
TWI846184B - System and method for generating an authorization list - Google Patents

System and method for generating an authorization list

Info

Publication number: TWI846184B
Authority: TW (Taiwan)
Prior art keywords: user, dut, public, association table, data association
Application number: TW111146640A
Other languages: Chinese (zh)
Other versions: TW202424791A (en)
Inventors: 鄭茂宏, 楊則彥, 陳禹先, 林則宇
Original assignee: 威聯通科技股份有限公司

Application filed by 威聯通科技股份有限公司
Priority to TW111146640A (patent TWI846184B)
Priority to CN202211586609.2A (patent CN118157864A)
Publication of TW202424791A
Application granted
Publication of TWI846184B

Classifications

    • H: Electricity
    • H04: Electric communication technique
    • H04L: Transmission of digital information, e.g. telegraphic communication
    • H04L 9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols
    • H04L 9/32: Cryptographic mechanisms or arrangements including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L 9/321: Cryptographic mechanisms or arrangements for verifying the identity or authority of a user, involving a third party or a trusted authority
    • H04L 63/00: Network architectures or network communication protocols for network security
    • H04L 63/08: Network architectures or network communication protocols for network security, for authentication of entities
    • H04L 63/0876: Authentication of entities based on the identity of the terminal or its configuration, e.g. MAC address, hardware or software configuration or device fingerprint

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Power Engineering (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

Disclosed is a system for generating an authorization list. The system is connected to a plurality of wide area networks (WANs) and includes an access token generation module. The module identifies the one or more public IP addresses that one or more Internet service providers (ISPs) assign to a user device (DUT), keyed by the MAC address of the DUT's default gateway, and produces an identification result. From that result the module generates an access token and sends it to the DUT, so that the DUT can reach one or more local area networks through any of those public IP addresses. The local area networks have their firewalls enabled and admit only subnet access. The disclosure also provides a method of operating the foregoing system to generate the authorization list.

Description

System and method for generating an authorization list

The present invention relates to a system and method for generating an authorization list, and in particular to a system and method for generating an authorization list that are suited to a system connected to a plurality of wide area networks (WANs).

A network attached storage (NAS) device is a file-level data storage server that connects to a computer network and provides data access to heterogeneous network clients. A NAS device is a network appliance containing one or more storage drives, usually arranged as logical volumes, redundant storage or a Redundant Array of Independent Disks (RAID); it is, for example, a smart storage device that centrally stores photos, videos, music and documents. Connecting a NAS device to the home or office network creates a secure and easily managed shared space in which the data of several devices can be managed, shared and synchronized centrally, and the data on the NAS device can be accessed remotely at any time from a computer or from a mobile app on a phone. NAS devices offer many convenient and interesting applications that are not inferior to public cloud services.

However, existing NAS devices have some problems. Refer to FIG. 1, a schematic diagram of a prior-art system for generating an authorization list. As shown in FIG. 1, the prior-art system 100 for generating an authorization list consists mainly of one or more NAS devices 120, 130; the number of NAS devices on the Internet 140 can be adjusted to actual needs. The system 100 further comprises an authentication and authorization server 150, a user device (DUT) 112, a personal or company network 110, a data association table 122 and a data association table 152. Data association table 122 usually holds the user ID, device ID, IP address and similar data, while data association table 152 is, for example, a device access permission list. The user device (DUT) 112 is located in the personal or company network 110 and can establish network connections.

In general, the system 100 for generating an authorization list operates in a security environment intended to protect devices exposed to the external network. When a user wants to reach a device in the external network (for example NAS device 120 or NAS device 130) from the user device (DUT) 112, the device to be accessed only needs to allow the user's IP address in its firewall settings. However, the Internet service provider (ISP) behind the personal or company network 110 commonly provides more than one public IP address. As shown in FIG. 1, if the source end (the user device (DUT) 112) has two public IP addresses, then with existing security techniques public IP 1, once authenticated and authorized by the authentication and authorization server 150, is recorded in the server's data association table 152 and is also added to the whitelist in data association table 122 of NAS device 120. In some situations, however, the user device (DUT) 112 will reach NAS device 120 via public IP 2, and because public IP 2 is not on the whitelist of NAS device 120 the access fails.

In summary, how to provide a system and method for generating an authorization list that solves the above problem is an issue the industry needs to address.

In view of the above, one aspect of the present disclosure provides a system for generating an authorization list that can be connected to a plurality of wide area networks (WANs). The system comprises an access token generation module configured to identify, according to a default gateway media access control (MAC) address held by a user device (DUT), the one or more public IP addresses provided to the DUT by one or more Internet service providers (ISPs), and to produce an identification result; to generate an access token according to the identification result for the one or more public IP addresses; and to transmit the access token to the DUT, so that the DUT can access one or more local area networks through the one or more public IP addresses, wherein the one or more local area networks have their firewalls enabled and allow only subnet access.

According to one or more embodiments of the present disclosure, the access token generation module comprises: a zero-trust server configured to identify, according to the default gateway MAC address of the DUT, the one or more public IP addresses provided to the DUT by the one or more ISPs and to produce the identification result; and an authentication and authorization server configured to generate the access token according to the identification result for the one or more public IP addresses and to transmit the access token to the DUT, so that the DUT can access the one or more local area networks through the one or more public IP addresses, wherein the one or more local area networks have their firewalls enabled and allow only subnet access.

According to one or more embodiments of the present disclosure, the DUT that has obtained the access token can also access one or more network-based IP cameras through the one or more public IP addresses, wherein the one or more network-based IP cameras have their firewalls enabled and allow only subnet access.

According to one or more embodiments of the present disclosure, the DUT comprises an identity verification unit, which logs in to the access token generation module and obtains the access token by way of the default gateway MAC address, so that the DUT can access the one or more local area networks or one or more network-based IP cameras through the one or more public IP addresses.

According to one or more embodiments of the present disclosure, the system further comprises a plurality of other user devices (DUTs), each of which also has a default gateway MAC address.

According to one or more embodiments of the present disclosure, each DUT has a device ID, and each device ID is a Universally Unique Identifier (UUID).

Another aspect of the present disclosure provides a method for generating an authorization list, applicable to a system for generating an authorization list that is connected to a plurality of WANs and in which one or more network-based IP cameras or one or more local area networks have their firewalls enabled and allow only subnet access. The method comprises the following steps: identifying, according to the default gateway MAC address held by each of one or more DUTs, the one or more public IP addresses provided to that DUT by one or more ISPs, and producing an identification result; and generating an access token according to the identification result for the one or more public IP addresses and transmitting the access token to each DUT, so that each DUT can access the one or more network-based IP cameras or the one or more local area networks through the one or more public IP addresses, wherein the one or more network-based IP cameras or local area networks have their firewalls enabled and allow only subnet access.

According to one or more embodiments of the present disclosure, before each DUT obtains the access token, the one or more network-based IP cameras or local area networks first obtain the access token and establish a first data association table and a second data association table. The first data association table represents the mapping by which a user authorizes the DUTs bound to the user's own account to be accessed by other users under other accounts; the second data association table represents the mapping by which the user accesses the one or more network-based IP cameras or local area networks from each DUT.

According to one or more embodiments of the present disclosure, the data in the first data association table comprise one or more user IDs and one or more device names, with at least a mapping between the user IDs and the device names that determines to which devices the data are to be sent. The data in the second data association table comprise the one or more user IDs, one or more device IDs, the default gateway MAC address and the one or more public IP addresses, and the access token is linked to the one or more user IDs.

According to one or more embodiments of the present disclosure, before each DUT obtains the access token, the one or more network-based IP cameras or local area networks send a login-and-bind-device request to an authentication and authorization server; when the authentication and authorization server replies that the request succeeded, the first data association table is established and the one or more network-based IP cameras or local area networks obtain the access token. The one or more network-based IP cameras or local area networks then send a subscription request, whose content includes the access token and the one or more device names, to a zero-trust server. At this point the authentication and authorization server provides the data from the first data association table to the zero-trust server, so that the zero-trust server can determine the recipients of the data and reply that the request succeeded, and the one or more network-based IP cameras or local area networks establish the second data association table from those data.

According to one or more embodiments of the present disclosure, after the first and second data association tables have been established, the user sends from each DUT a request containing the one or more user IDs and the one or more passwords to the authentication and authorization server. If authentication succeeds, the authentication and authorization server replies and issues the access token to each DUT, the access token corresponding to the one or more user IDs.

According to one or more embodiments of the present disclosure, after the authentication and authorization server has replied and issued the access token to each DUT, the user sends from each DUT a request to the zero-trust server containing the access token, the one or more device IDs and the default gateway MAC address. When the zero-trust server has successfully obtained the first data association table from the authentication and authorization server, it uses the mapping in that table of which device names a particular user ID may access to forward the user ID, the one or more device IDs, the default gateway MAC address and the one or more public IP addresses to those device names. When the user ID, the one or more device IDs and the default gateway MAC address are identical but the public IP addresses differ, all of the differing public IP addresses are stored in the second data association table of the one or more network-based IP cameras or local area networks, so that the access list in the second data association table is extended rather than replacing the public IP addresses stored earlier.

According to one or more embodiments of the present disclosure, when each DUT establishes a network connection to the one or more network-based IP cameras or local area networks, it can access them through any of the one or more public IP addresses on the extended access list in the second data association table.
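The embodiments above describe one procedure: the NAS or IP camera logs in and binds to the authentication and authorization server, subscribes to the zero-trust server with its token and device name, the DUT authenticates with user ID and password to receive its own token, reports its device ID and default gateway MAC address, and the zero-trust server forwards each public IP it associates with that (user ID, device ID, gateway MAC) key to every device named for the user in the first data association table, which extends the second data association table instead of overwriting it. The following Python model is an added example, not code from the patent or from the assignee; it puts those steps together and contrasts the extend rule with the prior-art behaviour of FIG. 1, in which only one public IP survives in the whitelist. The class and method names (AuthServer, ZeroTrustServer, NasDevice, DeviceKey, run_scenario), the credentials, the UUID, the MAC address and the IP addresses are all constructed for the illustration, and the public IP is taken to be the source address the zero-trust server sees on the DUT's request, which the description implies but does not state.

```python
from dataclasses import dataclass
import ipaddress
import secrets


@dataclass(frozen=True)
class DeviceKey:
    """Key of the second association table: user ID, device ID (UUID), gateway MAC."""
    user_id: str
    device_id: str
    gateway_mac: str


class AuthServer:
    """Auth server (250): verifies credentials, issues tokens, keeps the first table."""

    def __init__(self, credentials):
        self._credentials = credentials  # constructed sample: user_id -> password
        self._tokens = {}                # access token -> user_id
        self.first_table = {}            # user_id -> set of device names

    def authenticate(self, user_id, password):
        if self._credentials.get(user_id) != password:
            return None
        token = secrets.token_urlsafe(16)
        self._tokens[token] = user_id
        return token

    def user_for(self, token):
        return self._tokens.get(token)

    def bind_device(self, token, device_name):
        user_id = self.user_for(token)   # FIG. 2: login-and-bind request from a NAS
        if user_id is None:
            return False
        self.first_table.setdefault(user_id, set()).add(device_name)
        return True


class NasDevice:
    """NAS or IP camera: firewall admits only its subnet plus the IPs in its second table."""

    def __init__(self, name, subnet, replace_ips=False):
        self.name = name
        self.subnet = ipaddress.ip_network(subnet)
        self.replace_ips = replace_ips   # True models the prior-art whitelist of FIG. 1
        self.second_table = {}           # DeviceKey -> list of public IPs

    def learn(self, key, public_ip):
        ips = self.second_table.setdefault(key, [])
        if self.replace_ips:
            ips[:] = [public_ip]         # prior art: the newest IP replaces the old one
        elif public_ip not in ips:
            ips.append(public_ip)        # embodiments: extend the list, keep earlier IPs

    def allows(self, source_ip):
        addr = ipaddress.ip_address(source_ip)
        return addr in self.subnet or any(
            str(addr) in ips for ips in self.second_table.values())


class ZeroTrustServer:
    """Zero-trust server (260): groups public IPs per DeviceKey, pushes them to subscribers."""

    def __init__(self, auth):
        self.auth = auth
        self._subscribers = {}           # device name -> NasDevice

    def subscribe(self, token, nas):
        if self.auth.user_for(token) is None:  # subscription carries the NAS token
            return False
        self._subscribers[nas.name] = nas
        return True

    def report(self, token, device_id, gateway_mac, source_ip):
        """DUT request; the public IP is assumed to be the connection's source address."""
        user_id = self.auth.user_for(token)
        if user_id is None:
            return False                 # unknown token: learn nothing
        key = DeviceKey(user_id, device_id, gateway_mac)
        for name in self.auth.first_table.get(user_id, ()):
            if name in self._subscribers:
                self._subscribers[name].learn(key, source_ip)
        return True


def run_scenario(replace_ips):
    """Dual-WAN DUT seen from two public IPs in turn (constructed); returns NAS verdicts."""
    auth = AuthServer({"alice": "correct horse battery"})
    zt = ZeroTrustServer(auth)
    nas = NasDevice("nas-220", "192.168.10.0/24", replace_ips=replace_ips)
    nas_token = auth.authenticate("alice", "correct horse battery")
    auth.bind_device(nas_token, nas.name)
    zt.subscribe(nas_token, nas)
    dut_token = auth.authenticate("alice", "correct horse battery")
    device_id, gateway_mac = "0f1e2d3c-4b5a-4978-8796-a5b4c3d2e1f0", "aa:bb:cc:dd:ee:01"
    for public_ip in ("203.0.113.10", "198.51.100.20"):   # via ISP 1, then via ISP 2
        zt.report(dut_token, device_id, gateway_mac, public_ip)
    return nas.allows("203.0.113.10"), nas.allows("198.51.100.20")
```

With `replace_ips=True` the NAS ends up admitting only the public IP it saw last, which is the failure of FIG. 1 from the other side: the DUT that switches back to public IP 1 is refused. With `replace_ips=False` both addresses stay on the list because they share the same key. Note the role the gateway MAC plays in the embodiments: it is a grouping key that the DUT reports alongside a token the authentication server has already issued, not a credential on its own, so the model learns nothing for a token it does not recognise, and the firewall still admits only the local subnet plus the addresses learned for valid keys.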

So that the examiners may gain a further understanding of the purpose, form, structure, features and effects of the present invention, embodiments are described in detail below with reference to the drawings.

The following disclosure provides different embodiments or examples for implementing different features of the subject matter provided. The specific examples of components and arrangements described below are given to simplify the present disclosure and are not intended to be limiting; the dimensions and shapes of elements are likewise not limited to the disclosed ranges or values but may depend on process conditions or on the properties required of the elements. For example, the technical features of the invention may be described with cross-sectional views, which are idealized schematic views of embodiments; differences between the illustrated shapes and those obtained in manufacture, due to process variation and/or tolerances, are to be expected and are not limiting.

Furthermore, spatially relative terms such as "below", "under", "lower than", "above" and "higher than" are used for ease of describing the relationship between elements or features shown in the drawings; besides the orientations depicted in the drawings, they also cover the different orientations of the elements in use or operation.

First, the main terms used in this specification are explained as follows.

A "wide area network (WAN)" is a long-distance network that connects local area networks or metropolitan area networks in different regions; it can generally be regarded as the backbone connecting local area networks and other communication equipment. A WAN usually covers a large geographic area, from tens to thousands of kilometres, linking regions, cities and countries or spanning several continents, and provides long-distance communication to form an international network. In practice, WANs are commonly divided into public networks and private networks.

A "MAC address (media access control address)", also called a LAN address, Ethernet address or physical address, is the address that identifies a network interface on its local network segment.

A "default gateway" is the device, called a router, through which a TCP/IP host communicates with hosts on other networks; that is, the default gateway is the router configured on the host that connects the host's subnet to other networks.

Next, an embodiment of the present invention provides a system for generating an authorization list that can be connected to a plurality of WANs and comprises an access token generation module. The access token generation module can identify, according to the default gateway MAC address held by a DUT, the one or more public IP addresses provided to the DUT by one or more ISPs and produce an identification result; generate an access token according to the identification result for the one or more public IP addresses; and transmit the access token to the DUT, so that the DUT can access one or more NAS devices through the one or more public IP addresses, wherein the one or more NAS devices have their firewalls enabled and allow only subnet access. It should be noted that in the embodiments of the present invention the one or more NAS devices are, for example, one or more local area networks or one or more network-based IP cameras.

An embodiment of the present invention also provides a method for generating an authorization list, applicable to a system for generating an authorization list that is connected to a plurality of WANs and in which one or more network-based IP cameras or one or more local area networks have their firewalls enabled and allow only subnet access. The method comprises the following steps: identifying, according to the default gateway MAC address held by each of one or more DUTs, the one or more public IP addresses provided to that DUT by one or more ISPs, and producing an identification result; and generating an access token according to the identification result for the one or more public IP addresses and transmitting the access token to each DUT, so that each DUT can access the one or more network-based IP cameras or the one or more local area networks through the one or more public IP addresses. The one or more network-based IP cameras or local area networks have their firewalls enabled and allow only subnet access.

The system for generating an authorization list and the method of generating the list with that system are described below with reference to the drawings. Refer to FIG. 2 to FIG. 5, which are schematic diagrams of a system for generating an authorization list according to an embodiment of the present invention and of the method of generating the list with that system.

First, as shown in FIG. 2 to FIG. 5, the access token generation module of the system 200 for generating an authorization list according to an embodiment of the present invention comprises a zero-trust server 260 and an authentication and authorization server 250 that are independent of each other. In other embodiments of the present invention, the access token generation module may instead be a single integrated server combining the functions of the zero-trust server 260 and the authentication and authorization server 250. Moreover, although the system 200 shown in FIG. 2 to FIG. 5 is illustrated with a single user device (DUT) 212, this does not limit the present invention; in other embodiments the system 200 may also comprise a plurality of other user devices (DUTs), each having a default gateway MAC address.

Next, as shown in FIG. 2 to FIG. 5, the zero-trust server 260 identifies, according to the default gateway MAC address of the user device (DUT) 212, the one or more public IP addresses provided to the DUT 212 by one or more ISPs, and produces an identification result. The authentication and authorization server 250 generates an access token according to the identification result for the one or more public IP addresses obtained from the zero-trust server 260 and transmits the access token to the DUT 212, so that the DUT 212 can access one or more network-based IP cameras or one or more local area networks through the one or more public IP addresses, wherein the one or more network-based IP cameras or local area networks have their firewalls enabled and allow only subnet access. The one or more public IP addresses are, for example, public IP 1, public IP 2, up to public IP N, where N is a natural number equal to the number of public IP addresses provided by the one or more ISPs.

In the embodiment of the present invention, the user device (DUT) 212 is not only deployed in a personal or corporate network 210 and able to establish a network connection, but also has a default gateway media access control (MAC) address and a device ID. Therefore, the user device (DUT) 212 that has obtained the access token can, through the one or more public IP addresses, access one or more NAS devices 220, 230 such as the one or more network based IP cameras or the one or more local area networks, and the one or more NAS devices 220, 230 have their firewall enabled and allow access only from the subnet. In the embodiment of the present invention, each device ID is a Universally Unique Identifier (UUID).

Next, the method of generating an authorization list with the authorization list generation system is described figure by figure.

As shown in FIG. 2, in an embodiment of the present invention, before each user device (DUT) 212 obtains the access token, one or more NAS devices 220, 230 or other NAS devices send a login and device binding request to an authentication and authorization server 250; when the authentication and authorization server 250 replies with a request-success message, a first data association table 252 is established and the one or more NAS devices 220, 230 or other NAS devices obtain the access token. Then, the one or more NAS devices 220, 230 or other NAS devices send a subscription request to a zero-trust server 260; at this point the authentication and authorization server 250 provides the data from the first data association table 252 to the zero-trust server 260, so that the zero-trust server 260 determines the recipients of the data and replies with a request-success message, and the one or more NAS devices 220, 230 or other NAS devices establish a second data association table 222 based on the data, wherein the content of the subscription request includes the access token and one or more device names. In the embodiment of the present invention, NAS device 220, NAS device 230 or other NAS devices refer to the one or more network based IP cameras or the one or more local area networks, but the present invention is not limited thereto. Of course, in other embodiments, NAS device 220, NAS device 230 or other NAS devices may also be any device that provides network services or any other hardware device with network connectivity, which will not be elaborated further below.

More specifically, as shown in FIG. 2, in step S1A, NAS device 220 (or NAS device 230 or another NAS device, likewise below) sends a login and device binding request to the authentication and authorization server 250 via the Internet 240, where the required information is a user ID, a password and a device name. In the embodiment of the present invention, the device name is unique.

Then, in step S1B, the authentication and authorization server 250 replies to the login and device binding request with a success or failure message to NAS device 220; on success, NAS device 220 obtains an access token. In the embodiment of the present invention, the access token has a limited validity period, ranging from a few hours to several days.

Next, in step S1C1, NAS device 220 sends a subscription request to the zero-trust server 260; the content of the request includes the access token and the device name mentioned in step S1A. In step S1C2, the zero-trust server 260 forwards the subscription request to the authentication and authorization server 250.

Thereafter, in step S1D, the authentication and authorization server 250 establishes a first data association table 252 and responds to the zero-trust server 260 with the device names that a particular user ID is mapped to in the first data association table 252.

After the subscription request succeeds, in step S1E, NAS device 220 (or NAS device 230 or another NAS device) waits to receive information from the zero-trust server 260. It should be noted that it was already determined in step S1D that the recipient of the information sent by the zero-trust server 260 is NAS device 220, NAS device 230 or another NAS device. In this way, NAS device 220 (or NAS device 230 or another NAS device) establishes a second data association table 222. In the embodiment of the present invention, the first data association table 252 represents the mapping by which a user authorizes other users, using other accounts, to access the user devices (DUT) 212 bound to the user's own account; the second data association table 222 represents the mapping by which the user accesses NAS device 220 (or NAS device 230 or another NAS device) from each user device (DUT) 212. NAS device 220 (or NAS device 230 or another NAS device) is, for example, the one or more network based IP cameras or the one or more local area networks.

In addition, in the embodiment of the present invention, after authenticating to the authentication and authorization server 250, an access token and a so-called refresh token can be obtained in accordance with OAuth (Open Authorization), an open standard; the former has a shorter validity period and the latter a longer one. If the access token has expired, the refresh token can be used to call the authentication and authorization server 250 again to obtain a new access token.

In addition, in the embodiment of the present invention, the data of the first data association table 252 includes one or more user IDs and one or more device names, and at least the one or more user IDs and the one or more device names have a mapping relationship between them, which determines the recipients of the data. In other words, the first data association table 252 indicates which accounts are authorized to access the devices bound to a given account. For example, if NAS device 220 is bound by user A and has the (unique) device name device A, then user A can share device A with user B and user C.

In addition, the data of the second data association table 222 includes the one or more user IDs, one or more device IDs, the default gateway media access control (MAC) address, and the one or more public IP addresses, wherein the access token is linked to the one or more user IDs. In other words, the second data association table 222 represents the mapping between a given user, the user device from which that user connects, and the device to be protected.

That is, in the embodiment of the present invention, before each user device (DUT) 212 obtains the access token, NAS device 220, NAS device 230 or other NAS devices first obtain the access token and establish a first data association table 252 and a second data association table 222. The first data association table 252 represents the mapping by which a user authorizes other users, using other accounts, to access the user devices (DUT) 212 bound to the user's own account. The second data association table 222 represents the mapping by which the user accesses NAS device 220, NAS device 230 or other NAS devices from each user device (DUT) 212. As before, NAS device 220, NAS device 230 or other NAS devices refer to one or more network based IP cameras, the one or more local area networks, any device that provides network services, or any other hardware device with network connectivity.

In addition, it should be noted that in the embodiment of the present invention, when the user device (DUT) 212 is able to browse the Internet it has a default gateway, and the default gateway has a corresponding default gateway media access control (MAC) address. The default gateway MAC address can be found, for example, by running traceroute to 8.8.8.8 to find the default gateway IP, and then using ARP to find the MAC address corresponding to that IP.

Next, as shown in FIG. 3, in the embodiment of the present invention, after the first data association table 252 and the second data association table 222 have been established, the user, through each user device (DUT) 212, sends a request whose content includes the one or more user IDs and the one or more passwords to the authentication and authorization server 250. If authentication succeeds, the authentication and authorization server 250 replies and issues the access token to each user device (DUT) 212, wherein the access token corresponds to the one or more user IDs.

More specifically, as shown in FIG. 3, in step S2A, the user on the user device (DUT) 212 sends a request via the Internet 240 to the authentication and authorization server 250; the content of the request is the user ID and the password. In one embodiment of the present invention, the user device (DUT) 212 further includes an identity verification unit 214, which is used to log in to the authentication and authorization server 250 and obtain the access token by means of the default gateway media access control (MAC) address, so that the user device (DUT) 212 can access the one or more NAS devices 220, 230 through the one or more public IP addresses, wherein the one or more NAS devices 220, 230 are the one or more local area networks or the one or more network based IP cameras. In other embodiments of the present invention, the identity verification unit 214 is used to log in to the access token generation module and obtain the access token by means of the default gateway MAC address, so that the user device (DUT) 212 can access the one or more local area networks or the one or more network based IP cameras through the one or more public IP addresses.

As shown in FIG. 3, following step S2A, if authentication succeeds, in step S2B the authentication and authorization server 250 returns the access token to the user device (DUT) 212, wherein a corresponding user ID stands behind the access token.

As shown in FIG. 4, in an embodiment of the present invention, after the authentication and authorization server 250 replies and issues the access token to each user device (DUT) 212, the user, through each user device (DUT) 212, sends to the zero-trust server 260 a request whose content includes the access token, the one or more device IDs, and the default gateway media access control (MAC) address. Then, when the zero-trust server 260 successfully obtains the first data association table 252 from the authentication and authorization server 250, the zero-trust server 260, according to the mapping in that table between each particular user ID and the particular device names it may access, transmits the particular user ID, the one or more device IDs, the default gateway MAC address, and the one or more public IP addresses to each such device name. When the particular user ID, the one or more device IDs and the default gateway MAC address are the same but the one or more public IP addresses differ, all of the differing public IP addresses are stored in the second data association table 222 of NAS device 220, NAS device 230 or other NAS devices, so that the access list in the second data association table 222 is extended rather than replacing the one or more public IP addresses previously stored.

More specifically, as shown in FIG. 4, after step S2B is completed, in step S3A the user on the user device (DUT) 212 sends a request to the zero-trust server 260; the content of the request is the access token, the device ID and the default gateway media access control (MAC) address.

As shown in FIG. 4, after receiving the request, the zero-trust server 260 in step S3B forwards the request of step S3A to the authentication and authorization server 250 and obtains the first data association table 252, which contains the device names that the particular user ID may access.

As shown in FIG. 4, if step S3B succeeds, in step S3C the zero-trust server 260 sends the user ID, the device ID, the default gateway media access control (MAC) address and an IP address to the particular device name, and these data are established as the second data association table 222 in one of the one or more NAS devices 220, 230 or other NAS devices. In the embodiment of the present invention, if they are sent to NAS device 220, the IP address is the public IP address of the user device (DUT) 212. It should be noted that, through the established mapping (that is, the user ID, the device ID and the default gateway MAC address), when the user ID, the device ID and the default gateway MAC address are the same but the public IP address differs, the authorization list generation system 200 extends rather than replaces the access list for the user device (DUT) 212; that is, in this case, if the user device (DUT) 212 has several public IP addresses, all of these public IP addresses are added to the access list for the user device (DUT) 212, namely the second data association table 222.

Afterwards, as shown in FIG. 5, in step S4, provided that the default gateway media access control (MAC) address of the user device (DUT) 212 has not changed, both public IP 1 and public IP 2 are added to the access list of NAS device 220, namely the second data association table 222. As a result, the user device (DUT) 212 can browse NAS device 220 normally. Similarly, in other embodiments of the present invention, for example with multiple user devices (DUTs), any user device (DUT) with multiple public IP addresses can, through the authorization list generation system 200 and method of the embodiments of the present invention, normally browse a protected NAS device in any information security environment.
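As an added illustration that is not part of the patent or of its assignee's code, the following Python models the two association tables and steps S1 through S4 above in a few classes, including the rule that an unchanged (user ID, device ID, gateway MAC) key extends the public IP list rather than replacing it. The account and device names, the UUID, the MAC and the documentation-range public IPs are constructed samples, and taking the DUT's public IP from the source address observed on its request is an assumption.

```python
import secrets
from dataclasses import dataclass, field

# Constructed sample identifiers (not from the patent): doc-range IPs, local MAC.
DUT_ID = "123e4567-e89b-12d3-a456-426614174000"   # device ID (UUID)
GATEWAY_MAC = "02:00:00:aa:bb:cc"                  # default gateway MAC address
PUBLIC_IP_1 = "203.0.113.10"                       # public IP 1 (via ISP 1)
PUBLIC_IP_2 = "198.51.100.20"                      # public IP 2 (via ISP 2)


@dataclass
class AuthServer:  # authentication and authorization server 250
    users: dict                                      # user ID -> password
    tokens: dict = field(default_factory=dict)       # access token -> user ID
    owners: dict = field(default_factory=dict)       # device name -> owner user ID
    first_table: dict = field(default_factory=dict)  # table 252: user ID -> {device names}

    def login(self, user_id, password):
        """Steps S2A/S2B: issue an access token linked to the user ID."""
        if self.users.get(user_id) != password:
            return None
        token = secrets.token_hex(16)
        self.tokens[token] = user_id
        return token

    def login_and_bind(self, user_id, password, device_name):
        """Steps S1A/S1B: a NAS logs in and binds its unique device name."""
        if self.owners.get(device_name, user_id) != user_id:
            return None                              # name already bound to another user
        token = self.login(user_id, password)
        if token is not None:
            self.owners[device_name] = user_id
            self.first_table.setdefault(user_id, set()).add(device_name)
        return token

    def share(self, owner_token, device_name, other_user_id):
        """Owner grants another account access to a bound device (table 252)."""
        owner = self.tokens.get(owner_token)
        if owner is None or self.owners.get(device_name) != owner:
            return False
        self.first_table.setdefault(other_user_id, set()).add(device_name)
        return True

    def lookup(self, token):
        """Step S3B: resolve a token to (user ID, device names it may access)."""
        user_id = self.tokens.get(token)
        return user_id, set(self.first_table.get(user_id, set()))


@dataclass
class NasDevice:  # protected device holding the second data association table 222
    second_table: dict = field(default_factory=dict)  # (user ID, device ID, MAC) -> [IPs]

    def receive_entry(self, user_id, device_id, gateway_mac, public_ip):
        """Step S3C: same user ID/device ID/gateway MAC extends the list, never replaces."""
        ips = self.second_table.setdefault((user_id, device_id, gateway_mac), [])
        if public_ip not in ips:
            ips.append(public_ip)
        return list(ips)

    def is_allowed(self, user_id, device_id, gateway_mac, source_ip):
        return source_ip in self.second_table.get((user_id, device_id, gateway_mac), [])


@dataclass
class ZeroTrustServer:  # zero-trust server 260
    auth: AuthServer
    subscribers: dict = field(default_factory=dict)  # steps S1C1-S1E: device name -> NasDevice

    def handle_dut_request(self, token, device_id, gateway_mac, public_ip):
        """Steps S3A-S3C: push the entry to every subscribed device name the user may access."""
        # Assumption: public_ip is the source address observed on the DUT's request.
        user_id, names = self.auth.lookup(token)
        delivered = []
        for name in sorted(names):
            nas = self.subscribers.get(name)
            if nas is not None:
                nas.receive_entry(user_id, device_id, gateway_mac, public_ip)
                delivered.append(name)
        return delivered


def run_scenario():
    """Owner binds NAS 220 and shares it; the other user's DUT arrives via two ISPs."""
    auth = AuthServer(users={"alice": "pw-alice", "bob": "pw-bob"})  # sample accounts
    zt, nas = ZeroTrustServer(auth), NasDevice()
    nas_token = auth.login_and_bind("alice", "pw-alice", "nas-220")
    zt.subscribers["nas-220"] = nas                  # subscription request accepted
    auth.share(nas_token, "nas-220", "bob")
    bob_token = auth.login("bob", "pw-bob")
    delivered = zt.handle_dut_request(bob_token, DUT_ID, GATEWAY_MAC, PUBLIC_IP_1)
    zt.handle_dut_request(bob_token, DUT_ID, GATEWAY_MAC, PUBLIC_IP_2)  # ISP changed, MAC did not
    return {
        "delivered": delivered,
        "bob_ips": nas.second_table[("bob", DUT_ID, GATEWAY_MAC)],
        "ip1_allowed": nas.is_allowed("bob", DUT_ID, GATEWAY_MAC, PUBLIC_IP_1),
        "ip2_allowed": nas.is_allowed("bob", DUT_ID, GATEWAY_MAC, PUBLIC_IP_2),
        "other_mac_allowed": nas.is_allowed("bob", DUT_ID, "02:00:00:dd:ee:ff", PUBLIC_IP_1),
    }
```

After the second request both public IPs are on the allow list for the same key, while an entry under a different gateway MAC is a separate key and matches nothing.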

Compared with the prior art, the authorization list generation system 200 and method of the embodiments of the present invention add a default gateway media access control (MAC) address: as long as the gateway MAC address has not changed, then from the viewpoint of the device to be protected the network of the user (or client) seeking access has not changed, which means that the network environment behind that user (or client) has more than one public IP, and all of these public IP addresses are to be included in the authorization allow list. Therefore, the embodiments of the present invention differ from the prior art in that the user (or client) can access the protected device using any of its public IP addresses, and the situation in the prior art of FIG. 1, where the protected device cannot be accessed using public IP 2, does not occur.

In summary, in the embodiment of the present invention, when each user device (DUT) 212 establishes a network connection with NAS device 220, NAS device 230 or other NAS devices, it can access NAS device 220, NAS device 230 or other NAS devices through the one or more public IP addresses on the extended access list in the second data association table 222.

In addition, in the embodiment of the present invention, the Internet 240 includes a public cloud, a private cloud, a community cloud and a hybrid cloud.

The above embodiments are intended only to illustrate the technical solution of the present invention and not to limit it. Although the present invention has been described in detail with reference to preferred embodiments, those of ordinary skill in the art should understand that the technical solution of the present invention may be modified or replaced by equivalents without departing from the spirit and scope of the technical solution of the present invention.

100: authorization list generation system; 110: personal or corporate network; 112: user device (DUT); 120, 130: NAS devices; 122: data association table; 140: Internet; 150: authentication and authorization server; 152: data association table; public IP 1; public IP 2; 200: authorization list generation system; 210: personal or corporate network; 212: user device (DUT); 214: identity verification unit; 220, 230: NAS devices; 222: second data association table; 240: Internet; 250: authentication and authorization server; 252: first data association table; S1A, S1B, S1C1, S1C2, S1D, S1E, S2A, S2B, S3A, S3B, S3C, S4: steps.

To make the above and other objects, features, advantages and embodiments of the present invention more readily understood, the accompanying drawings are described as follows:
FIG. 1 is a schematic diagram of a prior-art authorization list generation system.
FIG. 2 to FIG. 5 are schematic diagrams of an authorization list generation system according to an embodiment of the present invention and of the method of generating an authorization list by means of that system.

In accordance with standard practice, the various features and elements in the drawings are not drawn to scale; they are drawn so as to best present the specific features and elements relevant to the present invention. In addition, the same or similar reference numerals are used across the different drawings to refer to similar elements and components.


Claims (11)

一種授權名單產生的系統,可與複數個廣域網(WAN)連接,該系統包括:一零信任伺服器,配置以接收來自使用者透過各使用者裝置(DUT)發送一內容包括存取憑證、一或多個裝置ID以及預設的閘道器媒體存取控制(MAC)位址的請求;以及一認證與授權伺服器,配置以當該零信任伺服器自該認證與授權伺服器成功取得第一資料關連表時,該零信任伺服器會根據其中之特定各使用者ID可以存取之特定各裝置名稱的映射關係,將特定各該使用者ID、該一或多個裝置ID、該預設的閘道器媒體存取控制(MAC)位址以及一或多個公共IP(public IP)位址傳送至特定各該裝置名稱,其中,當特定各該使用者ID、該一或多個裝置ID、該預設的閘道器媒體存取控制(MAC)位址相同,但是該一或多個公共IP(public IP)位址相異時,將所有相異之該一或多個公共IP(public IP)位址皆存入該一或多個網路監控攝影機(network based IP camera)或者該一或多個區域網路之第二資料關連表中,藉此將該第二資料關連表內的存取名單延伸而非取代先前存入之該一或多個公共IP(public IP)位址,且該一或多個網路監控攝影機(network based IP camera)或者該一或多個區域網路係處於防火牆開啟狀態進行存取。 A system for generating an authorized list, which can be connected to a plurality of wide area networks (WANs), includes: a zero-trust server, configured to receive a request from a user through each user device (DUT) to send a content including an access certificate, one or more device IDs, and a default gateway media access control (MAC) address; and an authentication and authorization server, configured to when the zero-trust server successfully obtains a first data association table from the authentication and authorization server, the zero-trust server will map the specific user IDs, the one or more device IDs, the default gateway media access control (MAC) address, and one or more public IPs (public IP addresses) to the specific device names that can be accessed by the specific user IDs. 
The method further comprises: transmitting a specific IP address to each specific device name, wherein when the specific user ID, the one or more device IDs, and the preset gateway media access control (MAC) address are the same, but the one or more public IP addresses are different, all the different one or more public IP addresses are stored in the second data association table of the one or more network based IP cameras or the one or more local area networks, thereby extending the access list in the second data association table instead of replacing the one or more public IP addresses previously stored, and the one or more network based IP cameras or the one or more local area networks are accessed with the firewall open. 如請求項1所述之授權名單產生的系統,其中,取得該存取憑證之該使用者裝置(DUT)亦得以透過該一或多個公共IP(public IP)位址存取一或多個網路監控攝影機(network based IP camera),且其中該一或多個網路監控攝影機(network based IP camera)係處於防火牆開啟狀態且只允許子網路存取。 A system for generating an authorization list as described in claim 1, wherein the user device (DUT) that obtains the access certificate can also access one or more network based IP cameras through the one or more public IP addresses, and wherein the one or more network based IP cameras are in a firewall-open state and only subnet access is allowed. 如請求項1所述之授權名單產生的系統,其中該使用者裝置(DUT)包括一身分驗證單元,該身分驗證單元係用以登入該認證與授權伺服器, 並藉由該預設的閘道器媒體存取控制(MAC)位址獲取該存取憑證(access token),使得該使用者裝置(DUT)得以透過該一或多個公共IP(public IP)位址存取該一或多個區域網路或者該一或多個網路監控攝影機(network based IP camera)。 A system for generating an authorization list as described in claim 1, wherein the user device (DUT) includes an identity verification unit, which is used to log in to the authentication and authorization server, and obtain the access token through the preset gateway media access control (MAC) address, so that the user device (DUT) can access the one or more local area networks or the one or more network based IP cameras through the one or more public IP addresses. 
如請求項1所述之授權名單產生的系統,更包括:多個其他使用者裝置(DUT),且該些其他使用者裝置(DUT)皆具有一預設的閘道器媒體存取控制(MAC)位址。 The system for generating the authorization list as described in claim 1 further includes: a plurality of other user devices (DUTs), and each of the other user devices (DUTs) has a default gateway media access control (MAC) address. 如請求項1或4所述之授權名單產生的系統,其中各該使用者裝置(DUT)皆具有一裝置ID,各該裝置ID係通用唯一辨識碼(Universally Unique Identifier,UUID)。 A system for generating an authorization list as described in claim 1 or 4, wherein each user device (DUT) has a device ID, and each device ID is a universally unique identifier (UUID). 一種授權名單產生的方法,適用於與複數個廣域網(WAN)連接之授權名單產生的系統,而該授權名單產生的系統內之一或多個網路監控攝影機(network based IP camera)或者一或多個區域網路係處於防火牆開啟狀態進行存取,其中該授權名單產生的方法包括下列步驟:使用者透過各使用者裝置(DUT)向一零信任伺服器發送一內容包括存取憑證、一或多個裝置ID以及預設的閘道器媒體存取控制(MAC)位址的請求;以及當該零信任伺服器自一認證與授權伺服器成功取得第一資料關連表時,該零信任伺服器會根據其中之特定各使用者ID可以存取之特定各裝置名稱的映射關係,將特定各該使用者ID、該一或多個裝置ID、該預設的閘道器媒體存取控制(MAC)位址以及一或多個公共IP(public IP)位址傳送至特定各該裝置名稱,其中,當特定各該使用者ID、該一或多個裝置ID、該預設的閘道器媒體存取控制(MAC)位址相同,但是該一或多個公共IP(public IP)位址相異時,將所有相異之該一或多個公共IP(public IP)位址皆存入該一或多個網路監控攝影機(network based IP camera)或者該一或多個區域網路之第二資料關連表中,藉此將 該第二資料關連表內的存取名單延伸而非取代先前存入之該一或多個公共IP(public IP)位址。 A method for generating an authorization list is applicable to an authorization list generating system connected to a plurality of wide area networks (WANs), wherein one or more network based IP cameras (network based IP cameras) in the authorization list generating system are camera) or one or more local area networks are in a firewall-open state for access, wherein the method for generating the authorization list includes the following steps: a user sends a request including an access certificate, one or more device IDs and a preset gateway media access control (MAC) address to a zero-trust server through each user device (DUT); and when the zero-trust server successfully obtains a first data association table from an authentication and authorization server, the zero-trust server will map the specific user IDs, the one or more 
device IDs, the preset gateway media access control (MAC) address and one or more public IPs (public IP addresses) to the specific device names that can be accessed by the specific user IDs. The method further comprises: transmitting a specific IP address to each specific device name, wherein when the specific user ID, the one or more device IDs, and the default gateway media access control (MAC) address are the same, but the one or more public IP addresses are different, all the different one or more public IP addresses are stored in a second data association table of the one or more network based IP cameras or the one or more local area networks, thereby extending the access list in the second data association table instead of replacing the one or more public IP addresses previously stored. 如申請專利範圍第6項所述之授權名單產生的方法,更包括:在各該使用者裝置(DUT)取得該存取憑證之前,該一或多個網路監控攝影機(network based IP camera)或者該一或多個區域網路會先取得該存取憑證,並建立該第一資料關連表以及該第二資料關連表;該第一資料關連表係用以表示該使用者將本身之帳號綁定的各該使用者裝置(DUT)授權給其他使用者以其他帳號進行存取的映射關係;該第二資料關連表係用以表示該使用者從各該使用者裝置(DUT)存取該一或多個網路監控攝影機(network based IP camera)或者該一或多個區域網路的映射關係。 The method for generating the authorization list as described in item 6 of the patent application scope further includes: before each user device (DUT) obtains the access certificate, the one or more network based IP cameras or the one or more local area networks will first obtain the access certificate and establish the first data association table and the second data association table; the first data association table is used to indicate the mapping relationship of the user authorizing other users to access the user devices (DUT) bound to their own accounts with other accounts; the second data association table is used to indicate the mapping relationship of the user accessing the one or more network based IP cameras or the one or more local area networks from each user device (DUT). 
The method for generating an authorization list as described in item 7 of the patent application scope, wherein the data of the first data association table includes one or more user IDs and one or more device names, and at least the one or more user IDs and the one or more device names have a mapping relationship between them that determines the transmission targets of the data; and the data of the second data association table includes the one or more user IDs, one or more device IDs, the preset gateway media access control (MAC) address, and the one or more public IP addresses, wherein the access credential is linked to the one or more user IDs.

The method for generating an authorization list as described in item 8 of the patent application scope, further including: before each user device (DUT) obtains the access credential, the one or more network-based IP cameras or the one or more local area networks send a login-and-bind-device request to an authentication and authorization server; after the authentication and authorization server replies with a request-success message, the first data association table is established and the one or more network-based IP cameras or the one or more local area networks obtain the access credential; then the one or more network-based IP cameras or the one or more local area networks send a subscription request to the zero-trust server, at which time the authentication and authorization server provides the data to the zero-trust server according to the first data association table, so that the zero-trust server can determine the transmission targets of the data and reply with a request-success message, and the one or more network-based IP cameras or the one or more local area networks then establish the second data association table according to the data, wherein the content of the subscription request includes the access credential and the one or more device names.

The method for generating an authorization list as described in item 9 of the patent application scope, further including: after the first data association table and the second data association table have been established, the user sends, through each user device (DUT), a request whose content includes the one or more user IDs and the one or more passwords to the authentication and authorization server; if authentication succeeds, the authentication and authorization server replies and issues the access credential to each user device (DUT), wherein the access credential corresponds to the one or more user IDs.

The method for generating an authorization list as described in item 6 of the patent application scope, wherein when each user device (DUT) establishes a network connection with the one or more network-based IP cameras or the one or more local area networks, it can access the one or more network-based IP cameras or the one or more local area networks through the one or more public IP addresses on the extended access list in the second data association table.
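The following is an added, self-contained Python model of the flow the claims above describe (login-and-bind, subscription, user credential issuance, and the access decision against the extended access list); it is a constructed illustration, not the patent's or the applicant's implementation. The class names, the table layouts, the credential format, and every sample value (user IDs, device IDs, gateway MAC, public IPs, passwords) are assumptions made for the example.

```python
"""Toy model of the authorization-list flow in the claims (constructed example).

Assumed roles: AuthServer (authentication and authorization server),
ZeroTrustServer (zero-trust server), Camera (network-based IP camera / LAN side)
and a user DUT represented by a credential plus a source public IP.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

PBKDF2_ROUNDS = 10_000  # assumption; kept low so the example runs quickly


@dataclass
class AuthServer:
    users: dict = field(default_factory=dict)          # user_id -> (salt, pbkdf2 digest)
    first_table: dict = field(default_factory=dict)    # first data association table: user_id -> {device names}
    user_tokens: dict = field(default_factory=dict)    # DUT credential -> user_id
    device_tokens: dict = field(default_factory=dict)  # camera/LAN credential -> device name

    def register_user(self, user_id, password):
        salt = secrets.token_bytes(16)
        self.users[user_id] = (salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS))

    def login_and_bind(self, device_name, user_ids):
        """Camera/LAN binds itself to the users allowed to reach it; builds the first table."""
        if any(uid not in self.users for uid in user_ids):
            return None, "request failed"
        for uid in user_ids:
            self.first_table.setdefault(uid, set()).add(device_name)
        token = secrets.token_hex(16)
        self.device_tokens[token] = device_name
        return token, "request success"

    def data_for_device(self, device_name):
        """Records handed to the zero-trust server: users mapped to this device."""
        return sorted(uid for uid, names in self.first_table.items() if device_name in names)

    def user_login(self, user_id, password):
        """DUT login: on success the credential is bound to the user ID."""
        rec = self.users.get(user_id)
        if rec is None:
            return None
        salt, digest = rec
        attempt = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        if not hmac.compare_digest(attempt, digest):
            return None
        token = secrets.token_hex(16)
        self.user_tokens[token] = user_id
        return token


@dataclass
class ZeroTrustServer:
    auth: AuthServer
    gateway_mac: str   # preset gateway MAC address (constructed)
    public_ips: dict   # user_id -> [public IPs] (constructed)
    device_ids: dict   # device name -> device ID (constructed)

    def subscribe(self, device_token, device_names):
        """Subscription request carries the device credential and device names."""
        if device_token not in self.auth.device_tokens:
            return None, "request failed"
        rows = [{"user_id": uid, "device_id": self.device_ids[name],
                 "gateway_mac": self.gateway_mac, "public_ips": list(self.public_ips.get(uid, []))}
                for name in device_names for uid in self.auth.data_for_device(name)]
        return rows, "request success"


@dataclass
class Camera:
    name: str
    second_table: list = field(default_factory=list)  # second data association table rows

    def extended_access_list(self):
        return sorted({ip for row in self.second_table for ip in row["public_ips"]})

    def authorize(self, auth, user_token, src_ip):
        """Allow only a credential bound to a user ID whose public IP is on the list."""
        uid = auth.user_tokens.get(user_token)
        return uid is not None and any(
            row["user_id"] == uid and src_ip in row["public_ips"] for row in self.second_table)


def run_flow():
    """Runs the four-step sequence on constructed data and returns the access decisions."""
    auth = AuthServer()
    auth.register_user("alice", "correct horse")
    auth.register_user("bob", "battery staple")
    zts = ZeroTrustServer(auth, "00:11:22:33:44:55",
                          {"alice": ["203.0.113.10"], "bob": ["198.51.100.7"]}, {"cam-lobby": "dev-0001"})
    cam = Camera("cam-lobby")
    dev_token, _ = auth.login_and_bind("cam-lobby", ["alice"])   # step 1: first table
    cam.second_table, _ = zts.subscribe(dev_token, ["cam-lobby"])  # step 2: second table
    alice_tok = auth.user_login("alice", "correct horse")         # step 3: DUT credentials
    bob_tok = auth.user_login("bob", "battery staple")
    return {                                                      # step 4: access decisions
        "alice_listed_ip": cam.authorize(auth, alice_tok, "203.0.113.10"),
        "alice_other_ip": cam.authorize(auth, alice_tok, "192.0.2.99"),
        "bob_not_bound": cam.authorize(auth, bob_tok, "198.51.100.7"),
        "bad_token": cam.authorize(auth, "not-a-token", "203.0.113.10"),
        "bad_password": auth.user_login("alice", "wrong") is None,
        "access_list": cam.extended_access_list(),
    }
```

Two points worth noticing in the model: the camera never sees the user's password, only a credential the authentication server has bound to a user ID, and a credential alone is not enough, because the decision also requires the DUT's public IP to appear in the row of the second table for that user. Bob holds a valid credential but was never bound to the camera in step 1, so his row never reaches the second table and he is refused.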
TW111146640A 2022-12-05 2022-12-05 System and method for generating an authorization list TWI846184B (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
TW111146640A TWI846184B (en) 2022-12-05 2022-12-05 System and method for generating an authorization list
CN202211586609.2A CN118157864A (en) 2022-12-05 2022-12-09 System and method for generating authorization list

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
TW111146640A TWI846184B (en) 2022-12-05 2022-12-05 System and method for generating an authorization list

Publications (2)

Publication Number Publication Date
TW202424791A TW202424791A (en) 2024-06-16
TWI846184B true TWI846184B (en) 2024-06-21

Family

ID=91284110

Family Applications (1)

Application Number Title Priority Date Filing Date
TW111146640A TWI846184B (en) 2022-12-05 2022-12-05 System and method for generating an authorization list

Country Status (2)

Country Link
CN (1) CN118157864A (en)
TW (1) TWI846184B (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP1381201A2 (en) * 2002-07-10 2004-01-14 Sony Corporation System, method and program for remote access to a resource using certificates
TW201739284A (en) * 2016-03-18 2017-11-01 Pcms控股公司 System and method for network-level smart home security
TWI759908B (en) * 2020-10-15 2022-04-01 威聯通科技股份有限公司 The method of generating the authorization allow list and the information security system using it

Also Published As

Publication number Publication date
TW202424791A (en) 2024-06-16
CN118157864A (en) 2024-06-07

Similar Documents

Publication Publication Date Title
US10484359B2 (en) Device-level authentication with unique device identifiers
US9602292B2 (en) Device-level authentication with unique device identifiers
TWI545446B (en) A method and system for use with a public cloud network
US8522333B2 (en) Client/server system for communicating according to the standard protocol OPC UA and having single sign-on mechanisms for authenticating, and method for performing single sign-on in such a system
CN106664291B (en) System and method for providing secure access to local network devices
US12034769B2 (en) Systems and methods for scalable zero trust security processing
WO2022247751A1 (en) Method, system and apparatus for remotely accessing application, device, and storage medium
KR20160127167A (en) Multi-factor certificate authority
US20080276294A1 (en) Legal intercept of communication traffic particularly useful in a mobile environment
WO2018095416A1 (en) Information processing method, device and system
EP2781049B1 (en) Distributing overlay network ingress information
JP2016532984A (en) Network connection automation
TW201828645A (en) Network authentication method and apparatus
WO2016191376A1 (en) Initial provisioning through shared proofs of knowledge and crowdsourced identification
JP4835569B2 (en) Virtual network system and virtual network connection device
CN112335215B (en) Method for coupling terminal devices into a network-enabled computer infrastructure
JP6185934B2 (en) Integrate server applications with many authentication providers
US11722310B2 (en) Automatically discovering and securely identifying connected systems
TWI846184B (en) System and method for generating an authorization list
JP2018022307A (en) Connection management device, connection management method, and connection management program
CN121334126A (en) Remote control method, apparatus, and computer readable medium
CN119603052A (en) Rights management method, device, equipment and medium for realizing user access control
RU2722393C2 (en) Telecommunication system for secure transmission of data in it and a device associated with said system
CA2943294A1 (en) Device-level authentication with unique device identifiers