresh credential to the object together with a random number; after the legitimacy and validity of the refresh credential and the random number have been verified, the object generates, again from the access control rules, a new access verification credential and a corresponding refresh credential; the subject replaces its original access verification credential and refresh credential and uses the new ones for subsequent requests. This effectively strengthens the security of cross-device communication in the smart home and prevents connections from malicious devices and requests from malicious applications.
Description
Technical field
The present application relates to the technical field of access control, and in particular to a distributed cross-device access control method and device suitable for a smart home environment.
Background
Cross-device signal transmission lets a user control a remote device by operating an application on a local device, which improves the convenience and intelligence of the smart home. At the same time it raises many security problems: on the one hand, the identity of the device and the legitimacy of the transmitted content must be verified; on the other hand, the reliability of the transmission process must be guaranteed.
Access control is a technique for ensuring that an access subject accesses an object only legitimately. Implementing an access control scheme requires both an access control architecture and an access control policy, which provide structural and logical support respectively.
Access control architectures fall into two categories: the centralized approach and the distributed approach. In the centralized architecture a central server performs authentication and authorization, as shown in Figure 1. In a smart home environment the central server must hold a large amount of private user information, the object device acts only as a message receiver, and there is a serious single point of failure (SPOF) threat, so the distributed architecture currently receives more attention. The structure of the distributed architecture is shown in Figure 2: no third-party service is involved, the access control logic is embedded directly in the object device, and the object terminal performs authentication and authorization itself. The distributed architecture resolves the problems of the centralized one and at the same time enables two-way communication between the subject device and the object device, which helps in supervising and protecting the security of cross-device communication.
There are four mainstream access control policies: discretionary access control (DAC), mandatory access control (MAC), role-based access control (RBAC) and attribute-based access control (ABAC). Because smart home devices and scenarios are complex and varied, and the DAC and MAC policies are not flexible enough, RBAC and ABAC are the two currently applied. However, RBAC and ABAC depend on large amounts of pre-defined policy, role and attribute information, which under a distributed access control architecture is unfriendly to weak IoT devices with limited computing power and storage. In recent years capability-based access control has gradually matured and come into use. This policy uses the concept of a token: a token describes the identity and permission information of an entity, and that information is called a capability. When the subject accesses the object it sends a request carrying the token; access control no longer needs to authenticate identity, attributes or rules, and the subject's access permission is verified simply by verifying the legitimacy of the token.
Capability-based distributed access control schemes suffer from many security problems, owing to incomplete access control coverage, flaws in the verification mechanism, or verification information that is easily forged. These problems fall mainly into two categories:
Attacks from malicious devices. This kind of attack is attributed to insufficient identity verification before the two devices establish a connection, that is, the legitimacy of the token is not judged in time.
Attacks from malicious applications on trusted devices. This kind of attack is attributed to insufficient permission verification after the two devices have established a connection, that is, the legitimacy of the token is not judged effectively.
For the security problems of capability-based distributed access control schemes, the way the token is defined, managed and verified is critical, yet little existing work provides a complete access control scheme that meets these requirements.
Summary of the invention
The present application provides a distributed cross-device access control method and device suitable for a smart home environment, to solve the security problems in the related art caused by incomplete access control coverage, flaws in the verification mechanism, or verification information that is easily forged.
An embodiment of the first aspect of the present application provides a distributed cross-device access control method suitable for a smart home environment, applied in a smart home environment, including the following steps:
Step S1: the subject and the object are controlled to obtain from the cloud the access control rules that specify the permissions held by each process, and the sending of requests and responses is restricted according to the access control rules; the subject and the object each hold locally a positive integer counter used to identify data packets;
Step S2: the subject is controlled to establish a connection with the object; when the subject communicates with the object for the first time, the subject first sends a connection request and the object verifies the legitimacy of the subject's identity and permissions; if legitimate, the connection is established and at the same time the object generates, based on the access control rules, an access verification credential valid for a first preset duration and a refresh credential valid for a second preset duration, and returns both to the subject, where the second preset duration is longer than the first;
Step S3: after the subject receives and stores the access verification credential and the refresh credential, it sends the object a request carrying the access verification credential and adds the positive integer counter to the request packet;
Step S4: the object verifies the legitimacy and validity of the access verification credential sent by the subject; if it is legitimate and valid, the object executes the content of the request and returns the result to the subject; if it is not legitimate, the object rejects the request, reports an error and ends the communication; and if it is legitimate but beyond the first preset duration, the object returns a credential expired error to the subject and the following steps continue;
Step S5: after the subject receives the credential expired error, it sends the object the refresh credential that matches the expired access verification credential, together with the positive integer counter;
Step S6: the object verifies the legitimacy and validity of the refresh credential and at the same time checks the consistency of the positive integer counter; if not legitimate, it rejects the request, reports an error and ends the communication; if legitimate, the object generates, again based on the access control rules, a new access verification credential and a corresponding refresh credential and returns them to the subject;
Step S7: after the subject receives the new access verification credential and its corresponding refresh credential and stores them in place of the old ones, step S3 is executed again.
According to an embodiment of the present application, the method further includes: when the access control rules in the cloud are updated, the access control rules of the subject and the object are updated at the same time.
According to an embodiment of the present application, the positive integer counter is a random integer stored on both the subject and the object, with an initial value of 0; at the end of each communication the subject and the object each add one to their own counter value, so that the counter values are updated in step.
According to an embodiment of the present application, before step S2 the method further includes: the object verifies the legitimacy of the subject's identity and of the requested permissions, and the connection between the subject and the object is established after the verification passes.
According to an embodiment of the present application, step S3 further includes: the subject stores the access verification credential and its corresponding refresh credential locally; the data packet carrying the access verification credential passes through the subject-side proxy, is encrypted with the HMAC algorithm, has the positive integer counter added, and is then sent; the value of the positive integer counter starts at 0 and increments with each data packet.
According to an embodiment of the present application, when the object verifies the positive integer counter, the counter value in the data packet must be consistent with the locally stored counter value.
According to an embodiment of the present application, the method further includes: a subject-side transparent proxy sends or receives the data packets of all of the subject's communications and verifies those data packets; an object-side transparent proxy sends or receives the data packets of all of the object's communications and verifies those data packets.
An embodiment of the second aspect of the present application provides a distributed cross-device access control device suitable for a smart home environment, applied in a smart home environment, including:
a preparation module for controlling the subject and the object to obtain from the cloud the access control rules that specify the permissions held by each process, and for restricting the sending of requests and responses according to those rules, where the subject and the object each hold locally a positive integer counter used to identify data packets;
a connection establishment module for controlling the subject to establish a connection with the object, where, when the subject communicates with the object for the first time, the subject first sends a connection request and the object verifies the legitimacy of the subject's identity and permissions; if legitimate, the connection is established and at the same time the object generates, based on the access control rules, an access verification credential valid for a first preset duration and a refresh credential valid for a second preset duration and returns both to the subject, the second preset duration being longer than the first;
a first request module for, after the subject receives and stores the access verification credential and the refresh credential, sending the object a request carrying the access verification credential and adding the positive integer counter to the request packet;
a first verification module for, after the object verifies the legitimacy and validity of the access verification credential sent by the subject, executing the request content and returning the result to the subject if the credential is legitimate and valid; rejecting the request, reporting an error and ending the communication if it is not legitimate; and returning a credential expired error to the subject and continuing with the following steps if it is legitimate but beyond the first preset duration;
a second request module for, after the subject receives the credential expired error, sending the object the refresh credential that matches the expired access verification credential together with the positive integer counter;
a second verification module for, after the object verifies the legitimacy and validity of the refresh credential, checking the consistency of the positive integer counter at the same time; if not legitimate, rejecting the request, reporting an error and ending the communication; if legitimate, having the object generate, again based on the access control rules, a new access verification credential and a corresponding refresh credential and return them to the subject;
an update module for, after the subject receives the new access verification credential and its corresponding refresh credential and stores them in place of the old ones, executing the function of the first request module again.
An embodiment of the third aspect of the present application provides an electronic device, including a memory, a processor and a computer program stored in the memory and executable on the processor. When the processor executes the program, it implements the distributed cross-device access control method suitable for a smart home environment described in the above embodiments.
An embodiment of the fourth aspect of the present application provides a computer-readable storage medium. The computer-readable storage medium stores computer instructions that cause a computer to execute the distributed cross-device access control method suitable for a smart home environment described in the above embodiments.
The distributed cross-device access control method and device suitable for a smart home environment according to the embodiments of the present application have the following beneficial effects:
The distributed access control scheme of the present application authenticates every data packet on the basis of the access verification credential, which frees access control from dependence on third-party services or rule data sets, strengthens the monitoring of every communication packet, and at the same time reduces the resource overhead of access control on IoT devices. Using an access verification credential and a refresh credential side by side avoids the security risk of an access verification credential that stays valid forever once issued, and also spares the user frequent authorization prompts. Using proxies to encrypt and forward data packets solves the security problem of the two parties in cross-device communication establishing a connection before authentication, and at the same time hides the actual ports and internal details of device processes, avoiding attacks that exploit exposed ports.
Additional aspects and advantages of the present application will be set forth in part in the following description, and in part will become apparent from the following description or be learned by practice of the present application.
Description of the drawings
The above and/or additional aspects and advantages of the present application will become apparent and easy to understand from the following description of embodiments taken in conjunction with the accompanying drawings, in which:
Figure 1 is a schematic diagram of a centralized access control architecture;
Figure 2 is a schematic diagram of a distributed access control architecture;
Figure 3 is a flowchart of a distributed cross-device access control method suitable for a smart home environment according to an embodiment of the present application;
Figure 4 is a schematic diagram of the implementation mechanism of initial access and access verification according to an embodiment of the present application;
Figure 5 is a schematic diagram of the implementation mechanism of timeout access and access verification according to an embodiment of the present application;
Figure 6 is a schematic diagram of the implementation mechanism of packet loss/retransmission access and access verification according to an embodiment of the present application;
Figure 7 is an example diagram of a distributed cross-device access control device suitable for a smart home environment according to an embodiment of the present application;
Figure 8 is a schematic diagram of an electronic device according to an embodiment of the present application.
Detailed description
Embodiments of the present application are described in detail below; examples of the embodiments are shown in the accompanying drawings, in which the same or similar reference numerals throughout denote the same or similar elements or elements with the same or similar functions. The embodiments described below with reference to the drawings are exemplary and are intended to explain the present application, not to limit it.
The framework of the present application includes two entities, the subject and the object. The subject is the sender of a request: it requests access permission and sends the corresponding credential. The object is the receiver of the request, that is, the provider of the resource or the executor of the instruction, and is responsible for verifying the credential. In the rest of this application, Access Token (AT) denotes the access verification credential corresponding to a process, Refresh Token (RT) denotes the refresh credential corresponding to a process, and Proxy denotes the proxy deployed on the subject and object sides.
A hash-based message authentication code (HMAC) is a message authentication code (MAC) produced by a particular computation that uses a cryptographic hash function together with a secret key. It can be used to guarantee the integrity of data and also to authenticate a message. HMAC is computed as HMAC(K, text) = H((K' ⊕ opad) || H((K' ⊕ ipad) || text)), where H is a cryptographic hash function (such as the SHA family), K is the secret key, text is the message to be authenticated, K' is another secret key derived from the original key K (if K is shorter than the hash function's input block size it is padded on the right with zeros; if it is longer than the block size, K is hashed), || denotes concatenation, ⊕ denotes exclusive-or (XOR), opad is the outer padding (the hexadecimal constant 0x5c5c5c…5c5c) and ipad is the inner padding (the hexadecimal constant 0x363636…3636).
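As an added example (not code from the patent), the HMAC formula above implemented literally in Python and cross-checked against the standard library. The only step the description leaves implicit is assumed here as in RFC 2104: a key longer than the block size is hashed first and the digest is then zero-padded like any short key.

```python
import hashlib
import hmac


def hmac_from_formula(key: bytes, text: bytes, hash_name: str = "sha256") -> bytes:
    """Compute HMAC(K, text) = H((K' xor opad) || H((K' xor ipad) || text)) step by step."""
    block_size = hashlib.new(hash_name).block_size  # 64 bytes for SHA-256
    # K': a key longer than the block is hashed first (assumption: the digest is then zero-padded)
    if len(key) > block_size:
        key = hashlib.new(hash_name, key).digest()
    k_prime = key.ljust(block_size, b"\x00")  # right-pad with zeros up to the block size
    ipad_key = bytes(b ^ 0x36 for b in k_prime)  # K' xor 0x3636...36 (inner padding)
    opad_key = bytes(b ^ 0x5C for b in k_prime)  # K' xor 0x5c5c...5c (outer padding)
    inner = hashlib.new(hash_name, ipad_key + text).digest()  # H((K' xor ipad) || text)
    return hashlib.new(hash_name, opad_key + inner).digest()  # H((K' xor opad) || inner)


def matches_stdlib(key: bytes, text: bytes) -> bool:
    """Cross-check against hmac.new, using the constant-time compare a verifier should use."""
    expected = hmac.new(key, text, hashlib.sha256).digest()
    return hmac.compare_digest(hmac_from_formula(key, text), expected)
```

The short-key and long-key branches both go through `matches_stdlib`; the RFC 4231 test vector (key of twenty 0x0b bytes, message "Hi There") pins the construction to the published HMAC-SHA-256 value.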
图3为根据本申请实施例提供的一种适用于智能家居环境的分布式跨设备访问控制方法的流程图。FIG. 3 is a flowchart of a distributed cross-device access control method suitable for a smart home environment according to an embodiment of the present application.
如图3所示,该适用于智能家居环境的分布式跨设备访问控制方法,应用于智能家居环境,包括以下步骤:As shown in FIG. 3 , the distributed cross-device access control method suitable for a smart home environment, applied to a smart home environment, includes the following steps:
步骤S1:控制主体与客体从云端获取规定进程所具备的权限信息的访问控制规则,并基于访问控制规则对请求的发送和响应进行限制,其中,主体与客体在本地分别持有一个用于标识数据包的正整数counter。Step S1: The control subject and the object obtain the access control rules of the authority information of the specified process from the cloud, and restrict the sending and response of the request based on the access control rules, wherein the subject and the object respectively hold a local ID for identifying the access control rules. A positive integer counter for the packet.
在本申请的一个实施例中,对云端的访问控制规则进行更新时,同时更新主体与客体的访问控制规则。In an embodiment of the present application, when the access control rules of the cloud are updated, the access control rules of the subject and the object are updated at the same time.
具体地,主体与客体从云端获取访问控制规则,访问控制规则由运营商根据产品功能定义、用户根据个人需求利用UI界面授权,访问控制规则规定了进程所具备的权限信息,对请求的发送和响应进行限制。访问控制规则之间不存在冲突。访问控制规则一经生成就会被上传到云端,设备在初次访问时从云端下载规则到本地。云端的规则一旦发生更新,本地的规则就立刻也会被更新。Specifically, the subject and object obtain the access control rules from the cloud. The access control rules are defined by the operator according to the product function and authorized by the user through the UI interface according to the individual needs. Responses are limited. There are no conflicts between access control rules. Once the access control rules are generated, they will be uploaded to the cloud, and the device will download the rules from the cloud to the local when it is accessed for the first time. Once the rules in the cloud are updated, the local rules are also updated immediately.
主客体双方在本地分别持有一个正整数counter,用于标识数据包,实现防重放攻击。Both the host and the object hold a positive integer counter locally, which is used to identify the data packet and realize anti-replay attack.
步骤S2:控制主体与客体建立连接,其中,当主体与客体首次进行通信时,主体先发送连接请求,客体验证主体的身份及主体权限的合法性,若合法,则建立连接的同时,客体基于访问控制规则生成第一预设时长内有效的访问验证凭证Access Token和第二预设时长内有效的更新凭证Refresh Token,以一同返回至主体,其中,第二预设时长大于第一预设时长,更新凭证Refresh Token用来更新访问验证凭证Access Token。Step S2: Controlling the establishment of a connection between the subject and the object, wherein, when the subject and the object communicate for the first time, the subject first sends a connection request, and the object verifies the subject's identity and the legitimacy of the subject's authority. The access control rule generates an Access Token, an access verification credential valid for a first preset duration, and a Refresh Token, an update credential valid for a second preset duration, to return to the subject together, where the second preset duration is greater than the first preset duration , Refresh Credentials Refresh Token is used to update the access authentication credentials Access Token.
在本申请的一个实施例中,在步骤S2之前,还包括:通过客体对主体的身份合法性以及请求权限合法性进行验证,验证通过后建立主体与客体间的连接。In an embodiment of the present application, before step S2, the method further includes: verifying the validity of the subject's identity and the legality of the request authority through the object, and establishing a connection between the subject and the object after the verification is passed.
Specifically, the object's verification of the subject covers both the legitimacy of the subject's identity and the legitimacy of the requested permission. The verification is performed by the object-side proxy and takes place before the actual subject and object processes establish a connection; the connection is set up only after verification passes. The Access Token and Refresh Token are issued by the object, and both carry validity-period information and the identities of the two communicating parties; the Refresh Token additionally carries information identifying the Access Token it corresponds to.
Step S3: after the subject receives and stores the access verification credential (Access Token) and the update credential (Refresh Token), it sends the object a request carrying the Access Token and adds a positive integer counter to the request packet.
In an embodiment of the present application, the counter is an integer held on both the subject and object sides, with an initial value of 0. At the end of each communication, subject and object each increment their own counter by one, so that the two values are updated in step.
Further, the subject stores both the Access Token and the Refresh Token locally but sends only the Access Token. The packet passes through the subject-side proxy, which appends the counter and protects the packet with an HMAC before sending it; the counter starts at 0 and is incremented per packet. (The original text calls this step "HMAC encryption"; an HMAC authenticates the packet and lets the receiver detect tampering or forgery, but it does not conceal the packet's contents.)
Step S4: the object verifies the legitimacy and validity of the Access Token sent by the subject. If the token is legitimate and valid, the object executes the requested content and returns the result to the subject; if it is not legitimate, the object rejects the request, reports an error and ends the communication; if it is legitimate but the first preset duration has elapsed, the object returns a credential-expired error to the subject and continues with the following steps.
In an embodiment of the present application, the object's verification is performed by the object-side proxy and covers both the Access Token and the counter. Verification of the Access Token consists of checking its signature and its validity period, so as to ensure that it is both legitimate and valid: if the signature check fails, the communication is ended; if the signature check passes but the validity-period check fails, an error is reported without ending the communication. Verification of the counter requires that the counter value in the packet equal the locally stored counter value.
Step S5: after the subject receives the credential-expired error, it sends the object the Refresh Token matching the expired Access Token, together with the positive integer counter.
It will be understood that the Refresh Token is used to renew an expired Access Token. Because the validity period of the Refresh Token is much longer than that of the Access Token, the Refresh Token normally does not expire.
Specifically, the subject sends the Refresh Token corresponding to the expired Access Token. The packet passes through the subject-side proxy, which appends the counter and protects the packet with an HMAC before sending it; the counter continues to be incremented per packet.
Step S6: the object verifies the legitimacy and validity of the Refresh Token and at the same time checks the consistency of the positive integer counter. If the check fails, the object rejects the request, reports an error and ends the communication; if it passes, the object generates, again on the basis of the access control rules, a new Access Token and a corresponding new Refresh Token and returns them to the subject.
Further, the object's verification is performed by the object-side proxy and covers both the Refresh Token and the counter. Verification of the Refresh Token consists of checking its signature and its validity period, so as to ensure that it is legitimate and valid; if either check fails, the communication is ended. Verification of the counter requires that the counter value in the packet equal the locally stored counter value.
Step S7: after the subject receives the new access verification credential and the corresponding update credential and stores them in place of the old ones, step S3 is executed again.
Further, the original Access Token and Refresh Token are overwritten on the subject side, and the original Access Token and Refresh Token become invalid.
In one embodiment of the present application, the sending and receiving of all of the subject's communication packets, and their verification, are performed through a transparent proxy on the subject side; the sending and receiving of all of the object's communication packets, and their verification, are performed through a transparent proxy on the object side.
Specifically, the subject's processing of its packets through the subject-side transparent proxy comprises the following steps:
S101: a transparent proxy is deployed on the subject device. The subject process connects to the proxy; the subject process's port is not visible externally, and the proxy's port is presented externally as the process port, so that every communication packet can only be sent or received via the proxy.
S102: when subject and object communicate for the first time, the subject proxy sends the object a request to connect. The proxy signs the packet with the subject's private key before forwarding it, so as to identify the subject. If the object generates an Access Token and a Refresh Token, they are first received by the proxy, which uses the object's public key to verify that the issuer of the tokens is the object. If the issuer is the object, the proxy decrypts the two tokens and stores them locally; if it is not, this step is repeated.
S103: the subject process sends a request to the object. The proxy receives the request, adds the Access Token and the counter to the request packet, protects the packet with an HMAC under the key dynamically negotiated with the object, and sends the processed packet to the object. If the proxy receives a counter-renegotiation request from the object, it divides the existing counter by 100, rounds up, and multiplies by 100 to obtain the new counter, then repeats this step.
S104: if the proxy receives an Access Token-expired error from the object, it sends the object the Refresh Token corresponding to the expired Access Token together with the counter, again protected with the HMAC. If the proxy receives a new Access Token and Refresh Token, it uses the HMAC key to verify that the issuer of the two tokens is the object. If the issuer is the object, the proxy decrypts the two tokens, stores them locally and proceeds to S103; if it is not, this step is repeated. If the proxy receives a counter-renegotiation request from the object, it divides the existing counter by 100, rounds up, and multiplies by 100 to obtain the new counter, then repeats this step.
S105: if the proxy receives a request result or requested resource returned by the object, it checks and unwraps the packet with the HMAC key and forwards the original content to the subject process.
Specifically, the object's processing of its packets through the object-side transparent proxy comprises the following steps:
S201: a transparent proxy is deployed on the object side. The proxy connects to the object process; the object process's port is not visible externally, and the proxy's port is presented externally as the process port, so that every communication packet can only be sent or received via the proxy.
S202: the proxy receives the connection request from the subject, verifies the subject's identity with the subject's public key and verifies the subject's permission against the access control rules. If both identity and permission are legitimate, the proxy generates an Access Token and a Refresh Token, signs them with its private key, sends them to the subject and proceeds to S203; if either is not legitimate, the proxy returns an error and ends the communication.
S203: the proxy receives the subject's request containing the Access Token and the counter and checks the packet's legitimacy with the HMAC key. If the check fails, the packet is illegitimate: the proxy returns an error and ends the communication. If the check succeeds, the proxy verifies whether the Access Token has expired and whether the counter is consistent. If the Access Token has expired, S204 is executed; if the counter is inconsistent, S205 is executed; if both are legitimate and valid, the proxy strips the Access Token and counter from the verified packet and passes it to the object process, which executes the request, and the proxy returns the result to the subject.
S204: the proxy sends the subject an Access Token error, then receives the Refresh Token and counter sent by the subject. Using its local information, the proxy verifies the identity and permission carried by the Refresh Token and at the same time checks whether the counter is consistent. If the Refresh Token is illegitimate, the proxy returns an error and ends the communication; if the counter is inconsistent, S205 is executed; if both are legitimate and valid, the proxy generates a new Access Token and Refresh Token, protects them with the HMAC, sends them to the subject and proceeds to S203.
S205: the proxy sends the subject a counter-renegotiation request, itself protected with the HMAC. Subject and object synchronize on a new counter, whose value is the existing counter divided by 100, rounded up, and multiplied by 100.
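The following is an added, constructed walk-through of the exchange in steps S3 to S7 and S101 to S205, written to make the token lifecycle concrete; it is not code from the patent. It substitutes an HMAC under a key that only the object holds for the object's private-key signature (the Python standard library has no asymmetric signing), uses a manual clock dictionary in place of real time, and leaves the object's replies unsealed, although the text also protects them with the HMAC (S105). The durations, field names and error strings are assumptions.

```python
import hashlib
import hmac
import json
import math
import secrets

# Constructed example of the subject-proxy / object-proxy exchange (steps S3-S7,
# S101-S105, S201-S205); not the patent's code. Assumptions: token signatures are
# HMACs under a key only the object holds (stand-in for its private key), time is
# a manual clock dict, and replies travel unsealed although the text MACs them.
ACCESS_TTL, REFRESH_TTL = 60, 3600   # first / second preset durations, assumed

def tag(key, payload):
    data = json.dumps(payload, sort_keys=True).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()

def seal(key, body):   # the text's "HMAC encryption": body plus its MAC
    return {"body": body, "mac": tag(key, body)}

def unseal(key, packet):
    if not hmac.compare_digest(packet["mac"], tag(key, packet["body"])):
        raise ValueError("bad MAC")
    return packet["body"]

class ObjectProxy:
    def __init__(self, name, rules, clock):
        self.name, self.rules, self.clock = name, rules, clock
        self.issuer_key = secrets.token_bytes(32)      # never leaves the object
        self.session_keys, self.counters, self.active_refresh = {}, {}, {}

    def _issue(self, subject):
        now = self.clock["now"]
        base = {"sub": subject, "obj": self.name, "iat": now}
        access = {**base, "typ": "access", "id": secrets.token_hex(8),
                  "perm": sorted(self.rules[subject]), "exp": now + ACCESS_TTL}
        refresh = {**base, "typ": "refresh", "id": secrets.token_hex(8),
                   "access_id": access["id"], "exp": now + REFRESH_TTL}
        for tok in (access, refresh):
            tok["sig"] = tag(self.issuer_key, tok)     # signed before "sig" exists
        self.active_refresh[subject] = refresh["id"]   # object keeps only the refresh token
        return access, refresh

    def connect(self, subject):   # S202: identity/permission check, then issuance
        if subject not in self.rules:
            return None
        self.session_keys[subject] = secrets.token_bytes(32)   # negotiated HMAC key
        self.counters[subject] = 0
        return self._issue(subject), self.session_keys[subject]

    def revoke(self, subject):   # timeout-access section: drop the refresh token
        self.active_refresh.pop(subject, None)

    def handle(self, subject, packet):   # S203/S204: MAC, counter, token, then execute
        try:
            body = unseal(self.session_keys[subject], packet)
        except (KeyError, ValueError):
            return {"error": "INVALID_PACKET"}          # communication ends
        local = self.counters[subject]
        if body["counter"] != local:                    # S205; never moves backwards
            self.counters[subject] = math.ceil(max(local, body["counter"]) / 100) * 100
            return {"error": "RENEGOTIATE_COUNTER", "counter": self.counters[subject]}
        tok = body["token"]
        unsigned = {k: v for k, v in tok.items() if k != "sig"}
        if (not hmac.compare_digest(tok["sig"], tag(self.issuer_key, unsigned))
                or (tok["sub"], tok["obj"]) != (subject, self.name)):
            return {"error": "INVALID_TOKEN"}
        if tok["exp"] <= self.clock["now"]:
            return {"error": "TOKEN_EXPIRED"}
        if tok["typ"] == "refresh":
            if (tok["id"] != self.active_refresh.get(subject)
                    or tok["access_id"] != body["expired_access_id"]):
                return {"error": "INVALID_TOKEN"}
            self.counters[subject] += 1
            return {"tokens": self._issue(subject)}
        if body["action"] not in tok["perm"]:           # rules changed, permission withdrawn
            return {"error": "FORBIDDEN"}
        self.counters[subject] += 1
        return {"result": f"{body['action']} done by {self.name}"}

class SubjectProxy:
    def __init__(self, name, obj):
        self.name, self.obj, self.counter = name, obj, 0
        (self.access, self.refresh), self.key = obj.connect(name)

    def _send(self, body):
        body["counter"] = self.counter
        reply = self.obj.handle(self.name, seal(self.key, body))
        if reply.get("error") == "RENEGOTIATE_COUNTER":
            self.counter = reply["counter"]             # adopt the new value and resend
            return self._send(body)
        if "error" not in reply:
            self.counter += 1
        return reply

    def request(self, action):   # S103/S104: on expiry present the refresh token once
        reply = self._send({"token": self.access, "action": action})
        if reply.get("error") == "TOKEN_EXPIRED":
            fresh = self._send({"token": self.refresh, "expired_access_id": self.access["id"]})
            if "tokens" not in fresh:
                return fresh
            self.access, self.refresh = fresh["tokens"]    # S7: overwrite the old pair
            reply = self._send({"token": self.access, "action": action})
        return reply
```

A run with a subject "app" permitted to call "status" and "unlock" on an object "lock" shows the paths the steps describe: a permitted request succeeds and both counters advance; a request outside the token's permissions is refused without advancing the counters; once the first preset duration has passed, the next request triggers the refresh exchange and the old pair is overwritten; a drifted counter is brought back to the next multiple of 100 on both sides; a packet altered after sealing fails the MAC check; and after the object drops the refresh token, the next renewal is rejected.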
The distributed access control scheme of the present invention effectively strengthens the security of cross-device communication in a smart home and prevents connections from malicious devices and requests from malicious applications. It also takes into account the weak computing power and small storage of some IoT devices, and is therefore suitable for real smart home environments.
The specific flow of the access control scheme of the present application is described below with reference to the drawings and specific embodiments. First, how two entities communicating for the first time establish a connection is described; then the verification mechanisms and outcomes for the various cases are given, and the security guarantees the present application provides for access control are explained in detail.
Initial access:
The initial access mechanism is carried out when the subject process and the object process communicate for the first time, where "first communication" means a communication for which no trusted connection record yet exists between subject and object. The mechanism generates the Access Token and Refresh Token and initializes the counter value.
When the subject process sends a request, the subject proxy receives it first. Based on the target object of the request, it sends a request to the object's proxy and obtains the connection information, establishing the connection "subject process → subject proxy → object proxy → object process", and then forwards the communication. Algorithm 1 in Table 1 shows this process.
Table 1
The subject proxy is transparent to the subject's user: the user is unaware of the proxy, and a transparent proxy requires no manual configuration by the user. Figure 4 shows the implementation details of the initial access mechanism. Packet processing and forwarding are performed entirely by the proxies; solid lines denote packet transfers, and dashed lines denote the proxies' reads from and writes to the subject's and object's storage. Because the process does not require the active participation of the subject or object processes, the scheme does not modify them.
After the connection is established, the subject first sends its locally stored access control rules to the subject proxy. The subject's packet handling is shown in Algorithm 2 in Table 2: the subject proxy obtains the access control rules, appends the counter to the packet containing the rules, encrypts the packet with the object's public key and signs it with the subject's private key, and sends the signed packet to the object. The proxy's modification of the packet here protects the data in transit against tampering and eavesdropping.
Table 2
The object first downloads the access control rules from the cloud to local storage for later verification. The packet sent by the subject is first taken over by the object proxy. On receiving the subject's packet containing the access control rules, the object first decrypts the packet with its private key and then verifies the signature with the subject's public key, to confirm that the subject's identity is trustworthy and the message authentic; otherwise the request is rejected outright. Once verification passes, the object compares its local access control rules with the rules in the packet to make sure both sides hold the same rules. If the rules differ, it returns a notice that the application needs updating, and both sides download the latest rules from the cloud again. If the rules agree, the object generates the Access Token and Refresh Token according to the rules and negotiates a random number with the subject to serve as the key for the subsequent HMAC. The Access Token, Refresh Token and key likewise go through the mechanism of Algorithm 2: the object proxy appends the counter to the packet, encrypts and signs it, and sends it to the subject. The Access Token and Refresh Token are always bound to the port number of the subject process; the subject proxy writes both into the subject's storage, while the object side stores only the Refresh Token.
Access verification:
The access verification mechanism is carried out once the subject side holds an Access Token/Refresh Token pair and uses the Access Token to access the object. The mechanism verifies the legitimacy of the Access Token and the counter and, in abnormal cases, invokes the timeout access mechanism or the packet-loss/retransmission mechanism.
As shown in Figure 4, after the subject sends a request, the subject proxy picks up the message, copies the contents of the request packet, fetches from the subject's storage the Access Token corresponding to the requesting process, adds the Access Token and the counter to the packet, protects the packet with the HMAC and sends it. Algorithm 3 in Table 3 presents the subject proxy's processing and forwarding of requests.
Table 3
On receiving the packet containing the Access Token, the object proxy performs verification. At this point the object only needs to verify the legitimacy of the Access Token and the counter; it no longer needs to perform identity authentication or authorization. If both are legitimate, the request is passed to the object process, which performs the requested operation. Legitimacy of the Access Token here means:
1. the Access Token was issued by the object and has not been tampered with (verified by its signature);
2. the Access Token contains the permission the subject is requesting (verified by its permission information);
3. the Access Token has not expired (verified by its issuance time and validity period).
If the Access Token has not expired but is not legitimate, the user has changed the rules and withdrawn the permission; the object returns a request-failed message and the request is rejected outright. If the Access Token has expired, the object returns an error code indicating that the token is invalid, and the token must be renewed, i.e. the timeout access mechanism is invoked. If the counter is not legitimate, the packet-loss/replay access mechanism is invoked.
Algorithm 4 in Table 4 presents the object proxy's verification mechanism, covering both packets carrying access control rules and packets carrying an Access Token. The object proxy is a reverse proxy, likewise transparent to the subject's user. It receives the packets sent by the subject, decrypts and verifies them, and only after verification passes forwards the decrypted packet to the real object process. As shown in Figure 4, the packet received by the object process no longer contains a counter or signature but is a directly executable request.
Table 4
Timeout access:
The timeout access mechanism is carried out when the access verification mechanism finds that the Access Token has expired. The mechanism requests the subject's Refresh Token, verifies its legitimacy, and generates a new Access Token and Refresh Token.
As shown in Figure 5, the object returns an error indicating that the Access Token is invalid. The subject then sends the Refresh Token together with the expired Access Token to the object, and the object proxy verifies the legitimacy of the Refresh Token. As before, solid lines denote packet transfers and dashed lines denote the proxies' reads from and writes to subject and object storage; the subject and object processes take no active part. Legitimacy of the Refresh Token means:
1. the Refresh Token was issued by the object and has not been tampered with (verified by its signature);
2. the Refresh Token has not been disabled (verified against the object's storage);
3. the Refresh Token matches the Access Token (verified by the Access Token information it carries);
4. the Refresh Token has not expired (verified by its issuance time and validity period).
If the Refresh Token is legitimate, a new Access Token and Refresh Token are issued; apart from the issuance time and validity period, the payload of the new Access Token is unchanged from the old one. At any one time there can be only one Access Token whose payload, issuance time and validity period aside, carries the same information, and only one corresponding Refresh Token; if several exist, the one with the latest issuance time is the valid Access Token and Refresh Token. To disable an Access Token, it suffices to delete the object's copy of the Refresh Token or add it to a blacklist. Because an Access Token that is still within its validity period continues to verify, a withdrawal made this way is enforced at the subject's next renewal, that is, no later than the end of the first preset duration. Under the timeout access mechanism, all information exchanged between subject and object is protected with the HMAC, with a mechanism similar to Algorithm 3.
Packet loss/replay access:
The packet-loss/replay access mechanism is carried out when the access verification mechanism finds that the counter in a received packet differs from the local counter. The mechanism calls the counter-reset function so that the subject's and object's counters agree again.
The method of the present application uses an integer counter to identify packets carrying a token and thereby resist replay attacks. The counter's initial value is 0. Because TCP and UDP transport differ, the two protocols use different counter synchronization rules. For a TCP-based connection, the counter is initialized after the two parties complete the three-way handshake and stays constant for the whole TCP connection until the four-way close completes; only after the connection is torn down do both parties increment their counters by one. For a UDP-based connection, each packet carries a different counter value: the sender increments its counter by one for every packet it sends, and the receiver increments its counter by one for every packet it receives.
Under the packet-loss/replay access mechanism the two proxies negotiate a new counter value, the field in the box in Figure 6. If the receiver's counter is smaller than the counter in the packet, the sender has sent more packets than the receiver has received; this mostly happens over UDP and indicates packet loss in transit. If the receiver's counter is larger than the counter in the packet, the sender has sent a duplicate packet, which may indicate a replay attack, and the communication is treated as faulty. Whenever the counters disagree, the object returns a message requesting counter renegotiation, and subject and object reset their counters; if packets were lost, they must also be retransmitted.
Because the counter is kept at packet granularity, the difference between the two parties' counters should normally be below 10; the tolerance is widened to 100, and the formula for resetting the counter is:
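The following added example, not the patent's code, models the counter rules of this section so that the loss and replay cases can be tried out: one counter value per connection in TCP mode, one per packet in UDP mode, and a resync to the next multiple of 100 as S205 states in words. The decision to start the resync from the larger of the two values, so that the counter never moves backwards and an older packet cannot be re-accepted after a resync, is an assumption added here; the class and function names are likewise assumptions.

```python
import math

# Added example of the counter rules in the packet-loss/replay section; not the
# patent's code. Assumptions: in TCP mode one value covers a whole connection and
# both ends add one when it closes; in UDP mode every packet carries the next
# value. The resync formula is the one S205 states in words (ceil(c / 100) * 100).


class PacketCounter:
    def __init__(self, mode):
        if mode not in ("tcp", "udp"):
            raise ValueError(f"unknown transport mode: {mode}")
        self.mode, self.value = mode, 0

    def next_to_send(self):
        """Sender side: the counter to place in the next outgoing packet."""
        current = self.value
        if self.mode == "udp":
            self.value += 1
        return current

    def check(self, packet_counter):
        """Receiver side: 'ok', 'loss' (sender is ahead) or 'replay' (old value again)."""
        if packet_counter == self.value:
            if self.mode == "udp":
                self.value += 1
            return "ok"
        return "loss" if packet_counter > self.value else "replay"

    def connection_closed(self):
        """TCP mode: both ends advance once per completed connection."""
        if self.mode == "tcp":
            self.value += 1

    def renegotiate(self, packet_counter):
        """S205 resync; starting from the larger value keeps the counter from moving back."""
        self.value = math.ceil(max(self.value, packet_counter) / 100) * 100
        return self.value


def resync(sender, receiver, packet_counter):
    """The receiver proposes the new value and the sender adopts it, so both agree."""
    sender.value = receiver.renegotiate(packet_counter)
    return sender.value


def udp_transfer(payloads, lost=()):
    """Simulate a UDP stream in which packets whose index is in `lost` never arrive.
    Returns the receiver's verdict per delivered packet plus both counters, so the
    caller can resync and retransmit. After a gap every later packet reads as
    'loss' until the counters are renegotiated, which is why S205 exists."""
    sender, receiver, verdicts = PacketCounter("udp"), PacketCounter("udp"), []
    for index, payload in enumerate(payloads):
        counter = sender.next_to_send()
        if index in lost:
            continue                      # constructed packet loss on the wire
        verdicts.append((payload, receiver.check(counter)))
    return verdicts, sender, receiver
```

With four packets and the second one lost, the receiver accepts the first, flags the third and fourth as loss, and flags a re-sent copy of the first as replay; a resync then moves both counters to 100. In TCP mode three requests on one connection all carry 0 and the counter only advances when the connection closes.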
The distributed cross-device access control method for smart home environments proposed in the embodiments of the present application authenticates every packet on the basis of the access verification credential. This frees access control from dependence on third-party services or rule data sets and tightens monitoring of every communication packet, while lowering the resource cost of access control on IoT devices. Pairing the access verification credential with an update credential avoids the security risk of an access credential that remains valid forever once issued, while sparing the user frequent authorization prompts. Having the proxies authenticate and forward the packets addresses the security problem of two parties establishing a cross-device connection before authentication, and at the same time hides the real ports and internal details of the device processes, preventing attacks that exploit exposed ports.
Next, the distributed cross-device access control device for smart home environments proposed in the embodiments of the present application is described with reference to the drawings.
Figure 7 is an example diagram of a distributed cross-device access control device for smart home environments according to an embodiment of the present application.
As shown in Figure 7, the distributed cross-device access control device 10 for smart home environments is applied in a smart home environment and comprises: a preparation module 100, a connection establishment module 200, a first request module 300, a first verification module 400, a second request module 500, a second verification module 600 and an update module 700.
The preparation module 100 controls the subject and the object to obtain from the cloud the access control rules that specify the permissions each process holds, and restricts the sending of requests and responses according to those rules; the subject and the object each hold locally a positive integer counter used to identify packets.
The connection establishment module 200 controls the subject and the object to establish a connection. When subject and object communicate for the first time, the subject first sends a connection request, and the object verifies the legitimacy of the subject's identity and permission. If both are legitimate, the connection is established and at the same time the object generates, on the basis of the access control rules, an access verification credential valid for a first preset duration and an update credential valid for a second preset duration, which are returned to the subject together; the second preset duration is longer than the first.
The first request module 300 is configured, after the subject receives and stores the access verification credential and the update credential, to send the object a request carrying the access verification credential, with the positive integer counter added to the request packet.
The first verification module 400 is configured, after the object verifies the legitimacy and validity of the access verification credential sent by the subject, to execute the requested content and return the result to the subject if the credential is legitimate and valid; to reject the request, report an error and end the communication if it is not legitimate; and, if it is legitimate but the first preset duration has elapsed, to return a credential-expired error to the subject and continue with the following steps.
The second request module 500 is configured, after the subject receives the credential-expired error, to send the object the update credential matching the expired access verification credential together with the positive integer counter.
The second verification module 600 is configured, after the object verifies the legitimacy and validity of the update credential and checks the consistency of the positive integer counter, to reject the request, report an error and end the communication if the check fails, and otherwise to have the object generate, again on the basis of the access control rules, a new access verification credential and a corresponding update credential and return them to the subject.
The update module 700 is configured, after the subject receives the new access verification credential and the corresponding update credential and stores them in place of the old ones, to execute the function of the first request module again.
It should be noted that the foregoing explanation of the embodiment of the distributed cross-device access control method for smart home environments also applies to the distributed cross-device access control device for smart home environments of this embodiment and is not repeated here.
The distributed cross-device access control device for smart home environments proposed in the embodiments of the present application authenticates every packet on the basis of the access verification credential. This frees access control from dependence on third-party services or rule data sets and tightens monitoring of every communication packet, while lowering the resource cost of access control on IoT devices. Pairing the access verification credential with an update credential avoids the security risk of an access credential that remains valid forever once issued, while sparing the user frequent authorization prompts. Having the proxies authenticate and forward the packets addresses the security problem of two parties establishing a cross-device connection before authentication, and at the same time hides the real ports and internal details of the device processes, preventing attacks that exploit exposed ports.
Figure 8 is a schematic structural diagram of an electronic device provided by an embodiment of the present application. The electronic device may comprise:
a memory 801, a processor 802, and a computer program stored in the memory 801 and executable on the processor 802.
When the processor 802 executes the program, it implements the distributed cross-device access control method for smart home environments provided in the above embodiments.
Further, the electronic device also comprises:
a communication interface 803 for communication between the memory 801 and the processor 802.
The memory 801 stores a computer program executable on the processor 802.
The memory 801 may comprise high-speed RAM and may also comprise non-volatile memory, for example at least one disk memory.
If the memory 801, the processor 802 and the communication interface 803 are implemented independently, they may be interconnected by a bus and communicate with one another over it. The bus may be an Industry Standard Architecture (ISA) bus, a Peripheral Component Interconnect (PCI) bus or an Extended Industry Standard Architecture (EISA) bus, among others, and may be divided into an address bus, a data bus, a control bus and so on. For ease of illustration only one thick line is drawn in Figure 8, but this does not mean there is only one bus or one type of bus.
Optionally, in a specific implementation, if the memory 801, the processor 802 and the communication interface 803 are integrated on a single chip, they may communicate with one another through internal interfaces.
The processor 802 may be a central processing unit (CPU), an application-specific integrated circuit (ASIC), or one or more integrated circuits configured to implement the embodiments of the present application.
This embodiment also provides a computer-readable storage medium storing a computer program which, when executed by a processor, implements the distributed cross-device access control method for smart home environments described above.
在本说明书的描述中,参考术语“一个实施例”、“一些实施例”、“示例”、“具体示例”、或“一些示例”等的描述意指结合该实施例或示例描述的具体特征、结构、材料或者特点包含于本申请的至少一个实施例或示例中。在本说明书中,对上述术语的示意性表述不必须针对的是相同的实施例或示例。而且,描述的具体特征、结构、材料或者特点可以在任一个或N个实施例或示例中以合适的方式结合。此外,在不相互矛盾的情况下,本领域的技术人员可以将本说明书中描述的不同实施例或示例以及不同实施例或示例的特征进行结合和组合。In the description of this specification, description with reference to the terms "one embodiment," "some embodiments," "example," "specific example," or "some examples", etc., mean specific features described in connection with the embodiment or example , structure, material or feature is included in at least one embodiment or example of the present application. In this specification, schematic representations of the above terms are not necessarily directed to the same embodiment or example. Furthermore, the particular features, structures, materials or characteristics described may be combined in any suitable manner in any one or N of the embodiments or examples. Furthermore, those skilled in the art may combine and combine the different embodiments or examples described in this specification, as well as the features of the different embodiments or examples, without conflicting each other.
In addition, the terms "first" and "second" are used for descriptive purposes only and are not to be understood as indicating or implying relative importance, or as implicitly indicating the number of the technical features referred to. Thus, a feature qualified by "first" or "second" may explicitly or implicitly include at least one such feature. In the description of the present application, "N" means at least two, for example two, three, and so on, unless otherwise expressly and specifically defined.
Any process or method description in a flowchart, or otherwise described herein, may be understood as representing a module, segment or portion of code comprising one or N executable instructions for implementing the steps of a custom logical function or process. The scope of the preferred embodiments of the present application includes alternative implementations in which the functions may be performed out of the order shown or discussed, including substantially concurrently or in the reverse order, depending on the functions involved, as should be understood by those skilled in the art to which the embodiments of the present application belong.
The logic and/or steps represented in the flowcharts or otherwise described herein may, for example, be considered an ordered list of executable instructions for implementing logical functions, and may be embodied in any computer-readable medium for use by, or in connection with, an instruction execution system, apparatus or device (such as a computer-based system, a system including a processor, or another system that can fetch instructions from an instruction execution system, apparatus or device and execute them). For the purposes of this specification, a "computer-readable medium" may be any apparatus that can contain, store, communicate, propagate or transport the program for use by or in connection with an instruction execution system, apparatus or device. More specific examples (a non-exhaustive list) of computer-readable media include the following: an electrical connection (electronic device) having one or N wires, a portable computer diskette (magnetic device), a random access memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fibre device, and a portable compact disc read-only memory (CDROM). In addition, the computer-readable medium may even be paper or another suitable medium on which the program is printed, since the program can be obtained electronically by, for example, optically scanning the paper or other medium, then editing, interpreting or otherwise processing it in a suitable manner as necessary, and then storing it in computer memory.
It should be understood that the various parts of the present application may be implemented in hardware, software, firmware or a combination thereof. In the above embodiments, N steps or methods may be implemented in software or firmware stored in memory and executed by a suitable instruction execution system. For example, if implemented in hardware, as in another embodiment, any one of the following techniques known in the art, or a combination thereof, may be used: discrete logic circuits having logic gates for implementing logic functions on data signals, application-specific integrated circuits having suitable combinational logic gates, programmable gate arrays (PGA), field programmable gate arrays (FPGA), and so on.
Those of ordinary skill in the art can understand that all or part of the steps carried by the methods of the above embodiments may be completed by a program instructing the relevant hardware; the program may be stored in a computer-readable storage medium, and when executed, the program includes one of the steps of the method embodiments or a combination thereof.
In addition, the functional units in the embodiments of the present application may be integrated into one processing module, or each unit may exist physically on its own, or two or more units may be integrated into one module. The above integrated modules may be implemented in the form of hardware or in the form of software functional modules. If the integrated modules are implemented in the form of software functional modules and sold or used as independent products, they may also be stored in a computer-readable storage medium.
The above-mentioned storage medium may be a read-only memory, a magnetic disk, an optical disk, or the like. Although the embodiments of the present application have been shown and described above, it should be understood that the above embodiments are exemplary and should not be construed as limiting the present application; those of ordinary skill in the art may make changes, modifications, substitutions and variations to the above embodiments within the scope of the present application.
Claims (10)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202111334887.4A CN114338076B (en) | 2021-11-11 | 2021-11-11 | Distributed cross-device access control method and device suitable for smart home environment |
Publications (2)
Publication Number | Publication Date |
---|---|
CN114338076A true CN114338076A (en) | 2022-04-12 |
CN114338076B CN114338076B (en) | 2023-04-07 |
Family ID: 81045496
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202111334887.4A Active CN114338076B (en) | 2021-11-11 | 2021-11-11 | Distributed cross-device access control method and device suitable for smart home environment |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN114338076B (en) |
Citations (9)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20150236908A1 (en) * | 2014-02-19 | 2015-08-20 | Samsung Electronics Co., Ltd. | Method and apparatus for managing access information for registration of device in smart home service |
US9397990B1 (en) * | 2013-11-08 | 2016-07-19 | Google Inc. | Methods and systems of generating and using authentication credentials for decentralized authorization in the cloud |
CN109951485A (en) * | 2019-03-20 | 2019-06-28 | Chongqing University of Posts and Telecommunications | SDN-based Internet of Things access control method |
CN109981689A (en) * | 2019-04-29 | 2019-07-05 | Tsinghua University | Cross-domain strong logical isolation and secure access control method and device in Internet of Things scenarios |
US10567381B1 (en) * | 2015-12-17 | 2020-02-18 | Amazon Technologies, Inc. | Refresh token for credential renewal |
CN111935169A (en) * | 2020-08-20 | 2020-11-13 | Tencent Technology (Shenzhen) Co., Ltd. | Business data access method, device, equipment and storage medium |
CA3135212A1 (en) * | 2019-05-20 | 2020-11-26 | Citrix Systems, Inc. | Computing system and methods providing session access based upon authentication token with different authentication credentials |
CN112765639A (en) * | 2021-01-27 | 2021-05-07 | Wuhan University | Security micro-service architecture based on zero trust access strategy and implementation method |
CN113190828A (en) * | 2021-05-25 | 2021-07-30 | Wangsu Science & Technology Co., Ltd. | Request proxy method, client device and proxy service device |
Non-Patent Citations (2)
Title |
---|
PRAJAKTA SOLAPURKAR: "Building secure healthcare services using OAuth 2.0 and JSON web token in IoT cloud scenario", 2016 2nd International Conference on Contemporary Computing and Informatics (IC3I) * |
纪健全; 姚英英; 常晓林: "Authentication and authorization scheme for industrial Internet platforms based on OpenID Connect" * |
Also Published As
Publication number | Publication date |
---|---|
CN114338076B (en) | 2023-04-07 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| GR01 | Patent grant | |