Detailed Description
The technical scheme provided in the present specification is further described in detail below with reference to the accompanying drawings and examples. It is to be understood that the specific embodiments described herein are merely illustrative of the invention and are not limiting of the invention. It should be noted that, for convenience of description, only the portions related to the present invention are shown in the drawings. It should be noted that, without conflict, the embodiments of the present specification and features in the embodiments may be combined with each other.
It will be appreciated that prior to using the technical solutions disclosed in the embodiments of the present disclosure, the user should be informed and authorized of the type, usage range, usage scenario, etc. of the personal information related to the present disclosure in an appropriate manner according to the relevant legal regulations.
For example, in response to receiving an active request from a user, a prompt is sent to the user to explicitly prompt the user that the operation it is requesting to perform will require personal information to be obtained and used with the user. Thus, the user can autonomously select whether to provide personal information to software or hardware such as an electronic device, an application program, a server or a storage medium for executing the operation of the technical scheme of the present disclosure according to the prompt information.
As an alternative but non-limiting implementation, in response to receiving an active request from a user, the manner in which the prompt information is sent to the user may be, for example, a popup, in which the prompt information may be presented in a text manner. In addition, a selection control for the user to select to provide personal information to the electronic device in a 'consent' or 'disagreement' manner can be carried in the popup window.
It will be appreciated that the above-described notification and user authorization process is merely illustrative and not limiting of the implementations of the present disclosure, and that other ways of satisfying relevant legal regulations may be applied to the implementations of the present disclosure.
As described above, the entity certificate method is currently commonly used to manage and verify the ownership of the internet of things device, and the entity certificate method has various problems.
Taking the example that the internet of things equipment is a vehicle, the management is generally required to be carried out by relying on paper certificates issued by institutions at the present stage, and various problems exist in the method. For example, paper certificates have the problem of inconvenient carrying, users need to carry the paper certificates at any time to prepare for the needs such as traffic inspection and the like, and the paper certificates are inconvenient to carry at any time and increase the risk of losing. For another example, paper certificates also present a problem of being easily lost or damaged, which may be lost, damaged or worn for a variety of reasons, and once lost, the repair procedure is complicated. As another example, paper certificates present the problem of being more easily counterfeited and tampered with, which can lead to illegal transactions and theft of equipment. For another example, paper certificates have the problem of difficult verification, and when ownership needs to be confirmed, such as trade, processing violations and the like, the paper certificates need to be checked in a physical mode, and the verification process is time-consuming and labor-consuming. For another example, paper certificates have the problem of low transfer efficiency, and when vehicles are purchased or transferred, registration information and entity certificates need to be changed, which is time-consuming and inefficient. In addition, the paper certificate also has the problem of privacy disclosure, and personal information is usually contained on the paper certificate, so that the risk of privacy disclosure is high.
The above problem causes that the user has control rights of the internet of things equipment but lacks an efficient ownership management and verification mode, so that sharing, searching and buying and selling of the internet of things equipment by the user are limited, and rights and interests protection of the internet of things equipment is not well implemented. Taking the internet of things equipment as an electric bicycle as an example, when the user A sells the second-hand electric bicycle to the user B, the user A can possibly face unnecessary legal responsibility or financial loss because the offline changing of the registration information flow of the entity certificate is complicated and the ownership of the second-hand electric bicycle is not transferred, and when the user B violates the traffic rules or generates traffic accidents in the riding process, the ownership of the electric bicycle cannot be effectively proved. In this scenario, the legal responsibility attribution of the internet of things device becomes ambiguous, such that the user assumes additional risk during the transaction.
