CN119698803A - Method, device and electronic device for determining unique identification of device - Google Patents
- Publication number
- CN119698803A (application CN202280099057.4A)
- Authority
- CN
- China
- Prior art keywords
- address
- client certificate
- mac address
- terminal equipment
- terminal
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L12/00—Data switching networks
- H04L12/02—Details
- H04L12/16—Arrangements for providing special services to substations
- H04L12/18—Arrangements for providing special services to substations for broadcast or conference, e.g. multicast
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L12/00—Data switching networks
- H04L12/28—Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
Landscapes
- Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Security & Cryptography (AREA)
- Small-Scale Networks (AREA)
Abstract
A method, an apparatus and an electronic device for determining a unique identifier of a device are provided. The method includes: acquiring a first device identifier of a first terminal device and a first client certificate of the first terminal device, the first device identifier comprising a first MAC address and a first IP address; binding the first client certificate and the first device identifier into a first binding record, which uniquely identifies the first terminal device; identifying, based on the first client certificate, whether the first device identifier has changed to a second device identifier comprising a second MAC address and a second IP address, where the second MAC address differs from the first MAC address and/or the second IP address differs from the first IP address; and, if the first device identifier is identified as having changed to the second device identifier, replacing the first device identifier in the first binding record with the second device identifier so as to update the first binding record. The method improves both the accuracy and the efficiency of device identification.
Description
The present invention relates to the field of computer technologies, and in particular, to a method and an apparatus for determining a unique identifier of a device, and an electronic device.
Device identification is critical for certain business scenarios (e.g., asset management, network traffic analysis). In the related art, the Internet Protocol (IP) address or the Media Access Control (MAC) address of a device is generally used as its unique identifier. An IP address identifies a host on an IP network; a MAC address identifies a network interface of the device. IP and MAC addresses are used as device identifiers mainly because they are easy to obtain from network traffic.
However, in a complex network environment, devices cannot be accurately identified by IP address or MAC address alone. For example, the IP address of a device may change when it joins the same network at different times. As another example, a device may be connected to different networks at the same time through two or more network interface cards, and is then assigned several pairs of IP and MAC addresses. In these scenarios, identifying devices by IP address or MAC address causes the same device to be recorded as several different devices, making device identification inaccurate.
Disclosure of Invention
In view of the foregoing, the present invention provides a method, an apparatus, and an electronic device for determining a unique identifier of a device, which are used to at least partially solve the above-mentioned technical problems.
In a first aspect, an embodiment of the present application provides a method for determining a unique identifier of a device, including:
Acquiring a first equipment identifier of first terminal equipment and a first client certificate of the first terminal equipment, wherein the first equipment identifier comprises a first MAC address and a first IP address;
binding the first client certificate and the first equipment identifier as a first binding record, wherein the first binding record is used for uniquely identifying the first terminal equipment;
Identifying, based on the first client certificate, whether the first device identity changes to a second device identity, wherein the second device identity comprises a second MAC address and a second IP address, the second MAC address being different from the first MAC address and/or the second IP address being different from the first IP address;
And if the first equipment identifier is identified to be changed into the second equipment identifier, replacing the first equipment identifier in the first binding record with the second equipment identifier so as to update the first binding record.
In one possible implementation manner, the identifying, based on the first client certificate, whether the first device identifier is changed to a second device identifier includes:
Acquiring the second equipment identifier of the second terminal equipment and a second client certificate of the second terminal equipment;
and if the second client certificate is the same as the first client certificate, determining that the first terminal equipment and the second terminal equipment are the same terminal equipment, and changing the first equipment identifier into the second equipment identifier.
In one possible implementation manner, the obtaining the first device identifier of the first terminal device and the first client certificate of the first terminal device includes:
Acquiring an MAC address and a client certificate of the first terminal equipment from interaction information between the first terminal equipment and an authentication server when the first terminal equipment is accessed to a network, wherein the MAC address and the client certificate are respectively used as the first MAC address and the first client certificate;
And acquiring the IP address of the first terminal equipment from the interaction information of the first terminal equipment and the DHCP server when the IP address is requested, and taking the IP address as the first IP address.
In one possible implementation manner, obtaining the MAC address and the client certificate of the first terminal device from the interaction information between the first terminal device and the authentication server when accessing the network, as the first MAC address and the first client certificate respectively, includes:
Acquiring an authentication access start request sent by the first terminal equipment when accessing to a network;
Acquiring the MAC address of the first terminal equipment from the authentication access start request as the first MAC address;
Acquiring an access authentication request sent to the authentication server by the first terminal equipment when network authentication is performed;
And acquiring a client certificate of the first terminal equipment from the access authentication request as the first client certificate.
In one possible implementation manner, the obtaining, from the interaction information of the first terminal device with the DHCP server when the first terminal device requests the IP address, the IP address of the first terminal device as the first IP address includes:
Acquiring a DHCP response sent by the DHCP server in response to the DHCP request of the first terminal equipment;
and acquiring the IP address of the first terminal equipment from the DHCP response as the first IP address.
In a second aspect, an embodiment of the present application provides an apparatus for determining a unique identifier of a device, including:
An acquisition module configured to acquire a first device identifier of a first terminal device and a first client certificate of the first terminal device, wherein the first device identifier comprises a first MAC address and a first IP address;
the binding module is used for binding the first client certificate and the first equipment identifier to be used as a first binding record, and the first binding record is used for uniquely identifying the first terminal equipment;
An identification module configured to identify, based on the first client certificate, whether the first device identifier changes to a second device identifier, where the second device identifier includes a second MAC address and a second IP address, the second MAC address being different from the first MAC address, and/or the second IP address being different from the first IP address;
And the updating module is used for replacing the first equipment identifier in the first binding record with the second equipment identifier to update the first binding record if the first equipment identifier is identified to be changed into the second equipment identifier.
In one possible implementation manner, the identification module is specifically configured to:
Acquiring the second equipment identifier of the second terminal equipment and a second client certificate of the second terminal equipment;
and if the second client certificate is the same as the first client certificate, determining that the first terminal equipment and the second terminal equipment are the same terminal equipment, and changing the first equipment identifier into the second equipment identifier.
In one possible implementation manner, the acquiring module is specifically configured to:
Acquiring an MAC address and a client certificate of the first terminal equipment from interaction information between the first terminal equipment and an authentication server when the first terminal equipment is accessed to a network, wherein the MAC address and the client certificate are respectively used as the first MAC address and the first client certificate;
And acquiring the IP address of the first terminal equipment from the interaction information of the first terminal equipment and the DHCP server when the IP address is requested, and taking the IP address as the first IP address.
In one possible implementation manner, the acquiring module is specifically configured to:
Acquiring an authentication access start request sent by the first terminal equipment when accessing to a network;
Acquiring the MAC address of the first terminal equipment from the authentication access start request as the first MAC address;
Acquiring an access authentication request sent to the authentication server by the first terminal equipment when network authentication is performed;
and acquiring the client certificate of the first terminal equipment from the access authentication request as the first client certificate.
In one possible implementation manner, the acquiring module is specifically configured to:
Acquiring a DHCP response sent by the DHCP server in response to the DHCP request of the first terminal equipment;
and acquiring the IP address of the first terminal equipment from the DHCP response as the first IP address.
In a third aspect, an electronic device is provided, including a processor, a memory, a communication interface, and a communication bus, where the processor, the memory, and the communication interface complete communication with each other through the communication bus, and the memory is configured to store at least one executable instruction, where the executable instruction causes the processor to perform an operation corresponding to the method according to any one of the first aspects.
In a fourth aspect, there is provided a computer readable storage medium having stored thereon computer executable instructions, wherein the computer executable instructions when executed cause the processor to perform the method of any of the first aspects.
The embodiments of the present application provide a method, an apparatus and an electronic device for determining a unique identifier of a device. Because the first client certificate of the first terminal device is unique to it, even when the first device identifier changes to a second device identifier, that is, when the MAC address of the first terminal device changes from the first MAC address to a second MAC address and/or its IP address changes from the first IP address to a second IP address, the change can be recognised immediately on the basis of the first client certificate and the binding record updated, so that the device is identified uniquely and accurately and the accuracy of device identification is improved. In addition, because the uniqueness and persistence of the first client certificate guarantee that the first binding record always identifies the first terminal device, the complexity of service logic such as device query, device update, device merging and device binding is markedly reduced and its efficiency improved. For the same reason there is no need to assign the first terminal device a further identity by hand in order to identify it uniquely, which saves labour.
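The binding logic of S201-S204, as an added worked example that is not part of the patent: an in-memory table keyed by the SHA-256 fingerprint of the DER client certificate, fed with the events the access device observes in the flow of fig. 5. All class and function names, the certificate bytes and the addresses are constructed for illustration. One check a practitioner would want is included: a binding is created or updated only for a MAC whose EAP-TLS exchange ended with EAP-Success, since a certificate seen in the handshake alone does not prove that the supplicant holds the matching private key.

```python
"""Binding records keyed by client-certificate fingerprint (example code, not from the patent)."""
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

DeviceId = Tuple[str, str]  # (MAC address, IP address): the patent's "device identifier"


@dataclass
class PendingSession:
    """Per-MAC state collected while a supplicant authenticates and requests an IP."""
    fingerprint: Optional[str] = None  # SHA-256 over the DER client certificate (S502)
    authenticated: bool = False        # set when the access device sends EAP-Success (flow 11)


@dataclass
class BindingTable:
    records: Dict[str, DeviceId] = field(default_factory=dict)  # fingerprint -> (mac, ip)
    pending: Dict[str, PendingSession] = field(default_factory=dict)

    def on_eapol_start(self, mac: str) -> None:
        """S501: the MAC is the Ethernet source address of the EAPoL-Start frame (flow 1)."""
        self.pending[mac.lower()] = PendingSession()

    def on_client_certificate(self, mac: str, cert_der: bytes) -> Optional[str]:
        """S502: certificate seen in the EAP-TLS Response (flow 8). Keyed by fingerprint,
        not raw bytes, so the key is fixed-size and safe to log or index."""
        sess = self.pending.get(mac.lower())
        if sess is None:
            return None  # certificate from a MAC that never sent EAPoL-Start: ignore it
        sess.fingerprint = hashlib.sha256(cert_der).hexdigest()
        return sess.fingerprint

    def on_eap_success(self, mac: str) -> None:
        """Flow 11: only the RADIUS server's Access-Accept proves the supplicant holds the
        private key, so the certificate is trusted for binding only from this point."""
        sess = self.pending.get(mac.lower())
        if sess is not None and sess.fingerprint is not None:
            sess.authenticated = True

    def on_dhcp_ack(self, mac: str, ip: str) -> str:
        """S504 then S202-S204: bind cert -> (mac, ip); replace the stored identifier when
        the same certificate shows up with a new MAC and/or IP."""
        mac = mac.lower()
        sess = self.pending.get(mac)
        if sess is None or not sess.authenticated:
            return "ignored"  # no completed EAP-TLS for this MAC: never touch the table
        new_id: DeviceId = (mac, ip)
        old_id = self.records.get(sess.fingerprint)
        if old_id is None:
            self.records[sess.fingerprint] = new_id
            return "created"
        if old_id != new_id:
            self.records[sess.fingerprint] = new_id
            return "updated"
        return "unchanged"

    def lookup(self, cert_der: bytes) -> Optional[DeviceId]:
        return self.records.get(hashlib.sha256(cert_der).hexdigest())


# Constructed placeholders standing in for two devices' DER-encoded client certificates.
CERT_A = b"\x30\x82\x01\x00 placeholder DER for device A"
CERT_B = b"\x30\x82\x01\x00 placeholder DER for device B"


def authenticate(table: BindingTable, mac: str, cert_der: bytes) -> None:
    """Flows 1-11 condensed: EAPoL-Start, EAP-TLS certificate, EAP-Success."""
    table.on_eapol_start(mac)
    table.on_client_certificate(mac, cert_der)
    table.on_eap_success(mac)


def run_demo() -> Tuple[List[str], BindingTable]:
    table = BindingTable()
    actions: List[str] = []
    # Day 1: device A on its first NIC receives 172.16.0.2.
    authenticate(table, "00:11:22:33:44:55", CERT_A)
    actions.append(table.on_dhcp_ack("00:11:22:33:44:55", "172.16.0.2"))   # created
    # Day 2: same certificate, same NIC, DHCP hands out a different address.
    authenticate(table, "00:11:22:33:44:55", CERT_A)
    actions.append(table.on_dhcp_ack("00:11:22:33:44:55", "172.16.0.3"))   # updated
    # Device A's second NIC: same certificate, new MAC and new IP.
    authenticate(table, "00:11:22:33:44:66", CERT_A)
    actions.append(table.on_dhcp_ack("00:11:22:33:44:66", "10.0.0.7"))     # updated
    # A different certificate is a different device, even on a MAC that A used before.
    authenticate(table, "00:11:22:33:44:55", CERT_B)
    actions.append(table.on_dhcp_ack("00:11:22:33:44:55", "172.16.0.9"))   # created
    # A DHCP ACK for a MAC that never completed EAP-TLS changes nothing.
    actions.append(table.on_dhcp_ack("de:ad:be:ef:00:01", "172.16.0.50"))  # ignored
    return actions, table


if __name__ == "__main__":
    acts, tbl = run_demo()
    print(acts, tbl.lookup(CERT_A), tbl.lookup(CERT_B))
```

Keying by fingerprint means that a renewed or re-issued certificate is a different key: where certificates are rotated, the table would need to be keyed by something that survives renewal (for example the certificate subject or the subject public key), a point the patent text does not address.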
FIG. 1 is an architecture diagram of a system suitable for use in a method for determining a unique identification of a device provided by an embodiment of the present application;
FIG. 2 is a schematic flow chart of a method for determining a unique identification of a device provided by an embodiment of the present application;
Fig. 3 is a schematic diagram of a procedure for acquiring a MAC address and a client certificate of a first terminal device according to an embodiment of the present application;
Fig. 4 is a schematic diagram of a procedure for acquiring an IP address of a first terminal device according to an embodiment of the present application;
Fig. 5 is a signal flow diagram of a process for acquiring a MAC address, a client certificate, and an IP address of a first terminal device according to an embodiment of the present application;
FIG. 6 is a schematic structural diagram of an apparatus for determining a unique identifier of a device according to an embodiment of the present application;
fig. 7 is a schematic structural diagram of an electronic device according to an embodiment of the present application.
List of reference numerals:
10 terminal device; 20 access device; 30 authentication server; 30A RADIUS server; 40 DHCP server
S201, acquiring a first equipment identifier of a first terminal equipment and a first client certificate of the first terminal equipment
S202, binding a first client certificate and a first device identifier as a first binding record
S203, based on the first client certificate, identifying whether the first device identifier is changed into the second device identifier
S204, if the first device identifier is identified as having changed to the second device identifier, replacing the first device identifier in the first binding record with the second device identifier to update the first binding record
301, 401 MAC address; 302 client certificate; 402 IP address
1 The first terminal device sends an authentication access start message < EAPoL-Start > to the access device
2 The access device sends an identity request < EAP-Request/Identity > to the first terminal device
3 The first terminal device sends an identity response message < EAP-Response/Identity > to the access device
4 The access device encapsulates the identity response message < EAP-Response/Identity > in a RADIUS access request message < RADIUS Access-Request/Identity > and transmits it to the RADIUS server
5 The RADIUS server sends a TLS start request message < EAP-TLS-Request/StartTLS > to the first terminal device via the access device
6 The first terminal device sends a client hello message < EAP-TLS-Response/ClientHello > to the RADIUS server via the access device
7 The RADIUS server sends a server hello message < RADIUS Access-Challenge/ServerHello > to the first terminal device via the access device
8 The first terminal device sends a TLS response message < EAP-TLS-Response/Authentication > carrying its client certificate to the RADIUS server via the access device
9 The RADIUS server sends a handshake complete message < EAP-TLS-Request/ChangeCipherSpec, Finished > to the first terminal device via the access device
10 The RADIUS server sends an access accept message < RADIUS Access-Accept > to the access device
11 The access device sends an authentication success message < EAP-Success > to the first terminal device
12 The first terminal device sends a DHCP request < DHCP Request > to the DHCP server via the access device
13 The DHCP server sends a DHCP response < DHCP ACK > to the first terminal device via the access device
S501, receiving the authentication access start message < EAPoL-Start > from the first terminal device and acquiring the MAC address of the first terminal device from it
S502, acquiring the client certificate of the first terminal device from the TLS response message < EAP-TLS-Response/Authentication >
S503, acquiring the MAC address of the first terminal device from the DHCP request
S504, acquiring the IP address of the first terminal device from the DHCP response
60 apparatus for determining a unique device identifier; 601 acquisition module; 602 binding module; 603 identification module; 604 updating module
70 electronic device; 702 processor; 704 communication interface; 706 memory; 708 communication bus; 710 executable instructions
The present application will be described in further detail below with reference to the drawings and examples in order to make the objects, technical solutions, and advantages of the present application more apparent. It will be apparent that the described embodiments are only some, but not all, embodiments of the application. All other technical solutions obtained by a person skilled in the art based on the embodiments of the present application fall within the scope of protection of the present application.
Device identification is critical for certain business scenarios (e.g., asset management, network traffic analysis). In the related art, in view of the ease of acquisition of an IP address and a MAC address from a network, an IP address or a MAC address is generally employed as a unique identifier for identifying a device connected to the network.
However, as mentioned above, in some scenarios the IP address of a device changes when the same device joins the same network at different times, e.g., from 172.x.x.2 to 172.x.x.3. In this scenario the IP address cannot serve as a persistent unique identifier of the device: identifying devices by IP address records the same device as two different devices, so device identification is inaccurate.
As another example, in another scenario, a device has two different network cards, which may be connected to different networks at the same time. Since the device has two different network cards, the device will be assigned two sets of IP addresses and MAC addresses, i.e. the device has a multi-value unique identification. In such a scenario, the same device may be identified as two or more different devices based on the IP address and the MAC address, resulting in inaccurate device identification.
Furthermore, in some traffic scenarios there are other problems with using the MAC address as the unique device identifier. In network traffic analysis, for example, it is often necessary to identify the data source of a packet (i.e., the device that sent it). However, once a packet has been forwarded by a network device such as a router, its source MAC address is that of the forwarding device's interface rather than that of the original sender, and the MAC address can no longer be used to identify the data source.
Based on the above problems, embodiments of the present application provide a method and an apparatus for determining a unique identifier of a device, so as to at least partially solve the above technical problems.
Specific implementations of embodiments of the application are described in detail below with reference to the accompanying drawings.
For ease of understanding, the architecture of a system to which embodiments of the present application apply is first described with reference to fig. 1. FIG. 1 is an architecture diagram of an exemplary system suitable for the method for determining a device unique identifier provided by embodiments of the present application. As shown in fig. 1, the system includes a terminal device 10, such as a factory device that needs to access an IT network or an OT network; an access device 20, such as a switch or a router; an authentication server 30, such as a RADIUS server, for authenticating the terminal device 10 when it accesses the network; and a DHCP server 40 for assigning a dynamic IP address to the terminal device 10 within the local area network. The terminal device 10 accesses the network through the access device 20. When accessing the network, the terminal device 10 must interact with the authentication server 30 through the access device 20 to complete access authentication. After access authentication succeeds, the terminal device 10 interacts with the DHCP server 40 through the access device 20 to request an IP address, and the DHCP server 40 allocates an IP address to the terminal device 10 in response to that request.
The method for determining a device unique identifier provided by the embodiment of the present application may be performed by the access device 20 or other devices communicatively connected to the access device 20. The method for determining the unique identifier of the device according to the embodiment of the present application is described in detail below based on the system of fig. 1.
Fig. 2 is a flowchart of a method for determining a unique identification of a device provided by an embodiment of the present application. The method may be performed by access device 20 of fig. 1, or by other devices communicatively coupled to access device 20. As shown in fig. 2, the method includes:
s201, a first device identifier of the first terminal device 10 and a first client certificate of the first terminal device 10 are acquired.
Wherein the first device identification includes a first MAC address and a first IP address.
The first terminal device 10 corresponds to the terminal equipment shown in fig. 1, which may comprise a factory device or other similar device accessing an OT network or an IT network.
The first client certificate is a digital certificate verifying the legal identity of the first terminal device 10 during network communication. The first client certificate is unique and persistent for the first terminal device 10.
In one implementation of the present application, step S201 may include:
Step a, the MAC address and the client certificate of the first terminal device 10 are obtained from the interaction information between the first terminal device 10 and the authentication server 30 when accessing the network, and are respectively used as the first MAC address and the first client certificate.
Specifically, as shown in fig. 3, when the first terminal device 10 is networked, the first terminal device 10 first needs to interact with the authentication server 30 through the access device 20 to complete access authentication. In the interworking procedure, the first terminal device 10 first provides its MAC address to the access device 20. The access device 20 interacts with the first terminal device 10 according to the MAC address transmitted by the first terminal device 10 to request information such as the user name, the client certificate, etc. of the first terminal device 10 to be provided to the authentication server 30, so as to complete authentication between the first terminal device 10 and the authentication server 30.
In the above interaction process, the access device 20 may acquire the MAC address and the client certificate of the first terminal device 10 from the interaction information of the first terminal device 10 and the authentication server 30, as the first MAC address and the first client certificate, respectively. In one possible implementation, the access device 20 obtains an authentication access start request sent by the first terminal device 10 when accessing the network, obtains the MAC address 301 of the first terminal device 10 from the authentication access start request as the first MAC address, obtains an access authentication request sent by the first terminal device 10 to the authentication server 30 via the access device 20 when performing network authentication, and obtains the client certificate 302 of the first terminal device 10 from the access authentication request as the first client certificate.
To facilitate an understanding of the above process, the detailed procedure is described below with the example of fig. 5. Fig. 5 is a signal flow diagram of a procedure for acquiring the MAC address, the client certificate and the IP address of the first terminal device 10 according to an embodiment of the present application. In fig. 5 a RADIUS server 30A is taken as the authentication server, and access authentication between the first terminal device 10 and the RADIUS server uses the EAP-TLS protocol. It should be understood that fig. 5 is only an example; in other embodiments the first terminal device 10 and the authentication server 30 may use other suitable protocols for access authentication, which this embodiment does not limit.
As shown in fig. 5, in signal flow 1 the first terminal device 10 sends an authentication access start message < EAPoL-Start > (i.e., the authentication access start request) to the access device 20, indicating the start of access authentication; the MAC address of the first terminal device 10 is carried in the authentication access start message < EAPoL-Start > as the source address of the frame.
From the authentication access start message the access device 20 may acquire the MAC address of the first terminal device 10 (S501). Specifically, the MAC address of the first terminal device 10 is read from the data link layer header of the authentication access start message as the first MAC address. In response to receiving the authentication access start message, in signal flow 2 the access device 20 sends an identity request < EAP-Request/Identity > to the first terminal device 10, asking it to provide an identity.
In response to receiving the identity request message < EAP-Request/Identity >, the first terminal device 10 sends an identity response message < EAP-Response/Identity >, whose content is the user identity, to the access device 20 in signal flow 3.
In signal flow 4, the access device 20 encapsulates the identity response message < EAP-Response/Identity > in a RADIUS access request message < RADIUS Access-Request/Identity > that is transmitted to the RADIUS server 30A.
After acquiring the identity of the first terminal device 10 from the RADIUS access request message < RADIUS Access-Request/Identity >, the RADIUS server 30A sends a TLS start request message < EAP-TLS-Request/StartTLS > to the first terminal device 10 via the access device 20 in signal flow 5. It should be appreciated that the encapsulation and decapsulation performed by the access device 20 when forwarding messages between the first terminal device 10 and the RADIUS server 30A is omitted from fig. 5 for simplicity of illustration. In practice, all communication between the first terminal device 10 and the RADIUS server 30A passes through the access device 20; this is not repeated below.
After the first terminal device 10 receives the TLS start request message < EAP-TLS-Request/StartTLS >, it sends a client hello message < EAP-TLS-Response/ClientHello > in signal flow 6 via the access device 20 to the RADIUS server 30A; the message contains the supported TLS protocol versions, the supported cipher suites, the supported compression methods, and so on.
In response to receiving the client hello message < EAP-TLS-Response/ClientHello >, the RADIUS server 30A sends a server hello message < RADIUS Access-Challenge/ServerHello > to the first terminal device 10 via the access device 20 in signal flow 7. It contains the selected TLS protocol version, the selected cipher suite, the server certificate, a request that the client provide a certificate, and so on.
After receiving the server hello message < EAP-TLS-Request/ServerHello >, the first terminal device 10 sends a TLS response message < EAP-TLS-Response/Authentication > in signal flow 8 to the RADIUS server 30A via the access device 20; this message contains the client certificate of the first terminal device 10. At this point the access device 20 may also acquire the client certificate of the first terminal device 10 from the TLS response message < EAP-TLS-Response/Authentication > (S502). Specifically, the client certificate of the first terminal device 10 is read from the TLS handshake data carried in this message as the first client certificate.
In response to receiving the TLS response message < EAP-TLS-Response/Authentication >, in signal flow 9 the RADIUS server 30A sends a handshake complete message < EAP-TLS-Request/ChangeCipherSpec, Finished > to the first terminal device 10 via the access device 20, indicating that the handshake has ended, and in signal flow 10 the RADIUS server 30A sends an access accept message < RADIUS Access-Accept > to the access device 20, indicating that authentication is complete. After decapsulating this message, the access device 20 sends an authentication success message < EAP-Success > to the first terminal device 10 in signal flow 11, at which point authentication is completed.
As described above, while the first terminal device 10 interacts with the RADIUS server 30A via the access device 20, the access device 20 may perform step S501 on receiving the authentication access start message < EAPoL-Start > from the first terminal device 10 in signal flow 1, reading the MAC address of the first terminal device 10 from the data link layer header of that message as the first MAC address. In addition, the access device 20 may perform step S502 on receiving the TLS response message < EAP-TLS-Response/Authentication > from the first terminal device 10 in signal flow 8, reading the client certificate of the first terminal device 10 from the TLS handshake data carried in that message as the first client certificate.
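Steps S501 and S502 on raw frames, as an added example that is not code from the patent: an EAPoL-Start frame and an EAP-Response/EAP-TLS frame carrying a TLS 1.2 Certificate handshake message are constructed and then parsed. The frame layout follows IEEE 802.1X, RFC 3748 (EAP) and RFC 5216 (EAP-TLS); the MAC address, the certificate bytes and all function names are illustrative. The caveat it demonstrates: with TLS 1.3 (RFC 8446, used by EAP-TLS per RFC 9190) the client's Certificate message is sent inside an encrypted record, so an access device in the forwarding path cannot read it, and S502 as described above only works for TLS 1.2 and earlier.

```python
"""S501/S502 on raw 802.1X frames (example code, not from the patent)."""
import struct
from typing import Optional, Tuple

ETHERTYPE_EAPOL = 0x888E
PAE_GROUP_ADDR = bytes.fromhex("0180c2000003")   # 802.1X PAE group destination address
EAPOL_EAP_PACKET, EAPOL_START = 0, 1              # EAPOL packet types
EAP_RESPONSE, EAP_TYPE_TLS = 2, 13                # EAP code / EAP method type
TLS_HANDSHAKE, TLS_APPLICATION_DATA = 22, 23      # TLS record content types
HS_CERTIFICATE = 11                               # TLS handshake message type


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_eapol(frame: bytes) -> Optional[Tuple[str, int, bytes]]:
    """Return (source MAC, EAPOL packet type, EAPOL body), or None for a non-EAPOL frame."""
    if len(frame) < 18 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_EAPOL:
        return None
    _version, ptype, length = struct.unpack("!BBH", frame[14:18])
    return mac_str(frame[6:12]), ptype, frame[18:18 + length]


def mac_from_eapol_start(frame: bytes) -> Optional[str]:
    """S501: the first MAC address is the data-link source address of the EAPoL-Start frame."""
    parsed = parse_eapol(frame)
    if parsed is None or parsed[1] != EAPOL_START:
        return None
    return parsed[0]


def client_cert_from_eap_tls(frame: bytes) -> Optional[bytes]:
    """S502: first certificate of a TLS Certificate handshake message inside an
    EAP-Response/EAP-TLS. Readable only while the handshake is in the clear (TLS 1.2 and
    earlier); in TLS 1.3 the Certificate message travels inside an encrypted record."""
    parsed = parse_eapol(frame)
    if parsed is None or parsed[1] != EAPOL_EAP_PACKET:
        return None
    eap = parsed[2]
    code, _ident, eap_len = struct.unpack("!BBH", eap[:4])
    if code != EAP_RESPONSE or eap[4] != EAP_TYPE_TLS:
        return None
    flags, off = eap[5], 6
    if flags & 0x80:              # L bit: a 4-byte total TLS message length precedes the data
        off += 4
    tls = eap[off:eap_len]
    while len(tls) >= 5:          # walk the TLS records in this EAP-TLS fragment
        ctype, _ver, rlen = struct.unpack("!BHH", tls[:5])
        body, tls = tls[5:5 + rlen], tls[5 + rlen:]
        if ctype != TLS_HANDSHAKE:
            continue              # encrypted (TLS 1.3) or non-handshake record: opaque to us
        while len(body) >= 4:     # walk the handshake messages inside the record
            htype, hlen = body[0], int.from_bytes(body[1:4], "big")
            msg, body = body[4:4 + hlen], body[4 + hlen:]
            if htype == HS_CERTIFICATE and hlen >= 6:
                first_len = int.from_bytes(msg[3:6], "big")   # skip certificate_list length
                return msg[6:6 + first_len]
    return None


# --- constructed frames (illustrative MAC address and certificate bytes) -------
SUPPLICANT_MAC = bytes.fromhex("001122334455")
CERT_DER = b"\x30\x82\x01\x00 placeholder DER client certificate"


def eapol_frame(ptype: int, body: bytes) -> bytes:
    eth = PAE_GROUP_ADDR + SUPPLICANT_MAC + struct.pack("!H", ETHERTYPE_EAPOL)
    return eth + struct.pack("!BBH", 2, ptype, len(body)) + body


def eap_tls_response(record: bytes) -> bytes:
    eap = struct.pack("!BBHBB", EAP_RESPONSE, 5, 6 + len(record), EAP_TYPE_TLS, 0x00) + record
    return eapol_frame(EAPOL_EAP_PACKET, eap)


def tls12_certificate_frame(cert: bytes) -> bytes:
    entry = len(cert).to_bytes(3, "big") + cert                 # one certificate_list entry
    hs_body = len(entry).to_bytes(3, "big") + entry             # certificate_list
    handshake = bytes([HS_CERTIFICATE]) + len(hs_body).to_bytes(3, "big") + hs_body
    record = struct.pack("!BHH", TLS_HANDSHAKE, 0x0303, len(handshake)) + handshake
    return eap_tls_response(record)


def tls13_encrypted_frame(cert: bytes) -> bytes:
    """The same certificate as TLS 1.3 would carry it: inside an application_data record."""
    return eap_tls_response(struct.pack("!BHH", TLS_APPLICATION_DATA, 0x0303, len(cert)) + cert)


START_FRAME = eapol_frame(EAPOL_START, b"")

if __name__ == "__main__":
    print(mac_from_eapol_start(START_FRAME))
    print(client_cert_from_eap_tls(tls12_certificate_frame(CERT_DER)))
    print(client_cert_from_eap_tls(tls13_encrypted_frame(CERT_DER)))
```

A certificate read this way has not been validated: the access device sees the bytes the supplicant chose to send, and only the RADIUS server checks the chain and the CertificateVerify signature, so the value should be held back until EAP-Success in signal flow 11 before any binding is made.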
Step B, the IP address of the first terminal device 10 is obtained as the first IP address from the interaction information of the first terminal device 10 with the DHCP server 40 when the IP address is requested.
Specifically, after the first terminal device 10 completes access authentication, it interacts with the DHCP server 40 via the access device 20 to obtain the dynamic IP address that the DHCP server 40 assigns to it. For example, as shown in fig. 4, the first terminal device 10 may send its MAC address 401 to the access device 20, which forwards it to the DHCP server 40. After determining an IP address for that MAC address, the DHCP server 40 sends the IP address 402 to the access device 20, which forwards it to the first terminal device 10. The first terminal device 10 thus obtains, via the access device 20, the IP address dynamically allocated to it by the DHCP server 40. During this exchange between the DHCP server 40 and the first terminal device 10, the access device 20 can capture both the MAC address that the first terminal device 10 sends to the DHCP server 40 and the IP address that the DHCP server 40 allocates to the first terminal device 10, and it uses that IP address as the first IP address.
For ease of understanding, with continued reference to fig. 5, when requesting an IP address the first terminal device 10 sends a DHCP request < DHCP Request > in signal flow 12 to the DHCP server 40 via the access device 20; the DHCP request contains the MAC address of the first terminal device 10. In response, in signal flow 13 the DHCP server 40 sends a DHCP response < DHCP ACK > to the first terminal device 10 via the access device 20; the DHCP response contains the IP address that the DHCP server 40 assigned to the first terminal device 10. To simplify the figure, the forwarding of the DHCP request and DHCP response by the access device 20 is omitted from fig. 5; in practice, all communication between the first terminal device 10 and the DHCP server 40 passes through the access device 20. When the access device 20 receives the DHCP request from the first terminal device 10 to the DHCP server 40, it performs step S503 to acquire the MAC address of the first terminal device 10 from the DHCP request. When the access device 20 receives the DHCP response sent from the DHCP server 40 to the first terminal device 10, it performs step S504 to acquire the IP address of the first terminal device 10 from the DHCP response.
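The acquisition steps S501 to S504 above, as an added example that is not part of the patent or of any product implementing it: a Python observer that takes the raw frames an access device would see and pulls the first MAC address out of the data-link header of the EAPoL-Start frame, the first client certificate out of the TLS Certificate handshake message carried in the EAP-TLS Response, and the MAC/IP pair out of the DHCPACK. All sample frames are constructed inside the block by the builder functions at the bottom (the DER certificate is a placeholder byte string, not a real certificate), and the example assumes an unfragmented EAP-TLS response and a TLS 1.2 handshake. That last assumption matters in practice: in TLS 1.2 the client Certificate message is sent in the clear, which is what lets a pass-through access device read it; in TLS 1.3 (EAP-TLS per RFC 9190) the Certificate message is encrypted, so the certificate, or a fingerprint of it, would have to be obtained from the authentication server instead.

```python
import hashlib
import struct
from typing import Optional, Tuple

# Field layouts follow IEEE 802.1X (EAPoL), RFC 3748 (EAP), RFC 5216 (EAP-TLS),
# RFC 5246 (TLS 1.2 records) and RFC 2131/2132 (DHCP).
ETHERTYPE_EAPOL = 0x888E
EAPOL_EAP_PACKET, EAPOL_START = 0, 1
EAP_RESPONSE, EAP_TYPE_TLS, EAP_TLS_FLAG_L = 2, 13, 0x80
TLS_HANDSHAKE, HS_CERTIFICATE = 22, 11
DHCP_MAGIC = b"\x63\x82\x53\x63"
DHCP_OPT_MSG_TYPE, DHCP_ACK = 53, 5
PAE_GROUP_MAC = bytes.fromhex("0180c2000003")   # 802.1X group destination address


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def fingerprint(cert_der: bytes) -> str:
    """Stable key for a binding record: SHA-256 over the DER client certificate."""
    return hashlib.sha256(cert_der).hexdigest()


def mac_from_eapol_start(frame: bytes) -> Optional[str]:
    """S501: the first MAC address is the source address of the EAPoL-Start frame."""
    if len(frame) < 18 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_EAPOL:
        return None
    return mac_str(frame[6:12]) if frame[15] == EAPOL_START else None


def cert_from_eap_tls_response(frame: bytes) -> Optional[bytes]:
    """S502: Ethernet -> EAPoL -> EAP -> EAP-TLS -> TLS records; return the end-entity
    certificate (first entry of the TLS Certificate message) or None."""
    if len(frame) < 18 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_EAPOL:
        return None
    if frame[15] != EAPOL_EAP_PACKET:
        return None
    eap = frame[18:18 + struct.unpack("!H", frame[16:18])[0]]
    if len(eap) < 6 or eap[0] != EAP_RESPONSE or eap[4] != EAP_TYPE_TLS:
        return None
    off = 10 if eap[5] & EAP_TLS_FLAG_L else 6      # skip 4-byte TLS length if L flag set
    tls = eap[off:struct.unpack("!H", eap[2:4])[0]]
    pos = 0
    while pos + 5 <= len(tls):                      # iterate TLS records
        ctype, rlen = tls[pos], struct.unpack("!H", tls[pos + 3:pos + 5])[0]
        body, pos = tls[pos + 5:pos + 5 + rlen], pos + 5 + rlen
        if ctype != TLS_HANDSHAKE:
            continue
        hpos = 0
        while hpos + 4 <= len(body):                # iterate handshake messages
            htype, hlen = body[hpos], int.from_bytes(body[hpos + 1:hpos + 4], "big")
            hbody, hpos = body[hpos + 4:hpos + 4 + hlen], hpos + 4 + hlen
            if htype != HS_CERTIFICATE:
                continue
            if len(hbody) < 6 or int.from_bytes(hbody[0:3], "big") == 0:
                return None                         # empty chain: no client certificate
            first_len = int.from_bytes(hbody[3:6], "big")
            return hbody[6:6 + first_len]
    return None


def mac_ip_from_dhcp_ack(payload: bytes) -> Optional[Tuple[str, str]]:
    """S503/S504: chaddr and yiaddr of a DHCPACK (RFC 2131 fixed header layout)."""
    if len(payload) < 240 or payload[0] != 2 or payload[236:240] != DHCP_MAGIC:
        return None
    msg_type, opts, i = None, payload[240:], 0
    while i < len(opts) and opts[i] != 255:         # walk options for message type (53)
        if opts[i] == 0:
            i += 1
            continue
        if opts[i] == DHCP_OPT_MSG_TYPE and opts[i + 1] == 1:
            msg_type = opts[i + 2]
        i += 2 + opts[i + 1]
    if msg_type != DHCP_ACK:
        return None
    return mac_str(payload[28:28 + payload[2]]), ".".join(str(b) for b in payload[16:20])


# --- constructed sample messages for offline use (not captured traffic) ------------
def build_eapol_start(src_mac: bytes) -> bytes:
    return PAE_GROUP_MAC + src_mac + struct.pack("!HBBH", ETHERTYPE_EAPOL, 2, EAPOL_START, 0)


def build_eap_tls_response(src_mac: bytes, cert_der: bytes, eap_id: int = 5) -> bytes:
    entry = len(cert_der).to_bytes(3, "big") + cert_der
    hs_body = len(entry).to_bytes(3, "big") + entry
    hs = bytes([HS_CERTIFICATE]) + len(hs_body).to_bytes(3, "big") + hs_body
    record = struct.pack("!BHH", TLS_HANDSHAKE, 0x0303, len(hs)) + hs
    eap_data = bytes([EAP_TYPE_TLS, 0]) + record    # flags = 0: single, unfragmented
    eap = struct.pack("!BBH", EAP_RESPONSE, eap_id, 4 + len(eap_data)) + eap_data
    eapol = struct.pack("!BBH", 2, EAPOL_EAP_PACKET, len(eap)) + eap
    return PAE_GROUP_MAC + src_mac + struct.pack("!H", ETHERTYPE_EAPOL) + eapol


def build_dhcp_ack(mac: bytes, ip: bytes, xid: int = 0x1234) -> bytes:
    hdr = struct.pack("!BBBBIHH", 2, 1, 6, 0, xid, 0, 0) + b"\x00" * 4 + ip + b"\x00" * 8
    hdr += mac + b"\x00" * 10 + b"\x00" * 192       # chaddr(16) + sname(64) + file(128)
    return hdr + DHCP_MAGIC + bytes([DHCP_OPT_MSG_TYPE, 1, DHCP_ACK, 255])
```

Feeding `build_eapol_start(mac)`, `build_eap_tls_response(mac, der)` and `build_dhcp_ack(mac, ip)` through the three parsers yields the MAC string, the DER bytes and the (MAC, IP) pair that steps S501 to S504 bind. Keying the record on a SHA-256 fingerprint of the DER rather than on the whole certificate keeps the stable identifier compact and avoids equality tests on multi-kilobyte blobs; the parser also returns None for an empty certificate chain, which is how a client that did not authenticate with a certificate appears on the wire.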
Returning to fig. 2, S202: binding the first client certificate and the first device identifier as a first binding record,
wherein the first binding record is used to uniquely identify the first terminal device 10.
Specifically, once the access device 20 has acquired the MAC address and the client certificate of the first terminal device 10, it binds them, that is, it binds the first MAC address to the first client certificate. Subsequently, once it has obtained the MAC address and the IP address of the first terminal device 10, it binds the MAC address to the IP address, so that the MAC address, the client certificate and the IP address of the first terminal device 10 are bound together as a first binding record that uniquely identifies the first terminal device 10.
It will be appreciated that when the first terminal device 10 accesses the network, the access device 20 may always obtain a triplet of the MAC address, the client certificate and the IP address of the first terminal device 10, from which the first terminal device 10 is identified.
S203, identifying, based on the first client certificate, whether the first device identifier has changed to a second device identifier,
wherein the second device identifier comprises a second MAC address and a second IP address, the second MAC address being different from the first MAC address and/or the second IP address being different from the first IP address.
As mentioned above, the MAC address of a given terminal device as acquired by the access device 20 may vary, because in complex application scenarios the same terminal device may have two MAC addresses, or for various other reasons. A client certificate, by contrast, is unique: a given terminal device has only one, persistent client certificate. When the MAC address of a terminal device changes, the change is therefore easily identified, during the authentication access process, from the client certificate of that terminal device. Accordingly, when the MAC address of the first terminal device 10 changes from the first MAC address to the second MAC address, the access device 20 can identify the change based on the client certificate, which allows the MAC address to be updated promptly and keeps the identification of the first terminal device 10 unique.
Also, as mentioned above, because the DHCP server 40 allocates IP addresses dynamically, when the first terminal device 10 accesses the network at a different time after completing access authentication, its IP address may also change. Such a change can likewise be identified based on the first client certificate, owing to its uniqueness and persistence. Moreover, because any change of the MAC address of the first terminal device 10 is recognized from the first client certificate during the authentication access process and the MAC address is updated promptly whenever it changes, at a later stage it is also possible to identify whether the IP address of the first terminal device 10 has changed from the first IP address to the second IP address directly from the MAC address of the first terminal device 10.
In a specific implementation of the present application, identifying, based on the first client certificate, whether the first device identifier has changed to the second device identifier comprises: obtaining a second device identifier of a second terminal device and a second client certificate of the second terminal device; and, if the second client certificate is identical to the first client certificate, determining that the first terminal device 10 and the second terminal device are the same terminal device and that the first device identifier has changed to the second device identifier.
The second terminal device may be the same device as the first terminal device 10, or a different device. The access device 20 may obtain the second device identifier of the second terminal device in the same way as it obtained the first device identifier of the first terminal device 10. Because of the uniqueness and persistence of the client certificate, the access device 20 can determine whether the second terminal device is the same terminal device as the first terminal device 10 by checking whether the second client certificate of the second terminal device is the same as the first client certificate. If the second client certificate is the same as the first client certificate but the first MAC address differs from the second MAC address observed in the authentication access procedure, it may be determined that the first terminal device 10 and the second terminal device are the same terminal device and that the MAC address of the first terminal device 10 has changed. Likewise, if the first terminal device 10 and a second terminal device having the same MAC address are found, after access authentication is completed, to have the first IP address and the second IP address respectively, and the two IP addresses differ, it may be determined that the first terminal device 10 and the second terminal device are the same terminal device and that the IP address of the first terminal device 10 has changed from the first IP address to the second IP address.
S204, if the first device identifier is identified as having changed to the second device identifier, replacing the first device identifier in the first binding record with the second device identifier so as to update the first binding record.
Specifically, where it is recognized that the MAC address of the first terminal device 10 has changed from the first MAC address to the second MAC address, the first MAC address in the first binding record may be updated to the second MAC address to update the first binding record, thereby keeping the identification of the first terminal device 10 unique. Likewise, where the IP address of the first terminal device 10 has changed from the first IP address to the second IP address, the first IP address in the first binding record may be updated to the second IP address. Where it is recognized that both the MAC address of the first terminal device 10 has changed from the first MAC address to the second MAC address and the IP address of the first terminal device 10 has changed from the first IP address to the second IP address, the first MAC address in the first binding record may be updated to the second MAC address and the first IP address to the second IP address, thereby keeping the identification of the first terminal device 10 unique.
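Steps S202 to S204 as an added example, not code from the patent or from any product: a Python binding table keyed by certificate fingerprint that applies the two update paths the text describes, the MAC change detected from the authentication exchange (by certificate) and the IP change detected from the DHCP exchange (by the already-updated MAC). The result names, the 'conflict' outcome for a MAC that presents a second, different certificate, and the choice to clear the IP when the MAC changes are this example's own assumptions, not something the patent specifies.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, Optional


def fingerprint(cert_der: bytes) -> str:
    """Stable key for a terminal: SHA-256 of the DER client certificate."""
    return hashlib.sha256(cert_der).hexdigest()


@dataclass
class BindingRecord:
    """The triplet of S202: certificate (as fingerprint), MAC address, IP address."""
    cert_fp: str
    mac: str
    ip: Optional[str] = None          # unknown until the DHCP exchange completes


class BindingTable:
    """Binding records keyed by certificate fingerprint, plus a MAC index so that DHCP
    events, which carry no certificate, can be attributed to a record (S203/S204)."""

    def __init__(self) -> None:
        self.by_cert: Dict[str, BindingRecord] = {}
        self.by_mac: Dict[str, str] = {}  # MAC address -> certificate fingerprint

    def on_authenticated(self, cert_der: bytes, mac: str) -> str:
        """Called with the (certificate, MAC) pair observed during 802.1X/EAP-TLS.
        Returns one of 'created', 'unchanged', 'mac_updated', 'conflict'."""
        fp = fingerprint(cert_der)
        holder = self.by_mac.get(mac)
        if holder is not None and holder != fp:
            # A different certificate presented from an already-bound MAC: do not
            # silently re-point the record; surface it for policy (assumed handling).
            return "conflict"
        rec = self.by_cert.get(fp)
        if rec is None:                   # S201/S202: first sighting of this certificate
            self.by_cert[fp] = BindingRecord(fp, mac)
            self.by_mac[mac] = fp
            return "created"
        if rec.mac == mac:
            return "unchanged"
        # S203/S204: same certificate, different MAC -> replace first MAC with second.
        # The old IP is cleared because its lease was granted to the old MAC.
        self.by_mac.pop(rec.mac, None)
        rec.mac, rec.ip = mac, None
        self.by_mac[mac] = fp
        return "mac_updated"

    def on_dhcp_ack(self, mac: str, ip: str) -> str:
        """Called with (chaddr, yiaddr) of a DHCPACK. The MAC index is current because
        MAC changes were already applied from the authentication exchange."""
        fp = self.by_mac.get(mac)
        if fp is None:
            return "unknown_mac"          # lease for a MAC that never authenticated
        rec = self.by_cert[fp]
        if rec.ip == ip:
            return "unchanged"
        rec.ip = ip                       # S204: replace first IP with second IP
        return "ip_updated"

    def lookup(self, cert_der: bytes) -> Optional[BindingRecord]:
        return self.by_cert.get(fingerprint(cert_der))
```

A sequence of `on_authenticated(cert, mac1)`, `on_dhcp_ack(mac1, ip1)`, `on_authenticated(cert, mac2)`, `on_dhcp_ack(mac2, ip2)` walks the record through exactly the MAC and IP replacements of S204 while `lookup(cert)` keeps returning the same record. Returning 'conflict' instead of overwriting is the safer default for an access device, since the text's premise is that one certificate maps to one device; the reverse situation, one MAC presenting two certificates, is not a legitimate MAC change and deserves an explicit decision rather than a silent rebind.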
In the embodiment of the present application, owing to the uniqueness of the first client certificate of the first terminal device, even when the first device identifier of the first terminal device changes to the second device identifier, that is, when the MAC address of the first terminal device changes from the first MAC address to the second MAC address and/or the IP address of the first terminal device changes from the first IP address to the second IP address, the change can be identified immediately and the record updated based on the first client certificate, so that the device remains uniquely and accurately identified and the accuracy of device identification is improved. In addition, because the uniqueness and persistence of the first client certificate ensure that the first binding record always identifies the first terminal device uniquely, the complexity of service logic such as device query, device update, device merging and device binding is markedly reduced and its efficiency improved. For the same reason, there is no need to manually assign some other identity identifier to the first terminal device in order to identify it uniquely, which saves labor cost.
Fig. 6 is a schematic structural diagram of an apparatus for determining a unique identifier of a device according to an embodiment of the present application. The apparatus 60 may be the access device 20 of fig. 1, may be integrated in the access device 20, or may be communicatively coupled to the access device 20 in order to perform the method for determining a unique identifier of a device provided by the foregoing method embodiments. As shown in fig. 6, the apparatus includes:
an obtaining module 601, configured to obtain a first device identifier of a first terminal device and a first client certificate of the first terminal device, where the first device identifier includes a first MAC address and a first IP address;
a binding module 602, configured to bind the first client certificate and the first device identifier as a first binding record, where the first binding record is used to uniquely identify the first terminal device;
an identifying module 603, configured to identify, based on the first client certificate, whether the first device identifier has changed to a second device identifier, where the second device identifier includes a second MAC address and a second IP address, and the second MAC address is different from the first MAC address and/or the second IP address is different from the first IP address; and
an updating module 604, configured to replace the first device identifier in the first binding record with the second device identifier to update the first binding record if the first device identifier is identified as having changed to the second device identifier.
In one possible implementation, the identifying module 603 is specifically configured to:
acquire a second device identifier of a second terminal device and a second client certificate of the second terminal device; and
if the second client certificate is the same as the first client certificate, determine that the first terminal device and the second terminal device are the same terminal device and that the first device identifier has changed to the second device identifier.
In one possible implementation, the obtaining module 601 is specifically configured to:
acquire the MAC address and the client certificate of the first terminal device from the interaction between the first terminal device and the access authentication server when the first terminal device accesses the network, as the first MAC address and the first client certificate respectively; and
acquire the IP address of the first terminal device from the interaction between the first terminal device and the DHCP server when the IP address is requested, as the first IP address.
In one possible implementation, the obtaining module 601 is specifically configured to:
acquire the authentication access start request sent by the first terminal device when it accesses the network;
acquire the MAC address of the first terminal device from the authentication access start request;
acquire the access authentication request sent by the first terminal device to the authentication server during network authentication; and
acquire the client certificate of the first terminal device from the access authentication request.
In one possible implementation, the obtaining module 601 is specifically configured to:
acquire the DHCP response sent by the DHCP server in response to the DHCP request of the first terminal device; and
acquire the IP address of the first terminal device from the DHCP response.
The device for determining the unique identifier of the device provided in this embodiment is used to implement the corresponding method for determining the unique identifier of the device in the foregoing multiple method embodiments, and has the beneficial effects of the corresponding method embodiments, which are not described herein again. In addition, the functional implementation of each module in the apparatus for determining a device unique identifier in this embodiment may refer to the description of the corresponding part in the foregoing method embodiment, which is not repeated herein.
Fig. 7 is a schematic structural diagram of an electronic device according to an embodiment of the present application. The electronic device 70 may be the access device 20 of fig. 1, may be integrated into the access device 20, or may be communicatively coupled to the access device 20 in order to perform the method for determining a unique identifier of a device provided by the foregoing method embodiments. As shown in fig. 7, the electronic device may include a processor 702, a communication interface 704, a memory 706 storing a program (at least one executable instruction 710), and a communication bus 708.
The processor, communication interface, and memory communicate with each other via a communication bus.
And the communication interface is used for communicating with other electronic devices or servers.
And a processor, configured to execute a program, and specifically may execute relevant steps in the foregoing method embodiment.
In particular, the program may include program code including computer-operating instructions.
The processor may be a central processing unit (CPU), an application-specific integrated circuit (ASIC), or one or more integrated circuits configured to implement embodiments of the present application. The one or more processors included in the electronic device may be of the same type, such as one or more CPUs, or of different types, such as one or more CPUs together with one or more ASICs.
And the memory is used for storing programs. The memory may comprise high-speed RAM memory or may further comprise non-volatile memory, such as at least one disk memory.
The program may in particular be operative to cause a processor to perform the method for determining a unique identification of a device provided in the foregoing method embodiments.
In addition, the specific implementation of each step in the program may refer to the corresponding steps and corresponding descriptions in the units in the above method embodiments, which are not repeated herein. It will be clear to those skilled in the art that, for convenience and brevity of description, specific working procedures of the apparatus and modules described above may refer to corresponding procedure descriptions in the foregoing method embodiments, which are not repeated herein.
It should be noted that, according to implementation requirements, each component/step described in the embodiments of the present application may be split into more components/steps, or two or more components/steps or part of operations of the components/steps may be combined into new components/steps, so as to achieve the objects of the embodiments of the present application.
The above-described methods according to embodiments of the present application may be implemented in hardware or firmware, or as software or computer code stored on a recording medium such as a CD-ROM, RAM, floppy disk, hard disk or magneto-optical disk, or as computer code originally stored on a remote recording medium or non-transitory machine-readable medium and downloaded over a network onto a local recording medium, so that the methods described herein can be carried out by such software on a recording medium using a general-purpose computer, a special-purpose processor, or programmable or special-purpose hardware such as an ASIC or FPGA. It is understood that a computer, processor, microprocessor controller or programmable hardware includes a storage component (e.g., RAM, ROM, flash memory, etc.) that can store or receive software or computer code which, when accessed and executed by the computer, processor or hardware, performs the methods described herein. Furthermore, when a general-purpose computer accesses code for implementing the methods illustrated herein, execution of that code converts the general-purpose computer into a special-purpose computer for performing those methods.
Embodiments of the present application also provide a computer-readable storage medium having stored thereon computer-executable instructions which, when executed, cause a processor to perform the method of any of the preceding method embodiments. It has the same working principle and technical effects as the preceding method embodiments, and for brevity a detailed description is omitted here.
While the invention has been illustrated and described in detail in the drawings and in the preferred embodiments, the invention is not limited to the disclosed embodiments, and those skilled in the art will appreciate that the features of the various embodiments described above may be combined to produce further embodiments of the invention, which are also within its scope.
Claims (10)
- A method for determining a unique identification of a device, comprising: acquiring a first device identifier of a first terminal device and a first client certificate of the first terminal device (S201), wherein the first device identifier comprises a first MAC address and a first IP address; binding the first client certificate with the first device identifier as a first binding record (S202), the first binding record being used for uniquely identifying the first terminal device; identifying, based on the first client certificate, whether the first device identifier changes to a second device identifier (S203), wherein the second device identifier comprises a second MAC address and a second IP address, the second MAC address being different from the first MAC address and/or the second IP address being different from the first IP address; and, if it is identified that the first device identifier has changed to the second device identifier, replacing the first device identifier in the first binding record with the second device identifier to update the first binding record (S204).
- The method according to claim 1, wherein said identifying, based on said first client certificate, whether said first device identifier has changed to a second device identifier (S203) comprises: acquiring the second device identifier of a second terminal device and a second client certificate of the second terminal device; and, if the second client certificate is the same as the first client certificate, determining that the first terminal device and the second terminal device are the same terminal device and that the first device identifier has changed to the second device identifier.
- The method according to claim 1 or 2, wherein said acquiring a first device identifier of a first terminal device and a first client certificate of said first terminal device comprises: acquiring a MAC address and a client certificate of the first terminal device from the interaction between the first terminal device and an authentication server when the first terminal device accesses a network, as the first MAC address and the first client certificate respectively; and acquiring an IP address of the first terminal device from the interaction between the first terminal device and a DHCP server when the IP address is requested, as the first IP address.
- The method according to claim 3, wherein said acquiring, from the interaction between the first terminal device and the authentication server when accessing the network, the MAC address and the client certificate of the first terminal device as the first MAC address and the first client certificate respectively comprises: acquiring an authentication access start request sent by the first terminal device when accessing the network; acquiring the MAC address of the first terminal device from the authentication access start request as the first MAC address; acquiring an access authentication request sent by the first terminal device to the authentication server during network authentication; and acquiring the client certificate of the first terminal device from the access authentication request as the first client certificate.
- The method according to claim 3, wherein said acquiring, from the interaction between the first terminal device and the DHCP server when requesting the IP address, the IP address of the first terminal device as the first IP address comprises: acquiring a DHCP response sent by the DHCP server in response to a DHCP request of the first terminal device; and acquiring the IP address of the first terminal device from the DHCP response as the first IP address.
- An apparatus for determining a unique identification of a device, comprising: an obtaining module (601) configured to obtain a first device identifier of a first terminal device and a first client certificate of the first terminal device, where the first device identifier includes a first MAC address and a first IP address; a binding module (602) configured to bind the first client certificate and the first device identifier as a first binding record, where the first binding record is used to uniquely identify the first terminal device; an identifying module (603) configured to identify, based on the first client certificate, whether the first device identifier has changed to a second device identifier, wherein the second device identifier comprises a second MAC address and a second IP address, the second MAC address being different from the first MAC address and/or the second IP address being different from the first IP address; and an updating module (604) configured to replace the first device identifier in the first binding record with the second device identifier to update the first binding record if the first device identifier is identified as having changed to the second device identifier.
- The apparatus according to claim 6, characterized in that said identifying module (603) is specifically configured to: acquire the second device identifier of a second terminal device and a second client certificate of the second terminal device; and, if the second client certificate is the same as the first client certificate, determine that the first terminal device and the second terminal device are the same terminal device and that the first device identifier has changed to the second device identifier.
- The apparatus according to claim 7, wherein the obtaining module (601) is specifically configured to: acquire a MAC address and a client certificate of the first terminal device from the interaction between the first terminal device and an authentication server when the first terminal device accesses a network, as the first MAC address and the first client certificate respectively; and acquire an IP address of the first terminal device from the interaction between the first terminal device and a DHCP server when the IP address is requested, as the first IP address.
- An electronic device comprising a processor (702), a memory (706), a communication interface (704) and a communication bus (708), said processor, memory and communication interface communicating with each other via said communication bus, said memory storing at least one executable instruction (710) for causing said processor to perform operations corresponding to the method according to any one of claims 1 to 5.
- A computer-readable storage medium having stored thereon computer-executable instructions, wherein the computer-executable instructions, when executed, cause a processor to perform the method according to any one of claims 1 to 5.
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| PCT/CN2022/116362 WO2024045092A1 (en) | 2022-08-31 | 2022-08-31 | Method and apparatus for determining unique identifier of device, and electronic device |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN119698803A true CN119698803A (en) | 2025-03-25 |
Family
ID=90100013
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202280099057.4A Pending CN119698803A (en) | 2022-08-31 | 2022-08-31 | Method, device and electronic device for determining unique identification of device |
Country Status (2)
| Country | Link |
|---|---|
| CN (1) | CN119698803A (en) |
| WO (1) | WO2024045092A1 (en) |
Family Cites Families (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN1167227C (en) * | 2001-10-31 | 2004-09-15 | 华为技术有限公司 | Virtual Local Area Network Access Method in Fiber-Coaxial Hybrid Access Network |
| US8290498B2 (en) * | 2004-07-28 | 2012-10-16 | Broadcom Corporation | Mobile handoff through multi-network simulcasting |
| CN107911384B (en) * | 2014-05-29 | 2018-09-25 | 深圳市正骏科技有限公司 | A kind of cell management system and method based on digital certificate |
| CN104468862B (en) * | 2014-12-15 | 2018-07-27 | 北京奇安信科技有限公司 | A kind of method, apparatus and system of IP address binding |
| US10341332B2 (en) * | 2016-07-26 | 2019-07-02 | International Business Machines Corporation | System and method for providing persistent user identification |
2022
- 2022-08-31 WO PCT/CN2022/116362 patent/WO2024045092A1/en not_active Ceased
- 2022-08-31 CN CN202280099057.4A patent/CN119698803A/en active Pending
Also Published As
| Publication number | Publication date |
|---|---|
| WO2024045092A1 (en) | 2024-03-07 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN112887444A (en) | VPN (virtual private network) request processing method, client device and system | |
| CN111711659B (en) | Method and device for remotely managing terminal, equipment and storage medium thereof | |
| CN110247848B (en) | Method, network device and computer-readable storage medium for sending message | |
| US8601568B2 (en) | Communication system for authenticating or relaying network access, relaying apparatus, authentication apparatus, and communication method | |
| CN113839882B (en) | Message flow splitting method and device | |
| US11418951B2 (en) | Method for identifying encrypted data stream, device, storage medium and system | |
| US20250063052A1 (en) | Relay method, relay apparatus, and relay system | |
| CN108429739B (en) | Method, system and terminal equipment for identifying honeypots | |
| CN116032507A (en) | Data transmission method, proxy server and business client | |
| CN102984138B (en) | A kind of methods, devices and systems obtaining object | |
| CN111030914A (en) | Data transmission method and data transmission system | |
| CN103973648B (en) | Application data method for pushing, apparatus and system | |
| CN114363902B (en) | 5G private network service security assurance method, device, equipment and storage medium | |
| CN119698803A (en) | Method, device and electronic device for determining unique identification of device | |
| CN107078941B (en) | Method for transmitting IP data packet to IP address, processing device and mobile equipment | |
| CN109462589B (en) | Method, device and equipment for controlling network access of application program | |
| CN116156497B (en) | Gateway authentication method, device and storage medium | |
| CN110838967B (en) | Virtual private network connection method, server, client and storage medium | |
| CN117527655A (en) | A NAT type detection method, device and electronic equipment | |
| CN114731338A (en) | System and method for controlling load of domain name system server | |
| CN110798542A (en) | Method and system for acquiring IP address | |
| CN119892940B (en) | A system and method for resolving source addresses of cloud network clients | |
| US20190020628A1 (en) | Smart Sender Anonymization in Identity Enabled Networks | |
| CN121357231A (en) | Method, apparatus, and device for explicitly specifying DNS servers when using SOCKS5 proxy | |
| CN116668160A (en) | Connection method, device, equipment and storage medium of Internet of things equipment |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | PB01 | Publication | |
| | SE01 | Entry into force of request for substantive examination | |