Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
DETAILED ACTION
Status of Claims
Claims 2-21 are subject to examination.
Claim 1 is cancelled.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claim(s) 2, 8, 14, 3, 9, 15, 4, 10, 16, 20, 21 is/are rejected under 35 U.S.C. 103 as being unpatentable over Hanes et al., GB 2533348 A in view of Zhang et al., CN 104639668 A and Kong et al., CN103929435 A, and CN103269371A.
Referring to claim(s) 2, 8, 14, Hanes discloses a device for authenticating a message produced by an internet of things (IoT) device, the device comprising: a memory containing instructions; and one or more processors, operably connected to the memory, that executes the instructions to perform operations comprising:
a method for authenticating a message produced by an internet of things (IoT) device, the method comprising: obtaining, by a device, the message, the message has been cryptographically signed by a private key associated with the IoT device, and the message comprises data
In another embodiment, mutual authentication of the IoT device and the service provider can be obtained using asymmetric cryptography, for example the IoT device private key Ki,pr together with the corresponding IoT device public key Ki,pu, and the service provider private key Ks,pr together with the corresponding service provider public key Ks,pu. In the mutual authentication, the IoT device encrypts a hash of a message using the IoT device private key Ki,pr and transmits the partially encrypted message to the service provider. In a corresponding way the service provider encrypts a hash of a message using the service provider private key Ks,pr and transmits the partially encrypted message to the IoT device. The IoT device obtains its own hash of the message and compares this with the hash obtained by decrypting the encrypted hash with the service provider public key Ks,pu. If the two hashes match then the service provider is authenticated. Similarly, the service provider obtains a hash from the IoT device message and compares it with the hash obtained by decrypting the encrypted hash received with the message using the IoT device public key Ki,pu. Again if the two hashes match then the IoT device is authenticated, 6th para, page 8,
and an identifier of the IoT device;
Figure 9 schematically illustrates a method of establishing a trusted relationship between an IoT device and a resource / service provider, following selection of the service provider by the user via the authentication device. In order to establish a trusted relationship between the IoT device and the service provider, the IoT device sends the service provider a registration request specifying an identifier of the IoT device, in one example the serial number of the IoT device at step S102, 7th para, page 7,
sending, by the device and in response to obtaining the message, a query for information associated with the IoT device to a server, wherein the query is initiated based on the identifier of the IoT device, obtaining, based at least in part on sending the DNS query for the record associated with the IoT device to the server, based the information to authenticate the message, the message is authenticated using a public key corresponding to the private key associated with the IoT device (
The public key Ki,pu of the IoT device key pair, corresponding to the private key Ki,pr of the IoT device key pair is sent to the authentication device, together with the authentication device request and the request for the users consent at step S702. The request for consent is sent to the user, via the authentication device. The public key for the IoT device is stored at the authentication device, last para, page 7,
An authentication response is communicated from the authentication device to the IoT device, which includes the public key of the authentication device and the users consent. The digital signature computed over the authentication response message demonstrates that the authentication device was involved in the communication exchange and the users consent unlocks the private key required for computing this digital signature (see step S802), second para, page 7.
Finally, the service provider stores the information about the IoT device, the IoT device public key Ki,pu, the authentication device public key and the users consent at step S112, third para, page 7
The IoT device private key Ki,pr and the corresponding IoT device public key Ki,pu together create a secret data communication channel between the IoT device and the service provider, fourth para, page 7.
In another embodiment, mutual authentication of the IoT device and the service provider can be obtained using asymmetric cryptography, for example the IoT device private key Ki,pr together with the corresponding IoT device public key Ki,pu, and the service provider private key Ks,pr together with the corresponding service provider public key Ks,pu. In the mutual authentication, the IoT device encrypts a hash of a message using the IoT device private key Ki,pr and transmits the partially encrypted message to the service provider. In a corresponding way the service provider encrypts a hash of a message using the service provider private key Ks,pr and transmits the partially encrypted message to the IoT device. The IoT device obtains its own hash of the message and compares this with the hash obtained by decrypting the encrypted hash with the service provider public key Ks,pu. If the two hashes match then the service provider is authenticated. Similarly, the service provider obtains a hash from the IoT device message and compares it with the hash obtained by decrypting the encrypted hash received with the message using the IoT device public key Ki,pu. Again if the two hashes match then the IoT device is authenticated, 6th para, page 8.
Hanes does not specifically mention the following limitation, which is well known in the art and which Zhang discloses:
sending, by the device to a server, a domain name system (DNS) query for a record associated with the device, wherein the DNS query is based on the identifier, and wherein the identifier is associated with the record; and
[0055] if the user selects the forward query, can be obtained corresponding to the identifier in the selected time period needs to be analyzed by the network address is address of the domain name parsing record and queries each domain name recorded in network address corresponding to the selected identifier is parsed to which network address, and then each one network address resolution to one identifier is displayed in the first display interface. If the user selects the reverse query, then can obtain the identifier corresponding to the network address is a domain name resolution record of the analysis result to the selected in the selected time period, and queries in the respective domain name parsing record corresponding to the identifier of the network address is the network address which parsed, then query every one network address obtained by an identifier showing in the first display interface.
[0003] accessing a server on the Internet, must be realized by IP address, and name resolution that is the domain name into the IP address of the process. generally a name corresponding to an IP address, and an IP address can correspond to a plurality of domain name; the multiple domain names can be resolved to an IP address. domain name resolution needs is finished by the special domain name analyzing server (DNS). For example, a domain name is: ***. com, if the domain name to be accessed, firstly analyzing the website corresponding to one fixed IP of a web server by presetting the DNS server, such as 211.214.1. ***, then, the web server receives the domain name, and the FORMULA. com domain name is mapped to the server, so as to finish the whole process of domain name resolution.
[0002] name resolution specifically is obtaining the corresponding website space IP by analyzing domain name, so that people can conveniently visit to a website by a registered domain name. name resolution also called pointing, the server sets domain name, domain name configuration and reverse IP register and so on. Generally speaking it is good the domain name resolution into an IP address, domain name analysis service DNS server, the DNS server analyzing the domain name to an IP address, then the IP address of the host on the one sub directory and name binding. abbreviation of DNS domain name system (Domain Name System), which is a core service internet, as can be a distributed database of domain name and IP address mapping, it can make people more convenient access to Internet, and does not need to remember can be read directly by a machine IP number string.
Therefore, it would have been obvious to one of ordinary skill in the art at the time of the effective filing date of the claimed invention to modify the invention disclosed by Hanes to implement these limitations, and one of ordinary skill in the art would have been motivated to do so because it could provide the use of a well-known DNS query. The domain name would be accessed by first resolving the application corresponding to one fixed IP of a device by a preset DNS server. Based on the record for the identifier the service would be provided, paras 3, 2.
Hanes and Zhang do not specifically mention the following limitation, which is well known in the art and which Kong discloses, obtaining the record to authenticate the message (
Claim 1. A DNSSEC and DANE protocol based on a trusted verification method, comprising the following steps: 1) for each object to be verified to generate a group key pair, the public key of the authentication object is submitted to an authoritative server. the private key stored on the encryption card; wherein the set of private key not in the encryption card is copied, 2) authoritative server allocating a sub domain name in the DNS domain is the verification target, and increasing a storage DANE resource record of the public key as the verification target. authoritative server using its own public key to the DANE resource record is signed, 3) user by trusted authentication client terminal obtains identification of the verification object; and converting the backward authoritative server is the domain name of the DNS domain query request; 4) authoritative server according to the inquiry request looking up the corresponding DANE resource record, returns it to the trusted authentication of the client, 5) the user using the trusted verification client terminal obtains identification of the verification object; and sending it to the verification object of the encryption card, the encryption card to encrypt for the identification using the private key of the verification object, generating the ciphertext back to the trusted verification client, 6) the trusted verification client uses the returned DANE resource record in the public key of the ciphertext is decrypted, to verify the verification object, wherein each verification object has a unique identification and corresponding verification sub domain name and the identification of the object.
Claim 2. The method according to claim 1, wherein the type of said DANE resource record is TLSA.
[0054] for anti-counterfeiting of commodity such as shown in FIG. 5, is divided into two stages: registration and query. the registration stage, the merchandise production manufacturer is each goods distributing a private key and the public key and a product identification is submitted to the national Internet of things identification managing public service platform, a platform for the commodity distributing one corresponding domain name (here assumed to be 987604.redwine.niot.cn) and creating a TLSA resource record for the domain name, the resource record comprises the public key information of the goods. query is as follows: commodity anti-fake APP to scan the goods, obtaining commodity identification 987604, then the converted to domain name 987604.redwine.niot.cn and identification management public services to national Internet of things platform searching the TLSA resource record of the domain name. Merchandise anti-fake APP to obtain the TLSA resource record to obtain the public key of the commodity, and commodity anti-fake APP to one random is encrypted using the public key, and the ciphertext after encrypting to the encryption machine. encryption machine using the stored information regarding product 987604 the private key to decrypt the ciphertext and then returning it to the random number decrypted commodity anti-fake APP.
Therefore, it would have been obvious to one of ordinary skill in the art at the time of the effective filing date of the claimed invention to modify the invention disclosed by Hanes to implement these limitations, and one of ordinary skill in the art would have been motivated to do so because it could provide the use of a well-known record for authentication. Based on the record for the identifier the public key would be provided. The TLSA record of the domain name would enable stored information for securing an entity, para 54, claim 1.
Hanes, Zhang and Kong do not specifically mention the following limitation, which is well known in the art and which CN103269371A discloses, published by the IoT device (
Summary of the invention
To realize data security, high efficiency synchronous based on multicast, guarantee fail safe and the access control of DS inquiry, and guarantee the subscriber identity information safety of transmission.
Claim: 1. Internet of Things DS querying method based on Anycast, its step comprises:
1) DS service inquiry server is formed a services set by Anycast mechanism, by hiding main DS server maintenance DS service inquiry data in server integrality and accuracy, and the Anycast group address is registered to dns server;
2) the IS server sends to the state information of article the Anycast address of DS service inquiry server, the DS service inquiry server that receives information is forwarded to this renewal hides main DS server, hides between all nodes that main DS server is recorded in this renewal the Anycast group and carries out synchronously;
3) user that need obtain the DS information of article inquires about by dns server, obtains the Anycast address of DS service inquiry server;
4) user obtains the authorization information of query requests from authentication server, and sends query requests to this Anycast group;
5) the nearest Anycast node of distance users is received the query requests packet, and the DS service inquiry server of this Anycast node is forwarded to authentication server with this request data package; This user's access rights are verified and determined to this authentication server to this request data package, will verify that at last result and access privilege return to corresponding DS service inquiry server;
6) this corresponding this user's of DS service inquiry server buffer checking result and access rights, and return to the Query Result of this user's correspondence according to this authority.
2. the method for claim 1, it is characterized in that: described hiding main DS server is organized the RP of the multicast group of all nodes compositions as Anycast, anyly receive that more the DS service inquiry server of new data at first sends to RP with data, and by RP by multicast path by being distributed to the DS service inquiry server that all are monitoring same multicast group.
3. the method for claim 1 is characterized in that: the authorization information when described DS service inquiry server stores user inquires about for the first time, and in follow-up this authorization information of directly using when being inquired about by same user.
4. the method for claim 1 is characterized in that: the user comprises username/password and the public key information that is encrypted from the authorization information of the query requests that authentication server obtains; Authentication server is decrypted the username/password information of encrypting by the private key of oneself safeguarding, and verifies the correctness of this username/password.
Background technology
Internet of Things is the important component part of generation information technology. Generally, Internet of Things is exactly one "the Internet that the thing thing links to each other". It is on the basis of the Internet, introduces RFID (Radio Frequency Identification), and user side is extended to new network between any object and the object. The final goal of Internet of Things is connected any object exactly with the Internet, carry out information exchange and communicate by letter, to realize intellectuality identification, location, tracking, monitoring and the management to object. Therefore, Internet of Things also needs the addressing system of DNS in the similar the Internet, is used for realizing the functions such as identification, location, information inquiry and information interaction of Internet of Things article. Object oriented analysis service (ONS, Object Naming Service) in Here it is the Internet of Things. But ONS just is used for obtaining EPC (Electronic Product Code) owner's (being generally the manufacturer) EPCIS address of service of safeguarding, and in supply chain, the EPCIS of other enterprise also may catch the article multidate information relevant with this EPC, and can not obtain the address of these EPCIS services by ONS. This service is provided by EPCIS Discovery. In the supply chain that a plurality of participants are formed, certain participant can inquire the part/composition of a certain article by EPCIS Discovery, and where these part/compositions come from, and how these article consign to the end user.
Therefore, it would have been obvious to one of ordinary skill in the art at the time of the effective filing date of the claimed invention to modify the invention disclosed by Hanes to implement these limitations, and one of ordinary skill in the art would have been motivated to do so because it could provide the well-known communication of subscriber information associated with a device. A message would be produced by an internet of things (IoT) device. The information of the message would enable providing of information to other devices using the well-known methods, background.
Regarding claim 20, CN103269371A discloses the server is a DNS server, and the record is a DNS record comprising the public key associated with the IoT device (claim 1).
Regarding claim 21, CN103269371A discloses wherein the server is a first server and the message is published by a second server that is distinct from the first server (claim 1, abstract).
Abstract
The invention relates to an EPC network DS checking method and system based on an Anycast. A service set is formed by DS service checking servers through an Anycast mechanism, the service set is responsible for directly receiving DS update data and responses to a user, a concealed main DS server is responsible for maintaining integrity and accuracy of data of the DS servers and registers a maintained Anycast set address to a DNS server, a verification server is responsible for maintaining received verification information and corresponding access control strategies, and an IS server sends state information of an object to an Anycast address of a DS service checking server. The EPC network DS checking method and system based on the Anycast can achieve safety and efficient data synchronization based on multicast, ensure safety and access control of DS checking, and ensure safety of user identity information transmission.
Regarding claim 3, 9, 15, Kong discloses, wherein the record is TLSA record type, Claim 2, para 54.
Regarding claim 4, 10, 16, Kong discloses, wherein the record is TLSA record type wherein the record is signed using DNSSEC, claim 1.
Claim(s) 5, 11, 17 is/are rejected under 35 U.S.C. 103 as being unpatentable over Hanes, CN103269371A, Zhang, Kong and Tsai 20150347432.
Referring to claims 5, 11, 17, Hanes, CN103269371A, Zhang, Wang and Kong do not contain the following limitation, which Tsai discloses: wherein the first message includes a first feed identifier associated with the first feed, and the second device obtains the first message from the first feed based on the first feed identifier, para 48. Therefore, it would have been obvious to one of ordinary skill in the art at the time of the effective filing date of the claimed invention to modify the invention disclosed by Hanes to implement these limitations, and one of ordinary skill in the art would have been motivated to do so because it could provide the well-known usage of the feed to communicate subscribed information from the service provider, para 48.
Claim(s) 6, 12, 18 is/are rejected under 35 U.S.C. 103 as being unpatentable over Hanes, CN103269371A, Zhang, Kong, Cheshire CN 1951081 B and Wang et al., CN 101883042 B.
Referring to claims 6, 12, 18, Hanes discloses the device being a well-known IoT device. Hanes, CN103269371A, Zhang, Wang, and Kong do not contain the following limitation, which Cheshire discloses: wherein the identifier comprises a domain name associated with the IoT device (claim 12). Therefore, it would have been obvious to one of ordinary skill in the art at the time of the effective filing date of the claimed invention to modify the invention disclosed by Hanes to implement these limitations, and one of ordinary skill in the art would have been motivated to do so because it could provide the well-known usage of a domain name associated with the device. The domain name field of the message would contain the domain name. The association of the domain name with the device would enable a response to the message, and a user to be provided the domain name by the device for access, claim 12. Hanes, Shuman, Zhang, Wang, Cheshire and Kong do not contain the following limitation, which Wang2 discloses: wherein the public key associated with the device is bound to the identifier by the record (claim 5, para 72). Therefore, it would have been obvious to one of ordinary skill in the art at the time of the effective filing date of the claimed invention to modify the invention disclosed by Hanes to implement these limitations, and one of ordinary skill in the art would have been motivated to do so because it could provide the use of a well-known public key of a device meant for the identifier. The record would enable it, which would enhance the security, claim 5, para 72.
Claim(s) 6, 12, 18 is/are rejected under 35 U.S.C. 103 as being unpatentable over Hanes, CN103269371A, Zhang, Kong and Kim WO 2008066249 A1 and Wang et al., CN 101883042 B.
Referring to claims 6, 12, 18, Hanes discloses the device being a well-known IoT device. Hanes, CN103269371A, Zhang, Wang and Kong do not contain the following limitation, which Kim discloses: wherein the identifier comprises a domain name associated with the IoT device (para 14). Therefore, it would have been obvious to one of ordinary skill in the art at the time of the effective filing date of the claimed invention to modify the invention disclosed by Hanes to implement these limitations, and one of ordinary skill in the art would have been motivated to do so because it could provide the well-known usage of a domain name associated with the device. The domain name field of the message would contain the domain name. The association of the domain name with the device would enable a response to the message, and a user to be provided the domain name by the device for access, para 14.
Hanes, Shuman, Zhang, Wang, Kim and Kong do not contain the following limitation, which Wang2 discloses: wherein the public key associated with the device is bound to the identifier by the record (claim 5, para 72). Therefore, it would have been obvious to one of ordinary skill in the art at the time of the effective filing date of the claimed invention to modify the invention disclosed by Hanes to implement these limitations, and one of ordinary skill in the art would have been motivated to do so because it could provide the use of a well-known public key of a device meant for the identifier. The record would enable it, which would enhance the security, claim 5, para 72.
Claim(s) 7, 13, 19 is/are rejected under 35 U.S.C. 103 as being unpatentable over Hanes, CN103269371A, Zhang, Kong and Wang.
Regarding claims 7, 13, 19, Hanes, CN103269371A, Zhang, Wang and Kong do not contain the following limitation, wherein the server is a domain name resolver, which had been well known in the art and which Wang discloses,
[0004] DNSSEC is a DNS security extensions, which provides a source identification and data integrity of expansion. DNSSEC on the original DNS by key technology, the information in the DNS for digital signature, so as to provide secure authentication and information integrity check of DNS. all the returned digital signature response to the name resolver (a DNS client program) in the DNSSEC. domain name resolver by the digital signature to verify the record domain name server of the record is completely consistent with the authority. digital signature uses key encryption system, which generates a key pair into a public key and a private key two part. wherein the private key secure storage for DNS information in the zone file of the digital digest encrypting public key needs to issue claims on the DNS server, the domain name resolver receives a response record sent by the domain name server, and then uses the public key to decrypt the digital signature in the response record, comparing value of the obtained value with the received DNS information obtained by calculation, if they are the same, indicating that the record is valid. In order to realize the function, DNSSEC defines three resource record set (Resource Record) for storing DNS information digital signature resource record signature record (RRSIG) for storing the decrypted public key DNS resource records key set (DNSKEY) key for DNS resource record set verification, storing the key label, an encryption algorithm and a DNS key resource record set abstract information of the authorized signer (Delegation Signer abbreviated as DS).
[0002] domain name system (Domain Name System (DNS) is a hierarchical distributed database comprising a series recording, record comprises the name, IP address, host information content. DNS is a set of protocols and services which allows user when searching the network resource using the hierarchical name of the user to replace the IP address. when the inquiry request of DNS client end sends the IP address to the DNS server, the DNS server can be searched from the database in the required IP address to the DNS client. This process of finding the client IP address by a DNS server in its database is called "host name resolution". [0003] the DNS in order to improve query efficiency, using the caching mechanism, the latest record of the query is stored in the cache, and setting life cycle (Time To Live (TTL). before the record does not exceed the TTL, if inquiry record of client end further in the DNS cache, the DNS server (including all the level name server) the record in the cache directly back to the client, and does not need to inquire, improves the search speed. DNS cache poisoning is cache mechanism uses the DNS query record in the cache of DNS server stores error data recording drive for the user query. Because the cache amount error of the recording is an attacker forging, the forged may be set according to different intended corresponding record between specific domain name and IP address.
Therefore, it would have been obvious to one of ordinary skill in the art at the time of the effective filing date of the claimed invention to modify the invention disclosed by Hanes to implement these limitations, and one of ordinary skill in the art would have been motivated to do so because it could provide the use of a well-known domain name resolver. The name resolver (a DNS client program) in DNSSEC would enable verifying that the record from the domain name server is consistent with the authority. The domain name resolver receives a response record sent by the domain name server, and then uses the public key to decrypt the signature in the response record, comparing the obtained value with the value calculated from the received DNS information; if they are the same, this indicates that the record is valid, para 4.
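The three mechanisms relied on above, the Hanes scheme of signing a hash of the message with the device private key and checking it with the device public key, the Kong scheme of converting a device identifier into a sub-domain name and fetching the device public key from a TLSA record at that name, and the DNSSEC check of the Wang reference in which the resolver verifies the authority's signature over the returned record before trusting it, combine into one verification flow. The Go program below is an added illustration and is not code from this Office action or from any of the cited references. It models the authoritative server, the IoT device and the verifying device in one process with Ed25519 keys; the zone suffix redwine.niot.example, the sample message and the record structure are constructed for the example (the identifier 987604 is taken from the Kong example), and the record type stands in for the real TLSA and RRSIG wire formats rather than reproducing them.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// tlsaRecord stands in for the TLSA resource record of the Kong reference:
// the device public key published under the device's sub-domain name.
// ZoneSig is the authority's signature over the record body, playing the
// role of the DNSSEC RRSIG described in the Wang reference. Simplified
// model: the real TLSA and RRSIG wire formats are not reproduced.
type tlsaRecord struct {
	Name    string
	PubKey  ed25519.PublicKey
	ZoneSig []byte
}

// recordBody is the byte string the zone signs: the name, a separator, the key.
func recordBody(name string, pub ed25519.PublicKey) []byte {
	return append([]byte(name+"\x00"), pub...)
}

// zone models the authoritative server: its zone signing key and the records
// it has published.
type zone struct {
	name string
	priv ed25519.PrivateKey
	pub  ed25519.PublicKey
	rrs  map[string]tlsaRecord
}

func newZone(name string) (*zone, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &zone{name: name, priv: priv, pub: pub, rrs: map[string]tlsaRecord{}}, nil
}

// newDeviceKey generates the IoT device key pair (Kong claim 1, step 1).
func newDeviceKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// deviceDomain maps a device identifier to its sub-domain name, the
// identifier-to-domain conversion of the Kong example (987604 ->
// 987604.redwine.niot.cn); the zone suffix used here is a constructed one.
func (z *zone) deviceDomain(id string) string { return id + "." + z.name }

// register publishes the device public key under the device sub-domain and
// signs the record with the zone key (Kong claim 1, step 2).
func (z *zone) register(id string, devPub ed25519.PublicKey) tlsaRecord {
	name := z.deviceDomain(id)
	rec := tlsaRecord{Name: name, PubKey: devPub}
	rec.ZoneSig = ed25519.Sign(z.priv, recordBody(name, devPub))
	z.rrs[name] = rec
	return rec
}

// lookup answers a query for the record at name (Kong claim 1, step 4).
func (z *zone) lookup(name string) (tlsaRecord, bool) {
	rec, ok := z.rrs[name]
	return rec, ok
}

// verifyRecord is the resolver-side DNSSEC check: the record is accepted only
// if the zone signature over its body verifies under the trusted zone key.
func verifyRecord(rec tlsaRecord, zonePub ed25519.PublicKey) bool {
	return ed25519.Verify(zonePub, recordBody(rec.Name, rec.PubKey), rec.ZoneSig)
}

// signMessage is the device side of the Hanes scheme: hash the message and
// sign the hash with the device private key.
func signMessage(devPriv ed25519.PrivateKey, msg []byte) []byte {
	digest := sha256.Sum256(msg)
	return ed25519.Sign(devPriv, digest[:])
}

// authenticateMessage is the flow on the receiving device: derive the query
// name from the identifier carried in the message, fetch the record, check
// the zone signature, then verify the message signature with the record's key.
func authenticateMessage(z *zone, zonePub ed25519.PublicKey, id string, msg, sig []byte) error {
	rec, ok := z.lookup(z.deviceDomain(id))
	if !ok {
		return errors.New("no record for device " + id)
	}
	if !verifyRecord(rec, zonePub) {
		return errors.New("record signature invalid: published key not trusted")
	}
	digest := sha256.Sum256(msg)
	if !ed25519.Verify(rec.PubKey, digest[:], sig) {
		return errors.New("message signature does not verify under the device key")
	}
	return nil
}

func main() {
	z, err := newZone("redwine.niot.example") // constructed zone name
	if err != nil {
		panic(err)
	}
	devPub, devPriv, err := newDeviceKey()
	if err != nil {
		panic(err)
	}
	z.register("987604", devPub)
	msg := []byte(`{"id":"987604","temp":21.5}`) // constructed device message
	sig := signMessage(devPriv, msg)
	fmt.Println("genuine message:", authenticateMessage(z, z.pub, "987604", msg, sig))
	fmt.Println("tampered message:", authenticateMessage(z, z.pub, "987604", []byte(string(msg)+"!"), sig))
}
```

The order of the checks matters: the record's zone signature is verified before the key inside it is used, so a record whose public key has been swapped without the authority's signature is rejected, which is the cache-poisoning case the Wang reference raises. The device signs a SHA-256 digest of the message, matching the "encrypt a hash of a message" step in Hanes, while the verifier recomputes the digest from the received data and compares through signature verification.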
Response to Arguments
Remarks/Arguments filed 8/7/24, pages 2-11 have been fully considered but they are not persuasive. Therefore, rejection of claims 2-21 is maintained.
Regarding Applicant’s concern for limitations,
the combination of Hannes, Shuman, Zhang, and Kong fails to teach or suggest "sending, ... in response to obtaining [a] message [cryptographically signed by a private key associated with an IoT device], a DNS query for a record associated with the IoT device to a server," as recited in the amended claim 2.
the rejections of the amended limitations are updated accordingly.
A message signed by a private key of an IoT device is also taught by CN103269371A, claim 4. One of ordinary skill in the art would readily know that use of a private key with the IoT device was invented a long time ago for secure communication.
CN103269371A also discloses the claimed communication, a DNS query for a record associated with the IoT device to a server: Internet of Things also needs the addressing system of DNS in the similar the Internet, is used for realizing the functions such as identification, location, information inquiry and information interaction of Internet of Things article. Object oriented analysis service (ONS, Object Naming Service) in Here it is the Internet of Things. But ONS just is used for obtaining EPC (Electronic Product Code) owner's (being generally the manufacturer) EPCIS address of service of safeguarding, and in supply chain, the EPCIS of other enterprise also may catch the article multidate information relevant with this EPC, and can not obtain the address of these EPCIS services by ONS. This service is provided by EPCIS Discovery. In the supply chain that a plurality of participants are formed, certain participant can inquire the part/composition of a certain article by EPCIS Discovery, and where these part/compositions come from, and how these article consign to the end user, background. Also, claim 1 discloses the claimed communication.
Hanes discloses a device for authenticating a message produced by an internet of things (IoT) device, the device comprising: a memory containing instructions; and one or more processors, operably connected to the memory, that executes the instructions to perform operations comprising:
a method for authenticating a message produced by an internet of things (IoT) device, the method comprising: obtaining, by a device, the message, the message has been cryptographically signed by a private key associated with the IoT device, and the message comprises data
In another embodiment, mutual authentication of the IoT device and the service provider can be obtained using asymmetric cryptography, for example the IoT device private key Ki,pr together with the corresponding IoT device public key Ki,pu, and the service provider private key Ks,pr together with the corresponding service provider public key Ks,pu. In the mutual authentication, the IoT device encrypts a hash of a message using the IoT device private key Ki,pr and transmits the partially encrypted message to the service provider. In a corresponding way the service provider encrypts a hash of a message using the service provider private key Ks,pr and transmits the partially encrypted message to the IoT device. The IoT device obtains its own hash of the message and compares this with the hash obtained by decrypting the encrypted hash with the service provider public key Ks,pu. If the two hashes match then the service provider is authenticated. Similarly, the service provider obtains a hash from the IoT device message and compares it with the hash obtained by decrypting the encrypted hash received with the message using the IoT device public key Ki,pu. Again if the two hashes match then the IoT device is authenticated, 6th para, page 8,
and an identifier of the IoT device;
Figure 9 schematically illustrates a method of establishing a trusted relationship between an IoT device and a resource / service provider, following selection of the service provider by the user via the authentication device. In order to establish a trusted relationship between the IoT device and the service provider, the IoT device sends the service provider a registration request specifying an identifier of the IoT device, in one example the serial number of the IoT device, at step S102, 7th para, page 7,
sending, by the device and in response to obtaining the message, a query for information associated with the IoT device to a server, wherein the query is initiated based on the identifier of the IoT device; obtaining, based at least in part on sending the DNS query for the record associated with the IoT device to the server, the information to authenticate the message, wherein the message is authenticated using a public key corresponding to the private key associated with the IoT device (
The public key Ki,pu of the IoT device key pair, corresponding to the private key Ki,pr of the IoT device key pair, is sent to the authentication device, together with the authentication device request and the request for the user's consent at step S702. The request for consent is sent to the user, via the authentication device. The public key for the IoT device is stored at the authentication device, last para, page 7,
An authentication response is communicated from the authentication device to the IoT device, which includes the public key of the authentication device and the user's consent. The digital signature computed over the authentication response message demonstrates that the authentication device was involved in the communication exchange, and the user's consent unlocks the private key required for computing this digital signature (see step S802), second para, page 7.
Finally, the service provider stores the information about the IoT device, the IoT device public key Ki,pu, the authentication device public key and the user's consent at step S112, third para, page 7.
The IoT device private key Ki,pr and the corresponding IoT device public key Ki,pu together create a secret data communication channel between the IoT device and the service provider, fourth para, page 7.
In another embodiment, mutual authentication of the IoT device and the service provider can be obtained using asymmetric cryptography, for example the IoT device private key Ki,pr together with the corresponding IoT device public key Ki,pu, and the service provider private key Ks,pr together with the corresponding service provider public key Ks,pu. In the mutual authentication, the IoT device encrypts a hash of a message using the IoT device private key Ki,pr and transmits the partially encrypted message to the service provider. In a corresponding way the service provider encrypts a hash of a message using the service provider private key Ks,pr and transmits the partially encrypted message to the IoT device. The IoT device obtains its own hash of the message and compares this with the hash obtained by decrypting the encrypted hash with the service provider public key Ks,pu. If the two hashes match then the service provider is authenticated. Similarly, the service provider obtains a hash from the IoT device message and compares it with the hash obtained by decrypting the encrypted hash received with the message using the IoT device public key Ki,pu. Again if the two hashes match then the IoT device is authenticated, 6th para, page 8.
Hanes does not specifically mention the following limitation, which is well known in the art and which Zhang discloses:
sending, by the device to a server, a domain name system (DNS) query for a record associated with the device, wherein the DNS query is based on the identifier, and wherein the identifier is associated with the record; and
[0055] If the user selects the forward query, can be obtained corresponding to the identifier in the selected time period needs to be analyzed by the network address is address of the domain name parsing record and queries each domain name recorded in network address corresponding to the selected identifier is parsed to which network address, and then each one network address resolution to one identifier is displayed in the first display interface. If the user selects the reverse query, then can obtain the identifier corresponding to the network address is a domain name resolution record of the analysis result to the selected in the selected time period, and queries in the respective domain name parsing record corresponding to the identifier of the network address is the network address which parsed, then query every one network address obtained by an identifier showing in the first display interface.
[0003] Accessing a server on the Internet must be realized by IP address, and name resolution is the process of turning the domain name into the IP address. Generally a name corresponds to an IP address, and an IP address can correspond to a plurality of domain names; the multiple domain names can be resolved to an IP address. Domain name resolution needs to be finished by a special domain name analyzing server (DNS). For example, a domain name is: ***. com; if the domain name is to be accessed, firstly the website is resolved to one fixed IP of a web server by the preset DNS server, such as 211.214.1. ***, then the web server receives the domain name, and the FORMULA. com domain name is mapped to the server, so as to finish the whole process of domain name resolution.
[0002] Name resolution specifically is obtaining the corresponding website space IP by analyzing the domain name, so that people can conveniently visit a website by a registered domain name. Name resolution is also called pointing, server setting of the domain name, domain name configuration, reverse IP registration and so on. Generally speaking, it is the resolution of the domain name into an IP address; the domain name analysis service is the DNS server, the DNS server resolves the domain name to an IP address, and then the IP address of the host is bound to one subdirectory and name. DNS is the abbreviation of domain name system (Domain Name System), which is a core service of the Internet; as a distributed database of domain name and IP address mapping, it can make access to the Internet more convenient for people, who do not need to remember the IP number strings that can be read directly by a machine.
Therefore, it would have been obvious to one of ordinary skill in the art at the time of the effective filing date of the claimed invention to modify the invention disclosed by Hanes to implement these limitations, and one of ordinary skill in the art would have been motivated to do so because it would utilize a well-known DNS query. The domain name would be accessed by first resolving the application corresponding to one fixed IP of a device through the preset DNS server. Based on the record for the identifier, the service would be provided, paras. 3, 2.
Hanes and Zhang do not specifically mention the following limitation, which is well known in the art and which Kong discloses: obtaining the record to authenticate the message (
Claim 1. A DNSSEC and DANE protocol based trusted verification method, comprising the following steps: 1) for each object to be verified, generate a group key pair; the public key of the authentication object is submitted to an authoritative server, and the private key is stored on the encryption card, wherein the set of private key not in the encryption card is copied; 2) the authoritative server allocates a sub domain name in the DNS domain as the verification target, and adds a DANE resource record storing the public key of the verification target; the authoritative server, using its own public key, signs the DANE resource record; 3) the user, by the trusted authentication client terminal, obtains the identification of the verification object, converts it to the domain name in the DNS domain of the authoritative server, and sends the query request; 4) the authoritative server, according to the inquiry request, looks up the corresponding DANE resource record and returns it to the trusted authentication client; 5) the user, using the trusted verification client terminal, obtains the identification of the verification object and sends it to the encryption card of the verification object; the encryption card encrypts the identification using the private key of the verification object, generating the ciphertext returned to the trusted verification client; 6) the trusted verification client uses the public key in the returned DANE resource record to decrypt the ciphertext, to verify the verification object, wherein each verification object has a unique identification and a corresponding verification sub domain name and identification of the object.
Claim 2. The method according to claim 1, wherein the type of said DANE resource record is TLSA.
[0054] For anti-counterfeiting of commodities, such as shown in FIG. 5, the process is divided into two stages: registration and query. In the registration stage, the merchandise production manufacturer distributes to each good a private key and a public key, and a product identification is submitted to the national Internet of things identification managing public service platform; the platform distributes to the commodity one corresponding domain name (here assumed to be 987604.redwine.niot.cn) and creates a TLSA resource record for the domain name, the resource record comprising the public key information of the goods. The query is as follows: the commodity anti-fake APP scans the goods, obtaining commodity identification 987604, then converts it to the domain name 987604.redwine.niot.cn and searches the TLSA resource record of the domain name at the national Internet of things identification management public service platform. The merchandise anti-fake APP obtains the TLSA resource record to obtain the public key of the commodity, the commodity anti-fake APP encrypts one random number using the public key, and sends the ciphertext after encrypting to the encryption machine. The encryption machine, using the stored private key regarding product 987604, decrypts the ciphertext and then returns the decrypted random number to the commodity anti-fake APP.
Therefore, it would have been obvious to one of ordinary skill in the art at the time of the effective filing date of the claimed invention to modify the invention disclosed by Hanes to implement these limitations, and one of ordinary skill in the art would have been motivated to do so because it would utilize a well-known record for authentication. Based on the record for the identifier, the public key would be provided. The TLSA record of the domain name would enable stored information for securing an entity, para. 54, claim 1.
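The following Python sketch is an added illustration, not part of this action or of any cited reference; it exercises the flow the combination relies on: the device signs a hash of its message with its private key (Hanes), the verifier derives a DNS name from the device identifier and queries a TLSA-like record for it (Zhang, Kong, using Kong's 987604.redwine.niot.cn), and the public key carried in that record checks the signature. The RSA key built from three Mersenne primes, the in-memory zone, and the dnssec_validated flag (reflecting Kong's step 2, where the authoritative server signs the record) are constructed assumptions for the example.

```python
"""Identifier -> DNS name -> TLSA-like record -> public key -> verify signed hash.
Constructed illustration only; the key is a toy and the zone is in memory."""
import hashlib
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed toy key: multi-prime RSA (RFC 8017 permits more than two primes)
# from three Mersenne primes, so the example runs on the standard library alone.
# Far too small for real use; it stands in for the IoT device key pair Ki.
_P, _Q, _R = (1 << 127) - 1, (1 << 107) - 1, (1 << 89) - 1
_E = 65537
_N = _P * _Q * _R                                    # > 2**320, so a SHA-256 digest fits
_D = pow(_E, -1, (_P - 1) * (_Q - 1) * (_R - 1))     # modular inverse, Python 3.8+


def _digest(msg: bytes) -> int:
    return int.from_bytes(hashlib.sha256(msg).digest(), "big")


def device_sign(msg: bytes, d: int = _D, n: int = _N) -> int:
    """Device side (Hanes): 'encrypt' the hash of the message with Ki,pr."""
    return pow(_digest(msg), d, n)


@dataclass(frozen=True)
class TlsaLikeRecord:
    public_key: Tuple[int, int]   # (n, e) of the device, as Kong's TLSA record carries it
    dnssec_validated: bool        # did the resolver validate the record's signature?


def device_name(identifier: str, suffix: str = "redwine.niot.cn.") -> str:
    """Kong [0054]: identifier 987604 -> 987604.redwine.niot.cn (hypothetical suffix)."""
    return f"{identifier}.{suffix}"


# Constructed in-memory zone standing in for the DNS server that is queried.
ZONE = {
    device_name("987604"): TlsaLikeRecord((_N, _E), dnssec_validated=True),
    device_name("111111"): TlsaLikeRecord((_N, _E), dnssec_validated=False),
}


def dns_query(name: str) -> Optional[TlsaLikeRecord]:
    return ZONE.get(name)


def authenticate_message(identifier: str, msg: bytes, sig: int) -> bool:
    """Verifier side: reject if no record, an unvalidated record, or a bad signature."""
    rec = dns_query(device_name(identifier))
    if rec is None or not rec.dnssec_validated:
        return False
    n, e = rec.public_key
    return pow(sig, e, n) == _digest(msg)


if __name__ == "__main__":
    m = b"987604:temperature=21.5"          # constructed device message
    s = device_sign(m)
    print(authenticate_message("987604", m, s))          # True
    print(authenticate_message("987604", m + b"!", s))   # False: data tampered
    print(authenticate_message("111111", m, s))          # False: record not validated
```

The unvalidated-record case is the one a deployment must not skip: without DNSSEC validation of the record, the public key used for the check is itself unauthenticated.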
Hanes, Zhang and Kong do not specifically mention the following limitation, which is well known in the art and which CN103269371A discloses: published by the IoT device (
Summary of the invention
To realize data security, high efficiency synchronous based on multicast, guarantee fail safe and the access control of DS inquiry, and guarantee the subscriber identity information safety of transmission.
Claim: 1. Internet of Things DS querying method based on Anycast, its step comprises:
1) DS service inquiry server is formed a services set by Anycast mechanism, by hiding main DS server maintenance DS service inquiry data in server integrality and accuracy, and the Anycast group address is registered to dns server;
2) the IS server sends to the state information of article the Anycast address of DS service inquiry server, the DS service inquiry server that receives information is forwarded to this renewal hides main DS server, hides between all nodes that main DS server is recorded in this renewal the Anycast group and carries out synchronously;
3) user that need obtain the DS information of article inquires about by dns server, obtains the Anycast address of DS service inquiry server;
4) user obtains the authorization information of query requests from authentication server, and sends query requests to this Anycast group;
5) the nearest Anycast node of distance users is received the query requests packet, and the DS service inquiry server of this Anycast node is forwarded to authentication server with this request data package; This user's access rights are verified and determined to this authentication server to this request data package, will verify that at last result and access privilege return to corresponding DS service inquiry server;
6) this corresponding this user's of DS service inquiry server buffer checking result and access rights, and return to the Query Result of this user's correspondence according to this authority.
2. the method for claim 1, it is characterized in that: described hiding main DS server is organized the RP of the multicast group of all nodes compositions as Anycast, anyly receive that more the DS service inquiry server of new data at first sends to RP with data, and by RP by multicast path by being distributed to the DS service inquiry server that all are monitoring same multicast group.
3. the method for claim 1 is characterized in that: the authorization information when described DS service inquiry server stores user inquires about for the first time, and in follow-up this authorization information of directly using when being inquired about by same user.
4. the method for claim 1 is characterized in that: the user comprises usemame/password and the public key information that is encrypted from the authorization information of the query requests that authentication server obtains; Authentication server is decrypted the usemame/password information of encrypting by the private key of oneself safeguarding, and verifies the correctness of this usemame/password.
Background technology
Internet of Things is the important component part of generation information technology. Generally, Internet of Things is exactly one "the Internet that the thing thing links to each other". It is on the basis of the Internet, introduces RFID (Radio Frequency Identification), and user side is extended to new network between any object and the object. The final goal of Internet of Things is connected any object exactly with the Internet, carry out information exchange and communicate by letter, to realize intellectuality identification, location, tracking, monitoring and the management to object. Therefore, Internet of Things also needs the addressing system of DNS in the similar the Internet, is used for realizing the functions such as identification, location, information inquiry and information interaction of Internet of Things article. Object oriented analysis service (ONS, Object Naming Service) in Here it is the Internet of Things. But ONS just is used for obtaining EPC (Electronic Product Code) owner's (being generally the manufacturer) EPCIS address of service of safeguarding, and in supply chain, the EPCIS of other enterprise also may catch the article multidate information relevant with this EPC, and can not obtain the address of these EPCIS services by ONS. This service is provided by EPCIS Discovery. In the supply chain that a plurality of participants are formed, certain participant can inquire the part/composition of a certain article by EPCIS Discovery, and where these part/compositions come from, and how these article consign to the end user.
Therefore, it would have been obvious to one of ordinary skill in the art at the time of the effective filing date of the claimed invention to modify the invention disclosed by Hanes to implement these limitations, and one of ordinary skill in the art would have been motivated to do so because it would utilize well-known communication of subscriber information associated with a device. A message would be produced by an internet of things (IoT) device. The information of the message would enable providing information to other devices using the well-known methods, background.
Conclusion
Please see the teachings of the CN103269371A reference regarding well-known limitations, including the limitations of new claims 20 and 21. Please see claim 2, which merely accomplishes authenticating a message produced by a well-known IoT device. One of ordinary skill in the art would readily know that the use of a private key, DNS query, record, and servers to authenticate the message using a public key had been in use for long prior to the effective filing date of this applicati