Therefore, the embodiment of the specification provides a management and verification method for the ownership of the internet of things equipment, so that the management and verification of the ownership of the internet of things equipment can be safely and efficiently performed. As shown in fig. 1, fig. 1 shows a schematic diagram of one application scenario to which the embodiments of the present description may be applied. In the application scenario shown in fig. 1, the internet of things device is an electric two-wheeled vehicle 101, which electric two-wheeled vehicle 101 belongs to a user Bob, i.e. the user Bob has ownership of the electric two-wheeled vehicle 101. The terminal device 102 of the user Bob may encrypt the identity information of the user Bob to obtain the identity ciphertext X. Thereafter, the terminal device 102 may request the device credential from the device credential issuer 103 based on the identity ciphertext X and the device information of the electric motorcycle 101. The terminal device 102 may then obtain a device credential Y sent by the device credential issuer 103, which includes the identity ciphertext X therein. Finally, the terminal device 102 may import the device credential Y into the electric two-wheeled vehicle 101 for storage, so that the electric two-wheeled vehicle 101 stores the device credential Y including the identity ciphertext X of the user Bob, so as to bind the user Bob and the electric two-wheeled vehicle 101. When the ownership verification of the electric motorcycle 101 is required, the verifier can read the device certificate Y through the verifier device 104 and generate the instruction information. The terminal device 105 corresponding to the second user to be checked for ownership obtains the identity ciphertext X via the indication information provided by the checking party device 104. After that, the terminal device 105 performs a verification operation for verifying whether the second user is the owner of the electric motorcycle 101, that is, verifying whether the second user is the user Bob. The terminal device 105 may present the verification results for viewing by the verifier.
Before the method described in this embodiment is performed, identity information of each participant and each participant device may be registered and authenticated in advance for the convenience of management and identification of each participant and each participant device. For example, management may be performed in a centralized manner, such as an authentication mechanism managed and controlled by a single authority or service provider. In this way both the identity information of the user and the authentication process are centrally handled by one central entity. For another example, the identity management may also be performed in a distributed identity authentication manner, which is a de-centralized identity management scheme that allows individuals or organizations to own and control their own identity and data information.
The distributed identity authentication system with the user as the center is the latest trend of digital identity development, and adopts a blockchain technology, a cryptography algorithm, a novel identity authentication technology and the like to realize distributed identity authentication and identity authorization management for protecting the privacy of the user. The method not only has high security and privacy protection capability, but also can span different digital applications and services to realize the secure, compliance and credible intercommunication of digital identity and identity related data.
For the convenience of subsequent understanding, a distributed identity authentication system that may be applied to embodiments of the present application is described herein. As shown in fig. 2, fig. 2 is a schematic diagram of a distributed identity authentication system that may be used in an embodiment of the present application. In the distributed identity authentication architecture shown in fig. 2, an identity Service Provider (Ident ity Provider, IDP) 201, a credential Issuer (ISSUER) 202, a DID (DECENTRAL IZEDIDENT IFIER, distributed identification) identity holder 203, and a Service Provider (SP) 204 may be included. Wherein the identity service provider IDP201 may interact with the blockchain.
Specifically, the identity service provider IDP201 may provide the DID registration service for each organization and user in the distributed identity authentication system, which mainly participates in the organization residence and user registration process, and provides the organization and user with the DID creation and distributed identification document chaining service, and may also provide the services such as DID alias management. Here, an organization or individual in the distributed identity authentication system may register the DID through the identity service provider IDP201 and upload the distributed identity document containing the identity public key to the blockchain for certification through the identity service provider IDP 201. Upon user initiative application, the credential issuer 202 may issue verifiable credentials (Verifiable CREDENT IALS, VC) to the user side for encrypted storage. When a user needs to present the relevant credentials in a particular business scenario, the verifiable credentials may be assembled and signed into verifiable expressions at the user side and submitted to the business service provider 204 via user authorization. The service provider 204 can obtain the identity public keys of the user and the credential issuer 202, and sequentially perform user authorization verification of verifiable expression and authentication of the credential issuer 202, and after verification, further judge that the declaration content meets the service scene requirement, then the scene service can be provided.
Based on the distributed identity authentication system shown in fig. 2, in the embodiment of the present application, the first internet of things device and the first terminal corresponding to the owner of the first internet of things device (in this example, referred to as the first user) may create the DID in advance, and the first terminal may also apply for the real person credential in advance. As shown in fig. 3, fig. 3 shows a schematic diagram of creating a DID and applying for a real person credential.
The process of creating the DID by the first terminal and the first internet of things device may include the following (1) and (2), specifically:
(1) The first terminal may generate a first public key by using various asymmetric encryption algorithms, send the generated first public key to the identity service provider IDP, and receive and store a first user identifier returned by the identity service provider IDP, where the first user identifier is generated by the identity service provider IDP based on the first public key. For example, the identity service provider IDP may perform a hash calculation on the first public key, and take the calculation result as the first user identifier. Furthermore, the identity service provider IDP may be further configured to store the first user identification and the first public key association to the blockchain.
