CN114372245A - Blockchain-based IoT terminal authentication method, system, equipment and medium - Google Patents

Blockchain-based IoT terminal authentication method, system, equipment and medium

Publication number
CN114372245A
Authority
CN
China
Prior art keywords
terminal
character string
internet
block chain
data
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202111652282.XA
Other languages
Chinese (zh)
Other versions
CN114372245B (en)
Inventor
赵玉雪
张宇
丁霞
朱明�
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Tianyi IoT Technology Co Ltd
Original Assignee
Tianyi IoT Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Tianyi IoT Technology Co Ltd
Priority to CN202111652282.XA
Publication of CN114372245A
Application granted
Publication of CN114372245B
Active
Anticipated expiration

Abstract

The invention provides a blockchain-based Internet of Things (IoT) terminal authentication method, system, device and medium. The method comprises the following steps: encrypting the terminal information of the IoT terminal to be authenticated to form a ciphertext and a signature, and combining the ciphertext and the signature to form a first feature string; encrypting the first feature string to obtain a first encrypted string, and storing the first encrypted string on the blockchain; acquiring a registration request, obtaining a second encrypted string from the blockchain according to the registration request, and decrypting the second encrypted string to obtain a second feature string; and matching the first feature string against the second feature string, and authenticating the identity of the IoT terminal to be authenticated according to the matching result. The scheme combines blockchain and the Internet of Things, takes into account both simple terminal implementation and diverse service requirements, can effectively avoid data leakage of the feature string, improves the security of terminal authentication, and can be widely applied in the technical field of the Internet of Things.

Description

Translated from Chinese

Blockchain-based IoT terminal authentication method, system, equipment and medium

Technical field

The invention relates to the technical field of the Internet of Things, and in particular to a blockchain-based IoT terminal authentication method, system, device and storage medium.

Background

With the rise of smart hardware technology, the IoT market has grown exponentially in recent years. The IoT platform sits at the hub where software and hardware meet in the era of the Internet of Everything, and is increasingly important in the IoT industry ecosystem. At the same time, IoT security incidents are also growing explosively; IoT terminals in particular have become key attack targets, and data leakage incidents occur frequently. Private data mainly resides in the cloud and on IoT terminal devices. On the one hand, the cloud service platform may suffer external attacks or internal leaks, or sensitive data may be leaked because cloud service users authenticate with weak passwords; on the other hand, data may also leak between devices.

Summary of the invention

In view of this, in order to at least partially solve one of the above technical problems, the embodiments of the present invention aim to provide a blockchain-based IoT terminal authentication method that can effectively avoid data leakage and offers higher security; the technical solution of the present application also provides a system, a device and a computer-readable and writable storage medium that correspondingly implement the method.

In one aspect, the technical solution of the present application provides a blockchain-based IoT terminal authentication method, and the method includes the following steps:

encrypting the terminal information of the IoT terminal to be authenticated to form a ciphertext and a signature, and combining the ciphertext and the signature to form a first feature string;

encrypting the first feature string to obtain a first encrypted string, and storing the first encrypted string on the blockchain;

acquiring a registration request, obtaining a second encrypted string from the blockchain according to the registration request, and decrypting the second encrypted string to obtain a second feature string;

matching the first feature string against the second feature string, and authenticating the identity of the IoT terminal to be authenticated according to the matching result.

In a feasible embodiment of the solution of the present application, before the step of encrypting the terminal information of the IoT terminal to form a ciphertext and a signature, the authentication method includes:

initializing the IoT terminal to be authenticated, and generating the public key and private key of the IoT terminal to be authenticated;

generating a root key according to the user information in the IoT terminal to be authenticated;

the public key is used to encrypt the first feature string to obtain the first encrypted string; the private key is used to decrypt the second encrypted string to obtain the second feature string; the root key is used to encrypt the ciphertext to obtain the signature.

In a feasible embodiment of the solution of the present application, the step of storing the first encrypted string on the blockchain includes:

acquiring a data on-chain request;

determining the master node of the blockchain service, and having the master node sort and package the first encrypted string according to the data on-chain request to obtain a data packet;

storing the data packet in the blockchain, and generating a data on-chain credential.

In a feasible embodiment of the solution of the present application, the data on-chain request includes first token information; after the step of acquiring the data on-chain request, the authentication method includes:

authenticating the first token information, determining that the authentication passes, calling the data deposit interface of the blockchain service, and uploading the first encrypted string through the data deposit interface.

In a feasible embodiment of the solution of the present application, the registration request includes second token information; after the step of acquiring the registration request, the authentication method includes:

authenticating the second token information, determining that the authentication passes, calling the data query interface of the blockchain service, and obtaining the second encrypted string through the data query interface.

In a feasible embodiment of the solution of the present application, the step of having the master node sort and package the first encrypted string according to the data on-chain request to obtain a data packet includes:

sorting and packaging the first encrypted string to obtain a data packet, and performing a first verification on the data packet to generate validity verification information;

broadcasting the validity verification information in the blockchain, so that the non-master nodes perform a second verification on the data packet to generate second verification information;

comparing the second verification information with the validity verification information, and writing the data packet to the non-master node according to the comparison result.

In a feasible embodiment of the solution of the present application, before the step of sorting and packaging the first encrypted string to obtain a data packet, the authentication method includes:

determining the hash value of the data packet according to a Merkle tree.

In another aspect, the technical solution of the present application also provides a blockchain-based IoT terminal authentication system, including:

a data encryption unit, configured to encrypt the terminal information of the IoT terminal to be authenticated to form a ciphertext and a signature, and combine the ciphertext and the signature to form a first feature string; and to encrypt the first feature string to obtain a first encrypted string and store the first encrypted string on the blockchain;

a terminal registration unit, configured to acquire a registration request;

a data decryption unit, configured to obtain a second encrypted string from the blockchain according to the registration request, and decrypt the second encrypted string to obtain a second feature string;

an identity authentication unit, configured to match the first feature string against the second feature string, and authenticate the identity of the IoT terminal to be authenticated according to the matching result.

In another aspect, the technical solution of the present invention also provides a blockchain-based IoT terminal authentication device, which includes:

at least one processor;

at least one memory for storing at least one program;

when the at least one program is executed by the at least one processor, the at least one processor runs the blockchain-based IoT terminal authentication method described above.

In another aspect, the technical solution of the present invention also provides a storage medium storing a processor-executable program which, when executed by a processor, runs the blockchain-based IoT terminal authentication method described above.

The advantages and beneficial effects of the present invention are given in part in the following description; the rest can be learned from the specific embodiments of the present invention:

The technical solution of this application builds on the core blockchain technologies of distributed storage and consensus. The terminal information is encrypted to form a ciphertext and a signature, the ciphertext and the signature are combined into a feature string, and the feature string is further encrypted and stored in the blockchain. When the terminal requests registration, the encrypted string is obtained from the blockchain and decrypted to recover the feature string, which is used to authenticate the identity of the connecting terminal. The solution addresses the problem that existing platforms display the feature string in plain text during terminal authentication, and achieves secure storage of the feature string. In addition, the terminal does not need a preset feature string, which avoids re-flashing the terminal when it migrates between platforms and thereby promotes the diversified development of terminal services. The solution combines blockchain and the Internet of Things, takes into account both simple terminal implementation and diverse service requirements, can effectively avoid data leakage of the feature string, and improves the security of terminal authentication.

Description of drawings

In order to explain the technical solutions in the embodiments of the present application more clearly, the drawings used in the description of the embodiments are briefly introduced below. Obviously, the drawings described below are only some embodiments of the present application; a person of ordinary skill in the art can obtain other drawings from them without creative effort.

Fig. 1 is a flow chart of the steps of the blockchain-based IoT terminal authentication method provided in an embodiment of the present invention;

Fig. 2 is a flow chart of the interaction between the terminal and the IoT platform during terminal authentication in an embodiment of the present invention;

Fig. 3 is a flow chart of the interaction during feature string generation and on-chain storage in an embodiment of the present invention.

Detailed description

Embodiments of the present invention are described in detail below, and examples of the embodiments are illustrated in the accompanying drawings, in which the same or similar reference numerals throughout denote the same or similar elements or elements having the same or similar functions. The embodiments described below with reference to the drawings are exemplary, serve only to explain the present invention, and should not be construed as limiting it. The step numbers in the following embodiments are set only for convenience of explanation and do not limit the order of the steps; the execution order of the steps in the embodiments can be adapted according to the understanding of those skilled in the art.

In addition to the technical problems and defects of the related art identified in the background section, it should be further explained that, in common application scenarios, an IoT platform usually has to carry the access of a massive number of IoT terminals, and to keep terminal access secure the platform authenticates the identity of each connecting IoT terminal. In the related art, the platform provides several methods for devices using different protocols, such as Chinese national cryptographic algorithm authentication, certificate authentication and feature string authentication. Taking feature string authentication as an example, the platform assigns a feature string to the terminal; the feature string uniquely identifies the terminal, and the terminal developer must import it into the terminal. When the terminal logs in to the platform, it must carry this terminal security identity authentication information to complete terminal authentication. At present, the feature string authentication process of IoT platforms in the related art is too simple. After the platform assigns the feature string to the terminal, the terminal developer has to copy it manually from the platform portal and write it into the terminal, and if the feature string changes the terminal has to be re-flashed. This is not only inconvenient for terminal developers; it also leaves the feature string data without privacy protection, which is a major security risk.

In view of the obvious defects in the related art described above, in one aspect, as shown in Fig. 1, an embodiment of the present application provides a blockchain-based IoT terminal authentication method, which includes steps S100-S400:

S100. Encrypt the terminal information of the IoT terminal to be authenticated to form a ciphertext and a signature, and combine the ciphertext and the signature to form a first feature string;

Here, the IoT terminal to be authenticated is a terminal that has been initialized and needs to access the IoT platform of the embodiment. The solution of this application mainly targets IoT terminals that communicate over a mobile cellular network, and in the rest of the description the default communication method is the mobile cellular network. Specifically in this embodiment, the first feature string is formed as follows: for a terminal whose identity has been verified as legitimate, a ciphertext is obtained through a first round of encryption, a signature is obtained through a second round of encryption over the ciphertext, and the ciphertext and the signature are combined into the feature string.

In some optional embodiments, before the process in step S100 of encrypting the terminal information of the IoT terminal to form a ciphertext and a signature, the method may include steps S001 and S002:

S001. Initialize the IoT terminal to be authenticated, and generate the public key and private key of the IoT terminal to be authenticated;

S002. Generate a root key according to the user information in the IoT terminal to be authenticated;

In steps S001-S002, the public key is used to encrypt the first feature string to obtain the first encrypted string; the private key is used to decrypt the second encrypted string to obtain the second feature string; the root key is used to encrypt the ciphertext to obtain the signature.

Specifically in the embodiment, as shown in Fig. 2, the embodiment first obtains the user's unique identification information, such as the platform account registered by the user and the mobile phone number bound to that account. The embodiment performs real-name authentication on the user's unique identification information, and the platform then generates a root key RootKey for the user. After real-name authentication, the embodiment performs a device initialization operation on the cellular IoT terminal that needs to access the IoT platform, generating the terminal's own public key PK_Device and private key SK_Device.

In addition, in the embodiment, after logging in to the IoT platform, an IoT blockchain product can be created on the platform; a product is a collection of terminals of the same type. In the user interaction window provided by the platform, the user can select or set the product classification, for example choosing the mobile cellular network as the communication protocol and feature string authentication as the authentication method.

After the product has been created in the IoT platform, a terminal can be added by entering information such as the terminal name, terminal number and terminal public key; the terminal entered is the IoT terminal to be authenticated. In the embodiment, after receiving the add-device instruction, the IoT platform first generates a device ID as the terminal's unique identifier on the platform, then uses Base64 to encrypt information such as the terminal ID to generate the payload ciphertext, and then uses the root key obtained in step S002 to apply HMAC-SHA256 to the payload ciphertext to generate the signature; the payload ciphertext plus the signature are combined into the feature string token. For example, the token is: Dj9pt7s7fEbk9VOzicmQ8834Lp4IRDCwtWkva1yPQW8.

S200. Encrypt the first feature string to obtain a first encrypted string, and store the first encrypted string on the blockchain;

Here, the first encrypted string is the string obtained by encrypting with the public key generated in step S001. Specifically in the embodiment, the terminal management unit of the IoT platform encrypts the feature string with the terminal public key, PK_Device(token), and then calls the data deposit interface of the blockchain service to save the feature string ciphertext in the IoT blockchain.

S300. Acquire a registration request, obtain a second encrypted string from the blockchain according to the registration request, and decrypt the second encrypted string to obtain a second feature string;

Here, the second encrypted string is the string obtained by querying the data blocks stored on the blockchain according to the ID of the terminal that initiated the registration request, and the second feature string is the string obtained by decrypting the second encrypted string with the private key from step S001.

In a specific embodiment, the IoT platform receives the registration request initiated by the IoT terminal to be authenticated and parses it to obtain the registration message. Using the device ID in the registration message, it calls the data query interface to obtain the terminal's feature string ciphertext from the blockchain service module, and returns the ciphertext to the terminal. After receiving the feature string ciphertext, the terminal decrypts it with its private key, SK_Device(token), to obtain the feature string.

S400. Match the first feature string against the second feature string, and authenticate the identity of the IoT terminal to be authenticated according to the matching result;

Specifically in the embodiment, after the terminal has decrypted the feature string, it sends a login message carrying the feature string to the IoT platform. After parsing the message, the IoT platform uses HMAC-SHA256 with the terminal ID and the user's root key to generate the feature string token, compares it with the token carried in the terminal's login message to verify the validity of the feature string, completes the identity authentication of the terminal, and returns the login result to the terminal. If terminal access authentication succeeds, the platform shows the terminal as online, and the terminal can communicate with the platform, for example to report data.
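The token construction in S100 and the platform-side check in S400 can be sketched as follows. This is an added example, not code from the patent: the JSON payload fields, the `.` separator, the unpadded URL-safe Base64 alphabet and all key and ID values are assumptions, and the public-key wrapping and chain storage of S200/S300 are left out.

```python
import base64
import hashlib
import hmac
import json

SEP = "."  # assumed separator; the text only says payload and signature are combined

# Constructed root key for the demo; a real RootKey is generated per user by the platform.
ROOT_KEY = hashlib.sha256(b"constructed-root-key-for-demo").digest()


def _b64(data: bytes) -> str:
    """URL-safe Base64 without padding (assumed alphabet)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def build_payload(device_id: str, product_id: str) -> str:
    """S100, first round: Base64 over the terminal information.

    Base64 is a reversible encoding, so this 'payload ciphertext' is readable
    by anyone who holds the token; only the HMAC below depends on a secret.
    """
    info = json.dumps({"device_id": device_id, "product_id": product_id},
                      sort_keys=True, separators=(",", ":"))
    return _b64(info.encode("utf-8"))


def issue_token(root_key: bytes, device_id: str, product_id: str) -> str:
    """S100, second round: HMAC-SHA256 over the payload, keyed with the root key."""
    payload = build_payload(device_id, product_id)
    sig = hmac.new(root_key, payload.encode("ascii"), hashlib.sha256).digest()
    return payload + SEP + _b64(sig)


def verify_login(root_key: bytes, device_id: str, product_id: str,
                 presented: str) -> bool:
    """S400: regenerate the token from the terminal ID and root key, then compare.

    The platform never trusts the payload inside the presented token; it
    rebuilds the expected value itself and compares in constant time.
    """
    if not isinstance(presented, str) or presented.count(SEP) != 1:
        return False
    expected = issue_token(root_key, device_id, product_id)
    return hmac.compare_digest(expected.encode("ascii"), presented.encode("utf-8"))


def decode_payload(token: str) -> dict:
    """Recover the terminal information from a token without any key."""
    payload = token.split(SEP, 1)[0]
    padded = payload + "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


if __name__ == "__main__":
    token = issue_token(ROOT_KEY, "dev-0001", "prod-A")
    print("token:", token)
    print("login ok:", verify_login(ROOT_KEY, "dev-0001", "prod-A", token))
    print("other device:", verify_login(ROOT_KEY, "dev-0002", "prod-A", token))
    print("payload readable without key:", decode_payload(token))
```

Because the payload decodes without a key, confidentiality of the token in this scheme rests on the PK_Device encryption applied in S200, not on the Base64 step.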

In some optional embodiments, the process in step S200 of storing the first encrypted string on the blockchain may include steps S210-S230:

S210. Acquire a data on-chain request;

S220. Determine the master node of the blockchain service, and have the master node sort and package the first encrypted string according to the data on-chain request to obtain a data packet;

S230. Store the data packet in the blockchain, and generate a data on-chain credential;

Specifically in the embodiment, after the blockchain service receives the data on-chain request, the master node (Primary) dynamically elected by the blockchain service is responsible for sorting and packaging all messages from the IoT terminals; the message content includes, but is not limited to, data on-chain requests and registration requests. In the embodiment, the blockchain service uses the RBFT consensus algorithm to commit the data to blockchain storage, and after the data has been recorded the blockchain service returns the data on-chain credential.

In some optional embodiments, when the underlying blockchain is deployed, the low-level blockchain capabilities can be encapsulated, and the terminal management module of the IoT platform interacts with the blockchain service on behalf of all callers; therefore, in the embodiment, both the data on-chain request and the registration request can carry corresponding token information. Accordingly, before the process of acquiring the data on-chain request in step S210, the method of the embodiment may further include step S201:

S201. Authenticate the first token information, determine that the authentication passes, call the data deposit interface of the blockchain service, and upload the first encrypted string through the data deposit interface.

In addition, after the process of acquiring the registration request in step S300, the embodiment may further include step S301:

S301. Authenticate the second token information, determine that the authentication passes, call the data query interface of the blockchain service, and obtain the second encrypted string through the data query interface.

Specifically in the embodiment, as shown in Fig. 3, the blockchain service can issue a global token, and the IoT platform must carry the token information when calling the API; the token is used for authentication to keep interface access secure. When data is put on chain, the terminal management module calls the data deposit API of the blockchain service; during terminal authentication, the terminal management module calls the data query API of the blockchain service to obtain the feature string data.

在一些可选择的实施例中,方法步骤S220确定区块链服务的主节点,通过主节点根据数据上链请求对第一加密字符串进行排序打包得到数据包这一过程,其可以包括步骤S221-S223:In some optional embodiments, the method step S220 determines the master node of the blockchain service, and the master node sorts and packs the first encrypted string according to the data upload request to obtain a data packet, which may include step S221 -S223:

S221、将第一加密字符串进行排序打包得到数据包,对数据包进行第一验证生成合法验证信息;S221, sorting and packaging the first encrypted string to obtain a data packet, and performing a first verification on the data packet to generate legal verification information;

S222、对合法验证信息在区块链中进行广播,以使非主节点对数据包进行第二验证生成第二验证信息;S222, broadcasting the legal verification information in the blockchain, so that the non-master node performs the second verification on the data packet to generate the second verification information;

S223、将第二验证信息与合法验证信息进行对比,根据对比结果将数据包写入非主节点中。S223. Compare the second verification information with the legal verification information, and write the data packet into the non-master node according to the comparison result.

In the embodiment, the blockchain service uses the RBFT consensus algorithm. The Robust Byzantine Fault Tolerance algorithm (RBFT) of the embodiment inserts a transaction validation step into the native PBFT algorithm, which improves the stability of the scheme. RBFT keeps PBFT's original three-phase processing flow (PrePrepare, Prepare, Commit) and adds an important transaction validation (validate) step, so that consensus is reached not only on the order of transaction execution but also on the block validation result. The RBFT consensus algorithm provides a mechanism for automatic recovery of dynamic data and adds the ability to add and remove nodes dynamically while the cluster stays up, which improves the availability of the consensus module.

Specifically, in the embodiment, the master node validates the transactions after packaging them into a block and includes the validation result in the PrePrepare message, which is broadcast to the whole network, so the PrePrepare message contains both the ordered transaction information and the block validation result. On receiving the master node's PrePrepare message, a slave node first checks the validity of the message; if the check passes, it broadcasts a Prepare message to indicate that it agrees with the master node's ordering. Only after receiving the number of Prepare messages required for consensus (quorum-1) does the slave node start validating the block, and it then compares its validation result with the master node's. If the results match, it broadcasts Commit to indicate that it agrees with the master node's validation result; otherwise it directly initiates a ViewChange to indicate that it considers the master node to be behaving abnormally.
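The slave-node side of the exchange described above, as an added example that is not part of the patent text: a replica answers PrePrepare with Prepare, validates the block only after quorum-1 Prepare messages, and then emits Commit or ViewChange. The `Replica` and `PrePrepare` classes, the `validate_block` stand-in and the quorum value used in the demo are assumptions made for illustration.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Optional


def validate_block(txs):
    """Stand-in for block validation (assumption): a digest over the
    ordered transactions, so any reordering or change alters the result."""
    h = hashlib.sha256()
    for tx in txs:
        h.update(hashlib.sha256(tx).digest())
    return h.hexdigest()


@dataclass
class PrePrepare:
    view: int
    seq: int
    txs: list             # transactions in the order chosen by the master node
    primary_result: str   # master node's own validation result


@dataclass
class Replica:
    name: str
    quorum: int
    view: int = 0
    pending: Optional[PrePrepare] = None
    prepares: set = field(default_factory=set)
    decided: bool = False

    def on_preprepare(self, msg):
        # Message check: right view, and no second proposal for this round.
        if msg.view != self.view or self.pending is not None:
            return None
        self.pending = msg
        return ("Prepare", msg.view, msg.seq)

    def on_prepare(self, sender, view, seq):
        p = self.pending
        if p is None or self.decided or sender == self.name:
            return None
        if (view, seq) != (p.view, p.seq):
            return None
        self.prepares.add(sender)          # a set, so repeats do not count
        if len(self.prepares) < self.quorum - 1:
            return None
        # Validation happens only now, after quorum-1 Prepare messages.
        self.decided = True
        if validate_block(p.txs) == p.primary_result:
            return ("Commit", view, seq)
        return ("ViewChange", self.view + 1)


if __name__ == "__main__":
    txs = [b"tx1", b"tx2"]                 # constructed sample transactions
    replica = Replica("r1", quorum=3)      # constructed: 4 nodes, quorum 3
    print(replica.on_preprepare(PrePrepare(0, 1, txs, validate_block(txs))))
    print(replica.on_prepare("r2", 0, 1))
    print(replica.on_prepare("r3", 0, 1))
```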

In some optional embodiments, the method may determine the hash value of the data packet by means of a Merkle tree.

In the embodiment, distributed storage such as a Merkle tree is used to record the hash values of data blocks, which optimizes the storage architecture of the blockchain and improves its storage efficiency. For example, when constructing a Merkle tree, a hash value is first computed for each data block; the embodiment uses a hash algorithm such as SHA-256. If the aim is only to guard against damage or tampering that is not deliberate, a less secure but more efficient checksum algorithm such as CRC can be used instead. The hash values of the data blocks are then paired two by two (if there is an odd number, the last one is paired with itself) to compute the hashes of the next level up, and this step is repeated until the root hash is computed.
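The construction described above, written out as an added example (not code from the patent): it computes the root with SHA-256 and the pair-last-with-itself rule, and shows a consequence of that rule that a verifier has to account for, namely that a block list and the same list with its last block repeated yield the same root. The function names and the leaf-count binding in `merkle_root_with_count` are assumptions, shown as one way to remove the ambiguity.

```python
import hashlib


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def merkle_root(blocks):
    """Root hash per the description: hash each data block, pair the hashes
    two by two (an odd last hash is paired with itself), hash each pair,
    and repeat until a single hash remains."""
    if not blocks:
        raise ValueError("at least one data block is required")
    level = [sha256(b) for b in blocks]
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])        # odd count: pair last with itself
        level = [sha256(level[i] + level[i + 1])
                 for i in range(0, len(level), 2)]
    return level[0]


def merkle_root_with_count(blocks):
    """Assumed hardening: bind the number of data blocks into the final
    digest so a padded list cannot stand in for the original one."""
    return sha256(len(blocks).to_bytes(8, "big") + merkle_root(blocks))


if __name__ == "__main__":
    blocks = [b"block-a", b"block-b", b"block-c"]     # constructed sample
    padded = blocks + [b"block-c"]
    print(merkle_root(blocks).hex())
    print(merkle_root(blocks) == merkle_root(padded))                        # True
    print(merkle_root_with_count(blocks) == merkle_root_with_count(padded))  # False
```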

With reference to Figure 2, the complete implementation process of the scheme of the present application is described in detail as follows:

(1) The user registers a platform account with a mobile phone number and completes real-name authentication, and the platform generates a root key, RootKey, for the user;

(2) The user performs a device initialization operation on the cellular IoT terminal, generating the terminal's own public key PK_Device and private key SK_Device;

(3) The user logs in to the IoT platform, creates an IoT blockchain product (a product is a collection of terminals of the same type) and selects the product category; note that the communication protocol must be set to "mobile cellular network" and the authentication method to "feature string authentication";

(4) Under the created product, the user adds a terminal by entering information such as the terminal name, terminal number and terminal public key. After receiving the add-device instruction, the platform's terminal management module first generates a device ID as the terminal's unique identifier on the platform, then uses Base64 to encrypt the terminal ID and other information to generate the payload ciphertext, and then uses the root key from step (1) to encrypt the payload ciphertext with HMAC-SHA256 to generate a signature; the payload ciphertext plus the signature are combined into the feature string token (for example: Dj9pt7s7fEbk9VOzicmQ8834Lp4IRDCwtWkva1yPQW8);

(5) The terminal management module encrypts the feature string with the terminal public key, PK_Device(token), and then calls the data storage interface of the blockchain service to save the feature string ciphertext to the IoT blockchain;

(6) After the blockchain service receives the data on-chain request, the master node (Primary) dynamically elected by the blockchain service is responsible for sorting and packaging client messages; the data is committed to blockchain storage using the RBFT consensus algorithm, and the blockchain service returns a data on-chain voucher.

(7) The terminal sends a registration request to the platform; the terminal access module parses the registration message and forwards the request to terminal management. Using the device ID, terminal management calls the data query interface to obtain the terminal's feature string ciphertext from the blockchain service module and returns the ciphertext to the terminal.

(8) After receiving the feature string ciphertext, the terminal decrypts it with its private key, SK_Device(token), to obtain the feature string, and then sends a login message carrying the feature string to the platform; the terminal access module parses the message and forwards it to the terminal management module.

(9) The terminal management module uses HMAC-SHA256 to generate the feature string token from the terminal ID and the user's root key, compares it with the token carried in the terminal's login message to verify the validity of the feature string, completes the identity authentication of the terminal, and returns the login result to the terminal.

(10) If the terminal's access authentication succeeds, the platform shows the terminal as online, and the terminal can communicate with the platform, for example to report data.
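Steps (4) and (9) as an added example, not the platform's own code: the token is built as a Base64 payload plus an HMAC-SHA256 signature under the root key, and the login check recomputes it and compares in constant time. The `payload.signature` layout, the JSON field names and all function names are assumptions; the PK_Device/SK_Device wrapping of steps (5) and (8) is left out.

```python
import base64
import hashlib
import hmac
import json
import secrets


def b64url(data: bytes) -> str:
    """URL-safe Base64 without padding."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(root_key: bytes, terminal_info: dict) -> str:
    """Step (4): Base64 payload, HMAC-SHA256 signature under RootKey,
    joined as payload.signature (the separator is an assumption)."""
    canonical = json.dumps(terminal_info, sort_keys=True,
                           separators=(",", ":")).encode("utf-8")
    payload = b64url(canonical)
    signature = hmac.new(root_key, payload.encode("ascii"),
                         hashlib.sha256).digest()
    return payload + "." + b64url(signature)


def verify_token(root_key: bytes, terminal_info: dict, presented: str) -> bool:
    """Step (9): regenerate the token from the stored terminal record and
    the user's root key, then compare without leaking where they differ."""
    expected = make_token(root_key, terminal_info)
    return hmac.compare_digest(expected.encode("utf-8"),
                               presented.encode("utf-8"))


def read_payload(token: str) -> dict:
    """Decode the payload half; no key is needed to do this."""
    payload = token.split(".", 1)[0]
    return json.loads(b64url_decode(payload))


if __name__ == "__main__":
    root_key = secrets.token_bytes(32)     # stands in for the user's RootKey
    record = {"device_id": "dev-0001", "name": "meter-01"}   # constructed
    token = make_token(root_key, record)
    print(token)
    print(read_payload(token))
    print(verify_token(root_key, record, token))
    print(verify_token(root_key, {**record, "device_id": "dev-0002"}, token))
```

Base64 is an encoding, so `read_payload` recovers the terminal information from a token without any key. Only the signature half depends on RootKey, which is why the check in step (9) has to recompute the HMAC rather than trust anything decoded from the presented token.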

In a second aspect, the technical solution of the present application also provides a blockchain-based IoT terminal authentication system. The system includes two main objects: the cellular terminal and the IoT platform. The IoT platform mainly includes:

a data encryption unit, configured to encrypt the terminal information of the IoT terminal to be authenticated to form a ciphertext and a signature, combine the ciphertext and the signature to form a first feature string, encrypt the first feature string to obtain a first encrypted string, and store the first encrypted string in the blockchain;

a terminal registration unit, configured to obtain a registration request;

a data decryption unit, configured to obtain a second encrypted string from the blockchain according to the registration request, and decrypt the second encrypted string to obtain a second feature string;

an identity authentication unit, configured to match the first feature string against the second feature string, and authenticate the identity of the IoT terminal to be authenticated according to the matching result.

In some optional embodiments, the functional units in the Internet of Things may be subdivided; for example, the IoT platform in some embodiments further includes:

a terminal access unit, used to handle the reception of and response to terminal login messages, and the verification of the feature string;

a terminal management unit, used to generate and save the feature string, encrypt the feature string with the public key, and interact with the blockchain service;

a blockchain service unit, used to store terminal feature string information on the chain and to provide data storage and query interfaces externally.

In a third aspect, the technical solution of the present application also provides a blockchain-based IoT terminal authentication device, which includes:

at least one processor; and at least one memory for storing at least one program; when the at least one program is executed by the at least one processor, the at least one processor runs the blockchain-based IoT terminal authentication method of the first aspect.

An embodiment of the present invention further provides a storage medium in which a program is stored; the program is executed by a processor to implement the above blockchain-based IoT terminal authentication method.

From the specific implementation process above, it can be concluded that the technical solution provided by the present invention has the following advantages over the prior art:

1. Secure data storage. When authenticating cellular IoT devices for access, current mainstream IoT platforms generally use feature string authentication, with the feature string displayed in plain text on the platform portal, so the privacy of the feature string cannot be guaranteed. The method of the present invention encrypts the feature string and stores it in the blockchain service, so the data is safe and reliable.

2. Simple authentication flow. The technical solution of the present application uses the device's public/private key to encrypt/decrypt the feature string, which simplifies the authentication flow while improving the security of terminal authentication and reduces the development workload on the terminal side. The terminal does not interact with the blockchain service directly, which reduces the terminal's interaction flow.

In some alternative embodiments, the functions/operations noted in the block diagrams may occur out of the order noted in the operational illustrations. For example, two blocks shown in succession may in fact be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending on the functions/operations involved. Furthermore, the embodiments presented and described in the flowcharts of the present invention are provided by way of example, in order to give a more comprehensive understanding of the technology. The disclosed methods are not limited to the operations and logic flows presented herein. Alternative embodiments are contemplated in which the order of the various operations is altered and in which sub-operations described as part of larger operations are performed independently.

Furthermore, although the invention is described in the context of functional modules, it should be understood that, unless stated to the contrary, one or more of the functions and/or features may be integrated in a single physical device and/or software module, or one or more functions and/or features may be implemented in separate physical devices or software modules. It will also be appreciated that a detailed discussion of the actual implementation of each module is not necessary for understanding the present invention. Rather, given the attributes, functions and internal relationships of the various functional modules in the apparatus disclosed herein, the actual implementation of the modules will be within the routine skill of an engineer. Accordingly, those skilled in the art, using ordinary skill, can implement the invention as set forth in the claims without undue experimentation. It is also to be understood that the specific concepts disclosed are merely illustrative and are not intended to limit the scope of the invention, which is determined by the appended claims and the full scope of their equivalents.

The logic and/or steps represented in the flowcharts or otherwise described herein may, for example, be regarded as an ordered list of executable instructions for implementing logical functions, and may be embodied in any computer-readable medium for use by, or in connection with, an instruction execution system, apparatus or device (such as a computer-based system, a system including a processor, or another system that can fetch instructions from the instruction execution system, apparatus or device and execute them).

In the description of this specification, a description referring to the terms "one embodiment", "some embodiments", "example", "specific example" or "some examples" means that a specific feature, structure, material or characteristic described in connection with that embodiment or example is included in at least one embodiment or example of the present invention. In this specification, schematic uses of the above terms do not necessarily refer to the same embodiment or example. Moreover, the specific features, structures, materials or characteristics described may be combined in any suitable manner in any one or more embodiments or examples.

Although embodiments of the present invention have been shown and described, those of ordinary skill in the art will understand that various changes, modifications, substitutions and variations can be made to these embodiments without departing from the principles and spirit of the invention, the scope of which is defined by the claims and their equivalents.

The above is a specific description of preferred implementations of the present invention, but the present invention is not limited to the above embodiments. Those skilled in the art can also make various equivalent modifications or substitutions without departing from the spirit of the present invention, and these equivalent modifications or substitutions all fall within the scope defined by the claims of the present application.

Application CN202111652282.XA, priority date 2021-12-30, filing date 2021-12-30: Internet of Things terminal authentication method, system, device and medium based on blockchain. Status: Active. Granted as CN114372245B (en).

Publications (2)

CN114372245A (en), published 2022-04-19
CN114372245B (en), published 2025-06-17

Family ID: 81142220

Country status: CN (1), CN114372245B (en)
