

Title:
METHOD AND APPARATUS FOR MANAGING IOT DEVICE, AND SERVER AND STORAGE MEDIUM THEREOF
Document Type and Number:
WIPO Patent Application WO/2021/091490
Kind Code:
A1
Abstract:
The present disclosure provides a method and apparatus for managing an IoT device, and a server and a storage medium thereof, and belongs to the field of the IoT technology. The method includes: receiving a join request sent by an IoT device, wherein the join request includes a device public key of the IoT device and a device level of the IoT device; determining a standard device public key of the IoT device according to the device level of the IoT device; detecting whether the device public key of the IoT device carried in the join request is the same as the standard device public key of the IoT device; if the device public key of the IoT device carried in the join request is the same as the standard device public key of the IoT device, acknowledging that the IoT device is valid, and controlling the IoT device to join the IoT platform. According to embodiments of the present disclosure, the validity of the IoT device is first authenticated before the IoT device joins the IoT platform, and the device private key corresponding to the IoT device is not revealed during validity authentication, thereby improving the security for the IoT device and the IoT platform.

Inventors:
YU CHENGLONG (CN)
MING LANG (CN)
Application Number:
PCT/SG2020/050635
Publication Date:
May 14, 2021
Filing Date:
November 04, 2020
Assignee:
ENVISION DIGITAL INT PTE LTD (SG)
SHANGHAI ENVISION DIGITAL CO LTD (CN)
International Classes:
H04L29/06; H04L9/32; G06F16/28; G16Y40/35; H04W12/06
Domestic Patent References:
WO2019040651A1 (2019-02-28)
Foreign References:
CN107241356A (2017-10-10)
Other References:
MUGHAL M. A. ET AL.: "Logical Tree Based Secure Rekeying Management for Smart Devices Groups in IoT Enabled WSN", IEEE ACCESS, vol. 7, 10 June 2019 (2019-06-10), pages 76699 - 76711, XP011731764, [retrieved on 20210204], DOI: 10.1109/ACCESS.2019.2921999
Attorney, Agent or Firm:
YUSARN AUDREY (SG)
Claims:
What is claimed is:

1. A method for managing an Internet of Things (IoT) device, comprising: receiving a join request sent by an IoT device, wherein the join request is to request to join an IoT platform, and the join request comprises a device public key of the IoT device and a device level of the IoT device, the device level of the IoT device referring to a level of the IoT device in a hierarchical relationship tree; determining a standard device public key of the IoT device according to the device level of the IoT device, wherein the standard device public key of the IoT device refers to an authentication public key generated for the IoT device at a validity authentication stage of the IoT device; detecting whether the device public key of the IoT device carried in the join request is the same as the standard device public key of the IoT device; and if the device public key of the IoT device carried in the join request is the same as the standard device public key of the IoT device, acknowledging that the IoT device is valid, and controlling the IoT device to join the IoT platform.

2. The method according to claim 1, wherein prior to the receiving a join request sent by an IoT device, the method further comprises: receiving a join identifier acquisition request sent by the IoT device, wherein the join identifier acquisition request is to request to acquire a join identifier corresponding to the IoT device, and the join identifier comprises the device private key of the IoT device and the device public key of the IoT device; generating the device private key of the IoT device according to the join identifier acquisition request; generating the device public key of the IoT device according to the device private key of the IoT device; and sending the device private key of the IoT device and the device public key of the IoT device to the IoT device.

3. The method according to claim 2, wherein the generating the device private key of the IoT device according to the join identifier acquisition request comprises: acquiring a device private key of a management device according to the join identifier acquisition request; and generating the device private key of the IoT device according to the device private key of the management device.

4. The method according to claim 1, further comprising: receiving a registration request sent by the management device, wherein the registration request is to request to register the management device in the IoT platform, and the registration request comprises a device public key of the management device and a device level of the management device, the device level of the management device referring to a level of the management device in the hierarchical relationship tree; determining a standard device public key of the management device according to the device level of the management device, wherein the standard device public key of the management device refers to an authentication public key generated for the management device at a validity authentication stage of the management device; detecting whether the device public key of the management device carried in the registration request is the same as the standard device public key of the management device; and if the device public key of the management device carried in the registration request is the same as the standard device public key of the management device, acknowledging that the management device is valid, and registering the management device in the IoT platform.

5. The method according to claim 4, wherein prior to the receiving a registration request sent by the management device, the method further comprises: receiving a registration identifier acquisition request sent by the management device, wherein the registration identifier acquisition request is to request to acquire a registration identifier corresponding to the management device, and the registration identifier comprises the device private key of the management device and the device public key of the management device; generating the device private key of the management device according to the registration identifier acquisition request; generating the device public key of the management device according to the device private key of the management device; and sending the device private key of the management device and the device public key of the management device to the management device.

6. The method according to claim 5, wherein the generating the device private key of the management device according to the registration identifier acquisition request comprises: acquiring a device private key of an organization device according to the registration identifier acquisition request; and generating the device private key of the management device according to the device private key of the organization device.

7. The method according to any one of claims 1 to 6, further comprising: receiving a control request sent by the management device, wherein the control request is to request to control the IoT device, the control request comprises the device public key of the management device, the device level of the management device and the device level of the IoT device, and the device level of the management device refers to the level of the management device in the hierarchical relationship tree; computing the standard device public key and a device level list for the management device according to the device level of the management device, wherein the device level list refers to a list consisting of the level of the IoT device managed by the management device in the hierarchical relationship tree; if the device level of the IoT device is in the device level list, detecting whether the device public key of the management device carried in the control request is the same as the standard device public key of the management device; and if the device public key of the management device carried in the control request is the same as the standard device public key of the management device, acknowledging that the management device is valid, and allowing the management device to control the IoT device.

8. An apparatus for managing an Internet of Things (IoT) device, comprising: a join requesting module, configured to receive a join request sent by an IoT device, wherein the join request is to request to join an IoT platform, and the join request comprises a device public key of the IoT device and a device level of the IoT device, the device level of the IoT device referring to a level of the IoT device in a hierarchical relationship tree; a standard computing module, configured to determine a standard device public key of the IoT device according to the device level of the IoT device, wherein the standard device public key of the IoT device refers to an authentication public key generated for the IoT device at a validity authentication stage of the IoT device; a relationship detecting module, configured to detect whether the device public key of the IoT device carried in the join request is the same as the standard device public key of the IoT device; and an acknowledgment control module, configured to, if the device public key of the IoT device carried in the join request is the same as the standard device public key of the IoT device, acknowledge that the IoT device is valid, and control the IoT device to join the IoT platform.

9. A server, comprising a processor and a memory, wherein the memory stores a computer program, which is loaded and executed by the processor to perform the method according to any one of claims 1 to 7.

10. A non-transitory computer-readable storage medium, in which a computer program is stored, wherein the computer program is executed by a processor to perform the method according to any one of claims 1 to 7.

Description:
METHOD AND APPARATUS FOR MANAGING IOT DEVICE, AND SERVER AND STORAGE MEDIUM THEREOF

TECHNICAL FIELD

[0001] The present disclosure relates to the field of the Internet of Things (IoT) technology, and in particular to a method and apparatus for managing an IoT device, and a server and a non-transitory computer-readable storage medium thereof.

BACKGROUND

[0002] At present, with the rapid development of IoT, more and more devices may be connected to the IoT to realize communications among humans, machines and objects anytime and anywhere.

[0003] In the related art, a combination of a username and a password is mostly used to perform identity authentication for management of an IoT device. In the related art, the IoT device is provided with a default credential including a username and a password before delivery from factory. When controlling the IoT device to join an IoT platform, a user inputs the username and the password of the IoT device into the IoT platform, and the IoT platform then authenticates the identity of the IoT device.

[0004] However, in the related art, if the user does not change the password of the IoT device, an attacker may control the IoT device once obtaining the default credential. As a result, both the IoT device and the IoT platform are less secure and are vulnerable to attacks.

SUMMARY

[0005] Embodiments of the present disclosure provide a method and apparatus for managing an IoT device, and a server and a non-transitory computer-readable storage medium thereof, which may solve the problem that both the IoT device and the IoT platform in the related art are less secure and are vulnerable to attacks. The technical solutions are as follows.

[0006] In one aspect, embodiments of the present disclosure provide a method for managing an IoT device. The method includes:

[0007] receiving a join request sent by an IoT device, wherein the join request is to request to join an IoT platform, and the join request includes a device public key of the IoT device and a device level of the IoT device, the device level of the IoT device referring to a level of the IoT device in a hierarchical relationship tree;

[0008] determining a standard device public key of the IoT device according to the device level of the IoT device, wherein the standard device public key of the IoT device refers to an authentication public key generated for the IoT device at a validity authentication stage of the IoT device;

[0009] detecting whether the device public key of the IoT device carried in the join request is the same as the standard device public key of the IoT device; and

[0010] if the device public key of the IoT device carried in the join request is the same as the standard device public key of the IoT device, acknowledging that the IoT device is valid, and controlling the IoT device to join the IoT platform.

[0011] In another aspect, embodiments of the present disclosure provide an apparatus for managing an IoT device. The apparatus includes:

[0012] a join requesting module, configured to receive a join request sent by an IoT device, wherein the join request is to request to join an IoT platform, and the join request includes a device public key of the IoT device and a device level of the IoT device, the device level of the IoT device referring to a level of the IoT device in a hierarchical relationship tree;

[0013] a standard computing module, configured to determine a standard device public key of the IoT device according to the device level of the IoT device, wherein the standard device public key of the IoT device refers to an authentication public key generated for the IoT device at a validity authentication stage of the IoT device;

[0014] a relationship detecting module, configured to detect whether the device public key of the IoT device carried in the join request is the same as the standard device public key of the IoT device; and

[0015] an acknowledgment control module, configured to, if the device public key of the IoT device carried in the join request is the same as the standard device public key of the IoT device, acknowledge that the IoT device is valid, and control the IoT device to join the IoT platform.

[0016] In another aspect, embodiments of the present disclosure provide a server. The server includes a processor and a memory, wherein the memory stores a computer program, which is loaded and executed by the processor to perform the method for managing an IoT device as described above.

[0017] In another aspect, embodiments of the present disclosure provide a non-transitory computer-readable storage medium. The non-transitory computer-readable storage medium stores a computer program, wherein the computer program is loaded and executed by a processor to perform the method for managing an IoT device as described above.

[0018] In another aspect, embodiments of the present disclosure provide a computer program product, which is executed by a processor to perform the method for managing an IoT device as described above.

[0019] According to the technical solutions according to the embodiments of the present disclosure, after receiving the join request for joining the IoT platform sent by the IoT device, a hierarchical deterministic algorithm module in a server cluster authenticates the validity of the IoT device according to the device public key and device level carried in the join request; and if the validity authentication is successful, the server cluster controls the IoT device to join the IoT platform. With the technical solutions according to the embodiments of the present disclosure, the validity of the IoT device is first authenticated before the IoT device joins the IoT platform, and the device private key corresponding to the IoT device may not be revealed during validity authentication, thereby improving the security for the IoT device and the IoT platform.

BRIEF DESCRIPTION OF THE DRAWINGS

[0020] For clearer descriptions of the technical solutions according to the embodiments of the present disclosure, the following briefly introduces the accompanying drawings required for describing the embodiments. Apparently, the accompanying drawings in the following description show merely some embodiments of the present disclosure, and a person of ordinary skill in the art may still derive other drawings from these accompanying drawings without creative efforts.

[0021] FIG. 1 is a schematic diagram of an implementation environment according to an embodiment of the present disclosure;

[0022] FIG. 2 is a flowchart of a method for managing an IoT device according to an embodiment of the present disclosure;

[0023] FIG. 3 is a flowchart of a method for managing an IoT device according to another embodiment of the present disclosure;

[0024] FIG. 4 is a flowchart of a method for managing an IoT device according to a further embodiment of the present disclosure;

[0025] FIG. 5 is a flowchart of a method for managing an IoT device according to yet another embodiment of the present disclosure;

[0026] FIG. 6 is a schematic diagram of a hierarchical relationship tree involved in an embodiment of the present disclosure;

[0027] FIG. 7 is a schematic diagram of a method for computing a public-private key pair involved in an embodiment of the present disclosure;

[0028] FIG. 8 is a block diagram of an apparatus for managing an IoT device according to an embodiment of the present disclosure;

[0029] FIG. 9 is a block diagram of an apparatus for managing an IoT device according to another embodiment of the present disclosure; and

[0030] FIG. 10 is a structural block diagram of a server according to an embodiment of the present disclosure.

DETAILED DESCRIPTION

[0031] The embodiments of the present disclosure are described in further detail hereinafter with reference to the enclosed drawings, to clearly present the objects, technical solutions, and advantages of the present disclosure.

[0032] Referring to FIG. 1, a schematic diagram of an implementation environment involved in an embodiment of the present disclosure is illustrated. The implementation environment may include a server cluster 101, an IoT device 102, and a computer device 103.

[0033] A server cluster 101 is a cluster that aggregates multiple servers for computing and storing data information. In this embodiment of the present disclosure, the server cluster 101 includes at least one server. In this embodiment of the present disclosure, the server cluster includes an IoT platform and a hierarchical deterministic algorithm module, wherein the IoT platform is configured to receive and respond to requests sent by an IoT device 102 and a computer device 103, and issue a command for validity authentication; and the hierarchical deterministic algorithm module is configured to compute an assignment identifier and perform validity authentication for the IoT device 102 and the computer device 103. The IoT platform may be deployed in one or more servers, and the hierarchical deterministic algorithm module may also be deployed in one or more servers, which is not limited in the embodiment of the present disclosure. Alternatively, in order to save the cost on the server, the IoT platform and the hierarchical deterministic algorithm module may be deployed in the same server.

[0034] The IoT device 102 refers to an embedded physical device, which has a computerized system such as software and sensors, and is widely applied to the network convergence through communication sensing technologies, such as intelligent sensing, identification, and computing. The IoT device 102 may include a refrigerator, an air conditioner, a fitness device, a security system, an alarm system, etc., and the IoT device 102 may access the IoT platform in the server cluster 101.

[0035] The computer device 103 refers to a device having capabilities of processing and storing data, such as a personal computer (PC), a server, or other electronic devices having a computing capability, which is not limited by the embodiment of the present disclosure. The computer device 103 may be registered in the IoT platform in the server cluster 101 to enable subsequent operation and management of the IoT device 102, such as controlling the IoT device 102 to start or stop working.

[0036] The IoT device 102 and the computer device 103 are connected to the server cluster 101 via a network, which may be either a wired network or a wireless network. For example, the connections between the IoT device 102 and the server cluster 101 and between the computer device 103 and the server cluster 101 may be practiced in a device-to-device (Ad-Hoc) fashion, or may be enabled under the coordination of a base station or a wireless access point (AP), which is not limited in the embodiment of the present disclosure.

[0037] Referring to FIG. 2, a flowchart of a method for managing an IoT device according to an embodiment of the present disclosure is illustrated. This method may be applied to the server cluster in the implementation environment shown in FIG. 1. The method may include the following steps (201-204).

[0038] In step 201, a join request sent by an IoT device is received, wherein the join request is to request to join an IoT platform, and the join request includes a device public key of the IoT device and a device level of the IoT device, wherein the device level of the IoT device refers to a level of the IoT device in a hierarchical relationship tree.

[0039] The IoT device needs to join the IoT platform before use, and here, the IoT device sends the join request to the IoT platform, wherein the join request carries the device public key and device level corresponding to the IoT device.

[0040] In order to improve the security level of the key corresponding to the IoT device, the IoT device also has a device private key accordingly. The device public key of the IoT device and the device private key of the IoT device are a key pair obtained through an asymmetric encryption algorithm. If the device public key of the IoT device is utilized to encrypt data, only the corresponding device private key of the IoT device may be used for decryption. Accordingly, if the device private key of the IoT device is utilized to encrypt the data, only the corresponding device public key of the IoT device may be used for decryption. In this embodiment of the present disclosure, the join request sent by the IoT device to the IoT platform may not include the device private key of the IoT device, in order not to reveal the device private key of the IoT device and further improve the security level. In this embodiment of the present disclosure, the hierarchical relationship tree is configured to indicate a hierarchical structure of respective devices, and is a set of hierarchical relationships composed of n finite nodes.

[0041] In a possible implementation, prior to the receiving the join request sent by the IoT device as described above, the method further includes: receiving a join identifier acquisition request sent by the IoT device, wherein the join identifier acquisition request is to request to acquire a join identifier corresponding to the IoT device, and the join identifier includes the device private key of the IoT device and the device public key of the IoT device; generating the device private key of the IoT device according to the join identifier acquisition request; generating the device public key of the IoT device according to the device private key of the IoT device; and sending the device private key of the IoT device and the device public key of the IoT device to the IoT device.

[0042] The hierarchical deterministic algorithm module in the server cluster is configured to compute the public-private key pair and the level for each device. After receiving the join identifier acquisition request sent by the IoT device, the hierarchical deterministic algorithm module starts to compute the device private key corresponding to the IoT device according to the join identifier acquisition request, then generates the device public key of the IoT device according to the computed device private key of the IoT device, and finally, sends the device private key of the IoT device and the device public key of the IoT device to the IoT device.

[0043] Illustratively, the generating the device private key of the IoT device according to the join identifier acquisition request includes: acquiring a device private key of a management device according to the join identifier acquisition request; and generating the device private key of the IoT device according to the device private key of the management device. Among them, a device level corresponding to the management device is higher than the device level corresponding to the IoT device. Alternatively, the hierarchical deterministic algorithm module in the server cluster may also acquire a chain code of the management device while acquiring the device private key of the management device. In this embodiment of the present disclosure, the chain code represents a computation rule of the hierarchical deterministic algorithm module in the server cluster, that is, the computation rule with which the hierarchical deterministic algorithm module computes the public-private key pair and the level for each device may be constrained via the chain code. Alternatively, for ease of computation, the hierarchical deterministic algorithm module in the server cluster computes the public-private key pair and the level for each device with the same chain code.
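The following is an added example, not code from the patent or from the applicant, of the key derivation that [0042] and [0043] describe: an organization root private key, a management device private key derived from it, and an IoT device private key derived from the management device private key, all under one shared chain code. Everything not stated in the text is an assumption made here: the curve is secp256k1, the derivation function is HMAC-SHA512 keyed with the chain code over the parent private key and a child index (the hardened-child construction of BIP32), a device level is represented as the tuple of child indices that locates the device in the hierarchical relationship tree, and the root secret and chain code are constructed sample values.

```python
# Added example (not the patent's own code): BIP32-style hierarchical
# deterministic derivation of organization -> management -> IoT device keys
# with one shared chain code, as [0043] describes.
# Assumptions (not from the patent): secp256k1 curve, HMAC-SHA512 keyed with
# the chain code as the derivation rule, device level = tuple of child indices.
import hashlib
import hmac

# secp256k1 domain parameters (assumption: curve choice, as in BIP32)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def point_add(p, q):
    """Affine point addition on secp256k1; None is the point at infinity."""
    if p is None:
        return q
    if q is None:
        return p
    if p[0] == q[0] and (p[1] + q[1]) % P == 0:
        return None  # p == -q
    if p == q:
        lam = 3 * p[0] * p[0] * pow(2 * p[1], -1, P) % P
    else:
        lam = (q[1] - p[1]) * pow(q[0] - p[0], -1, P) % P
    x = (lam * lam - p[0] - q[0]) % P
    return (x, (lam * (p[0] - x) - p[1]) % P)


def scalar_mult(k, point):
    """Double-and-add scalar multiplication (not constant time; illustration only)."""
    result = None
    while k:
        if k & 1:
            result = point_add(result, point)
        point = point_add(point, point)
        k >>= 1
    return result


def public_key(priv):
    """Device public key = priv * G, serialised as a 33-byte compressed point."""
    x, y = scalar_mult(priv, G)
    return bytes([2 + (y & 1)]) + x.to_bytes(32, "big")


def child_tweak(parent_priv, chain_code, index):
    """Left half of HMAC-SHA512(chain_code, 0x00 || parent_priv || index).
    The chain code is the 'computation rule' that constrains every derivation."""
    data = b"\x00" + parent_priv.to_bytes(32, "big") + index.to_bytes(4, "big")
    digest = hmac.new(chain_code, data, hashlib.sha512).digest()
    return int.from_bytes(digest[:32], "big")


def derive_child(parent_priv, chain_code, index):
    """Child private key from the parent private key (e.g. IoT device key from
    the management device key). The two invalid cases have negligible
    probability; BIP32 handles them by moving to the next index."""
    tweak = child_tweak(parent_priv, chain_code, index)
    child = (parent_priv + tweak) % N
    if tweak >= N or child == 0:
        raise ValueError("invalid child index, use the next one")
    return child


def derive_at_level(root_priv, chain_code, level):
    """Walk the hierarchical relationship tree from the organization root.
    level is a tuple of child indices, e.g. (1, 3) = IoT device 3 under
    management device 1 (representation is an assumption of this example)."""
    priv = root_priv
    for index in level:
        priv = derive_child(priv, chain_code, index)
    return priv


# Constructed sample root secret and shared chain code (example values only)
ORG_PRIV = int.from_bytes(hashlib.sha256(b"example organization root").digest(), "big") % N
CHAIN_CODE = hashlib.sha256(b"example shared chain code").digest()

if __name__ == "__main__":
    mgmt_priv = derive_at_level(ORG_PRIV, CHAIN_CODE, (1,))
    dev_priv = derive_at_level(ORG_PRIV, CHAIN_CODE, (1, 3))
    # Only the public key and the level ever leave the device in a join request.
    print("management device public key:", public_key(mgmt_priv).hex())
    print("IoT device public key:       ", public_key(dev_priv).hex())
```

Because the derivation adds a tweak to the parent scalar, the child public key equals the parent public key plus tweak*G; the server module can therefore recompute the standard device public key for a level from the parent's material alone, which is what lets the validity check in step 202 work without the device ever transmitting its private key.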

[0044] In step 202, a standard device public key of the IoT device is determined according to the device level of the IoT device, wherein the standard device public key of the IoT device refers to an authentication public key generated for the IoT device at a validity authentication stage of the IoT device.

[0045] In this embodiment of the present disclosure, the hierarchical deterministic algorithm module in the server cluster maintains a database, which includes levels and public keys corresponding to all the devices that have acquired the identifiers. At the validity authentication stage of the device, the hierarchical deterministic algorithm module may query the public key of a device in the database maintained thereby according to the level of the device, and acknowledge the public key as the standard device public key of the device.

[0046] After receiving the join request of the IoT device, the IoT platform in the server cluster may, according to the device level corresponding to the IoT device carried in the join request, query the public key corresponding to the device level in the database maintained by the hierarchical deterministic algorithm module in the server cluster, and determine the public key as the standard public key of the IoT device. In the subsequent steps, the validity of the IoT device may be authenticated according to this standard device public key.

[0047] In step 203, whether the device public key of the IoT device carried in the join request is the same as the standard device public key of the IoT device is detected.

[0048] The join request of the IoT device carries the device public key corresponding to the IoT device. After determining the standard device public key of the IoT device, the hierarchical deterministic algorithm module in the server cluster detects whether the device public key of the IoT device in the join request of the IoT device is the same as the standard device public key of the IoT device, in order to achieve the purpose of detecting the validity of the IoT device.

[0049] In step 204, if the device public key of the IoT device carried in the join request is the same as the standard device public key of the IoT device, the IoT device is acknowledged to be valid, and the IoT device is controlled to join the IoT platform.

[0050] When it is detected that the device public key of the IoT device in the join request of the IoT device is the same as the standard device public key of the IoT device, the hierarchical deterministic algorithm module in the server cluster acknowledges that the IoT device is valid. Here, the hierarchical deterministic algorithm module in the server cluster sends a message, indicating that the validity authentication of the IoT device is successful, to the IoT platform in the server cluster; after receiving this message, the IoT platform acknowledges that the IoT device may be authorized to join the IoT platform; and then, the server cluster controls the IoT device to join the IoT platform. When it is detected that the device public key of the IoT device in the join request of the IoT device is different from the standard device public key of the IoT device, the hierarchical deterministic algorithm module in the server cluster acknowledges that the IoT device is invalid. Here, the hierarchical deterministic algorithm module in the server cluster sends a message, indicating that the validity authentication of the IoT device fails, to the IoT platform in the server cluster; after receiving this message, the IoT platform acknowledges that the IoT device cannot be authorized to join the IoT platform; and then, the server cluster does not allow the IoT device to join the IoT platform.

[0051] In a possible implementation, as shown in FIG. 3, the method for managing an IoT device according to an embodiment of the present disclosure may include the following steps:

[0052] step 301: receiving a join identifier acquisition request sent by the IoT device;

[0053] step 302: computing a join identifier corresponding to the IoT device;

[0054] step 303: receiving a join request sent by the IoT device;

[0055] step 304: authenticating the validity of the IoT device according to the join request;

[0056] step 305: sending an authentication result to the IoT platform; and

[0057] step 306: judging whether the IoT device is to be authorized to join the IoT platform.

[0058] In summary, with the technical solutions according to the embodiments of the present disclosure, after receiving the join request for joining the IoT platform sent by the IoT device, the hierarchical deterministic algorithm module in the server cluster authenticates the validity of the IoT device according to the device public key and device level of the IoT device carried in the join request; and if the validity authentication is successful, the server cluster controls the IoT device to join the IoT platform. With the technical solutions according to the embodiments of the present disclosure, the validity of the IoT device is first authenticated before the IoT device joins the IoT platform, and the device private key corresponding to the IoT device may not be revealed during validity authentication, thereby improving the security for the IoT device and the IoT platform.

[0059] In a possible implementation, the method for managing an IoT device further includes: receiving a registration request sent by the management device, wherein the registration request is to request to register the management device in the IoT platform, the registration request includes a device public key of the management device and a device level of the management device, and the device level of the management device refers to a level of the management device in the hierarchical relationship tree; determining a standard device public key of the management device according to the device level of the management device, wherein the standard device public key of the management device refers to an authentication public key generated for the management device at a validity authentication stage of the management device; detecting whether the device public key of the management device carried in the registration request is the same as the standard device public key of the management device; and if the device public key of the management device carried in the registration request is the same as the standard device public key of the management device, acknowledging that the management device is valid, and registering the management device in the IoT platform.

[0060] The management device needs to be registered in the IoT platform before use, and here, the management device sends the registration request to the IoT platform, wherein the registration request carries the device public key and device level corresponding to the management device. In this embodiment of the present disclosure, the registration request sent by the management device to the IoT platform may not include the device private key of the management device, in order not to reveal the device private key of the management device and further improve the security level.

[0061] After receiving the registration request of the management device, the IoT platform in the server cluster may, according to the device level corresponding to the management device carried in the registration request, query the public key corresponding to the device level of the management device in the database maintained by the hierarchical deterministic algorithm module in the server cluster, and determine the public key as the standard device public key of the management device. The registration request of the management device carries the device public key corresponding to the management device. After determining the standard device public key of the management device, the hierarchical deterministic algorithm module in the server cluster detects whether the device public key of the management device in the registration request of the management device is the same as the standard device public key of the management device, in order to achieve the purpose of detecting the validity of the management device.

[0062] When it is detected that the device public key of the management device in the registration request of the management device is the same as the standard device public key of the management device, the hierarchical deterministic algorithm module in the server cluster acknowledges that the management device is valid. Here, the hierarchical deterministic algorithm module in the server cluster sends a message, indicating that the validity authentication of the management device is successful, to the IoT platform in the server cluster; after receiving this message, the IoT platform acknowledges that the management device may be authorized to be registered in the IoT platform; and then, the server cluster controls the management device to be registered in the IoT platform. When it is detected that the device public key of the management device in the registration request of the management device is different from the standard device public key of the management device, the hierarchical deterministic algorithm module in the server cluster acknowledges that the management device is invalid. Here, the hierarchical deterministic algorithm module in the server cluster sends a message, indicating that the validity authentication of the management device fails, to the IoT platform in the server cluster; after receiving this message, the IoT platform acknowledges that the device cannot be authorized to be registered in the IoT platform; and then, the server cluster does not allow the management device to be registered in the IoT platform.

[0063] Illustratively, prior to the receiving the registration request sent by the management device as described above, the method further includes: receiving a registration identifier acquisition request sent by the management device, wherein the registration identifier acquisition request is to request to acquire a registration identifier corresponding to the management device, and the registration identifier includes the device private key of the management device and the device public key of the management device; generating the device private key of the management device according to the registration identifier acquisition request; generating the device public key of the management device according to the device private key of the management device; and sending the device private key of the management device and the device public key of the management device to the management device.

[0064] After receiving the registration identifier acquisition request sent by the management device, the hierarchical deterministic algorithm module starts to compute the device private key corresponding to the management device according to the registration identifier acquisition request, then generates the device public key of the management device according to the computed device private key of the management device, and finally, sends the device private key of the management device and the device public key of the management device to the management device.

[0065] Illustratively, the generating the device private key of the management device according to the registration identifier acquisition request includes: acquiring a device private key of an organization device according to the registration identifier acquisition request; and generating the device private key of the management device according to the device private key of the organization device. Among them, a device level corresponding to the organization device is higher than the device level corresponding to the management device. Alternatively, the hierarchical deterministic algorithm module in the server cluster may also acquire a chain code of the organization device while acquiring the device private key of the organization device.

[0066] In a possible implementation, as shown in FIG. 4, the method for managing an IoT device according to an embodiment of the present disclosure may also include the following steps:

[0067] step 401: receiving a registration identifier acquisition request sent by the management device;

[0068] step 402: computing a registration identifier corresponding to the management device;

[0069] step 403: receiving a registration request sent by the management device;

[0070] step 404: authenticating the validity of the management device according to the registration request;

[0071] step 405: sending an authentication result to the IoT platform; and

[0072] step 406: judging whether the management device is to be authorized to be registered in the IoT platform.

[0073] In summary, with the technical solutions according to the embodiments of the present disclosure, after receiving the registration request for registering in the IoT platform sent by the management device, the hierarchical deterministic algorithm module in the server cluster authenticates the validity of the management device according to the device public key and device level of the management device carried in the registration request; and if the validity authentication is successful, the server cluster controls the management device to be registered in the IoT platform. With the technical solutions according to the embodiments of the present disclosure, the validity of the management device is first authenticated before the management device joins the IoT platform, and the device private key corresponding to the management device may not be revealed during validity authentication, thereby improving the security for the management device and the IoT platform.

[0074] In another possible implementation, the method above further includes: receiving a control request sent by the management device, wherein the control request is to request to control the IoT device, the control request includes the device public key of the management device, the device level of the management device and the device level of the IoT device, and the device level of the management device refers to the level of the management device in the hierarchical relationship tree; computing the standard device public key and a device level list for the management device according to the device level of the management device, wherein the device level list refers to a list consisting of the level of the IoT device managed by the management device in the hierarchical relationship tree; if the device level of the IoT device is in the device level list, detecting whether the device public key of the management device carried in the control request is the same as the standard device public key of the management device; and if the device public key of the management device carried in the control request is the same as the standard device public key of the management device, acknowledging that the management device is valid, and allowing the management device to control the IoT device.

[0075] In this embodiment of the present disclosure, the management device does not directly operate the IoT device, but indirectly performs the operation on the IoT device through the IoT platform in the server cluster. Moreover, in order to improve the security of the server cluster, the management device needs to first pass validity authentication by the hierarchical deterministic algorithm module in the server cluster before operating the IoT device through the IoT platform in the server cluster; when the validity authentication is successful, the IoT platform responds to the operation of the management device on the IoT device, and when the validity authentication fails, the IoT platform does not respond to the operation of the management device on the IoT device.

[0076] After receiving a control request of the management device, the IoT platform in the server cluster may, according to the device level corresponding to the management device carried in the control request, query the standard device public key and a device level list, corresponding to the device level of the management device, in the database maintained by the hierarchical deterministic algorithm module in the server cluster; and the device level list refers to a list consisting of the level of the IoT device managed by the management device in the hierarchical relationship tree. The control request sent by the management device carries the device public key of the management device, and the device level of the IoT device to be controlled by the management device. When acknowledging that the device level of the IoT device is in the device level list, the hierarchical deterministic algorithm module in the server cluster detects whether the device public key of the management device in the control request is the same as the standard device public key; and when acknowledging that the device level of the IoT device is not in the device level list, the hierarchical deterministic algorithm module in the server cluster controls the IoT platform in the server cluster not to respond to the operation of the management device on the IoT device.

[0077] If it is detected that the device public key of the management device in the control request is the same as the standard device public key, the hierarchical deterministic algorithm module in the server cluster acknowledges that the management device is valid. Herein, the hierarchical deterministic algorithm module in the server cluster sends a message, indicating that the validity authentication for the management device and the control request is successful, to the IoT platform in the server cluster. After receiving this message, the IoT platform acknowledges that the management device may be authorized to control the IoT device. The server cluster then controls the IoT platform to send a control request of the management device to the IoT device. The IoT device responds to the control command, and then returns a control result to the management device through the IoT platform, wherein the control result is to indicate that the control request has been completed. If it is detected that the device public key of the management device in the control request is different from the standard device public key, the hierarchical deterministic algorithm module in the server cluster acknowledges that the management device is invalid. Herein, the hierarchical deterministic algorithm module in the server cluster sends a message, indicating that the validity authentication for the management device fails, to the IoT platform in the server cluster. After receiving this message, the IoT platform acknowledges not to respond to the operation of the management device to the IoT device.

[0078] In a possible implementation, as shown in FIG. 5, the method for managing an IoT device according to an embodiment of the present disclosure may also include the following steps:

[0079] step 501: receiving a control request sent by the management device;

[0080] step 502: authenticating the validity of the management device according to the control request;

[0081] step 503: sending an authentication result to the IoT platform;

[0082] step 504: acknowledging whether to respond to the control request according to the authentication result, and if responding to the control request, issuing a control command to the IoT device;

[0083] step 505: receiving a responding result sent by the IoT device; and

[0084] step 506: sending the responding result to the management device.

[0085] In summary, with the technical solutions according to the embodiment of the present disclosure, before an administrator operates the IoT device through the management device, the validity of the management device and the hierarchical relationship between the management device and the IoT device to be operated are authenticated, so that the management device operating the IoT device is ensured both to be valid and to have an operating authority for the IoT device, thereby improving the security for the IoT device and the IoT platform.

[0086] In another possible implementation, as shown in FIG. 6, the hierarchical relationship tree corresponding to the method for managing an IoT device according to the embodiment of the present disclosure has three levels, with a level 601 corresponding to the device level of the organization device, a level 602 corresponding to the device level of the management device, and a level 603 corresponding to the device level of the IoT device, wherein the device level of the organization device is higher than the device level of the management device, and the device level of the management device is higher than the device level of the IoT device.

[0087] In another possible implementation, in the method for managing an IoT device according to an embodiment of the present disclosure as shown in FIG. 7, the public-private key pair corresponding to each device is generated by HMAC-SHA512 (a hash algorithm). As shown in FIG. 7, the organization device 701 first generates a root mnemonic using a stochastic algorithm, and then generates a root seed from it, with which the device private key and the chain code of the organization device are in turn generated by HMAC-SHA512. The device private key and chain code of the management device corresponding to the management device 702 are computed from the device private key and chain code of the organization device corresponding to the organization device 701 by HMAC-SHA512. Similarly, the device private key and chain code of the IoT device corresponding to the IoT device 703 are computed from the device private key and chain code of the management device corresponding to the management device 702 by HMAC-SHA512. Among them, the public key corresponding to each device is computed from the private key corresponding to the device.
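The following is an added worked example, not code from the disclosure or from the applicant. It ties together the key derivation of [0087] (root mnemonic, root seed, organization key and chain code, then management and IoT keys via HMAC-SHA512), the join/registration check of [0059] to [0062] (compare the public key in the request with the standard public key stored for the claimed level) and the control check of [0074] to [0077] (target level must be in the manager's device level list before the public key check). Everything the disclosure leaves open is an assumption here: secp256k1 is used to compute a public key from a private key, the mnemonic-to-seed step uses PBKDF2, the HMAC message layout follows the hardened BIP32 convention, the level numbers 601/602/603 come from FIG. 6, and the mnemonic is a constructed sample value.

```python
import hashlib
import hmac

# secp256k1 parameters (assumed curve; the disclosure names only HMAC-SHA512)
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

ORG_LEVEL, MGMT_LEVEL, IOT_LEVEL = 601, 602, 603  # levels of FIG. 6

def _point_add(p1, p2):
    """Affine point addition on secp256k1; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def public_key(priv: int) -> bytes:
    """Compressed public key computed from the private key (double-and-add)."""
    result, addend = None, G
    for bit in bin(priv)[2:][::-1]:
        if bit == "1":
            result = _point_add(result, addend)
        addend = _point_add(addend, addend)
    x, y = result
    return (b"\x02" if y % 2 == 0 else b"\x03") + x.to_bytes(32, "big")

def root_seed(mnemonic: str) -> bytes:
    """Root mnemonic -> root seed; the PBKDF2 step is an assumed choice."""
    return hashlib.pbkdf2_hmac("sha512", mnemonic.encode(), b"mnemonic", 2048)

def organization_key(seed: bytes):
    """Organization device: private key and chain code from the root seed."""
    digest = hmac.new(b"iot hd seed", seed, hashlib.sha512).digest()
    priv = int.from_bytes(digest[:32], "big")
    if not 0 < priv < N:
        raise ValueError("invalid root key; pick another seed")
    return priv, digest[32:]

def child_key(parent_priv: int, parent_chain: bytes, index: int):
    """Child private key and chain code from the parent's key and chain code
    (hardened BIP32-style message layout, an assumption)."""
    msg = b"\x00" + parent_priv.to_bytes(32, "big") + index.to_bytes(4, "big")
    digest = hmac.new(parent_chain, msg, hashlib.sha512).digest()
    left = int.from_bytes(digest[:32], "big")
    child = (left + parent_priv) % N
    if left >= N or child == 0:
        raise ValueError("invalid child key; use the next index")
    return child, digest[32:]

def build_tree(mnemonic: str):
    """Derive organization -> management -> IoT keys, plus the server's table
    of standard public keys and device level lists per level."""
    org_priv, org_chain = organization_key(root_seed(mnemonic))
    mgmt_priv, mgmt_chain = child_key(org_priv, org_chain, 0)
    iot_priv, _ = child_key(mgmt_priv, mgmt_chain, 0)
    keys = {ORG_LEVEL: org_priv, MGMT_LEVEL: mgmt_priv, IOT_LEVEL: iot_priv}
    standard = {level: public_key(k) for level, k in keys.items()}
    level_lists = {ORG_LEVEL: [MGMT_LEVEL, IOT_LEVEL],
                   MGMT_LEVEL: [IOT_LEVEL], IOT_LEVEL: []}
    return keys, standard, level_lists

def authenticate(standard, device_pub: bytes, device_level: int) -> bool:
    """Join/registration check: the public key in the request must equal the
    standard public key stored for the claimed level; no private key is sent."""
    expected = standard.get(device_level)
    return expected is not None and hmac.compare_digest(expected, device_pub)

def authorize_control(standard, level_lists, mgmt_pub, mgmt_level, iot_level):
    """Control request: the target level must be in the manager's device level
    list, and then the manager passes the same public key check."""
    if iot_level not in level_lists.get(mgmt_level, []):
        return False
    return authenticate(standard, mgmt_pub, mgmt_level)

if __name__ == "__main__":
    keys, standard, lists = build_tree("constructed demo mnemonic")  # constructed
    iot_pub, mgmt_pub = public_key(keys[IOT_LEVEL]), public_key(keys[MGMT_LEVEL])
    print("IoT join:", authenticate(standard, iot_pub, IOT_LEVEL))
    print("IoT key at wrong level:", authenticate(standard, iot_pub, MGMT_LEVEL))
    print("manager controls IoT:", authorize_control(standard, lists, mgmt_pub, MGMT_LEVEL, IOT_LEVEL))
    print("manager controls org:", authorize_control(standard, lists, mgmt_pub, MGMT_LEVEL, ORG_LEVEL))
```

The per-level table returned by `build_tree` stands in for the database the hierarchical deterministic algorithm module maintains; `authenticate` is the same check for the join request of an IoT device and the registration request of a management device, and `authorize_control` performs the device level list check before it. As on the page, these checks compare public keys only; pairing them with a signature over a server-chosen nonce is the usual way to also show that the requester holds the corresponding private key.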

[0088] Hereinafter described are apparatus embodiments of the present disclosure, which may be used to implement the method embodiments of the present disclosure. For details not disclosed in the apparatus embodiments of the present disclosure, a reference may be made to the method embodiments of the present disclosure.

[0089] Referring to FIG. 8, a block diagram of an apparatus 800 for managing an IoT device according to an embodiment of the present disclosure is illustrated. The apparatus 800 has the capability of implementing the method embodiments described above, and this capability may be implemented either by hardware or by corresponding software being executed by the hardware. The apparatus 800 may be the server described above. The apparatus 800 may include: a join requesting module 801, a standard computing module 802, a relationship detecting module 803 and an acknowledgment control module 804.

[0090] The join requesting module 801 is configured to receive a join request sent by an IoT device, wherein the join request is to request to join an IoT platform, and the join request includes a device public key of the IoT device and a device level of the IoT device, wherein the device level of the IoT device refers to a level of the IoT device in a hierarchical relationship tree.

[0091] The standard computing module 802 is configured to determine a standard device public key of the IoT device according to the device level of the IoT device, wherein the standard device public key of the IoT device refers to an authentication public key generated for the IoT device at a validity authentication stage of the IoT device.

[0092] The relationship detecting module 803 is configured to detect whether the device public key of the IoT device carried in the join request is the same as the standard device public key of the IoT device.

[0093] The acknowledgment control module 804 is configured to, if the device public key of the IoT device carried in the join request is the same as the standard device public key of the IoT device, acknowledge that the IoT device is valid, and control the IoT device to join the IoT platform.

[0094] Alternatively, as shown in FIG. 9, the apparatus 800 further includes: an identifier requesting module 805, an identifier generating module 806 and an identifier sending module 807. The identifier requesting module 805 is configured to receive a join identifier acquisition request sent by the IoT device, wherein the join identifier acquisition request is to request to acquire a join identifier corresponding to the IoT device, and the join identifier includes a device private key of the IoT device and a device public key of the IoT device. The identifier generating module 806 is configured to generate the device private key of the IoT device according to the join identifier acquisition request; and the identifier generating module 806 is further configured to generate the device public key of the IoT device according to the device private key of the IoT device. The identifier sending module 807 is configured to send the device private key of the IoT device and the device public key of the IoT device to the IoT device.

[0095] Illustratively, as shown in FIG. 9, the identifier generating module 806 is further configured to: acquire the device private key of the management device according to the join identifier acquisition request; and generate the device private key of the IoT device according to the device private key of the management device.

[0096] Alternatively, as shown in FIG. 9, the apparatus 800 further includes: a registration requesting module 808. The registration requesting module 808 is configured to receive a registration request sent by the management device, wherein the registration request is to request to register the management device in the IoT platform, and the registration request includes a device public key of the management device and a device level of the management device, wherein the device level of the management device refers to a level of the management device in the hierarchical relationship tree. The standard computing module 802 is further configured to determine a standard device public key of the management device according to the device level of the management device, wherein the standard device public key of the management device refers to an authentication public key generated for the management device at a validity authentication stage of the management device. The relationship detecting module 803 is further configured to detect whether the device public key of the management device carried in the registration request is the same as the standard device public key of the management device. The acknowledgment control module 804 is further configured to, if the device public key of the management device carried in the registration request is the same as the standard device public key of the management device, acknowledge that the management device is valid, and register the management device in the IoT platform.

[0097] Alternatively, as shown in FIG. 9, the apparatus 800 further includes: an identifier requesting module 805, an identifier generating module 806 and an identifier sending module 807. The identifier requesting module 805 is configured to receive a registration identifier acquisition request sent by the management device, wherein the registration identifier acquisition request is to request to acquire a registration identifier corresponding to the management device, and the registration identifier includes a device private key of the management device and a device public key of the management device. The identifier generating module 806 is configured to generate the device private key of the management device according to the registration identifier acquisition request, wherein the identifier generating module 806 is further configured to generate the device public key of the management device according to the device private key of the management device. The identifier sending module 807 is configured to send the device private key of the management device and the device public key of the management device to the management device.

[0098] Illustratively, as shown in FIG. 9, the identifier generating module 806 is further configured to: acquire the device private key of the organization device according to the registration identifier acquisition request; and generate the device private key of the management device according to the device private key of the organization device.

[0099] Alternatively, as shown in FIG. 9, the apparatus 800 further includes: a control requesting module 809. The control requesting module 809 is configured to receive a control request sent by the management device, wherein the control request is to request to control the IoT device, the control request includes the device public key of the management device, the device level of the management device and the device level of the IoT device, and the device level of the management device refers to the level of the management device in the hierarchical relationship tree. The standard computing module 802 is further configured to compute the standard device public key and a device level list for the management device according to the device level of the management device, wherein the device level list refers to a list consisting of the level of the IoT device managed by the management device in the hierarchical relationship tree. The relationship detecting module 803 is further configured to, if the device level of the IoT device is in the device level list, detect whether the device public key of the management device carried in the control request is the same as the standard device public key of the management device. The acknowledgment control module 804 is further configured to, if the device public key of the management device carried in the control request is the same as the standard device public key of the management device, acknowledge that the management device is valid, and allow the management device to control the IoT device.

[00100] In summary, with the technical solutions according to the embodiments of the present disclosure, after receiving the join request for joining the IoT platform sent by the IoT device, the hierarchical deterministic algorithm module in the server cluster authenticates the validity of the IoT device according to the device public key and device level of the IoT device carried in the join request; and if the validity authentication is successful, the server cluster controls the IoT device to join the IoT platform. With the technical solutions according to the embodiments of the present disclosure, the validity of the IoT device is first authenticated before the IoT device joins the IoT platform, and the device private key corresponding to the IoT device may not be revealed during validity authentication, thereby improving the security for the IoT device and the IoT platform.

[00101] It should be noted that the apparatus according to the above embodiments only takes division of all the functional modules as an example for explanation. In practice, the above functions may be implemented by the different functional modules as required. That is, the internal structure of the apparatus is divided into different functional modules to implement all or part of the functions described above. In addition, the apparatus according to the above embodiments is based on the same inventive concept as the method according to the above embodiment. For the specific implementation process of the device, reference may be made to the method embodiment, which is not repeated herein.

[00102] FIG. 10 shows a structural block of a server according to an embodiment of the present disclosure. The server cluster formed by the servers may be used to perform the method for managing an IoT device according to the above embodiments. For example, the server may be the server in the application environment shown in FIG. 1.

[00103] Specifically, the server 1000 includes a processing unit 1001 (such as a central processing unit (CPU), a graphics processing unit (GPU) and a field programmable gate array (FPGA)), a system memory 1004 including a random access memory (RAM) 1002 and a read-only memory (ROM) 1003, and a system bus 1005 connecting the system memory 1004 and the central processing unit 1001. The server 1000 further includes a basic input/output system (I/O system) 1006 which helps transmit information between various components within the server, and a high-capacity storage device 1007 for storing an operating system 1013, an application 1014 and other program modules 1015.

[00104] The basic input/output system 1006 includes a display 1008 for displaying information and an input device 1009, such as a mouse and a keyboard, for inputting information by the user. Both the display 1008 and the input device 1009 are connected to the central processing unit 1001 through an input/output controller 1010 connected to the system bus 1005. The basic input/output system 1006 may also include the input/output controller 1010 for receiving and processing input from a plurality of other devices, such as the keyboard, the mouse, or an electronic stylus. Similarly, the input/output controller 1010 further provides output to the display, a printer or other types of output devices.

[00105] The high-capacity storage device 1007 is connected to the central processing unit 1001 through a high-capacity storage controller (not shown) connected to the system bus 1005. The high-capacity storage device 1007 and a server-readable medium associated therewith provide nonvolatile storage for the server 1000. That is, the high-capacity storage device 1007 may include the server-readable medium (not shown), such as a hard disk or a CD-ROM drive.

[00106] Without loss of generality, the server-readable medium may include a server storage medium and a communication medium. The server storage medium includes volatile and nonvolatile, removable and non-removable media implemented in any method or technology for storage of information such as a server-readable instruction, a data structure, a program module or other data. The server storage medium includes a RAM, a ROM, an erasable programmable ROM (EPROM), an electrically erasable programmable ROM (EEPROM), a flash memory or other solid-state storage technologies; a CD-ROM, DVD or other optical storage; and a tape cartridge, a magnetic tape, a disk storage or other magnetic storage devices. Of course, it may be known by a person skilled in the art that the server storage medium is not limited to the above. The above system memory 1004 and the high-capacity storage device 1007 may be collectively referred to as the memory.

[00107] According to the embodiment of the present disclosure, the server 1000 may also be run through a remote server connected to a network, such as the Internet. That is, the server 1000 may be connected to the network 1012 by a network interface unit 1011 connected to the system bus 1005, or may be connected to other types of networks or remote server systems (not shown) with the network interface unit 1011.

[00108] The memory includes at least one instruction, at least one program, a code set, or an instruction set stored therein. The at least one instruction, the at least one program, the code set, or the instruction set are stored in the memory and are configured to be executed by one or more processors to perform the method for managing an IoT device.

[00109] An embodiment of the present disclosure provides a computer-readable storage medium storing at least one instruction, at least one program, a code set, or an instruction set. The at least one instruction, the at least one program, the code set, or the instruction set may be executed by a processor to perform the method for managing an IoT device.

[00110] An embodiment of the present disclosure provides a computer program product. When the computer program product is executed by a processor, the method for managing an IoT device may be performed.

[00111] It should be understood that the term "and/or" only describes an association relationship between associated objects and indicates that there may be three relationships. For example, A and/or B may indicate that there are three cases where A exists separately, A and B exist at the same time, and B exists separately. In addition, the character "/" herein generally indicates that an "or" relationship exists between contextual objects.

[00112] Described above are merely exemplary embodiments of the present disclosure, and are not intended to limit the present disclosure. Within the spirit and principles of the disclosure, any modifications, equivalent substitutions, or improvements are within the protection scope of the present disclosure.