(2) The first internet of things device may also generate a second public key by adopting various asymmetric encryption algorithms, send the generated second public key to the identity service provider IDP, and receive and store a first device identifier returned by the identity service provider IDP, where the first device identifier may be generated by the identity service provider IDP based on the second public key of the first internet of things device. The identity service provider IDP may also store the first device identification and the second public key association to the blockchain.
In one example, the credential issuer may include a real-person credential issuer, which may refer to an organization with real-person credential issuance qualification, and a device credential issuer, which may refer to an organization with device credential issuance qualification. Here, the credential issuer corresponds to an electronic device used by the credential issuer. Based on this, the process of the first terminal applying for the real person credential may include the following (one) and (two), in particular:
(one), the first terminal requests the first real person credential from the real person credential issuer. As an example, the user may request the first real person credential from the real person credential issuer by brushing a face, inputting a password, or the like, so that the real person credential issuer may send the real person credential after verification of the face or the password, or the like.
And (II) the first terminal obtains the first real person certificate sent by the real person certificate issuer. The first real person credential may include first identity information of the first user, for example, the first identity information may include a user name, an identity, a face image, and so on. The first real person credential may be sent by the real person credential issuer if the identity information of the first user is verified.
With continued reference to fig. 4, fig. 4 illustrates a flowchart of a method of managing ownership of an internet of things device according to one embodiment. It is understood that the method may be performed by a first terminal used by an owner of a first internet of things device, where the first internet of things device may be various internet of things devices including, but not limited to, home appliances, vehicles, etc., and the first terminal may include, but not limited to, a smart phone, a tablet computer, a smart watch, a notebook computer, etc. As shown in fig. 4, the method for managing ownership of an internet of things device may include the following steps 401 to 404, specifically:
step 401, encrypt the first identity information of the first user to obtain a first identity ciphertext.
In this embodiment, the first terminal may store the first identity information of the first user in advance. The first identity information may be obtained in a number of ways. For example, it may be input by the first user himself. As another example, it may also be issued by an entity's credential issuer. The first terminal may encrypt the first identity information of the first user using a first encryption algorithm, thereby obtaining a first identity ciphertext. Here, the first identity information of the first user may include, but is not limited to, a user name, an identity, a face image, and the like of the first user. The first encryption algorithm may include various encryption algorithms, for example, a hash algorithm. For example, the first terminal may combine the information such as the user name and the identity identifier according to a preset rule, and then perform hash calculation on the combined result to obtain the first identity ciphertext.
Step 402, based on the first identity ciphertext, device information of the first internet of things device requests the device credential issuer for the device credential.
In this embodiment, the first terminal may obtain the device information of the first internet of things device through various manners (for example, user input, or reading with the first internet of things device through the internet of things), where the device information may include, but is not limited to, an identifier, a picture, a production number, a production date, a manufacturer, and the like of the first internet of things device. The first terminal may then send the first identity ciphertext and device information of the first internet of things device to a device credential issuer to request the device credential. Here, the device credential issuer may refer to an organization that is eligible for device credential issuance. Different internet of things devices may correspond to different device credential issuers, which may include a vehicle authority, taking an example of an internet of things device being a vehicle.
Step 403, obtaining a first device credential sent by a device credential issuer.
In this embodiment, after the device credential issuer receives the request from the first terminal, the first identity ciphertext, the device information of the first internet of things device, and the like may be verified, for example, manually verified, or compared with the pre-stored information, and after the verification is passed, the first device credential is returned to the first terminal, where the first device credential may include the first identity ciphertext.
It will be appreciated that the first device credential may include other information in addition to the first identity cryptogram. Such as a first user identification, a first device identification, device information for a first internet of things device, and so forth. In particular, in some implementations, the first terminal may obtain a first device identification from the first internet of things device, which may be generated by the identity service provider IDP based on a second public key of the first internet of things device. Based on this, in step 402, the device credential issuer is requested for the device credential, which may also be specifically implemented by requesting the device credential from the device credential issuer based on the first identity ciphertext, the first user identification, the first device identification, and the device information. The first device credential thus requested may include, in addition to the first identity cryptogram, a first user identification, a first device identification, device information, and so forth.
