Disclosure of Invention
The application provides a local area network key agreement method, a system and a computer-readable storage medium, which at least solve the problem that key agreement protocols in the related art have difficulty preventing man-in-the-middle attacks, which leads to information leakage.
In a first aspect, an embodiment of the present application provides a local area network key agreement method, which is applied to a mobile terminal, and the method includes:
acquiring a local area network communication key of the intelligent equipment from a cloud according to the identification of the intelligent equipment, wherein the intelligent equipment carries the local area network communication key that is issued by the cloud and uniquely corresponds to the identification of the intelligent equipment;
generating a first random number, and encrypting the first random number by using the local area network communication key to obtain first data;
sending the first data to the intelligent equipment to trigger the intelligent equipment to decrypt the first data through a local area network communication key of the intelligent equipment to obtain a first decryption result, and triggering the intelligent equipment to encrypt the first decryption result and a second random number generated by the intelligent equipment through the local area network communication key to obtain second data;
receiving second data sent by the intelligent equipment, and decrypting the second data through the local area network communication key to obtain a second decryption result;
determining whether the intelligent equipment is trusted according to the second decryption result and the first random number;
and if the intelligent equipment is trusted, negotiating a session key according to the first random number and the second random number.
In some embodiments, before acquiring the local area network communication key of the smart device from the cloud, the method further includes:
writing, in the production stage of the intelligent equipment, a local area network communication key distributed from the cloud, wherein the local area network communication key uniquely corresponds to the intelligent equipment identifier.
In some embodiments, the obtaining, according to the identifier of the smart device, the local area network communication key of the smart device from the cloud includes:
the mobile terminal sends the service set identifier and password of the router to be connected, together with user-defined information codes, to the intelligent equipment, so that the intelligent equipment can find the corresponding router after receiving them and complete the network provisioning process;
after the mobile terminal activates the intelligent equipment, acquiring the identification of the intelligent equipment;
and acquiring a local area network communication key of the intelligent equipment from a cloud according to the identification of the intelligent equipment.
In some embodiments, the first random number is encrypted by an AES-256 encryption algorithm using the local area network communication key to obtain the first data.
In some embodiments, the determining whether the smart device is authentic according to the second decryption result and the first random number includes:
judging whether the second decryption result comprises data which is the same as the first random number or not;
and if the second decryption result comprises the first random number, determining that the intelligent equipment is credible.
In some embodiments, said negotiating a session key based on said first random number and said second random number comprises:
encrypting the first random number and the second random number through a second encryption algorithm to obtain the session key, and sending the session key to the intelligent device;
and receiving response information sent by the intelligent equipment to complete the key negotiation process.
In a second aspect, an embodiment of the present application provides a local area network key agreement method, which is applied to an intelligent device, and the method includes:
receiving first data sent by a mobile terminal, wherein the first data is obtained by encrypting a first random number generated by the mobile terminal through a local area network communication key; the local area network communication key is obtained by the mobile terminal from a cloud according to the identification of the intelligent equipment;
decrypting the first data by using the local area network communication key that the intelligent equipment itself carries to obtain a first decryption result, and generating a second random number; encrypting the first decryption result and the second random number through the local area network communication key that the intelligent equipment itself carries to obtain second data, and sending the second data to the mobile terminal;
receiving a session key sent by the mobile terminal, wherein the session key is obtained by the mobile terminal through the operation of the first random number and the second random number after the mobile terminal verifies that the intelligent device is credible;
and sending response data to the mobile terminal to respond to the negotiation request of the mobile terminal, and finishing key negotiation.
In a third aspect, an embodiment of the present application provides a local area network key agreement method, where the method includes:
the intelligent equipment and the mobile terminal complete network provisioning;
the mobile terminal activates the intelligent equipment and acquires a local area network communication key of the intelligent equipment from a cloud according to the identification of the intelligent equipment; the local area network communication key is allocated by the cloud in the production stage of the intelligent equipment and uniquely corresponds to the intelligent equipment identifier;
the mobile terminal generates a first random number, acquires the local area network communication key from a cloud according to the identification of the intelligent device, and encrypts the first random number by using the local area network communication key to obtain first data;
the mobile terminal sends the first data to the intelligent equipment;
the intelligent equipment decrypts the first data through a local area network communication key of the intelligent equipment to obtain a first decryption result, and encrypts the first decryption result and a second random number generated by the intelligent equipment through the local area network communication key to obtain second data;
the mobile terminal receives second data sent by the intelligent equipment, and decrypts the second data through the local area network communication key to obtain a second decryption result;
the intelligent device determines whether the intelligent device is credible according to the second decryption result and the first random number;
and if the mobile terminal is credible, the mobile terminal and the intelligent equipment negotiate a session key according to the first random number and the second random number.
In a fourth aspect, an embodiment of the present application provides a local area network key agreement system, where the system includes a mobile terminal, a cloud and intelligent equipment; wherein:
the cloud is used for distributing a local area network communication key uniquely corresponding to the intelligent equipment in the production stage of the intelligent equipment;
the mobile terminal is configured to activate the intelligent device and acquire a local area network communication key of the intelligent device from a cloud according to the identification of the intelligent device;
the mobile terminal is further configured to generate a first random number, encrypt the first random number by using the local area network communication key to obtain first data, and send the first data to the intelligent device;
the intelligent device is configured to decrypt the first data through a local area network communication key of the intelligent device to obtain a first decryption result, and encrypt the first decryption result and a second random number generated by the intelligent device through the local area network communication key to obtain second data;
the mobile terminal is further configured to receive second data sent by the intelligent device, and decrypt the second data through the local area network communication key to obtain a second decryption result; determine whether the intelligent equipment is trusted according to the second decryption result and the first random number; and if the intelligent equipment is trusted, negotiate a session key according to the first random number and the second random number.
In a fifth aspect, the present application provides a computer-readable storage medium, on which a computer program is stored, where the computer program is executed by a processor to implement the local area network key agreement method according to the first aspect.
Compared with the related art, the local area network key agreement method provided by the embodiment of the application comprises: acquiring a local area network communication key of the intelligent device from a cloud according to the identification of the intelligent device, wherein the intelligent device carries the local area network communication key that is issued by the cloud and uniquely corresponds to the identification of the intelligent device; generating a first random number, and encrypting the first random number by using the local area network communication key to obtain first data; sending the first data to the intelligent equipment to trigger the intelligent equipment to decrypt the first data through its own local area network communication key to obtain a first decryption result, and to encrypt the first decryption result and a second random number generated by the intelligent equipment through the local area network communication key to obtain second data; receiving the second data sent by the intelligent equipment, and decrypting the second data through the local area network communication key to obtain a second decryption result; determining whether the intelligent equipment is trusted according to the second decryption result and the first random number; and if the intelligent equipment is trusted, negotiating the session key according to the first random number and the second random number. This solves the problem that key agreement protocols in the related art have difficulty preventing man-in-the-middle attacks, which leads to information leakage.
The details of one or more embodiments of the application are set forth in the accompanying drawings and the description below to provide a more thorough understanding of the application.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more apparent, the present application will be described and illustrated below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the present application and are not intended to limit the present application. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments provided in the present application without any inventive step are within the scope of protection of the present application.
It is obvious that the drawings in the following description are only examples or embodiments of the present application, and that it is also possible for a person skilled in the art to apply the present application to other similar contexts on the basis of these drawings without inventive effort. Moreover, it should be appreciated that in the development of any such actual implementation, as in any engineering or design project, numerous implementation-specific decisions must be made to achieve the developers' specific goals, such as compliance with system-related and business-related constraints, which may vary from one implementation to another.
Reference in the specification to "an embodiment" means that a particular feature, structure, or characteristic described in connection with the embodiment can be included in at least one embodiment of the specification. The appearances of the phrase in various places in the specification are not necessarily all referring to the same embodiment, nor are separate or alternative embodiments mutually exclusive of other embodiments. Those of ordinary skill in the art will explicitly and implicitly appreciate that the embodiments described herein may be combined with other embodiments without conflict.
Unless defined otherwise, technical or scientific terms referred to herein shall have the ordinary meaning as understood by those of ordinary skill in the art to which this application belongs. References to "a," "an," "the," and similar words throughout this application are not to be construed as limiting in number, and may refer to the singular or the plural. The terms "including," "comprising," "having," and any variations thereof, as used in this application, are intended to cover non-exclusive inclusions; for example, a process, method, system, article, or apparatus that comprises a list of steps or modules (elements) is not limited to the listed steps or elements, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus. References to "connected," "coupled," and the like in this application are not intended to be limited to physical or mechanical connections, but may include electrical connections, whether direct or indirect. The term "plurality" as referred to herein means two or more. "And/or" describes an association relationship of associated objects, meaning that three relationships may exist; for example, "A and/or B" may mean: A exists alone, A and B exist simultaneously, and B exists alone. The character "/" generally indicates that the former and latter associated objects are in an "or" relationship. The terms "first," "second," "third," and the like herein merely distinguish similar objects and do not denote a particular ordering for the objects.
Various techniques described herein may be applied to smart homes, such as smart door locks, smart desk lamps, anti-lost devices, and the like.
Fig. 1 is a flowchart of a local area network key agreement method provided in an embodiment, which is applied to a mobile terminal, where the mobile terminal may specifically be an APP installed in the mobile terminal, and the description below uses the APP. As shown in fig. 1, the method includes steps 110 to 160; wherein:
Step 110, acquiring a local area network communication key of the intelligent device from the cloud according to the identifier of the intelligent device, wherein the intelligent device carries the local area network communication key that is issued by the cloud and uniquely corresponds to the identifier of the intelligent device.
Step 120, generating a first random number, and encrypting the first random number by using the local area network communication key to obtain first data.
Step 130, sending the first data to the intelligent device, so as to trigger the intelligent device to decrypt the first data through its own local area network communication key to obtain a first decryption result, and to encrypt the first decryption result and a second random number generated by itself through the local area network communication key to obtain second data.
Step 140, receiving the second data sent by the intelligent device, and decrypting the second data through the local area network communication key to obtain a second decryption result.
Step 150, determining whether the intelligent device is trusted according to the second decryption result and the first random number.
Step 160, if the intelligent device is trusted, negotiating the session key according to the first random number and the second random number.
Conventionally, the local area network key agreement mechanism is implemented by using ECDH, which is mainly used to securely establish common secret data over an insecure channel; generally speaking, a secret key is exchanged, and this key is generally used as the symmetric encryption key by both parties in subsequent data transmission. ECDH is based on the premise that: given a point P on the elliptic curve and an integer k, Q = kP is easy to compute; but solving for k given Q and P is difficult. The ECDH key agreement flow is shown in figure 2.
The APP and the intelligent device exchange the keys on an insecure line, and the exchanged keys cannot be known by intermediaries. Firstly, the APP and the intelligent equipment complete network provisioning, and the two parties agree to use an ECDH key exchange algorithm. At this time, both sides also know a large prime number p in the ECDH algorithm, and this p can be regarded as a constant in the algorithm. The number of bits of p determines the difficulty of cracking by an attacker. There is also an integer g that assists the whole key exchange process; g is not very large, typically 2 or 5, and both parties know g and p before the ECDH key exchange process is started. The APP knows the common parameters p and g, generates a private integer a as its private key, and generates A as the public key for transmission by using p, g and a through the formula g^a mod p = A. The intelligent device receives p, g and A sent by the APP through the link, and thus knows the public key A of the APP. At this time, the smart device also generates its own private key b, and then generates its own public key B by the formula g^b mod p = B. Before sending the public key B, the intelligent device generates K as the common key through A^b mod p = K, but does not send K to the APP, and only sends B through the link. After receiving the public key B sent by the intelligent device, the APP also generates the common key K through B^a mod p = K, so that the APP and the intelligent device complete the negotiation of the common key K without transmitting the private keys a and b.
However, since the ECDH key exchange protocol does not verify the identity of the public key sender, man-in-the-middle attacks cannot be thwarted. If a man-in-the-middle intercepts the public key of the APP, the man-in-the-middle can replace it with the man-in-the-middle's own public key and send that to the intelligent device. The man-in-the-middle can also intercept the public key of the intelligent device, replace it with the man-in-the-middle's own public key, and send that to the APP. In this way, the man-in-the-middle can easily decrypt any messages sent between the APP and the smart device. The man-in-the-middle can then modify the content, encrypt it with the new key and send it to the intelligent device, so information is easily leaked and the transmission is insecure.
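The exchange and the substitution problem described above, as an added Go example that is not part of the application. The parameters p = 23, g = 5 and the private values are constructed textbook-sized numbers chosen so the results can be checked by hand, and the type and function names are hypothetical.

```go
package main

import (
	"fmt"
	"math/big"
)

// party holds one side's private exponent and the public value derived from it.
type party struct{ priv, pub *big.Int }

// newParty computes pub = g^priv mod p, as in the formula g^a mod p = A.
func newParty(p, g, priv *big.Int) party {
	return party{priv: priv, pub: new(big.Int).Exp(g, priv, p)}
}

// shared computes K = peerPub^priv mod p, as in B^a mod p = K.
func (x party) shared(p, peerPub *big.Int) *big.Int {
	return new(big.Int).Exp(peerPub, x.priv, p)
}

// exchange runs the unauthenticated exchange. If inPath is non-nil, its public
// value replaces both A and B in transit; neither endpoint has any means of
// noticing, because public values carry no proof of who sent them.
// It returns the key the APP derives and the key the device derives.
func exchange(p *big.Int, app, dev party, inPath *party) (appK, devK *big.Int) {
	seenByDev, seenByApp := app.pub, dev.pub
	if inPath != nil {
		seenByDev, seenByApp = inPath.pub, inPath.pub
	}
	return app.shared(p, seenByApp), dev.shared(p, seenByDev)
}

// toyParams returns constructed, hand-checkable values: p = 23, g = 5, and the
// private exponents a = 6 (APP), b = 15 (device), m = 13 (third party).
func toyParams() (p *big.Int, app, dev, mid party) {
	p = big.NewInt(23)
	g := big.NewInt(5)
	return p, newParty(p, g, big.NewInt(6)), newParty(p, g, big.NewInt(15)), newParty(p, g, big.NewInt(13))
}

func main() {
	p, app, dev, mid := toyParams()
	fmt.Println("A =", app.pub, " B =", dev.pub)

	k1, k2 := exchange(p, app, dev, nil)
	fmt.Println("direct:      APP K =", k1, " device K =", k2)

	k1, k2 = exchange(p, app, dev, &mid)
	fmt.Println("substituted: APP K =", k1, " device K =", k2)
	fmt.Println("third party derives", mid.shared(p, app.pub), "and", mid.shared(p, dev.pub))
}
```

With the substituted value, the APP and the device end up with different keys, each of which the third party can also compute, and nothing in the exchange itself reveals this to either endpoint.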
Compared with the prior art, the local area network key agreement method provided by the application writes a local area network communication key distributed from the cloud into the intelligent equipment in the production stage. The local area network communication key uniquely corresponds to the intelligent equipment identifier, with one key per device, so different intelligent equipment can be assigned different keys. After the APP activates the intelligent device, it can go to the cloud to obtain the local area network communication key of the intelligent device, and key negotiation in local area network communication is carried out by using the local area network communication key. Because a man-in-the-middle cannot obtain the local area network communication key, it cannot forge a proxy, so man-in-the-middle attacks can be prevented and the safety of data transmission is improved.
In some embodiments, obtaining the local area network communication key of the smart device through the cloud includes:
the mobile terminal sends the service set identifier and password of the router to be connected, together with user-defined information codes, to the intelligent equipment, so that the intelligent equipment can find the corresponding router after receiving them and complete the network provisioning process; the mobile terminal activates the intelligent equipment and acquires a local area network communication key of the intelligent equipment from the cloud.
Network provisioning serves the networking requirements of Internet of Things equipment: the Service Set Identifier (SSID) and password of a router are conveyed in some manner to the wireless module in the intelligent equipment, and the intelligent equipment can then connect to the designated router according to the received SSID and password.
The mobile terminal may send the provisioning information in a broadcast manner; for example, the mobile terminal may encode the data in the length field of a broadcast packet, and the intelligent device decodes the broadcast data after receiving the broadcast packet to obtain the provisioning information. Alternatively, the mobile terminal may send the provisioning information in a multicast manner; for example, the mobile terminal may set a group of multicast addresses, encode the provisioning information in the data bits after the multicast addresses, and then send it through a multicast packet, so that the intelligent device can decode the multicast packet to obtain the provisioning information. The manner of sending and receiving the provisioning information is not limited in this application.
After the mobile terminal activates the intelligent equipment, it acquires a local area network communication key of the intelligent equipment from the cloud according to the identification of the intelligent equipment. After the mobile terminal and the intelligent device are activated and bound, the mobile terminal sends a data request to the cloud according to the identification of the intelligent device, requesting the local area network communication key of the intelligent device corresponding to the identification. After receiving the request, the cloud checks whether its stored data contains the identification of the intelligent equipment, and if so, sends the corresponding local area network communication key to the mobile terminal.
In some embodiments, the first random number is encrypted by an AES-256 encryption algorithm using the local area network communication key to obtain the first data.
The Advanced Encryption Standard (AES) encryption function is a symmetric encryption algorithm. Denoting the AES encryption function as E, C = E(K, P), where P is the plaintext, K is the key, and C is the ciphertext. That is, the encryption function E takes the plaintext P and the key K as parameters and outputs the ciphertext C. The AES encryption mode is adopted, so that the method is safe and reliable, the purpose of rapid encryption can be realized, the security of network communication is ensured, and the method has a good application prospect.
The AES encryption algorithm uses 128, 192, or 256 bit keys and encrypts the data in 128-bit blocks. AES names the different key sizes as AES-x, where x is the key size. In the application, the AES-256 encryption algorithm is adopted, so that the safety and the reliability can be improved. It will be appreciated that an AES-128 encryption algorithm or an AES-192 encryption algorithm may also be employed.
In some embodiments, determining whether the smart device is authentic based on the second decryption result and the first random number comprises:
judging whether the second decryption result comprises the data same as the first random number or not;
and if the second decryption result comprises the first random number and the second random number, determining that the intelligent device is credible.
The second decryption result is obtained by the mobile terminal decrypting the second data sent by the intelligent device with the key acquired from the cloud. In theory, if the sender, i.e., the smart device, is trusted, the first decryption result should be the first random number, and the second data is obtained by encrypting the first random number and the second random number with the smart device's own local area network communication key. If the local area network communication key acquired by the mobile terminal from the cloud is the key corresponding to the intelligent device, decrypting the second data with that key yields the first random number and the second random number. Therefore, whether the intelligent device is trusted can be judged from the mobile terminal's decryption result, and if the intelligent device is trusted, the session key is further negotiated according to the first random number and the second random number. Because the intelligent equipment is verified through the local area network communication key obtained from the cloud before the subsequent key negotiation is carried out, leakage of private and security-sensitive data caused by man-in-the-middle attack and replay during local area network communication between the mobile terminal and the intelligent equipment can be prevented, and the security of the key negotiation algorithm is improved.
In some of these embodiments, negotiating the session key based on the first random number and the second random number includes:
encrypting the first random number and the second random number through a second encryption algorithm to obtain a session key, and sending the session key to the intelligent equipment;
and receiving response information sent by the intelligent equipment, and finishing the key negotiation process.
In one embodiment, the session key for the subsequent communication can be negotiated by the first random number ^ the second random number.
After the session key is negotiated, the intelligent device sends response information to the mobile terminal, so that the mobile terminal can know that the key negotiation is completed, and then starts to communicate with the intelligent device.
The present application further provides a local area network key agreement method, which is applied to an intelligent device. As shown in fig. 3, the method includes steps 310 to 340; wherein:
step 310, receiving first data sent by the mobile terminal, wherein the first data is obtained by encrypting a first random number generated by the mobile terminal through a local area network communication key; the local area network communication key is obtained by the mobile terminal from the cloud according to the identification of the intelligent equipment;
step 320, decrypting the first data by using the local area network communication key that the intelligent device itself carries to obtain a first decryption result, generating a second random number, encrypting the first decryption result and the second random number by using the local area network communication key that the intelligent device itself carries to obtain second data, and sending the second data to the mobile terminal;
step 330, receiving a session key sent by the mobile terminal, wherein the session key is obtained by the mobile terminal through the operation of the first random number and the second random number after the mobile terminal verifies that the intelligent device is credible;
step 340, sending response data to the mobile terminal to respond to the negotiation request of the mobile terminal, and completing the key negotiation.
The present application further provides a local area network key agreement method. As shown in fig. 4, the method includes steps 410 to 480; wherein:
step 410, the mobile terminal and the intelligent device complete network provisioning;
step 420, the mobile terminal activates the intelligent device, and acquires a local area network communication key of the intelligent device from the cloud according to the identification of the intelligent device; the local area network communication key is distributed at the cloud end in the production stage of the intelligent equipment, and the local area network communication key is uniquely corresponding to the intelligent equipment identifier;
step 430, the mobile terminal generates a first random number, and encrypts the first random number by using a local area network communication key to obtain first data;
step 440, the mobile terminal sends the first data to the intelligent device;
step 450, the intelligent device decrypts the first data through the local area network communication key of the intelligent device to obtain a first decryption result, and encrypts the first decryption result and a second random number generated by the intelligent device through the local area network communication key to obtain second data;
step 460, the mobile terminal receives the second data sent by the intelligent device, and decrypts the second data through the local area network communication key to obtain a second decryption result;
step 470, the smart device determines whether the smart device is trusted according to the second decryption result and the first random number;
and step 480, if the mobile terminal is trusted, the mobile terminal and the intelligent device negotiate a session key according to the first random number and the second random number.
The specific interaction process is shown in fig. 5.
1. a key distributed from the cloud is written into the intelligent equipment during production, with one key per device, and different firmware is assigned different keys;
2. after the APP activates the intelligent equipment, the APP goes to the cloud to obtain the localKey of the intelligent equipment;
3. when the APP performs local area network key negotiation, it first generates a 16-bit random number randA, and encrypts randA through AES256Encrypt (localKey, randA);
4. the encrypted randA is sent to the intelligent device; the intelligent device decrypts randA with localKey, generates randB, encrypts randA and randB with AES256 using localKey, and sends the encrypted randA and randB to the APP;
5. the APP decrypts randA and randB with localKey and compares the result with its local randA; if the randA values are the same, the data is considered trusted, and the key for subsequent communication is then negotiated through randA ^ randB.
In the method provided by this embodiment, a key distributed from the cloud is written into the intelligent equipment during production, with one key per device, so different intelligent equipment can be assigned different keys. After the APP activates the intelligent equipment, it can go to the cloud to acquire the localKey of that intelligent equipment and use localKey for key agreement in LAN communication. Because a man-in-the-middle does not know localKey, it cannot forge a proxy, which effectively prevents man-in-the-middle attacks during LAN communication between the APP and the intelligent equipment from leaking private and security-sensitive data, and improves the security of communication.
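The following Go program implements interaction steps 3 to 5 as an added example; it is not code from the application. It assumes details the text does not state: random numbers of 16 bytes, AES-256 in GCM mode with a random nonce, and "^" read as bitwise XOR; all function names are hypothetical.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/subtle"
	"errors"
	"fmt"
)

// Assumptions of this example (not stated on the page): random numbers are
// 16 bytes, the cipher mode is AES-256-GCM, and "^" means bitwise XOR.
const randLen = 16

var errUntrusted = errors.New("peer did not prove knowledge of localKey")

func mustRand(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // no safe way to continue without randomness
	}
	return b
}

func newGCM(localKey []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(localKey) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal returns nonce || ciphertext || tag for plaintext under localKey.
func seal(localKey, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(localKey)
	if err != nil {
		return nil, err
	}
	nonce := mustRand(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// open reverses seal; it fails unless msg was sealed with the same key.
func open(localKey, msg []byte) ([]byte, error) {
	gcm, err := newGCM(localKey)
	if err != nil || len(msg) < gcm.NonceSize() {
		return nil, errUntrusted
	}
	n := gcm.NonceSize()
	return gcm.Open(nil, msg[:n], msg[n:], nil)
}

// appHello is step 3: the APP draws randA and encrypts it into the first data.
func appHello(localKey []byte) (randA, firstData []byte, err error) {
	randA = mustRand(randLen)
	firstData, err = seal(localKey, randA)
	return randA, firstData, err
}

// deviceReply is step 4: decrypt randA, draw randB, return E(randA || randB).
func deviceReply(deviceKey, firstData []byte) (secondData, randB []byte, err error) {
	randA, err := open(deviceKey, firstData)
	if err != nil || len(randA) != randLen {
		return nil, nil, errUntrusted
	}
	randB = mustRand(randLen)
	secondData, err = seal(deviceKey, append(randA, randB...))
	return secondData, randB, err
}

// appVerify is step 5: decrypt the second data, compare the echoed randA with
// the local copy in constant time, then derive the key as randA XOR randB.
func appVerify(localKey, randA, secondData []byte) ([]byte, error) {
	plain, err := open(localKey, secondData)
	if err != nil || len(plain) != 2*randLen {
		return nil, errUntrusted
	}
	if subtle.ConstantTimeCompare(plain[:randLen], randA) != 1 {
		return nil, errUntrusted // stale or foreign reply
	}
	return xorBytes(randA, plain[randLen:]), nil
}

func xorBytes(a, b []byte) []byte {
	out := make([]byte, len(a))
	for i := range a {
		out[i] = a[i] ^ b[i]
	}
	return out
}

func main() {
	localKey := mustRand(32) // constructed stand-in for the per-device localKey
	randA, first, _ := appHello(localKey)
	second, randB, _ := deviceReply(localKey, first)
	key, err := appVerify(localKey, randA, second)
	fmt.Println("trusted:", err == nil, "keys match:", string(key) == string(xorBytes(randA, randB)))
}
```

Because the reply must echo the fresh randA, second data captured from an earlier run is rejected, and a peer holding a different key fails the check at decryption.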
It should be understood that although the various steps in the flowcharts of fig. 1, 3 and 4 are shown in the order indicated by the arrows, the steps are not necessarily performed in that order. Unless explicitly stated otherwise, the steps are not strictly limited to the order shown and described, and may be performed in other orders. Moreover, at least some of the steps in fig. 1, 3, and 4 may include multiple sub-steps or multiple stages that are not necessarily performed at the same time, but may be performed at different times, and the order of performing the sub-steps or stages is not necessarily sequential, but may be performed in turn or alternately with other steps or with at least some of the sub-steps or stages of other steps.
The present application also provides a local area network key agreement system. As shown in fig. 6, the system includes a mobile terminal 610, a cloud 620 and a smart device 630, wherein:
the cloud 620 is configured to allocate a local area network communication key uniquely corresponding to the smart device in the production stage of the smart device;
the mobile terminal 610 is configured to activate the smart device and obtain the local area network communication key of the smart device from the cloud according to the identifier of the smart device;
the mobile terminal 610 is further configured to generate a first random number, encrypt the first random number with the local area network communication key to obtain first data, and send the first data to the smart device 630;
the smart device 630 is configured to decrypt the first data with its own local area network communication key to obtain a first decryption result, and to encrypt the first decryption result and a second random number generated by itself with its own local area network communication key to obtain second data;
the mobile terminal 610 is further configured to receive the second data sent by the smart device 630, and decrypt the second data with the local area network communication key to obtain a second decryption result; determine whether the smart device is trusted according to the second decryption result and the first random number; and if the first random number is credible, negotiate a session key according to the first random number and the second random number.
According to the method provided by this embodiment, a key distributed from the cloud can be written into the smart device during production, one key per device, so that different smart devices are assigned different keys. After activating the smart device, the mobile terminal APP can obtain the local area network communication key of the smart device from the cloud and use it for subsequent key negotiation during local area network communication. Because the local area network communication key is obtained from the cloud and is not transmitted during the interaction, a man-in-the-middle cannot forge a proxy. This effectively prevents man-in-the-middle attacks on local area network communication between the APP and the smart device, and the resulting leakage of private and security-sensitive data, and improves the security of communication.
In addition, the local area network communication key agreement method described in the embodiment of the present application with reference to fig. 1 may be implemented by a computer device. Fig. 7 is a hardware structure diagram of a computer device according to an embodiment of the present application.
The computer device may comprise a processor 71 and a memory 72 in which computer program instructions are stored.
Specifically, the processor 71 may include a Central Processing Unit (CPU) or an Application Specific Integrated Circuit (ASIC), or may be configured as one or more integrated circuits implementing the embodiments of the present application.
Memory 72 may include, among other things, mass storage for data or instructions. By way of example, and not limitation, memory 72 may include a Hard Disk Drive (HDD), a floppy disk drive, a Solid State Drive (SSD), flash memory, an optical disk, a magneto-optical disk, tape, or a Universal Serial Bus (USB) drive, or a combination of two or more of these. Memory 72 may include removable or non-removable (or fixed) media, where appropriate. The memory 72 may be internal or external to the data processing apparatus, where appropriate. In a particular embodiment, the memory 72 is a non-volatile memory. In particular embodiments, memory 72 includes Read-Only Memory (ROM) and Random Access Memory (RAM). The ROM may be mask-programmed ROM, Programmable ROM (PROM), Erasable PROM (EPROM), Electrically Erasable PROM (EEPROM), Electrically Alterable ROM (EAROM), or flash memory (FLASH), or a combination of two or more of these, where appropriate. The RAM may be a Static Random-Access Memory (SRAM) or a Dynamic Random-Access Memory (DRAM), where the DRAM may be a Fast Page Mode Dynamic Random-Access Memory (FPMDRAM), an Extended Data Out Dynamic Random-Access Memory (EDODRAM), a Synchronous Dynamic Random-Access Memory (SDRAM), and the like.
The memory 72 may be used to store or cache various data files for processing and/or communication use, as well as possibly computer program instructions for execution by the processor 71.
The processor 71 reads and executes the computer program instructions stored in the memory 72 to implement any one of the local area network communication key agreement methods in the above embodiments.
In some of these embodiments, the computer device may also include a communication interface 73 and a bus 70. As shown in fig. 7, the processor 71, the memory 72, and the communication interface 73 are connected via the bus 70 and communicate with one another through it.
The communication interface 73 is used for realizing communication among modules, devices, units and/or equipment in the embodiment of the present application. The communication port 73 may also carry out data communication with other components, such as external equipment, image/data acquisition equipment, a database, external storage, an image/data processing workstation and the like.
The bus 70 comprises hardware, software, or both that couple the components of the computer device to one another. Bus 70 includes, but is not limited to, at least one of the following: Data Bus, Address Bus, Control Bus, Expansion Bus, and Local Bus. By way of example, and not limitation, bus 70 may include an Accelerated Graphics Port (AGP) or other graphics bus, an Enhanced Industry Standard Architecture (EISA) bus, a Front-Side Bus (FSB), a HyperTransport (HT) interconnect, an Industry Standard Architecture (ISA) bus, an InfiniBand interconnect, a Low Pin Count (LPC) bus, a memory bus, a Micro Channel Architecture (MCA) bus, a Peripheral Component Interconnect (PCI) bus, a PCI-Express (PCI-X) bus, a Serial Advanced Technology Attachment (SATA) bus, a Video Electronics Standards Association Local Bus (VLB), or other suitable bus, or a combination of two or more of these. Bus 70 may include one or more buses, where appropriate. Although specific buses are described and shown in the embodiments of the application, any suitable buses or interconnects are contemplated by the application.
The computer device may execute the local area network communication key agreement method in the embodiment of the present application based on the obtained program instruction, thereby implementing the local area network communication key agreement method described in conjunction with fig. 1.
In addition, in combination with the local area network communication key negotiation method in the foregoing embodiments, embodiments of the present application may provide a computer-readable storage medium to implement the method. The computer-readable storage medium has computer program instructions stored thereon; the computer program instructions, when executed by a processor, implement any of the local area network communication key agreement methods in the above-described embodiments.
The technical features of the embodiments described above may be arbitrarily combined, and for the sake of brevity, all possible combinations of the technical features in the embodiments described above are not described, but should be considered as being within the scope of the present specification as long as there is no contradiction between the combinations of the technical features.
The above-mentioned embodiments express only several embodiments of the present application, and although their description is relatively specific and detailed, it should not be construed as limiting the scope of the claims. It should be noted that a person skilled in the art can make several variations and modifications without departing from the concept of the present application, all of which fall within the scope of protection of the present application. Therefore, the protection scope of the present patent shall be subject to the appended claims.