WO2018196465A1 - Authentication method, terminal and server - Google Patents
- Publication number
- WO2018196465A1 (PCT/CN2018/075088)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- terminal
- key
- image data
- server
- signaling
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Ceased
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/06—Authentication
- H04W12/062—Pre-authentication
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/083—Network architectures or network communication protocols for network security for authentication of entities using passwords
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/40—Network security protocols
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/06—Authentication
- H04W12/069—Authentication using certificates or pre-shared keys
Definitions
- The present invention relates to the field of Internet of Things technologies, and in particular to an authentication method, a terminal, and a server.
- Authentication is usually part of every human-computer interaction. For example, at the entrance gate of a residential community, authentication is performed by swiping an access card, swiping a fingerprint, or using a key; on a bus, by using a bus card or the chip inside a mobile phone; at a bank's automatic teller machine (ATM), the ATM reads the bank card information and the user inputs a password to perform authentication.
- An embodiment of the present invention provides an authentication method applied to a first terminal. The method includes: acquiring image data of a second terminal; when the radio access bearer is in a released state, transmitting the image data to a server by using signaling for transmitting data under an Internet of Things protocol, where the image data is used to request the server to send a key corresponding to the first terminal; receiving the key sent by the server; and sending the key to the second terminal, where the key is used by the second terminal to authenticate the first terminal.
- An embodiment of the present invention further provides an authentication method applied to a server. The method includes: receiving image data of a second terminal sent by a first terminal using signaling for transmitting data under an Internet of Things protocol; searching a preset database using the image data to obtain a key corresponding to the first terminal; and sending the key to the first terminal, where the key is used by the second terminal to authenticate the first terminal after the first terminal sends it to the second terminal.
- An embodiment of the present invention further provides a first terminal. The first terminal includes: an acquiring module, configured to acquire image data of the second terminal; a first sending module, configured to transmit the image data to a server by using signaling for transmitting data under an Internet of Things protocol when the radio access bearer is in a released state, where the image data is used to request the server to send a key corresponding to the first terminal, and further configured to send the key to the second terminal, where the key is used by the second terminal to authenticate the first terminal; and a first receiving module, configured to receive the key sent by the server.
- the embodiment of the present invention further provides a computer storage medium, the computer storage medium comprising a set of instructions, when executed, causing at least one processor to perform the above-mentioned authentication method applied to the first terminal.
- the embodiment of the invention further provides a computer storage medium, the computer storage medium comprising a set of instructions, when executed, causing at least one processor to perform the above-mentioned authentication method applied to the server.
- FIG. 1 is a schematic diagram of an implementation process of an authentication method according to Embodiment 1 of the present invention.
- FIG. 2 is a schematic diagram of a protocol structure of an NB-IoT network according to an embodiment of the present invention
- FIG. 3 is a schematic diagram of a manner of transmitting image data on a signaling plane according to an embodiment of the present invention
- FIG. 4 is a schematic diagram of a manner of transmission of image data on a user plane according to an embodiment of the present invention.
- FIG. 5 is a schematic diagram of an implementation process of an authentication method according to Embodiment 2 of the present invention.
- FIG. 6 is a schematic diagram showing the structure of a first terminal according to Embodiment 3 of the present invention.
- FIG. 7 is a schematic diagram showing the composition of a server according to Embodiment 4 of the present invention.
- FIG. 8 is a schematic diagram showing the structure of an internal module of a first terminal according to an embodiment of the present invention.
- FIG. 9 is a schematic diagram of a specific implementation process of an authentication method according to an embodiment of the present invention.
- FIG. 10 is a schematic diagram of a specific implementation process of entering a new key according to an embodiment of the present invention.
- FIG. 11 is a schematic diagram of a specific implementation process of changing a key according to an embodiment of the present invention.
- the Internet of Things is a major trend in the development of current communication technologies.
- Cellular-based Narrow Band Internet of Things (NB-IoT) and enhanced Machine Type Communication (eMTC) are both widely regarded as promising in the IoT market.
- NB-IoT and eMTC protocols of the Internet of Things support the transmission of a small amount of user data on the signaling plane.
- the authentication scenario in the human-computer interaction scenario is an IoT application scenario, which has the characteristics of small data volume and discontinuous transmission.
- the first terminal side is taken as an example to describe the authentication method in detail.
- the method includes the following steps:
- Step 101: Acquire image data of the second terminal.
- Step 101 may specifically include: searching for at least one terminal; determining the second terminal from the at least one terminal; and collecting an image of the second terminal to obtain the image data.
- the first terminal may search for at least one terminal through Bluetooth, and may also search for at least one terminal by using other local area network protocols, such as Wireless Fidelity (WiFi), ZigBee, and the like.
- the terminal may specifically be an ATM machine, an access security gate, a smart bus or a credit card machine on a subway, and the like.
- Before the search, each of the at least one terminal may be assigned an identifier; for example, the ATM uses number 001, the access security gate uses number 002, and the smart bus or the credit card machine on the subway uses number 003.
- The first terminal may determine the second terminal from the at least one terminal found by the search as follows: the first terminal searches for the at least one terminal and presents the result through a user interface, a button confirmation, or a voice prompt, and the first terminal user determines one of the at least one terminal as the second terminal.
- Alternatively, the first terminal presets a rule and determines the second terminal according to the rule. For example, the rule may be that the first terminal measures the distance between itself and each terminal found by the search and selects the terminal closest to the first terminal as the second terminal. Or the first terminal compares the distances measured according to the preset rule and displays them, and the first terminal user selects the second terminal according to actual needs.
- The method may further include: when the first terminal is in a locked state, generating a first prompt message, where the first prompt message is used to prompt the first terminal user to unlock the first terminal; obtaining an operation, where the operation is a response to the first prompt message; performing an unlocking operation on the first terminal in response to the operation; and entering a working state after the unlocking succeeds.
- To reduce power consumption and ensure security, the first terminal cannot always remain in the working state or in the state of searching for at least one terminal. The working time of the first terminal can be set according to user requirements; for example, the first terminal enters the locked state after working for 1 minute or 10 minutes.
- Step 102: When the radio access bearer is in the released state, send the image data to the server using the signaling for transmitting data through the Internet of Things protocol.
- the image data is used to request the server to send a key corresponding to the first terminal.
- The radio access bearer includes a radio bearer (RB) between the user equipment (UE) and the UMTS Terrestrial Radio Access Network (UTRAN), and an Iu bearer between the core network (CN) and the UTRAN.
- The step of transmitting the image data to the server by using signaling for transmitting data under an IoT protocol may include: transmitting the image data to the server through the non-access stratum of the signaling plane, where the non-access stratum is capable of transmitting data between the terminal and the core network.
- the Internet of Things protocol may be an NB-IoT protocol or an eMTC protocol.
- Step 102 further includes: reading state variable information of the radio access bearer; and determining that the radio access bearer is in the released state when the state variable information is invalid information.
- A series of variables corresponding to the radio access bearer are stored in the protocol stack memory of the first terminal, and reading these variables shows whether the first terminal still holds the radio access bearer.
- If these variables are empty or their memory has been released, the first terminal holds no valid state variable information about the radio access bearer between itself and the core network; the state variable information is then invalid information, from which it can be determined that the radio access bearer is in the released state.
- When the radio access bearer is in the released state, only a network whose signaling plane protocol architecture supports transmitting data through the signaling plane can send the image data to the server through the non-access stratum of the signaling plane. Network protocols meeting this condition include NB-IoT, eMTC, and the like.
- Figure 2 shows the protocol structure of the NB-IoT network.
- The protocol structure includes the UE, the base station (eNodeB), the Mobility Management Entity (MME), and the Serving Gateway (SGW).
- the protocol architecture of the NB-IoT network includes a control plane protocol architecture and a user plane protocol architecture.
- the control plane is also referred to as a signaling plane.
- The protocol structure of the signaling plane includes the Non-Access Stratum (NAS), Radio Resource Control (RRC), Packet Data Convergence Protocol (PDCP), Radio Link Control (RLC), Media Access Control (MAC), and Physical (PHY) layers.
- On the network side, the NAS layer of the signaling plane protocol architecture terminates at the MME. The NAS layer supports both signaling and data transmission between the terminal and the core network.
- the RRC layer processes the third layer information of the control plane between the terminal and the base station, and the functions of the RRC include RB control, broadcast, paging, and the like.
- the PDCP layer is responsible for compressing and decompressing IP headers, transmitting user data, and the like.
- the RLC layer is responsible for segmentation and connection, retransmission processing, and sequential transmission of high-level data.
- the MAC layer serves the RLC layer in a logical channel manner.
- the PHY layer is responsible for coding, modulation, demodulation, multi-antenna mapping, and the like.
- the protocol structure of the user plane includes: PDCP, RLC, MAC, PHY.
- Sending the image data to the server through the non-access stratum of the signaling plane includes: establishing a signaling radio bearer between the terminal and the core network, generating a non-access stratum signaling message from the image data, and sending the non-access stratum signaling message to the server on the signaling radio bearer.
- Specifically, the image data is packed, and the packed data packet is placed in the data body field of a non-access stratum message to generate a non-access stratum signaling message, which is then transmitted to the server on the network side through the non-access stratum.
- the non-access stratum message is transmitted to the server after passing through the non-access stratum, the RRC layer, the PDCP layer, the RLC layer, and the MAC layer.
- the data packet packed with the image data passes through the PDCP layer, the RLC layer, and the MAC layer, and the packed data is encapsulated by the physical layer, and then transmitted to the server on the network side in the form of a transport block.
- Figure 3 shows the transmission of image data on the signaling plane.
- the transmission of image data between the first terminal and the server on the signaling plane comprises two parts, the first part is data transmission between the first terminal and the base station, and the second part is data transmission between the base station and the core network.
- The first part, data transmission between the first terminal and the base station: the first terminal packs the acquired image data of the second terminal and places it in the data body field of a non-access stratum message to generate a non-access stratum signaling message.
- The PHY layer then transmits the non-access stratum signaling message to the NAS layer on the base station side as a radio frequency signal.
- Because the non-access stratum signaling message transmitted by the NAS layer of the first terminal can carry data, no data radio bearer needs to be established when the radio access bearer does not exist, that is, when it is in the released state. This also avoids the delay caused by establishing a radio bearer.
- The second part, data transmission between the base station and the core network: the base station receives the non-access stratum signaling message containing the image data, processes it in turn through the PHY, MAC, RLC, PDCP, RRC, and NAS layers, and transmits it to the MME.
- The MME may send the non-access stratum signaling message containing the image data to a Service Capability Exposure Function (SCEF), or it may send the message to the SGW, which sends it to the Packet Data Network Gateway (PGW), and the PGW sends the non-access stratum signaling message containing the image data to the server.
- Based on the signaling radio bearer between the first terminal and the core network, when the radio access bearer is in the released state, that is, when there is no data transmission channel between the first terminal and the core network, the first terminal transmits the image data of the second terminal to the server using the signaling for transmitting data through the Internet of Things protocol, more specifically through the NAS layer of the signaling plane. Because the radio access bearer does not need to be re-established, the delay caused by establishing it is avoided, and the image data of the second terminal can be sent quickly to the server on the network side, thereby implementing fast authentication.
- step 102 further includes: when the radio access bearer is in an established state, transmitting image data to the server through the user plane.
- the image data is used to request the server to send a key corresponding to the first terminal.
- the transmission mode of the image data on the user plane is as shown in FIG. 4.
- the transmission of image data between the first terminal and the server on the user plane comprises two parts, the first part is data transmission between the first terminal and the base station, and the second part is data transmission between the base station and the core network.
- The first part, data transmission between the first terminal and the base station: the first terminal packs the acquired image data of the second terminal, and the packed data packet passes in turn through the PDCP, RLC, and MAC layers; after PHY-layer encapsulation, the PHY layer transmits the data packet containing the image data to the PDCP layer on the base station side as a radio frequency signal.
- The second part, data transmission between the base station and the core network: the base station processes the received data packet containing the image data in turn through the PHY, MAC, RLC, and PDCP layers and sends it to the SGW; the SGW sends it to the PGW, and the PGW transmits the data packet containing the image data to the server on the network side.
- Thus, when the radio access bearer is in the established state, the first terminal sends the image data of the second terminal to the server based on the data radio bearer on the user plane.
- Step 103: Receive the key sent by the server, and send the key to the second terminal.
- the key is used for the second terminal to authenticate the first terminal.
- Step 103 may further include: when it is determined from the acquired image data of the second terminal that the identity of the first terminal user needs to be verified, generating second prompt information, where the second prompt information is used to prompt the first terminal user to input verification information; obtaining the verification information input by the first terminal user; verifying the input verification information; and sending the key to the second terminal after the verification succeeds.
- the second terminal may be a transfer machine, an access card, or another device.
- When the second terminal is a transfer machine, the identity of the first terminal user needs to be verified before the second terminal authenticates the first terminal, the purpose of the verification being to improve security; when the second terminal is an access card, the identity of the first terminal user does not need to be verified, and the second terminal can authenticate the first terminal.
- the verification information input by the first terminal user may be fingerprint information, a piece of voice, a key, or the like.
- Verifying the input verification information includes: when the input verification information is fingerprint information, performing fingerprint image format conversion, image segmentation and enhancement, image filtering, image binarization, image thinning, and feature point extraction and matching on the fingerprint information; when the input verification information is a piece of speech, pre-emphasizing, framing, and windowing the speech and filtering it with a Mel filter bank to obtain Mel Frequency Cepstrum Coefficients (MFCC), reducing the dimension of the MFCC by principal component analysis (PCA), and then performing pattern matching by Vector Quantization (VQ); when the input verification information is a key, comparing the key with a preset keystore.
- The method further includes: when the key corresponding to the first terminal is changed or a new key is entered, sending the changed key or the entered new key to the server, where the changed key or the entered new key is used by the server to update the preset database.
- For example, the user of the first terminal can change the key corresponding to the first terminal and send the changed key to the server so that the server updates the preset database.
- The first terminal user may also enter a new key and send it to the server; or, when the second terminal is a new device and the preset database on the server does not store a key correspondence between the second terminal and the first terminal, the first terminal user enters a new key and sends it to the server.
- In this embodiment, when the radio access bearer is in the released state, the first terminal sends the image data of the second terminal to the server using the signaling for transmitting data through the Internet of Things protocol. Because the radio access bearer does not need to be re-established, the delay caused by establishing it is avoided, and the image data of the second terminal can be sent quickly to the server on the network side, thereby implementing fast authentication.
- the server sends a key to the first terminal, and the first terminal sends the key to the second terminal, thereby avoiding the occurrence of the key being leaked, so that security authentication can be implemented.
- this embodiment uses the server side as an example to describe the authentication method in detail.
- the method includes the following steps:
- Step 501: Receive image data of the second terminal sent by the first terminal using the signaling for transmitting data through the Internet of Things protocol.
- Receiving the image data of the second terminal sent by the first terminal using the signaling for transmitting data through the Internet of Things protocol includes: receiving, over the signaling radio bearer between the terminal and the core network, the non-access stratum signaling message sent by the first terminal through the non-access stratum of the signaling plane, where the non-access stratum signaling message contains the image data of the second terminal.
- The signaling radio bearer between the terminal and the core network terminates at the NAS layer of the MME on the core network side. That is, the image data transmitted on the signaling radio bearer is received by the NAS layer of the MME; either the MME sends the image data to the SCEF and the server receives it from the SCEF, or the MME sends it to the SGW, the SGW sends it to the PGW, and the server receives the image data from the PGW.
- Step 502: Search the preset database using the image data, obtain the key corresponding to the first terminal, and send the key to the first terminal.
- The key is used by the second terminal to authenticate the first terminal after the first terminal sends it to the second terminal.
- Sending the key to the first terminal includes: transmitting it to the first terminal using signaling for transmitting data under an IoT protocol, for example NB-IoT or eMTC.
- When the radio access bearer is in the released state, the key is sent to the first terminal through the non-access stratum of the signaling plane; when the radio access bearer is in the established state, the key is sent to the first terminal through the user plane.
- Searching the preset database using the image data includes: extracting feature information from the image data according to a feature extraction strategy, and searching the preset database according to the extracted feature information.
- the information stored in the preset database may include: identifier information of the second terminal, and identifier information of the first terminal.
- the correspondence between the identification information of the second terminal and the identification information of the first terminal is one-to-many.
- The feature extraction strategy first preprocesses the image data, including grayscale conversion, binarization, and noise suppression (filtering).
- Feature point extraction is performed based on the pre-processed image to construct a graphical feature, where the feature point may be an imaging point of any portion on the second terminal, such as a point at the edge of the second terminal.
- Graphic features such as contour features, texture features within the contours, etc., can be formed by feature points.
- the feature information of the second terminal such as identification information, is determined based on the graphical feature, and the identification information may be a number.
- The method further includes: receiving a changed key or an entered new key sent by the first terminal, where the changed key or the entered new key corresponds to the second terminal; and updating the preset database according to the changed key or the entered new key.
- This embodiment provides a first terminal.
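The terminal-side steps 101 to 103 and the server-side steps 501 and 502 above, as one round trip in a runnable mock. This is an added example, not code from the patent: the "image data", terminal numbers 001/002, first terminal name and keys are constructed, the patent's grayscale/binarization/feature-point pipeline is replaced by a digest of the image bytes standing in for the graphical feature, and the radio planes are modelled only as labels on the messages. The example also covers the key-update flow (changed or newly entered key sent to the server) and shows what happens when the server finds no key for the requesting first terminal.

```python
"""Mock of the image-for-key authentication exchange (constructed example)."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

SIGNALING_PLANE = "signaling"
USER_PLANE = "user"


def rab_is_released(rab_state_vars: Optional[dict]) -> bool:
    """Step 102 check: the RAB state variables read from the protocol stack are
    'invalid' (empty, or all None) when the bearer has been released."""
    return not rab_state_vars or all(v is None for v in rab_state_vars.values())


def encapsulate_image_data(image_data: bytes, rab_state_vars: Optional[dict]) -> dict:
    """Transport choice from the description: when the RAB is released, the packed
    image goes into the data body field of a NAS signaling message on the signaling
    plane; otherwise it travels as a user-plane packet on the data radio bearer."""
    if rab_is_released(rab_state_vars):
        return {"plane": SIGNALING_PLANE, "layer": "NAS", "body": image_data}
    return {"plane": USER_PLANE, "layer": "PDCP", "body": image_data}


def extract_feature(image_data: bytes) -> str:
    """Assumption: a digest of the image bytes plays the role of the graphical
    feature that indexes the preset database (the patent uses feature points)."""
    return hashlib.sha256(image_data).hexdigest()[:16]


@dataclass
class PresetDatabase:
    """Server side: feature -> second terminal number, and
    (second terminal, first terminal) -> key, one second terminal to many first terminals."""
    features: Dict[str, str]
    keys: Dict[Tuple[str, str], bytes]

    def lookup(self, image_data: bytes, first_terminal_id: str):
        second_id = self.features.get(extract_feature(image_data))
        if second_id is None:
            return None, None  # unknown second terminal: no key is issued
        return second_id, self.keys.get((second_id, first_terminal_id))

    def update_key(self, second_id: str, first_terminal_id: str, new_key: bytes) -> None:
        """Changed or newly entered key sent by the first terminal (FIG. 10/11 flows)."""
        self.keys[(second_id, first_terminal_id)] = new_key


def second_terminal_authenticates(expected_key: bytes, presented_key: Optional[bytes]) -> bool:
    """The second terminal (ATM, gate) checks the key the first terminal forwards.
    A missing key always fails; the comparison is constant-time."""
    if presented_key is None:
        return False
    return hmac.compare_digest(expected_key, presented_key)


def run_exchange(image_data: bytes, first_terminal_id: str, rab_state_vars: Optional[dict],
                 db: PresetDatabase, second_terminal_keys: Dict[str, bytes]) -> dict:
    """Steps 101-103 (first terminal) and 501-502 (server) as one exchange.
    `second_terminal_keys` is a constructed stand-in for each second terminal's own
    record of the key it expects from this first terminal."""
    request = encapsulate_image_data(image_data, rab_state_vars)          # step 102
    second_id, key = db.lookup(request["body"], first_terminal_id)        # steps 501-502
    reply = {"plane": request["plane"], "key": key}                        # same plane back
    expected = second_terminal_keys.get(second_id) if second_id else None
    authenticated = expected is not None and second_terminal_authenticates(expected, reply["key"])
    return {"plane": request["plane"], "second_terminal": second_id, "authenticated": authenticated}


# Constructed sample data (not from the patent).
ATM_IMAGE = b"constructed image bytes: ATM 001 front panel"
GATE_IMAGE = b"constructed image bytes: access gate 002"
FIRST_TERMINAL = "phone-A"
K_ATM = bytes.fromhex("00112233445566778899aabbccddeeff")
K_GATE = bytes.fromhex("ffeeddccbbaa99887766554433221100")

DB = PresetDatabase(
    features={extract_feature(ATM_IMAGE): "001", extract_feature(GATE_IMAGE): "002"},
    keys={("001", FIRST_TERMINAL): K_ATM, ("002", FIRST_TERMINAL): K_GATE},
)
SECOND_TERMINAL_KEYS = {"001": K_ATM, "002": K_GATE}

if __name__ == "__main__":
    # RAB released (state variable None) -> signaling plane; the ATM authenticates the phone.
    print(run_exchange(ATM_IMAGE, FIRST_TERMINAL, {"rab_id": None}, DB, SECOND_TERMINAL_KEYS))
    # RAB established -> user plane.
    print(run_exchange(GATE_IMAGE, FIRST_TERMINAL, {"rab_id": 5}, DB, SECOND_TERMINAL_KEYS))
```

The second terminal never learns anything from the image; it only checks the key it expects, so a first terminal the server has no entry for gets no key and is rejected. After `update_key` on the server, the second terminal's own record must be rotated as well or the exchange fails, which is the consistency requirement behind the key-change flow of FIG. 11.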
- the first terminal includes: an obtaining module 61, a first sending module 62, and a first receiving module 63, where:
- the acquisition module 61 is configured to acquire image data of the second terminal.
- The first sending module 62 is configured to: when the radio access bearer is in a released state, send the image data to the server by using signaling for transmitting data under an IoT protocol, where the image data is used to request the server to send a key corresponding to the first terminal; and send the key to the second terminal, where the key is used by the second terminal to authenticate the first terminal.
- the first receiving module 63 is configured to receive a key transmitted by the server.
- The obtaining module 61 is further configured to: search for at least one terminal; determine the second terminal from the at least one terminal; and collect an image of the second terminal to obtain the image data.
- the first terminal may search at least one terminal through Bluetooth, and may also search for at least one terminal by using other local area network protocols, such as WiFi, ZigBee, and the like.
- the terminal may specifically be an ATM machine, an access security gate, a smart bus or a credit card machine on a subway, and the like.
- The first sending module 62 is further configured to establish a signaling radio bearer between the terminal and the core network, generate a non-access stratum signaling message from the image data, and send the non-access stratum signaling message to the server on the signaling radio bearer.
- That is, the first sending module 62 establishes a signaling radio bearer between the first terminal and the core network, generates a non-access stratum signaling message from the image data of the second terminal, and sends the non-access stratum signaling message to the server on the signaling radio bearer.
- When the radio access bearer is in the released state, only a network whose signaling plane protocol architecture supports transmitting data through the signaling plane can send the image data to the server through the non-access stratum of the signaling plane. Network protocols meeting this condition include NB-IoT, eMTC, and the like.
- the first sending module 62 is further configured to: when the radio access bearer is in an established state, send image data to the server based on the data radio bearer on the user plane.
- The first terminal further includes an unlocking module, configured to generate a first prompt message when the first terminal is in a locked state, where the first prompt message is used to prompt the first terminal user to unlock the first terminal; to obtain an operation performed in response to the first prompt message; to unlock the first terminal in response to the operation; and, after the unlocking succeeds, to bring the first terminal into a working state.
- To reduce power consumption and ensure security, the first terminal cannot always remain in the working state and search for at least one terminal; its working time can be set according to user requirements, for example entering the locked state after working for 1 minute or 10 minutes.
- The first terminal further includes a determining module, configured to read the state of the radio access bearer between the first terminal and the core network saved in the protocol stack; when there is no data transmission channel between the first terminal and the core network, the determining module determines that the radio access bearer is in the released state.
- the first terminal further includes a verification module configured to generate a second prompt information when it is determined that the identity of the first terminal user needs to be verified according to the acquired image data of the second terminal.
- the second prompt information is used to prompt the first terminal user to input the verification information, and is further configured to obtain the verification information input by the first terminal user, and is further configured to verify the input verification information.
- the first sending module 62 is further configured to send the key to the second terminal after the verification succeeds.
- the second terminal may be an ATM machine or an access control device.
- when the second terminal is an ATM machine, the identity of the first terminal user needs to be verified, and the second terminal authenticates the first terminal only after that verification; the purpose of the verification is to improve security.
- when the second terminal is an access control device, the identity of the first terminal user does not need to be verified, and the second terminal can authenticate the first terminal directly.
- the first terminal further includes an entry module configured to send the changed key or the newly entered key to the server when the key corresponding to the first terminal is changed or a new key is entered; the server uses the changed key or the newly entered key to update the preset database.
- the first receiving module 63 is implemented by a communication interface on the first terminal; the obtaining module 61, the unlocking module and the determining module may be implemented by a processor on the first terminal, such as a central processing unit (CPU), a microprocessor (MPU, Micro Processor Unit), a digital signal processor (DSP) or a Field Programmable Gate Array (FPGA); the first sending module 62, the verification module and the entry module are implemented by a processor on the first terminal, such as a CPU, an MPU, a DSP or an FPGA, in combination with a communication interface.
- the embodiment provides a server, which includes a second receiving module 71 and a second sending module 72, where:
- the second receiving module 71 is configured to receive image data of the second terminal that the first terminal transmits using signaling for transmitting data through the Internet of Things protocol.
- the second sending module 72 is configured to perform a lookup in the preset database using the image data, obtain the key corresponding to the first terminal, and send the key to the first terminal, where the key is used to authenticate the first terminal after the first terminal sends it to the second terminal.
- the second receiving module 71 is further configured to receive the changed key or the newly entered key sent by the first terminal, where the changed key and the newly entered key correspond to the second terminal.
- the second receiving module 71 is further configured to receive the image data that the first terminal sends through the non-access stratum of the signaling plane, over the signaling radio bearer between the first terminal and the core network.
- the signaling radio bearer between the terminal and the core network corresponds to the NAS layer of the MME on the core network side, that is, the image data transmitted on the signaling radio bearer is received by the NAS layer of the MME.
- the MME sends the image data to the SCEF, and the server receives the image data sent by the SCEF.
- the MME may send the image data to the SGW, and the SGW sends the image data to the PGW, and the server receives the image data sent by the PGW.
- the second sending module 72 is further configured to extract feature information from the image data based on a feature extraction strategy, and to perform the search in the preset database according to the extracted feature information.
- the second sending module 72 sends the key to the first terminal using the signaling for transmitting data through the Internet of Things protocol.
- the key may be sent to the first terminal using the NB-IoT or eMTC protocol. That is, when the radio access bearer is in the released state, the second sending module 72 sends the key to the first terminal through the NAS layer of the signaling plane; when the radio access bearer is in the established state, the second sending module 72 sends the key to the first terminal through the user plane.
- the server further includes an update module configured to update the preset database based on the changed key or a new key entered.
- the update module is implemented by a processor located on the second terminal, such as a CPU, an MPU, a DSP, an FPGA or the like; the second receiving module 71 and the second sending module 72 may be implemented by a processor located on the second terminal, such as a CPU, an MPU, a DSP or an FPGA, in combination with a communication interface.
- FIG. 8 is a schematic diagram of the internal module structure of the first terminal. As shown in FIG. 8, the internal modules of the first terminal include a user interaction module 801, an NB-IoT/eMTC communication module 802, a Bluetooth/WiFi communication module 803, an information collection module 804, and an image acquisition module 805.
- User interaction module 801 used to complete the interaction between the first terminal and the user; the interaction mode can be a user interface (UI, User Interface) display, button confirmation, voice prompts and the like.
- NB-IoT/eMTC communication module 802 used for the link to the server: the image data of the second terminal is sent in the uplink, and the downlink carries authentication information such as the key and the personal information requested by the first terminal. When the radio access bearer is established, the user plane is used to transmit the image data; when the radio access bearer is released, the image data is transmitted over the signaling plane.
- Bluetooth/WiFi communication module 803 used to search for and connect surrounding hosts (second terminals), such as ATM machines, access control security gates, smart bus/metro credit card machines, and the like. After the server sends the authentication data, such as the key, to the first terminal for authentication, the key is sent to the host through the Bluetooth/WiFi communication module 803, and the host completes the authentication of the first terminal.
- the search and connection technology can use Bluetooth, and can also be completed by other LAN protocols such as WiFi, ZigBee, and the like.
- Information collection module 804 used for input and output. The first terminal cannot always be in the working state searching for surrounding hosts; most of the time it is in the standby state, that is, the locked state. In the locked state the first terminal is not available and does not search for nearby hosts. The working time of the first terminal can be set by the first terminal user, for example to 1 minute or 10 minutes. The information collection module 804 is required to unlock the first terminal; during the period after unlocking, the first terminal is available and searching. The information collection module 804 is also used in the process of adding a key and modifying a key.
- Image acquisition module 805 In an open environment the first terminal may continuously search and find various hosts; for example, there may be an ATM machine at the gate of the residential community, so the first terminal finds multiple hosts. In this case the first terminal user needs to confirm which host is to be connected as the second terminal. After the second terminal is determined, live-view capture is used: the user collects an image with the camera of the first terminal (which belongs to the image acquisition module) and sends it to the server through the NB-IoT/eMTC protocol; the server determines that the host is the second terminal and then sends the key corresponding to the first terminal to the first terminal.
- the first terminal can also be equipped with smart glasses or a similar wearable product, so that the first terminal works automatically and uploads the image data of the second terminal to the server, for example, as long as the vehicle is running straight ahead or the user is observing the host to be operated, saving time and manpower.
- FIG. 9 is a schematic diagram of a specific implementation process of an authentication method according to an embodiment of the present invention. As shown in FIG. 9, the process includes the following steps:
- Step 901 Determine whether the first terminal is in an active state. If it is determined that the first terminal is in an active state, step 902 is performed. If the first terminal is in the locked state (for example, after the first terminal exceeds the preset working time, the first terminal is in the locked state), step 917 is performed.
- Step 917 The user is prompted to unlock the first terminal, and wait for the user to unlock the first terminal by using a fingerprint or an eye pattern. After the unlocking is successful, step 902 is performed.
- Step 902 In the case that it is determined that the first terminal is in the working state, the first terminal enters a state of searching for the host. When the first terminal searches for at least one host (the second terminal), step 903 is performed. If the first terminal does not find the host, then return to step 901.
- Step 903 Prompt the first terminal user to open the live view authentication by, for example, the user interaction module 801, and wait for the user to open the live view authentication.
- Step 904 The user performs the live view entry. If the live view entry is successful, step 9041 is performed; if the live view entry is unsuccessful, the process returns to step 903.
- Step 9041 The device (the first terminal) is connected to the target host by using a method such as Bluetooth or other local area network, and then step 905 is performed.
- in the live view entry, the user can take a picture of the host device using the first terminal; the photo can be of the gate of the community the user is about to enter, a smart door lock of a house, a bank ATM machine, a bus, a private club key cabinet, and so on.
- Step 905 The first terminal determines whether the radio access bearer exists. If yes (the radio access bearer is in an established state), step 906 is performed; if not (the radio access bearer is in a released state), step 912 is performed.
- in the protocol stack of the first terminal, a series of variables corresponding to the radio access bearer are stored, and these variables can be read to query whether the first terminal holds valid state information related to the radio access bearer. If the variables are empty or their memory has been released, the first terminal does not hold valid state variable information related to the radio access bearer between the first terminal and the core network; the state variable information is then invalid, and the radio access bearer may be determined to be in a released state.
- in the released state, the bearer and signaling connection previously established between the terminal and the core network have been released; when the user requests data again, service request (SR, Service Request) signaling interaction with the core network is performed first, an RRC bearer is established, and a radio bearer and a radio access bearer are established, and only then can data interaction between the terminal and the core network take place.
- Step 906 Send the picture data of the host to the server by using the IoT protocol to use signaling for transmitting data.
- the picture data of the host may be sent to the server through the user plane based on the NB-IoT (or eMTC) protocol.
- the server searches for a preset database. If the key corresponding to the first terminal is found, the key is sent to the first terminal by using the NB-IoT/eMTC protocol.
- Step 907 It is determined whether the key sent by the server to the first terminal is received. If the key is received, step 908 is performed, otherwise step 913 is performed.
- Step 908 Generate a prompt message, for example, "Receive the key of the host "xxx", whether to send?"
- the prompt message is used by the first terminal to determine whether to verify the identity of the user; when it is determined that the identity of the first terminal user needs to be verified, step 909 is performed.
- whether the identity of the user is verified can be determined according to the security level preset by the user.
- for example, key authentication at an ATM machine and identity authentication on a bus can be set to a high security level: only when the user identity is verified and the user presses the confirmation key is the key sent to complete the authentication process.
- that is, when the host is an ATM machine, the first terminal needs to verify the identity of the user, and sends the key to the host only after the user's identity has been verified.
- community access control, company gates and the like can be set to a low security level: without first verifying the user identity or asking for the user's confirmation, the first terminal sends the key directly to the host (in this case steps 908-909 are skipped).
- Step 909 Determine whether the verification information input by the user is received (the confirmation of the user is received). If yes, go to step 910, otherwise go back to step 908.
- Step 910 After verifying that the identity of the user is successful, the key is sent to the host by using Bluetooth or the like.
- Step 911 Determine whether the host authentication is passed. If the host authentication succeeds, step 916 is performed; if the authentication fails, step 915 is performed.
- Step 912 Send the picture data of the host to the server by using the IoT protocol to use signaling for transmitting data.
- the picture of the host may be sent to the server through the NAS layer of the signaling plane based on the NB-IoT or eMTC protocol.
- specifically, the picture data of the host is packaged, the packed data packet is placed in the data body field of the NAS layer to generate a non-access stratum signaling message, and the non-access stratum signaling message is transmitted through the NAS layer to the server on the network side.
- more specifically, the non-access stratum message containing the host picture data is encapsulated in turn by the NAS layer, the RRC layer, the PDCP layer, the RLC layer, the MAC layer and the PHY layer, and then transmitted to the server as a radio signal.
- because the radio access bearer does not need to be re-established, the service request and the establishment of the radio bearer and the radio access bearer are omitted, and the data can be sent to the server quickly.
- Step 913 Prompt the user to take a photo again, return to step 903; or prompt the user that this is a new host device, need to enter a new key, and then perform step 914.
- Step 914 Enter the new-device process.
- Step 915 The host prompts the first terminal user to modify the key; alternatively, step 915 can be that the host directly goes to standby.
- Step 916 The first terminal selects to continue searching or enters the standby mode according to the working time situation. If the working time exceeds the preset time of the user, the device is locked, and the first terminal is in a low power state after being locked.
- FIG. 10 is a schematic diagram of a specific implementation process of a new device according to an embodiment of the present invention, that is, a specific implementation process of entering a new key. As shown in FIG. 10, the process includes the following steps:
- Step 1001 Enter the process of entering a new key.
- Step 1002 Confirm the user information by the information collecting module 804, confirm that the first terminal is used by a legitimate user, and make the first terminal enter the working mode.
- Step 1003 Enter user information and a new key through the information collection module 804.
- Step 1004 Send the entered key to the server.
- when the radio access bearer does not exist (released state), the NAS layer of the signaling plane may be used to send the newly entered key corresponding to the first terminal to the server; otherwise (the radio bearer is established), the newly entered key corresponding to the first terminal is sent to the server through the user plane.
- in the latter case the radio access bearer may be established first, and the packetized data packet is then processed by the PDCP layer, the RLC layer, the MAC layer and the PHY layer and sent in a transport block to the server on the network side.
- Step 1005 The server updates the preset database, creates new key information, and the correspondence between the new key and the first terminal, and the correspondence between the host (second terminal) and the first terminal.
- Step 1006 Prompt the user that the new key has been entered successfully.
- FIG. 11 is a schematic diagram of a specific implementation process of changing a key according to an embodiment of the present invention. As shown in FIG. 11, the process includes the following steps:
- Step 1101 Enter the change key process.
- Step 1102 Confirm the user information by the information collecting module 804, confirm that the first terminal is used by a legitimate user, and make the first terminal enter the working mode.
- Step 1103 Enter the changed key through the information collection module 804.
- Step 1104 Send the changed key to the server.
- the changed key can be sent to the server based on the NB-IoT/eMTC protocol.
- when the radio access bearer does not exist (released state), the NAS layer of the signaling plane may be used to send the entered key corresponding to the first terminal to the server; otherwise (the radio bearer has been established), the entered key corresponding to the first terminal is sent to the server through the user plane.
- in the latter case the radio access bearer may be established first, and the packetized data packet is then processed by the PDCP layer, the RLC layer, the MAC layer and the physical layer and sent in a transport block to the server on the network side.
- Step 1105 The server updates the preset database, creates the changed key information, and the correspondence between the changed key and the first terminal, and the correspondence between the host and the first terminal.
- Step 1106 The server prompts the user to change the key successfully.
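As an added example that is not part of the patent, the following Python simulation walks the FIG. 9 decision flow (working/locked state, radio access bearer check and uplink path, preset-database lookup, security-level-gated user verification, host authentication) together with the FIG. 10 and FIG. 11 key entry and key change flows. The feature-extraction strategy, the security-level table, the database layout and all sample hosts and images are assumptions.

```python
# Added example, not code from the patent: a simulation of the FIG. 9 authentication
# flow and the FIG. 10/11 key entry and key change flows. The feature extraction
# strategy (SHA-256 of the image bytes), the security-level table, the database
# layout and all sample data are constructed assumptions.
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Steps 908/909: host kinds whose key is released only after the user is verified.
HIGH_SECURITY = {"atm", "bus"}          # constructed security-level table

def extract_features(image: bytes) -> str:
    # Stand-in for the server's feature extraction strategy (constructed).
    return hashlib.sha256(image).hexdigest()

@dataclass
class Server:
    # Preset database: (first terminal id, host image features) -> key.
    db: Dict[Tuple[str, str], bytes] = field(default_factory=dict)

    def lookup(self, terminal_id: str, image: bytes) -> Optional[bytes]:
        # Server side of steps 906/912: search the preset database by image features.
        return self.db.get((terminal_id, extract_features(image)))

    def update(self, terminal_id: str, image: bytes, key: bytes) -> None:
        # Steps 1005/1105: store the new or changed key and its correspondences.
        self.db[(terminal_id, extract_features(image))] = key

@dataclass
class Host:
    # The second terminal (ATM, gate, ...) and the key it expects.
    kind: str
    expected_key: bytes

    def authenticate(self, key: bytes) -> bool:
        # Step 911: constant-time comparison so timing does not leak key bytes.
        return hmac.compare_digest(key, self.expected_key)

@dataclass
class FirstTerminal:
    terminal_id: str
    working: bool = True
    log: List[str] = field(default_factory=list)

    def transport(self, rab_established: bool) -> str:
        # Step 905: established RAB -> user plane (step 906); released RAB ->
        # NAS signalling plane, skipping service request and bearer setup (912).
        return "user-plane" if rab_established else "nas-signalling"

    def authenticate_to(self, host: Host, image: bytes, server: Server,
                        rab_established: bool, user_verified: bool,
                        unlocked: bool = True) -> str:
        if not self.working:                       # steps 901/917
            if not unlocked:
                return "locked"
            self.working = True
        self.log.append(f"image via {self.transport(rab_established)}")
        key = server.lookup(self.terminal_id, image)   # steps 906/912/907
        if key is None:
            return "no-key"                            # step 913
        if host.kind in HIGH_SECURITY and not user_verified:
            return "verification-required"             # steps 908/909
        # Steps 910/911: the key is handed to the host over the local link.
        return "authenticated" if host.authenticate(key) else "rejected"

    def enter_key(self, server: Server, image: bytes, key: bytes,
                  rab_established: bool, legitimate_user: bool) -> bool:
        # FIG. 10 (new key) and FIG. 11 (changed key) share this path.
        if not legitimate_user:                        # steps 1002/1102
            return False
        self.log.append(f"key via {self.transport(rab_established)}")  # 1004/1104
        server.update(self.terminal_id, image, key)    # steps 1005/1105
        return True

def demo() -> Dict[str, str]:
    # Run the flows on constructed sample data and collect the outcomes.
    atm_image, gate_image = b"constructed-atm-photo", b"constructed-gate-photo"
    atm_key, gate_key = secrets.token_bytes(16), secrets.token_bytes(16)
    atm, gate = Host("atm", atm_key), Host("community-gate", gate_key)
    server, t = Server(), FirstTerminal("terminal-A")
    t.enter_key(server, atm_image, atm_key, rab_established=False, legitimate_user=True)
    t.enter_key(server, gate_image, gate_key, rab_established=True, legitimate_user=True)
    out = {
        "atm_unverified": t.authenticate_to(atm, atm_image, server, False, False),
        "atm_verified": t.authenticate_to(atm, atm_image, server, False, True),
        "gate_direct": t.authenticate_to(gate, gate_image, server, True, False),
        "unknown_host": t.authenticate_to(gate, b"new-host-photo", server, True, False),
    }
    # FIG. 11: a changed key replaces the stored one, but the host still holds the
    # old key, so step 911 fails and the host would prompt for key modification (915).
    t.enter_key(server, atm_image, secrets.token_bytes(16), False, True)
    out["atm_after_change"] = t.authenticate_to(atm, atm_image, server, False, True)
    return out
```

Calling demo() returns the outcome of each case; the last case shows the failure mode in which the server's copy of the key is changed before the host learns the new one.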
- embodiments of the present invention can be provided as a method, system, or computer program product. Accordingly, the present invention can take the form of a hardware embodiment, a software embodiment, or a combination of software and hardware. Moreover, the invention can take the form of a computer program product embodied on one or more computer-usable storage media (including but not limited to disk storage and optical storage, etc.) including computer usable program code.
- these computer program instructions can also be stored in a computer readable memory that can direct a computer or other programmable data processing device to operate in a particular manner, such that the instructions stored in the computer readable memory produce an article of manufacture comprising instruction means, which implement the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
- these computer program instructions can also be loaded onto a computer or other programmable data processing device, such that a series of operational steps are performed on the computer or other programmable device to produce computer-implemented processing, so that the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
- an embodiment of the present invention further provides a computer storage medium, where the computer storage medium includes a set of instructions which, when executed, cause at least one processor to perform the above server-side authentication method or the above terminal-side authentication method.
Description
The present invention relates to the field of Internet of Things technologies, and in particular to an authentication method, a terminal and a server.
At present, smart devices are everywhere in people's lives, and human-computer interaction is very frequent. Authentication is usually part of each human-computer interaction. For example, at the access control of a residential community, authentication is performed by swiping an access card, scanning a fingerprint, or entering a key; on a bus, authentication is performed by swiping a bus card or the chip inside a mobile phone; at a bank's automatic teller machine (ATM, Automatic Teller Machine), authentication is performed by the ATM reading the bank card information and the user entering a password.
However, in some human-computer interaction situations that require frequent authentication and a large amount of key (or password) input, long waiting times or card-swipe failures cause low efficiency; the way a key is entered may be observed by others, leading to key leakage and hence insecurity; in addition, the devices on which keys are entered and fingerprints pressed are shared by many people, so there is a hygiene problem.
Therefore, there is an urgent need for a solution that achieves fast and secure authentication.
Summary of the invention
An embodiment of the present invention provides an authentication method applied to a first terminal, the method including: acquiring image data of a second terminal; when the radio access bearer is in a released state, sending the image data to a server through an Internet of Things protocol using signaling for transmitting data, where the image data is used to request the server to send a key corresponding to the first terminal; receiving the key sent by the server and sending the key to the second terminal, where the key is used by the second terminal to authenticate the first terminal.
An embodiment of the present invention further provides an authentication method applied to a server, the method including: receiving image data of a second terminal sent by a first terminal through an Internet of Things protocol using signaling for transmitting data; and using the image data to perform a lookup in a preset database, obtaining a key corresponding to the first terminal, and sending the key to the first terminal, where the key is used to authenticate the first terminal after the first terminal sends it to the second terminal.
An embodiment of the present invention further provides a first terminal, including: an acquiring module configured to acquire image data of a second terminal; a first sending module configured to send the image data to a server through an Internet of Things protocol using signaling for transmitting data when the radio access bearer is in a released state, where the image data is used to request the server to send a key corresponding to the first terminal, and further configured to send the key to the second terminal, where the key is used by the second terminal to authenticate the first terminal; and a first receiving module configured to receive the key sent by the server.
An embodiment of the present invention further provides a computer storage medium including a set of instructions which, when executed, cause at least one processor to perform the above authentication method applied to the first terminal.
An embodiment of the present invention further provides a computer storage medium including a set of instructions which, when executed, cause at least one processor to perform the above authentication method applied to the server.
FIG. 1 is a schematic diagram of the implementation flow of the authentication method according to Embodiment 1 of the present invention;
FIG. 2 is a schematic diagram of the protocol structure of an NB-IoT network according to an embodiment of the present invention;
FIG. 3 is a schematic diagram of the transmission of image data on the signaling plane according to an embodiment of the present invention;
FIG. 4 is a schematic diagram of the transmission of image data on the user plane according to an embodiment of the present invention;
FIG. 5 is a schematic diagram of the implementation flow of the authentication method according to Embodiment 2 of the present invention;
FIG. 6 is a schematic diagram of the structure of the first terminal according to Embodiment 3 of the present invention;
FIG. 7 is a schematic diagram of the structure of the server according to Embodiment 4 of the present invention;
FIG. 8 is a schematic diagram of the internal module structure of the first terminal according to an embodiment of the present invention;
FIG. 9 is a schematic diagram of a specific implementation flow of the authentication method according to an embodiment of the present invention;
FIG. 10 is a schematic diagram of a specific implementation flow of entering a new key according to an embodiment of the present invention;
FIG. 11 is a schematic diagram of a specific implementation flow of changing a key according to an embodiment of the present invention.
In order to understand the features and technical content of the embodiments of the present invention in more detail, the implementation of the embodiments is described in detail below with reference to the accompanying drawings.
The Internet of Things is a major trend in the development of current communication technology. Among Internet of Things technologies and standards, cellular-based Narrow Band Internet of Things (NB-IoT, Narrow Band Internet of Things) and enhanced Machine Type Communication (eMTC) have risen rapidly and are widely regarded as promising in the IoT market, both for their technical advantages and for their application scenarios. Several device vendors are refining and designing products that support these two protocols. Both the NB-IoT and eMTC protocols support transmitting a small amount of user data on the signaling plane. The authentication scenario in human-computer interaction is an IoT application scenario, characterized by small data volumes and discontinuous transmission.
On the other hand, as described in the background, current authentication methods such as card swiping, key entry and fingerprint pressing have problems in efficiency, security and hygiene. The embodiments proposed by the present invention aim to draw on the above signaling-plane transmission technology to solve these problems.
实施例一Embodiment 1
如图1所示,本实施例以第一终端侧为例详细说明鉴权方法。该方法包括以下步骤:As shown in FIG. 1 , the first terminal side is taken as an example to describe the authentication method in detail. The method includes the following steps:
步骤101:获取第二终端的图像数据。Step 101: Acquire image data of the second terminal.
步骤101可具体包括:搜索得到至少一个终端;从所述至少一个终端中确定所述第二终端;以及采集所述第二终端的图像,得到所述图像数据。Step 101 may specifically include: searching for at least one terminal; determining the second terminal from the at least one terminal; and collecting an image of the second terminal to obtain the image data.
这里,实际应用时,第一终端可以通过蓝牙对至少一个终端进行搜索,还可以采用其他局域网协议,如无线保真(WiFi,Wireless Fidelity)、ZigBee等对至少一个终端进行搜索。其中,终端具体可以为ATM机、门禁安防闸机、智能公交车或者地铁上的刷卡机,等等。Here, in actual application, the first terminal may search for at least one terminal through Bluetooth, and may also search for at least one terminal by using other local area network protocols, such as Wireless Fidelity (WiFi), ZigBee, and the like. The terminal may specifically be an ATM machine, an access security gate, a smart bus or a credit card machine on a subway, and the like.
Before the search, each of the at least one terminal may be assigned an identifier; for example, an ATM is numbered 001, an access-control security gate is numbered 002, and a card reader on a smart bus or on the subway is numbered 003.
The first terminal may determine the second terminal from the at least one terminal found by the search in the following way: the first terminal finds at least one terminal, and the user of the first terminal selects one of them as the second terminal by means of a user-interface display, a key confirmation or a voice prompt. Alternatively, the first terminal presets a rule and determines the second terminal according to that rule; for example, the rule may be that the first terminal measures the distance between itself and each terminal found by the search and selects the nearest terminal as the second terminal. Further, the first terminal may display on the user interface the distance to each terminal measured according to the preset rule, and the user of the first terminal determines the second terminal according to actual needs.
Here, before the at least one terminal is found by the search, the method may further include: when the first terminal is in a locked state, generating a first prompt message, which prompts the user of the first terminal to unlock the first terminal; obtaining an operation, which is the user's response to the first prompt message; unlocking the first terminal in response to the operation; and entering a working state after the unlock succeeds.
In practical application, to reduce power consumption and ensure security, the first terminal cannot remain permanently in the working state or in the state of searching for at least one terminal. The working time of the first terminal can be set according to user requirements; for example, the first terminal enters the locked state after working for 1 minute or 10 minutes.
Step 102: when the radio access bearer is in the released state, send the image data to the server over the Internet of Things protocol using signaling that is used for transmitting data. Here, the image data is used to request that the server send the key corresponding to the first terminal.
The radio access bearer (RAB, Radio Access Bearer) comprises the radio bearer (RB, Radio Bearer) between the user equipment (UE, User Equipment) and the UMTS terrestrial radio access network (UTRAN, UMTS Terrestrial Radio Access Network), and the Iu bearer between the core network (CN, Core Network) and the UTRAN.
Here, the step of sending the image data to the server over the Internet of Things protocol using signaling that is used for transmitting data may include: sending the image data to the server through the non-access stratum of the signaling plane, where the non-access stratum is capable of carrying data between the terminal and the core network.
In practical application, the Internet of Things protocol may be the NB-IoT protocol or the eMTC protocol.
In an embodiment, step 102 further includes: reading the state variable information of the radio access bearer; and, when the state variable information is invalid, determining that the radio access bearer is in the released state.
In practical application, a set of variables corresponding to the radio access bearer is stored in the protocol stack memory local to the first terminal. Reading these variables allows the first terminal to check whether it holds valid state variable information for the radio access bearer: if the variables are empty or the memory has been freed, the first terminal holds no valid state variable information for the radio access bearer between the first terminal and the core network, the state variable information is invalid, and the radio access bearer can therefore be determined to be in the released state.
In practical application, when the radio access bearer is in the released state, the image data can be sent to the server through the non-access stratum of the signaling plane only if the signaling-plane protocol architecture of the network supports transmitting data over the signaling plane; network protocols that satisfy this condition include NB-IoT and eMTC.
Taking NB-IoT as an example, FIG. 2 shows the protocol structure of an NB-IoT network. As shown in FIG. 2, the protocol structure includes the UE, the base station (E-NodeB), the mobility management entity (MME, Mobility Management Entity) and the serving gateway (SGW, Serving GateWay). The protocol architecture of the NB-IoT network includes a control-plane protocol architecture and a user-plane protocol architecture; the control plane is also called the signaling plane.
The signaling-plane protocol architecture includes: the non-access stratum (NAS, Non-Access Stratum), the radio resource control layer (RRC, Radio Resource Control), the packet data convergence protocol layer (PDCP, Packet Data Convergence Protocol), the radio link control layer (RLC, Radio Link Control), the medium access control layer (MAC, Medium Access Control) and the physical layer (PHY, Physical Layer). On the MME side, the signaling-plane protocol architecture consists of the NAS layer. The NAS layer supports the transmission of signaling and data between the terminal and the core network. The RRC layer handles layer-3 control-plane information between the terminal and the base station; its functions include RB control, broadcast and paging. The PDCP layer is responsible for IP header compression and decompression and for transporting user data. The RLC layer is responsible for segmentation and concatenation, retransmission handling and in-order delivery of upper-layer data. The MAC layer provides services to the RLC layer in the form of logical channels. The PHY layer is responsible for coding and decoding, modulation and demodulation, multi-antenna mapping and so on. The user-plane protocol architecture includes PDCP, RLC, MAC and PHY.
Here, sending the image data to the server through the non-access stratum of the signaling plane includes: establishing a signaling radio bearer between the terminal and the core network, generating a non-access stratum signaling message from the image data, and sending the non-access stratum signaling message to the server on the signaling radio bearer.
In practical application, the above step may include: packing the image data, placing the packed data packet in the data body field of the non-access stratum to generate a non-access stratum signaling message, and transmitting this non-access stratum signaling message through the non-access stratum to the server on the network side. Specifically, the non-access stratum message passes through the non-access stratum, the RRC layer, the PDCP layer, the RLC layer and the MAC layer before being transmitted to the server.
In the prior art, the data packet formed by packing the image data passes through the PDCP layer, the RLC layer and the MAC layer, is encapsulated by the physical layer, and is then sent to the server on the network side in the form of a transport block.
FIG. 3 shows how the image data is transmitted on the signaling plane. As shown in FIG. 3, the transmission of the image data between the first terminal and the server on the signaling plane comprises two parts: the first part is the data transmission between the first terminal and the base station, and the second part is the data transmission between the base station and the core network.
The first part, the data transmission between the first terminal and the base station, is specifically: the first terminal packs the acquired image data of the second terminal, places it in the data body field of the non-access stratum and generates a non-access stratum signaling message. The non-access stratum signaling message is processed in turn by the NAS layer, the RRC layer, the PDCP layer, the RLC layer, the MAC layer and the PHY layer, and the PHY layer then transmits it over a radio-frequency signal to the NAS layer on the base station side. Because the non-access stratum signaling message transmitted by the NAS layer of the first terminal can carry data, when no radio access bearer exists, that is, when the radio access bearer is in the released state, there is no need to establish the data radio bearer that a radio bearer comprises, which also avoids the delay caused by establishing a radio bearer.
The second part, the data transmission between the base station and the core network, is specifically: the base station processes the received non-access stratum signaling message containing the image data in turn through the PHY layer, the MAC layer, the RLC layer, the PDCP layer, the RRC layer and the NAS layer, and the NAS layer then sends it to the MME. After receiving the non-access stratum signaling message containing the image data, the MME may send it to the service capability exposure function (SCEF, Service Capability Exposure Function), and the SCEF forwards the non-access stratum signaling message containing the image data to the server (Services); alternatively, the MME may send the non-access stratum signaling message containing the image data to the SGW, the SGW sends it to the packet data network gateway (PGW, Packet Data Network Gateway), and the PGW sends the non-access stratum signaling message containing the image data to the server.
Based on the signaling radio bearer between the first terminal and the core network, when the radio access bearer is in the released state, that is, when no data transmission channel exists between the first terminal and the core network, the first terminal sends the image data of the second terminal to the server over the Internet of Things protocol using signaling that is used for transmitting data, more specifically through the NAS layer of the signaling plane. Because the radio access bearer does not need to be re-established, the delay caused by establishing a radio access bearer is avoided, the image data of the second terminal can be sent quickly to the server on the network side, and fast authentication is thereby achieved.
In an embodiment, step 102 further includes: when the radio access bearer is in the established state, sending the image data to the server through the user plane. Here, the image data is used to request that the server send the key corresponding to the first terminal.
Specifically, when the radio access bearer is in the established state, the image data is sent to the server through the user plane. In this case a data radio bearer needs to be established. FIG. 4 shows how the image data is transmitted on the user plane. The transmission of the image data between the first terminal and the server on the user plane comprises two parts: the first part is the data transmission between the first terminal and the base station, and the second part is the data transmission between the base station and the core network.
The first part, the data transmission between the first terminal and the base station, is specifically: the first terminal packs the acquired image data of the second terminal, the packed data packet is processed in turn by the PDCP layer, the RLC layer and the MAC layer and encapsulated by the PHY layer, and the PHY layer then transmits the data packet containing the image data over a radio-frequency signal to the PDCP layer on the base station side.
The second part, the data transmission between the base station and the core network, is specifically: the base station processes the received data packet containing the image data in turn through the PHY layer, the MAC layer, the RLC layer and the PDCP layer and sends it to the SGW; the SGW sends it to the PGW, and the PGW sends the data packet containing the image data to the server on the network side.
When the radio access bearer is in the established state, the first terminal sends the image data of the second terminal to the server based on the data radio bearer on the user plane.
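The transport decision of step 102, modelled as an added example (this is not code from the patent or from its applicant): the terminal reads its stored bearer state variables, treats an empty set as "released", refuses the signaling-plane path on a protocol whose NAS layer cannot carry data, and otherwise packs the image into the data body field of a NAS message. The 1-byte type, 2-byte length and CRC-32 trailer framing, the body-size limit and all function names are assumptions made for the illustration; real NAS message encoding is defined by the network standard, not by this sketch.

```python
"""Step 102 of the first embodiment, modelled in Python (added illustration).

Assumed, not from the patent: the state-variable check, the protocol gate and
the NAS data-body layout (1-byte message type, 2-byte body length, packed
body, CRC-32 trailer).
"""
import struct
import zlib
from dataclasses import dataclass, field

# Protocols whose signaling-plane architecture carries data in NAS messages.
SIGNALLING_PLANE_DATA_CAPABLE = {"NB-IoT", "eMTC"}

NAS_DATA_MSG_TYPE = 0x01   # assumed message-type value for a "data body" message
MAX_NAS_BODY = 1500        # assumed upper bound for one data body field


@dataclass
class RabStateVariables:
    """Stand-in for the radio-access-bearer variables kept in the protocol
    stack memory of the first terminal (constructed for this example)."""
    variables: dict = field(default_factory=dict)

    def is_released(self) -> bool:
        # The patent's rule: empty variables (or freed memory) mean there is no
        # valid state information, so the RAB is treated as released.
        return not self.variables


def select_transport(rab: RabStateVariables, protocol: str) -> str:
    """Pick the transport path for the image data request."""
    if not rab.is_released():
        return "user-plane/DRB"        # established RAB: use the data radio bearer
    if protocol not in SIGNALLING_PLANE_DATA_CAPABLE:
        # Without NAS data support the terminal would have to re-establish the
        # RAB, which is exactly the delay the method sets out to avoid.
        raise RuntimeError(f"{protocol} cannot carry data on the signaling plane")
    return "control-plane/NAS"


def build_nas_data_message(image_data: bytes) -> bytes:
    """Pack the image data and place it in the data body field of a NAS
    signaling message (assumed framing, see module docstring)."""
    body = zlib.compress(image_data)   # the 'packing' step
    if len(body) > MAX_NAS_BODY:
        raise ValueError("packed image data does not fit in one data body field")
    header = struct.pack("!BH", NAS_DATA_MSG_TYPE, len(body))
    payload = header + body
    return payload + struct.pack("!I", zlib.crc32(payload))


def parse_nas_data_message(message: bytes) -> bytes:
    """Receiving-side counterpart: validate the framing before trusting the body."""
    if len(message) < 7:
        raise ValueError("message too short")
    payload, trailer = message[:-4], message[-4:]
    if struct.unpack("!I", trailer)[0] != zlib.crc32(payload):
        raise ValueError("CRC mismatch: message corrupted")
    msg_type, length = struct.unpack("!BH", payload[:3])
    if msg_type != NAS_DATA_MSG_TYPE or length != len(payload) - 3:
        raise ValueError("malformed NAS data message")
    return zlib.decompress(payload[3:])


def send_image_data(rab: RabStateVariables, protocol: str, image_data: bytes):
    """Return (transport, wire bytes) for the image data request."""
    transport = select_transport(rab, protocol)
    if transport == "control-plane/NAS":
        return transport, build_nas_data_message(image_data)
    return transport, image_data   # user plane: carried in a DRB PDU instead
```

The receiving side checks the length field and the CRC before decompressing, so a truncated or corrupted body is rejected instead of being handed to the image pipeline.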
Step 103: receive the key sent by the server and send the key to the second terminal. Here, the key is used by the second terminal to authenticate the first terminal.
Here, before the key is sent to the second terminal, step 103 further includes: when it is determined from the acquired image data of the second terminal that the identity of the user of the first terminal needs to be verified, generating second prompt information, which prompts the user of the first terminal to input verification information; obtaining the verification information input by the user of the first terminal; and checking the input verification information, and sending the key to the second terminal only after the check succeeds.
In practical application, the second terminal may be a transfer machine, an access-control card terminal or another device. When the second terminal is a transfer machine, the identity of the user of the first terminal must be checked before the second terminal authenticates the first terminal; the purpose of the check is to improve security. When the second terminal is an access-control card terminal, the identity of the user of the first terminal does not need to be checked, and the second terminal can authenticate the first terminal directly.
The verification information input by the user of the first terminal may be fingerprint information, a voice segment, a key, and so on.
Checking the input verification information includes: when the input verification information is fingerprint information, performing fingerprint image format conversion, image segmentation and image enhancement, image filtering, image binarization, image thinning, and feature point extraction and matching on the fingerprint information; when the input verification information is a voice segment, performing pre-emphasis, framing, windowing and Mel filter-bank filtering on the voice to obtain Mel-frequency cepstral coefficients (MFCC, Mel Frequency Cepstrum Coefficient), reducing the dimensionality of the MFCCs by principal component analysis (PCA, Principal Components Analysis), and then performing pattern matching by vector quantization (VQ, Vector Quantization); and when the input verification information is a key, comparing the key with a preset key store.
In an embodiment, the method further includes: when the key corresponding to the first terminal is changed or a new key is entered, sending the changed key or the newly entered key to the server, where the changed key or the newly entered key is used by the server to update the preset database.
In practical application, for example, when the second terminal fails to authenticate the first terminal and the first terminal receives the authentication failure message sent by the second terminal, the user of the first terminal can change the key corresponding to the first terminal and send the changed key to the server, for the server to update the preset database.
When the key corresponding to the first terminal cannot be found in the preset database of the server, the user of the first terminal can enter a new key and send it to the server; or, when the second terminal is a new device and the preset database on the server does not yet store the correspondence between the second terminal and the key of the first terminal, the user of the first terminal enters a new key and sends it to the server.
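The gate in step 103, as an added example (not the patent's own code): the key received from the server is released to the second terminal only when the policy for that class of second terminal is satisfied. The terminal classes, the rule that unknown classes are treated like transfer machines, the similarity threshold for biometric matchers, and the key-store format are assumptions; the fingerprint and voice pipelines described in the text are represented only by the score they would produce.

```python
"""Step 103 of the first embodiment, modelled in Python (added illustration).

Assumed, not from the patent: the TerminalClass values, the policy table,
the 0.9 biometric threshold and the list-of-bytes key store.
"""
import hmac
from enum import Enum
from typing import List, Optional


class TerminalClass(Enum):
    TRANSFER_MACHINE = "transfer"   # e.g. an ATM: verify the user first
    ACCESS_CONTROL = "access"       # e.g. a door gate: forward the key directly
    OTHER = "other"


# Policy from the patent text: a transfer machine requires the user of the
# first terminal to be verified before the key is released, an access-control
# terminal does not. Unknown classes fail closed (assumption).
REQUIRES_USER_VERIFICATION = {
    TerminalClass.TRANSFER_MACHINE: True,
    TerminalClass.ACCESS_CONTROL: False,
    TerminalClass.OTHER: True,
}


def verify_key_input(entered: bytes, preset_keystore: List[bytes]) -> bool:
    """'Key' verification: compare the entered value with the preset key store.
    hmac.compare_digest keeps the comparison time independent of where the
    first differing byte is, so timing does not reveal partial matches."""
    return any(hmac.compare_digest(entered, k) for k in preset_keystore)


class KeyForwarder:
    """Holds the key received from the server and releases it to the second
    terminal only when the policy for that terminal class is satisfied."""

    def __init__(self, preset_keystore: List[bytes], biometric_threshold: float = 0.9):
        self._keystore = preset_keystore
        self._threshold = biometric_threshold

    def needs_second_prompt(self, terminal_class: TerminalClass) -> bool:
        """True when the second prompt information must be shown to the user."""
        return REQUIRES_USER_VERIFICATION.get(terminal_class, True)

    def release_key(self, server_key: bytes, terminal_class: TerminalClass,
                    entered_key: Optional[bytes] = None,
                    biometric_score: Optional[float] = None) -> Optional[bytes]:
        """Return the key to send to the second terminal, or None when user
        verification is required and is missing or failed."""
        if not self.needs_second_prompt(terminal_class):
            return server_key
        if entered_key is not None:
            ok = verify_key_input(entered_key, self._keystore)
        elif biometric_score is not None:
            # Score produced by the fingerprint or voice matching pipeline.
            ok = biometric_score >= self._threshold
        else:
            return None   # nothing entered yet: the caller shows the prompt
        return server_key if ok else None
```

Only one verification path is consulted per call and a missing input never falls through to success, which is the property a reviewer would check first in code of this shape.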
As described above, in this first embodiment, when the radio access bearer is in the released state, the first terminal sends the image data of the second terminal to the server over the Internet of Things protocol using signaling that is used for transmitting data. Because the radio access bearer does not need to be re-established, the delay caused by establishing a radio access bearer is avoided, the image data of the second terminal can be sent quickly to the server on the network side, and fast authentication is thereby achieved. In addition, in this embodiment the server sends the key to the first terminal and the first terminal then sends the key to the second terminal, which avoids leakage of the key, so that secure authentication can be achieved.
Embodiment 2
As shown in FIG. 5, this embodiment describes the authentication method in detail from the server side. The method includes the following steps:
Step 501: receive the image data of the second terminal that the first terminal sends over the Internet of Things protocol using signaling that is used for transmitting data.
Here, the step of receiving the image data of the second terminal sent by the first terminal over the Internet of Things protocol using signaling that is used for transmitting data includes: receiving, over the signaling radio bearer between the terminal and the core network, the non-access stratum signaling message that the first terminal sends on the signaling radio bearer through the non-access stratum of the signaling plane, where the non-access stratum signaling message contains the image data of the second terminal.
In practical application, the signaling radio bearer between the terminal and the core network terminates on the core-network side at the NAS layer of the MME. That is, the NAS layer of the MME receives the image data transmitted on the signaling radio bearer, the MME sends the image data to the SCEF, and the server receives the image data sent by the SCEF; alternatively, the MME sends the image data to the SGW, the SGW sends it to the PGW, and the server receives the image data sent by the PGW.
Step 502: use the image data to search the preset database, obtain the key corresponding to the first terminal, and send the key to the first terminal.
The key is used to authenticate the first terminal after the first terminal has sent it to the second terminal.
Here, in practical application, sending the key to the first terminal includes: sending the key to the first terminal over the Internet of Things protocol using signaling that is used for transmitting data. Specifically, the key may be sent to the first terminal over the NB-IoT or eMTC protocol: when the radio access bearer is in the released state, the key is sent to the first terminal through the non-access stratum of the signaling plane; when the radio access bearer is in the established state, the key is sent to the first terminal through the user plane.
Here, searching the preset database using the image data includes: extracting feature information from the image data according to a feature extraction strategy, and searching the preset database according to the extracted feature information.
The information stored in the preset database may include the identification information of the second terminal and the identification information of the first terminal. The correspondence between the identification information of the second terminal and the identification information of the first terminal is one-to-many.
In practical application, the feature extraction strategy first preprocesses the image data, including grayscale conversion, binarization and noise suppression (filtering). Feature points are then extracted from the preprocessed image to construct graphic features; a feature point here may be the imaged point of any part of the second terminal, such as a point on the edge of the second terminal. The feature points form graphic features such as contour features and texture features inside the contour. The feature information of the second terminal, such as its identification information, is determined from the graphic features; the identification information may be a number.
According to the extracted identification information of the second terminal and the correspondence between the identification information of the second terminal and the identification information of the first terminal, the preset database is searched to obtain the key corresponding to the first terminal.
In an embodiment, the method further includes: receiving the changed key or newly entered key sent by the first terminal, where the changed key and the newly entered key correspond to the second terminal; and updating the preset database according to the changed key or the newly entered key.
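The server-side lookup of step 502 and the key-update path (the key change or new-key entry of Embodiment 1 and its reception here), as one added example that is not the patent's own code. The feature extraction strategy is replaced by a parser for a constructed image payload whose trailing label carries the second terminal's number; the database layout keyed by (second terminal, first terminal), the response reasons, and the assumption that the first terminal's identity is already known from the connection are all assumptions for the illustration.

```python
"""Embodiment 2 (server side) modelled in Python (added illustration).

Assumed, not from the patent: the label-based stand-in for feature
extraction, the (second_id, first_id) -> key layout, the response reasons,
and that first_id is known from the connection that delivered the request.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed stand-in for the feature extraction strategy: the sample "image"
# bytes end with a label such as b"TERM:002" naming the imaged terminal.
_LABEL = re.compile(rb"TERM:(\d{3})\s*$")


def extract_second_terminal_id(image_data: bytes) -> Optional[str]:
    """Return the second terminal's number found in the image, or None."""
    m = _LABEL.search(image_data)
    return m.group(1).decode() if m else None


class PresetDatabase:
    """Maps (second terminal id, first terminal id) to the key of the first
    terminal; one second terminal maps to many first terminals."""

    def __init__(self) -> None:
        self._keys: Dict[Tuple[str, str], bytes] = {}

    def lookup(self, second_id: str, first_id: str) -> Optional[bytes]:
        return self._keys.get((second_id, first_id))

    def first_terminals_for(self, second_id: str) -> List[str]:
        return sorted(f for (s, f) in self._keys if s == second_id)

    def update_key(self, second_id: str, first_id: str, key: bytes) -> str:
        """Store a changed key or a newly entered key; returns which it was."""
        if not key:
            raise ValueError("empty key rejected")
        status = "changed" if (second_id, first_id) in self._keys else "new"
        self._keys[(second_id, first_id)] = key
        return status


@dataclass(frozen=True)
class KeyResponse:
    key: Optional[bytes]
    reason: str   # "ok", "unknown-terminal-image" or "no-key-for-pair"


def handle_image_request(db: PresetDatabase, image_data: bytes, first_id: str) -> KeyResponse:
    """Step 502: derive the second terminal from the image and look up the key."""
    second_id = extract_second_terminal_id(image_data)
    if second_id is None:
        return KeyResponse(None, "unknown-terminal-image")
    key = db.lookup(second_id, first_id)
    if key is None:
        # No correspondence stored: the first terminal is not enrolled with this
        # second terminal, or the second terminal is a new device. The first
        # terminal's user is expected to enter a new key and send it.
        return KeyResponse(None, "no-key-for-pair")
    return KeyResponse(key, "ok")


def handle_key_update(db: PresetDatabase, second_id: str, first_id: str, key: bytes) -> str:
    """Receive a changed or newly entered key from the first terminal."""
    return db.update_key(second_id, first_id, key)
```

Returning a reason code rather than a bare None lets the server tell the first terminal whether the image was unrecognised or the pair simply has no key yet, which is the case the text says should trigger entry of a new key.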
Embodiment 3
To implement the method of Embodiment 1, this embodiment provides a first terminal. As shown in FIG. 6, the first terminal includes an acquisition module 61, a first sending module 62 and a first receiving module 63, where: the acquisition module 61 is configured to acquire the image data of the second terminal.
The first sending module 62 is configured to: when the radio access bearer is in the released state, send the image data to the server over the Internet of Things protocol using signaling that is used for transmitting data, where the image data is used to request that the server send the key corresponding to the first terminal; and send the key to the second terminal, where the key is used by the second terminal to authenticate the first terminal.
The first receiving module 63 is configured to receive the key sent by the server.
In an embodiment, the acquisition module 61 is further configured to: search for and find at least one terminal; determine the second terminal from the at least one terminal; and capture an image of the second terminal to obtain the image data.
Here, in practical application, the first terminal may search for the at least one terminal over Bluetooth, or over another local-area protocol such as WiFi or ZigBee. The terminal may specifically be an ATM, an access-control security gate, a card reader on a smart bus or on the subway, and so on.
In an embodiment, the first sending module 62 is further configured to establish a signaling radio bearer between the terminal and the core network, generate a non-access stratum signaling message from the image data, and send the non-access stratum signaling message to the server on the signaling radio bearer. Specifically, when the terminal is the first terminal and the image data is the image data of the second terminal, the first sending module 62 establishes a signaling radio bearer between the first terminal and the core network, generates a non-access stratum signaling message from the image data of the second terminal, and sends the non-access stratum signaling message to the server on the signaling radio bearer.
Here, when the radio access bearer is in the released state, the image data can be sent to the server through the non-access stratum of the signaling plane only if the signaling-plane protocol architecture of the network supports transmitting data over the signaling plane; network protocols that satisfy this condition include NB-IoT and eMTC.
In an embodiment, the first sending module 62 is further configured to: when the radio access bearer is in the established state, send the image data to the server based on the data radio bearer on the user plane.
In an embodiment, the first terminal further includes an unlocking module configured to: when the first terminal is in a locked state, generate a first prompt message, which prompts the user of the first terminal to unlock the first terminal; obtain an operation, which is the user's response to the first prompt message; unlock the first terminal in response to the operation; and, after the unlock succeeds, put the first terminal into the working state.
In practical application, to reduce power consumption and ensure security, the first terminal cannot remain permanently in the working state and in the state of searching for at least one terminal. The working time of the first terminal can be set according to user requirements; for example, the first terminal enters the locked state after working for 1 minute or 10 minutes.
In an embodiment, the first terminal further includes a determining module configured to read the state of the radio access bearer between the first terminal and the core network as held in the protocol stack; when no data transmission channel exists between the first terminal and the core network, the determining module determines that the radio access bearer is in the released state.
In an embodiment, the first terminal further includes a verification module configured to generate second prompt information when it is determined from the acquired image data of the second terminal that the identity of the user of the first terminal needs to be verified, where the second prompt information prompts the user of the first terminal to input verification information. The verification module is further configured to obtain the verification information input by the user of the first terminal, and to check the input verification information.
Correspondingly, the first sending module 62 is further configured to send the key to the second terminal after the check succeeds.
In practical application, since the second terminal may be a transfer machine or an access-control card terminal: when the second terminal is a transfer machine, the identity of the user of the first terminal must be checked before the second terminal authenticates the first terminal, the purpose of the check being to improve security; when the second terminal is an access-control card terminal, the identity of the user of the first terminal does not need to be checked, and the second terminal can authenticate the first terminal directly.
In an embodiment, the first terminal further includes an entry module configured to: when the key corresponding to the first terminal is changed or a new key is entered, send the changed key or the newly entered key to the server, where the changed key or the newly entered key is used by the server to update the preset database.
In practical application, the first receiving module 63 is implemented by a communication interface on the first terminal; the acquisition module 61, the unlocking module and the determining module may be implemented by a processor on the first terminal such as a central processing unit (CPU, Central Processing Unit), a microprocessor (MPU, Micro Processor Unit), a DSP or a field programmable gate array (FPGA, Field Programmable Gate Array); and the first sending module 62, the verification module and the entry module are implemented by a processor on the first terminal such as a CPU, MPU, DSP or FPGA in combination with the communication interface.
Embodiment 4
To implement the method of Embodiment 2, this embodiment provides a server. As shown in FIG. 7, the server includes a second receiving module 71 and a second sending module 72, where:
The second receiving module 71 is configured to receive the image data of the second terminal that the first terminal sends, via an Internet of Things protocol, using signaling intended for transmitting data.
The second sending module 72 is configured to look up, using the image data, the key corresponding to the first terminal in a preset database, and to send the key to the first terminal, where the key is used to authenticate the first terminal after the first terminal has forwarded it to the second terminal.
In an embodiment, the second receiving module 71 is further configured to receive the changed key or the newly entered key sent by the first terminal, where the changed key and the newly entered key correspond to the second terminal.
In an embodiment, the second receiving module 71 is further configured to receive, over the signaling radio bearer between the first terminal and the core network, a non-access stratum (NAS) signaling message that the first terminal sends on the signaling radio bearer through the NAS of the signaling plane, where the NAS signaling message contains the image data of the second terminal.
In practice, the signaling radio bearer between the terminal and the core network terminates, on the core network side, at the NAS layer of the MME; that is, the NAS layer of the MME receives the image data carried on the signaling radio bearer, the MME then forwards the image data to the SCEF, and the server receives the image data from the SCEF. Alternatively, the MME may send the image data to the SGW, the SGW forwards it to the PGW, and the server receives the image data from the PGW.
In an embodiment, the second sending module 72 is further configured to extract feature information from the image data according to a feature extraction policy, and to perform the lookup in the preset database according to the extracted feature information.
Here, in practice, the second sending module 72 sends the key to the first terminal via an Internet of Things protocol using signaling intended for transmitting data. Specifically, the key may be sent to the first terminal over the NB-IoT or eMTC protocol. That is, when the radio access bearer is in the released state, the second sending module 72 sends the key to the first terminal through the NAS layer of the signaling plane; when the radio access bearer is in the established state, the second sending module 72 sends the key to the first terminal through the user plane.
In an embodiment, the server further includes an update module configured to update the preset database according to the changed key or the newly entered key.
In practice, the update module is implemented by a processor located on the second terminal, such as a CPU, MPU, DSP or FPGA; the second receiving module 71 and the second sending module 72 may be implemented by a processor located on the second terminal, such as a CPU, MPU, DSP or FPGA, together with a communication interface.
The specific implementation of the authentication method is described below with concrete examples.
FIG. 8 is a schematic diagram of the internal modules of the first terminal. As shown in FIG. 8, the internal modules of the first terminal include a user interaction module 801, an NB-IoT/eMTC communication module 802, a Bluetooth/WiFi communication module 803, an information collection module 804 and an image collection module 805.
Each component is described in detail below:
(1) User interaction module 801: used to complete the interaction between the first terminal and the user. The interaction may take various forms, such as a user interface (UI) display, key-press confirmation or voice prompts.
(2) NB-IoT/eMTC communication module 802: used by the first terminal to interact with the server over the wireless network. The uplink carries the image data of the second terminal; the downlink carries the authentication information requested by the first terminal, such as the key and personal information. When the radio access bearer is established, the image data is transmitted over the user plane; when the radio access bearer has been released, the image data is transmitted over the signaling plane.
(3) Bluetooth/WiFi communication module 803: used to search for and connect to surrounding hosts (second terminals), such as ATMs, access control security gates and smart bus/metro card readers. After the server has sent the first terminal the authentication data used for authentication, such as the key, the key is sent to the host through the Bluetooth/WiFi communication module 803, and the host completes the authentication of the first terminal. The search and connection may use Bluetooth or another local area network protocol such as WiFi or ZigBee.
(4) Information collection module 804: used for input and output. To save power and ensure security, the first terminal cannot remain permanently in the working state searching for surrounding hosts; most of the time it is in standby, that is, the locked state. In the locked state the first terminal cannot be used and does not search for surrounding hosts. The working time of the first terminal can be set by its user, for example to 1 minute or 10 minutes. Before using the first terminal, the user must unlock it through the information collection module 804. For a period after unlocking, the first terminal is usable and searching. The information collection module 804 is also used when adding or changing a key.
(5) Image collection module 805: in an open setting, the first terminal may continuously discover a variety of hosts. For example, at the gate of a residential community there may be an ATM and a bus, and the first terminal will find several hosts; the user of the first terminal then needs to confirm which host to connect to as the second terminal. After the second terminal is determined, a live-scene capture method is used: the user captures a picture with the camera of the first terminal (part of the image collection module) and sends it to the server over the NB-IoT/eMTC protocol; only after the server determines that the host is the second terminal does it deliver the key corresponding to the first terminal to the first terminal. The first terminal may also be combined with smart glasses or a similar wearable, so that, for example, as soon as the user walks straight toward or looks at the host to be operated, the image collection module 805 of the first terminal automatically operates and uploads the image data of the second terminal to the server, saving time and effort.
FIG. 9 is a schematic diagram of a specific implementation flow of the authentication method according to an embodiment of the present invention. As shown in FIG. 9, the flow includes the following steps:
Step 901: determine whether the first terminal is in the working state. If it is, perform step 902. If the first terminal is in the locked state (for example because it has exceeded the preset working time), perform step 917.
Step 917: prompt the user to unlock the first terminal and wait for the user to unlock it with a fingerprint or eye pattern; after unlocking succeeds, perform step 902.
Step 902: once the first terminal is determined to be in the working state, it enters the host-search state. When the first terminal finds at least one host (second terminal), perform step 903. If it finds no host, return to step 901.
Step 903: prompt the user of the first terminal, for example through the user interaction module 801, to start live-scene authentication, and wait for the user to start it.
Step 904: the user performs the live-scene capture. If the capture succeeds, perform step 9041; otherwise return to step 903.
Step 9041: the device (first terminal) connects to the target host via Bluetooth or another local area network method, then performs step 905. As an example of live-scene capture, the user may take a photo of the host device with the first terminal. The photo may be of the gate of the community the user is about to enter, a smart door lock of a house, a bank ATM, a bus, the key cabinet of a private club, and so on.
Step 905: the first terminal determines whether the radio access bearer exists. If it does (the radio access bearer is in the established state), perform step 906; if not (the radio access bearer is in the released state), perform step 912.
The local protocol stack memory of the first terminal stores a set of variables corresponding to the radio access bearer. By reading these variables, the first terminal can check whether it holds valid state variable information for the radio access bearer. If the variables are empty or the memory has been freed, the first terminal holds no valid state variable information for the radio access bearer between itself and the core network; the state variable information is invalid, and the radio access bearer can be determined to be in the released state.
According to the wireless network standards, if a wireless device has no data traffic for a period of time, the bearers and the signaling connection established between the terminal and the core network are released. When the user requests data again, the terminal first performs Service Request (SR) signaling with the core network, establishes the RRC connection, then establishes the radio bearer and the radio access bearer, and only then can data be exchanged between the terminal and the core network.
Step 906: send the picture data of the host to the server via the Internet of Things protocol using signaling intended for transmitting data.
Here, in practice, the picture data of the host may be sent to the server over the user plane based on the NB-IoT (or eMTC) protocol.
On the server side, the server searches the preset database and, if it finds the key corresponding to the first terminal, sends the key to the first terminal over the NB-IoT/eMTC protocol.
Step 907: determine whether the key sent by the server to the first terminal has been received. If it has, perform step 908; otherwise perform step 913.
Step 908: generate a prompt message, for example "Key for host "xxx" received; send it?". The prompt message is used by the terminal to decide whether to verify the user's identity; when it is determined that the identity of the first terminal's user needs to be verified, perform step 909.
Here, whether to verify the user's identity can be decided according to the security level preset by the user. For example, key authentication at an ATM or identity authentication on a bus can be set to a high security level: the key is sent to complete the authentication only after the user's identity has been verified and the user has pressed the confirmation key. When the host is a transfer machine, the first terminal needs to verify the user's identity and sends the key to the host only after doing so. Community access control, company gates and the like can be set to a low security level: no user identity verification or user confirmation is required, and the first terminal sends the key directly to the host (in this case steps 908 and 909 are skipped).
Step 909: determine whether the verification information entered by the user has been received (the user's confirmation). If it has, perform step 910; otherwise return to step 908.
Step 910: after the user's identity has been verified successfully, send the key to the host via Bluetooth or a similar method.
Step 911: determine whether the host authentication passed. If the host authentication succeeded, perform step 916; if it failed, perform step 915.
Step 912: send the picture data of the host to the server via the Internet of Things protocol using signaling intended for transmitting data.
Here, in practice, the picture of the host may be sent to the server through the NAS layer of the signaling plane based on the NB-IoT or eMTC protocol.
The picture data of the host is packed, and the packed data is placed in the data body field of the NAS layer to generate a non-access stratum signaling message, which is transmitted through the NAS layer to the server on the network side. Specifically, the non-access stratum message containing the host picture data is processed by the NAS, RRC, PDCP, RLC and MAC layers, encapsulated by the PHY layer, and then transmitted to the server as a radio signal.
Since the radio access bearer does not need to be re-established, the service request and the establishment of the radio bearer and the radio access bearer are avoided, and the data can be sent to the server quickly.
Step 913: prompt the user to take the photo again and return to step 903; or prompt the user that this is a new host device for which a new key must be entered, then perform step 914.
Step 914: enter the new-device flow.
Step 915: the host prompts the user of the first terminal to change the key. Alternatively, step 915 may be: the host goes directly into standby/sleep.
Step 916: the first terminal chooses, according to its working time, to continue searching or to enter standby mode. If the working time exceeds the time preset by the user, the device is locked; after locking, the first terminal is in a low-power state.
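The terminal-side decision flow of FIG. 9 (steps 901 to 917), written out as an added Python example; it is not code from the patent, and the names Terminal, Host, AuthResult and the server_lookup/host_accepts callbacks are assumptions. The bearer check follows the note after step 905: empty or freed bearer state variables mean the radio access bearer is released, so the picture goes over NAS signaling instead of the user plane.

```python
"""Terminal-side flow of FIG. 9 as a small state machine (added example,
not the patent's code). Step numbers in comments refer to FIG. 9."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, List, Optional


class Bearer(Enum):
    ESTABLISHED = "established"   # step 906: picture over the user plane
    RELEASED = "released"         # step 912: picture in a NAS signaling message


class Transport(Enum):
    USER_PLANE = "user plane"
    NAS_SIGNALING = "NAS signaling message"


class SecurityLevel(Enum):
    HIGH = "high"   # ATM, bus: verify user identity and require confirmation
    LOW = "low"     # community gate, company turnstile: send key directly


@dataclass
class Host:
    name: str
    security_level: SecurityLevel
    photo: bytes                  # constructed stand-in for the captured picture


@dataclass
class Terminal:
    work_window_s: int = 60       # user-settable working time (1 min, 10 min, ...)
    unlocked_at: Optional[float] = None
    bearer_state_vars: dict = field(default_factory=dict)  # protocol stack memory

    def is_working(self, now: float) -> bool:
        # Step 901: locked if never unlocked or the working time has expired.
        return self.unlocked_at is not None and now - self.unlocked_at < self.work_window_s

    def unlock(self, now: float) -> None:
        # Step 917: fingerprint / eye-pattern unlock is assumed to have succeeded.
        self.unlocked_at = now

    def bearer_state(self) -> Bearer:
        # Step 905: empty or freed bearer state variables mean "released".
        return Bearer.ESTABLISHED if self.bearer_state_vars else Bearer.RELEASED


@dataclass
class AuthResult:
    steps: List[int] = field(default_factory=list)   # step numbers visited, in order
    transport: Optional[Transport] = None
    key_sent_to_host: bool = False
    outcome: str = ""


def run_authentication(term: Terminal, host: Host, now: float,
                       server_lookup: Callable[[bytes], Optional[str]],
                       user_confirmed: bool,
                       host_accepts: Callable[[str], bool]) -> AuthResult:
    """Walk steps 901-916 once. server_lookup(photo) returns the key the
    server found in its preset database, or None; host_accepts(key) is the
    host's authentication decision (step 911)."""
    r = AuthResult()
    if not term.is_working(now):
        r.steps.append(917)
        term.unlock(now)
    r.steps.extend([901, 902, 903, 904, 9041, 905])

    # Step 905: choose the transport from the locally stored bearer state.
    if term.bearer_state() is Bearer.ESTABLISHED:
        r.steps.append(906)
        r.transport = Transport.USER_PLANE
    else:
        r.steps.append(912)
        r.transport = Transport.NAS_SIGNALING

    key = server_lookup(host.photo)           # server searches the preset database
    r.steps.append(907)
    if key is None:
        r.steps.append(913)                   # retake the photo, or new-device flow (914)
        r.outcome = "no key for this host; retake photo or enter a new key"
        return r

    # Steps 908-909 run only for high security hosts; low security skips them.
    if host.security_level is SecurityLevel.HIGH:
        r.steps.extend([908, 909])
        if not user_confirmed:
            r.outcome = "waiting for user verification; key withheld"
            return r

    r.steps.append(910)                       # key forwarded to the host over Bluetooth
    r.key_sent_to_host = True
    r.steps.append(911)
    if host_accepts(key):
        r.steps.append(916)
        r.outcome = "host authenticated the terminal"
    else:
        r.steps.append(915)
        r.outcome = "host rejected the key; prompt key change"
    return r
```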
FIG. 10 is a schematic diagram of the new-device flow, that is, the specific implementation flow for entering a new key, according to an embodiment of the present invention. As shown in FIG. 10, the flow includes the following steps:
Step 1001: enter the new-key entry flow.
Step 1002: confirm the user information through the information collection module 804, confirm that the first terminal is being used by a legitimate user, and put the first terminal into working mode.
Step 1003: enter the user information and the new key through the information collection module 804.
Step 1004: send the entered key to the server.
Specifically, based on the NB-IoT/eMTC protocol, when the radio access bearer does not exist (is in the released state), the NAS layer of the signaling plane may be used to send the newly entered key corresponding to the first terminal to the server; otherwise (the radio bearer is established), the newly entered key corresponding to the first terminal is sent to the server over the user plane. Of course, the radio access bearer may also be established first; the entered key data is then packed, processed by the PDCP, RLC and MAC layers, encapsulated by the PHY layer, and sent to the server on the network side in the form of transport blocks.
Step 1005: the server updates the preset database, creating the new key information, the correspondence between the new key and the first terminal, and the correspondence between the host (second terminal) and the first terminal.
Step 1006: prompt the user that the new key was entered successfully.
FIG. 11 is a schematic diagram of a specific implementation flow for changing a key according to an embodiment of the present invention. As shown in FIG. 11, the flow includes the following steps:
Step 1101: enter the key-change flow.
Step 1102: confirm the user information through the information collection module 804, confirm that the first terminal is being used by a legitimate user, and put the first terminal into working mode.
Step 1103: enter the changed key through the information collection module 804.
Step 1104: send the changed key to the server.
Here, in practice, the changed key may be sent to the server based on the NB-IoT/eMTC protocol. Specifically, when the radio access bearer does not exist (is in the released state), the NAS layer of the signaling plane may be used to send the entered key corresponding to the first terminal to the server; otherwise (the radio bearer is established), the entered key corresponding to the first terminal is sent to the server over the user plane. Of course, the radio access bearer may also be established first; the changed key data is then packed, processed by the PDCP, RLC and MAC layers, encapsulated by the physical layer, and sent to the server on the network side in the form of transport blocks.
Step 1105: the server updates the preset database, creating the changed key information, the correspondence between the changed key and the first terminal, and the correspondence between the host and the first terminal.
Step 1106: the server prompts the user that the key was changed successfully.
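The server side of Embodiment 4 together with the database updates of steps 1005 and 1105 (FIGs. 10 and 11), as an added Python example that is not the patent's code. The patent does not state its feature extraction policy, so the 8x8 average hash, the Hamming-distance threshold and the names PresetDatabase, terminal_id and host_id are assumptions; the sample images are constructed. The key is stored per terminal-host pair, so the lookup returns nothing for a terminal that has no key for the photographed host.

```python
"""Server side of Embodiment 4: identify the host from the uploaded picture,
return the key for (terminal, host), and apply new/changed keys (added
example, not the patent's code; feature policy is an assumption)."""
from typing import Dict, Optional, Tuple

GRID = 8  # constructed images are 8x8 grayscale, one byte per pixel


def extract_features(image: bytes) -> int:
    """Assumed feature extraction policy: average hash, one bit per pixel,
    set when the pixel is brighter than the image mean (64-bit integer)."""
    if len(image) != GRID * GRID:
        raise ValueError("expected an 8x8 grayscale image")
    mean = sum(image) / len(image)
    bits = 0
    for px in image:
        bits = (bits << 1) | (1 if px > mean else 0)
    return bits


def hamming(a: int, b: int) -> int:
    """Number of differing feature bits."""
    return bin(a ^ b).count("1")


class PresetDatabase:
    """hosts: host_id -> feature hash; keys: (terminal_id, host_id) -> key."""

    def __init__(self, max_distance: int = 6) -> None:
        self.hosts: Dict[str, int] = {}
        self.keys: Dict[Tuple[str, str], str] = {}
        self.max_distance = max_distance  # tolerance for photo noise (assumption)

    def identify_host(self, image: bytes) -> Optional[str]:
        """Second sending module 72: match the uploaded picture against the
        stored host features; None if no host is within the threshold."""
        probe = extract_features(image)
        best: Optional[Tuple[int, str]] = None
        for host_id, feat in self.hosts.items():
            d = hamming(probe, feat)
            if d <= self.max_distance and (best is None or d < best[0]):
                best = (d, host_id)
        return best[1] if best else None

    def lookup_key(self, terminal_id: str, image: bytes) -> Optional[str]:
        """Return terminal_id's key for the photographed host, or None (the
        terminal then goes to step 913: retake the photo or enter a new key)."""
        host_id = self.identify_host(image)
        if host_id is None:
            return None
        return self.keys.get((terminal_id, host_id))

    def update_key(self, terminal_id: str, host_id: str, key: str,
                   host_image: Optional[bytes] = None) -> None:
        """Update module: step 1005 (new key, with the host's photo) and
        step 1105 (changed key) both end here."""
        if host_image is not None:
            self.hosts[host_id] = extract_features(host_image)
        elif host_id not in self.hosts:
            raise KeyError(f"unknown host {host_id}; a photo is needed on first entry")
        self.keys[(terminal_id, host_id)] = key


def make_image(pattern: str) -> bytes:
    """Build a constructed 8x8 image from 8 rows of '#' (bright) and '.' (dark)."""
    rows = pattern.split()
    if len(rows) != GRID or any(len(r) != GRID for r in rows):
        raise ValueError("pattern must be 8 rows of 8 characters")
    return bytes(200 if ch == "#" else 30 for r in rows for ch in r)
```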
Those skilled in the art will appreciate that embodiments of the present invention may be provided as a method, a system or a computer program product. Accordingly, the present invention may take the form of a hardware embodiment, a software embodiment, or an embodiment combining software and hardware. Moreover, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage and optical storage) containing computer-usable program code.
The present invention is described with reference to flowcharts and/or block diagrams of methods, devices (systems) and computer program products according to embodiments of the present invention. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks in the flowcharts and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general-purpose computer, a special-purpose computer, an embedded processor or other programmable data processing device to produce a machine, such that the instructions executed by the processor of the computer or other programmable data processing device produce means for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing device to operate in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means that implement the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be loaded onto a computer or other programmable data processing device, such that a series of operational steps are performed on the computer or other programmable device to produce computer-implemented processing, so that the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
Based on this, an embodiment of the present invention further provides a computer storage medium, the computer storage medium including a set of instructions which, when executed, cause at least one processor to perform the server-side authentication method or the terminal-side authentication method described above.
The above are merely preferred embodiments of the present invention and are not intended to limit the scope of protection of the present invention.
Claims (16)
Applications Claiming Priority (2)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201710296994.XA CN108809898B (en) | 2017-04-28 | 2017-04-28 | An authentication method, terminal and server |
| CN201710296994.X | 2017-04-28 | | |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| WO2018196465A1 true WO2018196465A1 (en) | 2018-11-01 |
Family
ID=63919421
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| PCT/CN2018/075088 Ceased WO2018196465A1 (en) | 2017-04-28 | 2018-02-02 | Authentication method, terminal and server |
Country Status (2)
| Country | Link |
|---|---|
| CN (1) | CN108809898B (en) |
| WO (1) | WO2018196465A1 (en) |
- 2017-04-28: CN CN201710296994.XA, patent CN108809898B, active (Active)
- 2018-02-02: WO PCT/CN2018/075088, patent WO2018196465A1, not active (Ceased)
Also Published As
| Publication number | Publication date |
|---|---|
| CN108809898A (en) | 2018-11-13 |
| CN108809898B (en) | 2020-10-20 |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 18791147; Country of ref document: EP; Kind code of ref document: A1 |
| | NENP | Non-entry into the national phase | Ref country code: DE |
| | 122 | Ep: pct application non-entry in european phase | Ref document number: 18791147; Country of ref document: EP; Kind code of ref document: A1 |