Step 404, importing the first device credential into the first internet of things device for storage.
In this embodiment, the first terminal may guide the first device credential into the first internet of things device for storage through various manners (e.g., a wired manner, a wireless manner, a cloud platform transfer manner, etc.), so that the first internet of things device may store the first identity ciphertext, and binding between the first user and the first internet of things device is achieved.
In some implementations, to secure data, the first internet of things device may employ a secure element or trusted execution environment (Trusted Execut ion Environment, TEE) to store the first device credentials. The Secure element may include a SE chip (Secure ELEMENT CHIP) that, independent of the host processor, may provide a Secure environment to perform sensitive operations such as encryption and key management. The TEE may provide an isolated secure area in the host processor for executing sensitive code and processing sensitive data. By adopting the SE chip or the TEE to store the first device certificate, it can be ensured that even if the first Internet of things device is destroyed, sensitive information such as the first device certificate and the like can not be revealed.
In some implementations, the step 404 may be specifically performed by transmitting the first device credential to the first internet of things device via a close range communication protocol.
In this implementation, the first terminal may transmit the first device credential to the first internet of things device through a close range communication protocol. By way of example, the near field communication protocol may include, but is not limited to, bluetooth (Bluetooth), NFC (NEAR FIELD Communicat ion ), RFID (Radio-Frequency IDENT IFICAT ion), and the like.
In some implementations, the method for managing ownership of an internet of things device may further include the following steps a) and b), specifically:
and a step a), the first terminal sends a device certificate revocation request to a device certificate issuer so that the device certificate issuer can revoke the first device certificate.
In this implementation, the device credential revocation request may be used to request a device credential issuer to revoke the first device credential. The device credential issuer may conduct a real-person verification of the first user before revoking the first device credential. Here, the real person verification is a process of verifying the true identity of a user through technical means, ensuring that a user operating or servicing online is a true, legal person, not a false identity or an impostor identity. The real person verification used in this example includes, but is not limited to, face alignment, verification of other biological features (e.g., fingerprints, voiceprints, etc.), and the like. After the verification of the entity passes, the device credential issuer may revoke the first device credential.
And b), the first terminal deletes the first equipment certificate stored in the first Internet of things equipment. Therefore, the ownership of the first Internet of things equipment by the first user can be relieved.
By the method shown in fig. 4, the first device credential including the first identity ciphertext may be stored in the first internet of things device. In order to realize verification of the ownership of the first internet of things device, the embodiment of the specification also provides a verification method of the ownership of the first internet of things device, so that the ownership of the first internet of things device can be safely and efficiently verified.
With continued reference to fig. 5, fig. 5 illustrates a flow chart of a method of verifying ownership of an internet of things device according to one embodiment. Here, the first device credential may be pre-stored in the first internet of things device, where the first device credential may include a first identity ciphertext corresponding to the first user as the owner, and the first device credential may be imported by the first terminal into the first internet of things device through a method shown in fig. 4. It can be appreciated that the method for verifying ownership of the internet of things device may be performed by a second terminal corresponding to the second user, where the second terminal may include, but is not limited to, a smart phone, a tablet computer, a smart watch, a notebook computer, and the like. As shown in fig. 5, the method for verifying ownership of an internet of things device may include the following steps 501 and 502, specifically:
Step 501, obtaining a first identity cryptogram via indication information provided by a verifier device.
In this embodiment, the verifier may refer to a user who needs to authenticate ownership of the first internet of things device, and take the first internet of things device as an example of a vehicle, the verifier may be a buyer who wants to buy the vehicle, or may be a traffic manager who handles violations, and so on. A verifier device may refer to a device used by a verifier, including but not limited to a smart phone, tablet, smart watch, notebook, etc. The verifier may read the first device credential from the first internet of things device through the verifier device, e.g., may read the first device credential from the first internet of things device through a near field communication protocol. As an example, the first device credential may include a first identity cryptogram, and may also include a first user identification, a first device identification, device information, and so on. The first user identifier, the first device identifier, the device information and the like can be displayed on the verifier device for the verifier to view. The verifier device may also generate indication information that may be used to instruct the second terminal to obtain the first identity cryptogram. The verifier device can display the generated indication information to the second user so as to be acquired by the second user through the second terminal. Or the verifier device may send the indication information to the second terminal. In this way, the second terminal may obtain the first identity ciphertext via the indication information provided by the verifier device.
In some implementations, the indication information provided by the verifier device may be a code of a website, and based on this, the step 501 may specifically include obtaining the first identity ciphertext and the identity verification service by accessing the website.
In this implementation manner, the second terminal may access a website, and the web page corresponding to the website may provide the first ciphertext and the identity verification service.
In some implementations, the indication information provided by the verifier device may be in the form of a two-dimensional code, a bar code, or the like. The identity verification service may be an applet. Taking the indication information as a two-dimensional code form as an example, the checking party can show the two-dimensional code through checking party equipment, and a second user can scan the two-dimensional code by using a second terminal and analyze the two-dimensional code to obtain a website. And then, the second terminal can access the website to obtain the first identity ciphertext and call the applet to execute verification operation.
It may be appreciated that, before checking the ownership of the internet of things device, to further ensure security, the ownership of the second terminal may also be verified, i.e. whether the second user has ownership of the second terminal. The process of verifying ownership of the second terminal may include the following steps one) and two), in particular:
step one), receiving verification information sent by a second user.
In this example, the second terminal may receive authentication information sent by the second user, where the authentication information may be used to authenticate the second user as the owner of the second terminal. Here, the authentication information may be in various forms, and for example, may be a local PIN (Personal IDENT IFICAT ion Number), a password, or the like.
And step two), determining that the second user is the owner of the second terminal according to the verification information.
In this case, the second terminal may determine whether the second user is the owner of the second terminal according to the authentication information, and if it is determined that the second user is the owner of the second terminal, continue to perform the next verification operation, and if it is determined that the second user is not the owner of the second terminal, no further subsequent verification operation is performed.
As an example, the second terminal may have stored therein encrypted biometric information in advance, which may be generated based on biometric information (e.g., face, fingerprint, voiceprint, iris, etc.) of an owner of the second terminal. Based on this, the authentication information transmitted by the second user may include biometric information, and the second step may specifically include performing Zero-proof of knowledge (Zero-Knowledge Proo, ZKP) calculation on the biometric information and the encrypted biometric information, and determining that the second user is the owner of the second terminal according to the calculation result.
Here, zero-knowledge proof is an encryption protocol that allows one party (prover) to prove to another party (verifier) that a statement is authentic without revealing any information other than the correctness of the statement. Taking the biological characteristic information as face information as an example, ZKP face can refer to the face information of a person verified by using a zero knowledge proof technology, and the validity of identity is verified under the condition that the face information is not revealed. Specifically, during the recording, privacy calculation is performed on the collected face information at the terminal side, and under the condition that the data does not go out of the terminal, an encrypted information is obtained and stored safely at the terminal. During verification, whether the user is the same user is determined by performing ZKP calculation on the collected face information and the encryption information stored on the terminal. Because the ZKP face only needs to process and verify the face information at the second terminal, and the second terminal locally stores the calculated privacy data, any specific face information cannot be obtained from the privacy data, so that the leakage of the face information can be prevented.
Step 502, performing a verification operation, where the verification operation includes the following steps 5021 to 5023, specifically:
step 5021, determining whether the local contains the second real person credential corresponding to the second user.
In this embodiment, the second real person credential may be a real person credential issued by a real person credential issuer for the second user, which may include second identity information of the second user. For example, the second identity information may include a user name, identity, face image, etc. of the second user.
Step 5022, if the second identity information is included, extracting the second identity information from the second real person certificate and encrypting the second identity information to obtain a second identity ciphertext.
In this embodiment, if the local of the second terminal includes the second real person credential corresponding to the second user, the second terminal may extract the second identity information from the second real person credential and encrypt the second identity information to obtain the second identity ciphertext. The encryption algorithm used by the second terminal may be the same as the encryption algorithm corresponding to the first identity cryptogram.
As an example, the first identity ciphertext may be generated by a first encryption algorithm, based on which the second terminal may encrypt the second identity information using the first encryption algorithm.
In some implementations, the verification operation may further include the following steps 1) and 2), specifically:
Step 1), if the local does not contain the second real person credential corresponding to the second user, requesting the second real person credential from a real person credential issuer.
Step 2), a second real person credential sent by a real person credential issuer is obtained, the second real person credential can comprise second identity information of a second user, and the second real person credential can be sent by the real person credential issuer under the condition that the identity information of the second user is verified.
For example, if the second terminal does not locally contain the second real person credential corresponding to the second user, the second terminal may prompt the second user to request the second real person credential from the real person credential issuer. The second user can request the second real person certificate from the real person certificate issuer through the modes of face brushing, password inputting and the like, so that the real person certificate issuer can send the real person certificate after the authentication of the face or the password and the like is passed.
Step 5023, matching the second identity ciphertext with the first identity ciphertext, and determining whether the second user is an owner of the first internet of things device according to a matching result.
In this embodiment, the second terminal may match, for example, compare, the second identity ciphertext with the first identity ciphertext, and determine, according to a matching result, whether the second user is an owner of the first internet of things device. The method comprises the steps of determining whether a first user is an owner of a first Internet of things device according to a first identity ciphertext, and if the first user is the owner of the first Internet of things device, determining that the first user is not the owner of the first Internet of things device according to a second identity ciphertext. After obtaining the conclusion whether the second user is the owner of the first internet of things device, the second terminal may display the conclusion for the verifier to view on site, or the second terminal may also send the conclusion to the verifier device for the verifier to view through its device.
According to an embodiment of another aspect, a management device for ownership of an internet of things device is provided. The management device of the ownership of the internet of things device can be deployed at a first terminal, the first terminal is a terminal used by an owner of the first internet of things device, the first internet of things device can be various internet of things devices including but not limited to home appliances, vehicles and the like, and the first terminal can include but not limited to a smart phone, a tablet computer, a smart watch, a notebook computer and the like.
Fig. 6 shows a schematic block diagram of an apparatus for managing ownership of an internet of things device according to an embodiment. As shown in fig. 6, the management apparatus 600 of the ownership of the internet of things device includes an encryption unit 601 configured to encrypt first identity information of a first user to obtain a first identity ciphertext, a request unit 602 configured to request a device credential from a device credential issuer based on the device information of the first internet of things device, an obtaining unit 603 configured to obtain the first device credential sent by the device credential issuer, including the first identity ciphertext, and an import unit 604 configured to import the first device credential into the first internet of things device for storage.
In some optional implementations of this embodiment, the apparatus 600 further includes a real-person credential requesting unit (not shown in the figure) configured to request the first real-person credential from the real-person credential issuer, and a real-person credential obtaining unit (not shown in the figure) configured to obtain the first real-person credential sent by the real-person credential issuer, where the first real-person credential includes the first identity information of the first user, where the first real-person credential issuer sends the first real-person credential when the identity information of the first user is verified.
In some optional implementations of this embodiment, the apparatus 600 further includes a user identifier obtaining unit (not shown in the figure) configured to send the generated first public key to an identity service provider and receive a first user identifier returned by the identity service provider, where the first user identifier is generated by the identity service provider based on the first public key, a device identifier obtaining unit (not shown in the figure) configured to obtain a first device identifier from the first internet of things device, where the first device identifier is generated by the identity service provider based on the second public key of the first internet of things device, and a requesting unit 602 further configured to request a device credential from the device issuer based on the first identity ciphertext, the first user identifier, the first device identifier, and device information, where the first device credential further includes the first user identifier and the first device identifier.
In some optional implementations of this embodiment, the identity service provider is configured to store the first user identification and the first public key association to a blockchain and store the first device identification and the second public key association to the blockchain.
In some optional implementations of this embodiment, the apparatus 600 further includes a revocation unit (not shown in the figure) configured to send a device credential revocation request to the device credential issuer to revoke the first device credential, and a deletion unit (not shown in the figure) configured to delete the first device credential stored in the first internet of things device.
In some optional implementations of this embodiment, the importing unit 604 is further configured to transmit the first device credential to the first internet of things device through a short-range communication protocol.
In some optional implementations of this embodiment, the first device credential is stored by the first internet of things device using a secure element or a trusted execution environment.
According to an embodiment of another aspect, a verification device for ownership of an internet of things device is provided. The first equipment certificate comprises a first identity ciphertext corresponding to a first user serving as an owner, and the device is deployed at a second terminal corresponding to a second user. The verification device of the ownership of the internet of things device may be deployed at a second terminal corresponding to a second user, where the first internet of things device may be various internet of things devices, including but not limited to home appliances, vehicles, and the like, and the second terminal may include but not limited to a smart phone, a tablet computer, a smart watch, a notebook computer, and the like.
Fig. 7 shows a schematic block diagram of a checking apparatus of ownership of an internet of things device according to an embodiment. As shown in fig. 7, the verification apparatus 700 for ownership of the internet of things device includes a ciphertext obtaining unit 701 configured to obtain the first identity ciphertext via indication information provided by a verifier device, a verification unit 702 configured to perform a verification operation, where the verification unit 702 includes a determining subunit 7021 configured to determine whether a second entity credential corresponding to the second user is locally included, an encrypting subunit 7022 configured to extract and encrypt second identity information from the second entity credential if included to obtain a second identity ciphertext, and a matching subunit 7023 configured to match the second identity ciphertext with the first identity ciphertext, and determine whether the second user is an owner of the first internet of things device according to a matching result.
In some optional implementations of this embodiment, the indication information is a code of a website, where the ciphertext obtaining unit 701 is further configured to obtain the first identity ciphertext and the identity verification service by accessing the website, and the verification operation is performed by running the identity verification service.
In some optional implementations of this embodiment, the indication information is in a two-dimensional code form, and the identity verification service is an applet.
In some alternative implementations of the present embodiment, the first identity ciphertext is generated by a first encryption algorithm, and the encryption subunit 7022 is further configured to encrypt the second identity information using the first encryption algorithm.
In some optional implementations of this embodiment, the verification unit 702 further includes a second real person credential request unit (not shown in the figure) configured to request the second real person credential from the real person credential issuer if the second real person credential corresponding to the second user is not included locally, and a second real person credential acquisition unit (not shown in the figure) configured to acquire the second real person credential sent by the real person credential issuer, including the second identity information of the second user, where the second real person credential issuer sends the identity information verification of the second user.
In some optional implementations of this embodiment, the apparatus 700 further includes an authentication message receiving unit (not shown in the figure) configured to receive authentication information sent by the second user, where the authentication information is used to authenticate that the second user is an owner of the second terminal, and a terminal owner determining unit (not shown in the figure) configured to determine that the second user is an owner of the second terminal according to the authentication information.
In some optional implementations of this embodiment, the authentication information includes biometric information, the second terminal has stored therein encrypted biometric information, the encrypted biometric information is generated based on biometric information of an owner of the second terminal, and a terminal owner determination unit (not shown in the drawings) is further configured to perform zero knowledge proof calculation on the biometric information and the encrypted biometric information, and determine that the second user is the owner of the second terminal according to a calculation result.
According to an embodiment of another aspect, there is also provided a computer-readable storage medium having stored thereon a computer program which, when executed in a computer, causes the computer to perform the method described in fig. 4 or fig. 5.
According to an embodiment of a further aspect, there is also provided a computing device including a memory and a processor, wherein the memory stores executable code, and the processor, when executing the executable code, implements the method described in fig. 4 or fig. 5.
Those of ordinary skill would further appreciate that the elements and algorithm steps of the examples described in connection with the embodiments disclosed herein may be embodied in electronic hardware, in computer software, or in a combination of the two, and that the elements and steps of the examples have been generally described in terms of function in the foregoing description to clearly illustrate the interchangeability of hardware and software. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the solution. Those of ordinary skill in the art may implement the described functionality using different approaches for each particular application, but such implementation is not considered to be beyond the scope of the present application.
The steps of a method or algorithm described in connection with the embodiments disclosed herein may be embodied in hardware, in a software module executed by a processor, or in a combination of the two. The software modules may be disposed in Random Access Memory (RAM), memory, read Only Memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art.
The foregoing description of the embodiments has been provided for the purpose of illustrating the general principles of the invention, and is not meant to limit the scope of the invention, but to limit the invention to the particular embodiments, and any modifications, equivalents, improvements, etc. that fall within the spirit and principles of the invention are intended to be included within the scope of the invention.