Embodiment
To make the objectives, technical solutions and advantages of the present invention clearer, the embodiments of the present invention are described below in further detail with reference to the accompanying drawings.
Before introducing the home network device management method provided by the invention, a brief introduction to the basic concepts underlying the present invention is given:
UPnP defines two kinds of logical entity, CP (Control Point) and Device (UPnP device): a CP uses the UPnP protocol to communicate with and control devices in the UPnP standard; CPs do not control one another directly through the UPnP protocol, nor do devices control one another.
Similarly, the IGRS protocol also defines two logical entities, client and device, whose behaviour is similar to that of the CP and the device in UPnP. This framework achieves a distributed network: there may be multiple CPs/clients and multiple devices in the home network, and there is no concept of a control-centre device.
Fig. 1 is a flow chart of a security initialization method for a home network device provided by an embodiment of the present invention. The method can be applied in UPnP or IGRS; the present embodiment is described for the UPnP standard, under which the executing entity is the control device, specifically the control point. Referring to Fig. 1, the method comprises:
101, the control point and the home network device perform mutual authentication;
In the present embodiment, during the mutual authentication between the control point and the home network device, the authentication information may comprise the PIN code or administrator account information of the home network device. The control device (the control point) feeds the authentication information back to the home network device, so that the home network device authenticates the control point according to the authentication information and returns an authentication result, and the control point then authenticates the home network device according to the authentication result. This authentication process is prior art and is not repeated here. In addition, those skilled in the art will appreciate that the control point obtains the authentication information by receiving the PIN code or administrator account information of the home network device entered by the user.
102, after the mutual authentication is passed, the control device receives a first certificate and a second certificate sent by the master device, the first certificate being generated by the master device according to the public key of the home network device and the signature information of the master device, and the second certificate being the certificate of the master device;
Those skilled in the art will appreciate that the control point can obtain the device information of the home network device and, after the mutual authentication is passed, send this device information to the master device of the device group. The device information comprises at least one of the following: device identifier, public key, device serial number, UUID, manufacturer identifier and date of production.
The device information may or may not include the public key. When the home network device is capable of generating a public key, it generates a public key/private key pair on receiving the IGRS command from the control point, includes the public key in the device information sent to the control point, and the control point forwards it to the master device of the device group. When the home network device is not capable of generating a public key, the device information does not include a public key; instead the control point and the master device establish a secure channel (for example TLS (Transport Layer Security)), the master device generates a public key/private key pair and sends the private key to the control point through the secure channel, and the control point sends this private key to the home network device.
103, the control point sends the first certificate and the second certificate to the home network device, so that the home network device uses the first certificate and the second certificate to join the device group where the master device is located, and uses the first certificate and the second certificate to communicate with the devices in the device group.
Fig. 2 is a flow chart of a security initialization method for a home network device provided by an embodiment of the present invention. The method can be applied in UPnP or IGRS; the present embodiment is described for the IGRS standard, under which the executing entity is the master device. Referring to Fig. 2, the method comprises:
201, the master device and the home network device perform mutual authentication;
202, after the mutual authentication is passed, the master device sends a first certificate and a second certificate to the home network device, so that the home network device uses the first certificate and the second certificate to join the device group where the master device is located, and uses the first certificate and the second certificate to communicate with the devices in the device group; the first certificate is generated according to the public key of the home network device and the signature information of the master device; the second certificate is the certificate of the master device.
Fig. 3 is a flow chart of a security initialization method for a home network device provided by an embodiment of the present invention. The method can be applied in UPnP or IGRS, and the executing entity of this embodiment is the home network device. Referring to Fig. 3, the control device is either the control point or the master device of the device group, and the method comprises:
301, the home network device and the control device perform mutual authentication;
302, after the mutual authentication is passed, the home network device receives a first certificate and a second certificate from the control device, uses the first certificate and the second certificate to join the device group, and uses the first certificate and the second certificate to communicate with the devices in the device group; the first certificate is generated according to the public key of the home network device and the signature information of the master device; the second certificate is the certificate of the master device.
In the present embodiment, when the home network device communicates with other devices in the network whose certificates were issued by the same master device, it can use the stored certificate information of the master device to verify the certificates of those devices, so that all devices holding certificates issued by the master device can trust each other directly. Specifically, the certificate information of the master device stored by the home network device may contain the public key of the master device; when the home network device connects to another device (for example over TLS) and obtains the peer's certificate, it can use this public key to verify the signature information of the peer's certificate and thereby learn that the peer's certificate was also issued by the master device. The other devices can authenticate this new device in the same way.
Because the home network device and the master device authenticate each other and the device joins the device group to establish a trust relationship, and the master device issues the home network device a certificate for authentication, all subsequent interactions between the master device and this home network device, and between this home network device and the other devices in the group, use certificates issued by the master device to ensure security. Since the certificates of the slave devices are all issued by the master device, when this home network device communicates with a device in the device group the trust relationship is established by verifying the certificate issued by the master device; this process requires no further user participation and no complex mutual authentication using device information between the home network device and the devices in the device group, which simplifies the interaction between devices.
Fig. 4 is a flow chart of a home network device management method provided by an embodiment of the present invention. In the present embodiment, the description uses the case where the application environment is UPnP only and the executing entity is the control point. This home network comprises a device group consisting of a control point, a master device and multiple slave devices, and a new home network device is joining this network. Referring to Fig. 4, the method comprises:
401: the home network device comes online and sends an SSDP alive multicast message carrying the UUID (Universally Unique Identifier) of the home network device;
In the present embodiment, the home network device sends an SSDP alive multicast message in the home network; this message is a device online message, used to notify the control point that the home network device has come online.
402: when the control point receives the SSDP alive multicast message, it judges from the UUID carried in the SSDP alive multicast message whether this home network device has already joined the home network;
If not, step 403 is performed;
If so, the process ends.
In the present embodiment, the control point stores a list of devices that have joined the home network; the list may comprise the UUID, device name, etc. of each device. Specifically, step 402 comprises: judging whether the device list of the control point contains this UUID; if so, the home network device is already registered at the control point and is an existing device in the home network; if not, the home network device has not joined the home network and is a newly joined device.
403: when the home network device has not joined the home network, the control point sends an IGRS control command to the home network device;
Optionally, this IGRS control command is an HTTP POST message, and the IGRS control command carries administrator account information.
404: the home network device returns a response refusing the command request to the control point, the response carrying the home network device authentication information;
In the present embodiment, because no trust relationship has yet been established between the home network device and the control point, the home network device returns a response refusing the command request;
For example, this response can be "401 Unauthorized", and optionally the response carries the following information: random value RAND, challenge value CHAL, device authentication information AUTN, session key resource SKEY, algorithm set ALGO and authentication information type TYPE.
After the CP receives the above response, it can, according to the algorithm set indicated in the response, first check whether the AUTN value of the home network device is correct using RAND and the obtained PIN/ADMIN value; then use the CHAL in the above message and the obtained PIN/ADMIN of the home network device to calculate the authentication result RES, and send the control command again carrying the authentication result RES. In addition, the CP also needs to use the SKEY in the response to calculate the keys EKey and IKey used subsequently in this session. EKey is used by the CP and the home network device to encrypt communication data after authentication passes, and IKey is used for integrity protection of the communication data between the CP and the home network device after this step.
The information carried in this response is specifically used as follows:
1) Random value RAND: the home network device uses this random value together with the PIN code/administrator account information to calculate and generate the home network device authentication information. After the CP learns the device's PIN code/administrator account information, it applies an algorithm from the algorithm set to this random value and the device's PIN code/administrator account information to obtain the authentication information of the home network device, and authenticates the home network device according to this authentication information.
2) Challenge value CHAL: this challenge value is a random number with which the home network device authenticates the CP. The CP uses this challenge value and the PIN code/administrator account information of the home network device to calculate the client authentication information, and carries it when resending the control command to the home network device.
3) Home network device authentication information AUTN: the home network device uses RAND and the PIN code/administrator account information to calculate this home network device authentication information AUTN. After the CP learns the device's PIN code/administrator account information, it can authenticate the home network device by calculating with RAND: the CP calculates the AUTN value and compares it with the received AUTN value; if they are consistent, the home network device passes authentication.
4) Session key resource SKEY: information for protecting the communication between the CP and the home network device from being intercepted and decoded by a third party. It comprises the material SKEY1 for calculating the encryption key and the material SKEY2 for calculating the message integrity key, and is the resource from which the home network device and the CP calculate the keys for this session (encryption key EKey, message integrity key IKey).
5) Algorithm set ALGO: the algorithm set indicates the method for calculating the authentication information and the algorithm for session encryption. For example, message authentication mechanisms such as MAC or HMAC, hashing algorithms such as MD5, SHA1 or SHA256, or data encryption algorithms such as AES or 3DES may be used.
6) Authentication information type TYPE: used to distinguish the kind of authentication information, which may be a PIN code, an administrator account or other information; the value of this authentication information type may be "PIN" or "ADMIN". In practice, the home network device decides which value to use to authenticate the client according to its own factory configuration. The PIN or Admin account information can be displayed on the screen of the home network device during the authentication process, or the user finds this information on a label on the physical device; after reading the data, the user enters it in the UI (User Interface) of the client, which may be a display screen.
In addition, the home network device also needs to calculate and store the session keys used later, and the check code (XRES) for verifying whether the authentication information returned by the CP is correct. In practice, this step may also be performed after the CP's reply has been received.
405: the control point receives the response, authenticates the home network device according to the response, and when the authentication passes sends a command request message to the home network device, the command request message carrying authentication success information;
In the present embodiment, the authentication success information comprises the PIN code or administrator information of the home network device. Specifically, when the home network device joins the network, the user can enter the PIN code of this home network device at the interface provided by the control point so that the home network device is brought under management, or the user can enter administrator user information at the interface provided by the control point; after the authentication calculation, the home network device is notified that this control point is a legitimate control device in the network.
By way of illustration, the method of performing authentication according to the above response and the authentication information returned by the CP can be as follows:
When the CP receives the response, it performs the calculation on the random value according to the algorithm specified in the response; if the calculated AUTN is consistent with the one obtained in the response, the home network device can be considered trustworthy, that is, device authentication passes, and the CP returns the authentication result RES to the home network device so that the home network device can authenticate the control point.
EKey=SHA1(SKEY1||PIN)
IKey=SHA1(SKEY2||PIN)
Those skilled in the art will appreciate that SHA1 is a hash algorithm, and || denotes concatenation of the values SKEY1 and PIN.
406: when the home network device receives the command request message, it authenticates the control point according to the authentication success information carried in the command request message, and when the authentication passes feeds back authentication success information to the control point;
Specifically, after receiving the authentication success information, the home network device performs a calculation with a preset algorithm according to the authentication success information, computes XRES (or uses the XRES computed earlier) and compares it with the RES value carried in the message; if the two are identical, the control point is considered trustworthy, that is, the control point passes authentication. The home network device returns the response message for this command to the control point. At this point the control point and the home network device have achieved mutual trust, and the home network device fully accepts the control of the control point. Subsequent session traffic is encrypted with the EKey known to both sides, and message integrity is verified with IKey.
Steps 401 to 406 above are the mutual authentication process between the home network device and the control point, through which a trust relationship is established between them. It should be noted that the algorithms in this authentication process and the interaction between the home network device and the control point are prior art and are not repeated here.
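The challenge-response exchange of steps 404 to 406, as an added example that is not part of the patent text: both sides are modelled in one Go program, the key derivation EKey = SHA1(SKEY1||PIN), IKey = SHA1(SKEY2||PIN) follows the page, while the use of HMAC-SHA256 keyed with the PIN for AUTN and RES, the 16-byte field sizes and the sample PIN are assumptions, since the page only says ALGO names a MAC/HMAC or hash algorithm.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Response models the "401 Unauthorized" payload the device returns in step 404.
type Response struct {
	RAND  []byte // device nonce; AUTN is computed over it
	CHAL  []byte // challenge the CP must answer with RES
	AUTN  []byte // device authentication information = MAC(PIN, RAND)
	SKEY1 []byte // material for the encryption key EKey
	SKEY2 []byte // material for the integrity key IKey
	ALGO  string // algorithm set indicated to the CP
	TYPE  string // "PIN" or "ADMIN"
}

// DeviceState is what the device keeps between step 404 and step 406.
type DeviceState struct {
	XRES []byte // expected authentication result from the CP
	EKey []byte // session encryption key
	IKey []byte // session integrity key
}

// mac is the assumed authentication function from the algorithm set:
// HMAC-SHA256 keyed with the PIN/administrator secret (an assumption; the
// page only says ALGO names a MAC/HMAC or hash algorithm).
func mac(secret string, data []byte) []byte {
	m := hmac.New(sha256.New, []byte(secret))
	m.Write(data)
	return m.Sum(nil)
}

// deriveKeys implements the page's key derivation:
// EKey = SHA1(SKEY1 || PIN), IKey = SHA1(SKEY2 || PIN), where || is concatenation.
func deriveKeys(skey1, skey2 []byte, pin string) (ekey, ikey []byte) {
	e := sha1.Sum(append(append([]byte{}, skey1...), pin...))
	i := sha1.Sum(append(append([]byte{}, skey2...), pin...))
	return e[:], i[:]
}

func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// DeviceChallenge is step 404: the device refuses the command and returns
// RAND, CHAL, AUTN, SKEY, ALGO and TYPE. It also precomputes XRES and the
// session keys it will need in step 406.
func DeviceChallenge(pin string) (Response, DeviceState) {
	r := Response{
		RAND: randBytes(16), CHAL: randBytes(16),
		SKEY1: randBytes(16), SKEY2: randBytes(16),
		ALGO: "HMAC-SHA256", TYPE: "PIN",
	}
	r.AUTN = mac(pin, r.RAND)
	ekey, ikey := deriveKeys(r.SKEY1, r.SKEY2, pin)
	return r, DeviceState{XRES: mac(pin, r.CHAL), EKey: ekey, IKey: ikey}
}

// ControlPointAnswer is step 405: the CP recomputes AUTN from RAND and the
// PIN the user entered; only if it matches does it answer CHAL with RES and
// derive EKey/IKey. ok=false means the device failed authentication.
func ControlPointAnswer(r Response, pin string) (res, ekey, ikey []byte, ok bool) {
	if !hmac.Equal(mac(pin, r.RAND), r.AUTN) {
		return nil, nil, nil, false
	}
	ekey, ikey = deriveKeys(r.SKEY1, r.SKEY2, pin)
	return mac(pin, r.CHAL), ekey, ikey, true
}

// DeviceVerify is step 406: the device compares the CP's RES with its XRES
// in constant time; on a match the CP is trusted.
func DeviceVerify(st DeviceState, res []byte) bool {
	return hmac.Equal(st.XRES, res)
}

func main() {
	const pin = "4711" // constructed sample PIN
	resp, dev := DeviceChallenge(pin)
	res, ekey, _, ok := ControlPointAnswer(resp, pin)
	fmt.Println("CP authenticated device:", ok)
	fmt.Println("device authenticated CP:", DeviceVerify(dev, res))
	fmt.Println("shared EKey:", hex.EncodeToString(ekey))
	_, _, _, bad := ControlPointAnswer(resp, "0000")
	fmt.Println("CP with wrong PIN authenticated device:", bad)
}
```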
407: when the control point receives the authentication success information fed back by the home network device, the control point notifies the home network device to generate a public key/private key pair and sends a group announcement message to the home network device;
The group announcement message carries the device group information and the master device information of this device group; the home network device can join the device group according to the device group information and master device information provided by the control point. The device group information and the master device information of the device group may also be carried separately by a group announcement message and a master device announcement message, in which case sending the group announcement message to the home network device in step 407 may further comprise: sending a master device announcement message to the home network device.
408: the home network device sends the public key to the control point;
After receiving the public key, the control point can send an SSDP Search multicast message to discover the master device and establish a secure channel with it; subsequent interactions between the control point and the master device can be transmitted through this secure channel.
In the present embodiment, the public key is carried in the device information, which comprises at least one of the following: device identifier, public key, device serial number, UUID, manufacturer identifier and date of production.
409: the control point receives the public key and forwards it to the master device;
In the present embodiment, the control point, as the control device in the home network, can forward information between the home network device and the master device after the mutual authentication with the home network device has passed.
410: the master device receives the public key, generates a first certificate according to the public key of the home network device and the signature information of the master device, and sends the first certificate and the second certificate to the control point;
Those skilled in the art will appreciate that the public key and the signature information of the master device are the necessary components for generating the first certificate; device information such as the device identifier, device serial number, UUID, manufacturer identifier or date of production may also take part in the generation process.
411: the control point receives the first certificate and the second certificate and forwards them to the home network device;
Steps 407-411 above are the process by which the master device generates the first certificate and issues it to the home network device. In the present embodiment the home network device is capable of generating a public key and private key, so the key pair is generated by the home network device. In another embodiment, where the home network device is not capable of generating a public key and private key, the key pair can be generated by the master device: the master device generates the first certificate according to the public key of the home network device and the signature information of the master device, sends the first certificate, the private key and the second certificate to the control point, and the control point forwards this information to the home network device. Specifically, the control point establishes a secure channel with the master device of the device group; the master device generates the public key and private key, generates the first certificate according to the public key of the home network device and the signature information of the master device, and sends the first certificate, the second certificate and the private key to the control point through the secure channel; the control point forwards the first certificate, the second certificate and the private key to the home network device, which stores them for use in subsequent communication with other devices.
It should be noted that whichever of the above schemes is used, the first certificate is issued by the master device, that is, the first certificate carries the signature information of the master device; those skilled in the art will appreciate that this signature information is the master device's signature over the certificate using its own private key. The first certificate is subsequently used by the home network device whenever it communicates securely with any device in the device group.
412: the home network device uses the first certificate and the second certificate to join the device group where the master device is located;
During the authentication process, the control point notifies the home network device of the device group and the master device information of the device group, where the device group is identified by a group ID.
Specifically, the home network device joining the device group comprises: establishing a secure connection with the master device using the first certificate, and sending a request to join the device group of the master device to the master device through the secure connection, so that the master device authenticates the home network device using the second certificate, and, when the authentication passes, receiving the response to join the device group sent by the master device.
The specific steps are:
1) the home network device receives the group announcement message of the master device and checks the group ID in this group announcement message against the group ID received during the authentication process, to verify that it is consistent with the one specified by the control point.
2) the home network device establishes a secure channel (for example TLS) to the master device; the certificate exchange is completed during the establishment of the secure channel, that is, the home network device sends the first certificate to the master device and receives the second certificate sent by the master device. The home network device can authenticate the identity of the master device by comparing the second certificate it receives with the second certificate forwarded earlier by the control device;
3) the home network device sends a request to join the device group to the master device;
4) the master device authenticates the home network device according to the second certificate, that is, the public key of the second certificate can be used to verify the signature information in the first certificate that the master device generated with its private key, identifying that the certificate of the home network device was signed and issued by the master device;
5) when the home network device passes authentication, the master device returns the response to this message, indicating that the home network device has successfully joined the device group.
It should be noted that after the home network device joins the device group, the master device obtains control over the home network device; those skilled in the art will appreciate that after obtaining control over the home network device, the master device issues initial configuration information to the home network device;
413: when the home network device communicates with a slave device in the device group, it verifies the slave device using the first certificate and the second certificate, and when the verification passes, establishes a trust relationship with the slave device.
Specifically, the first certificate of the slave device is verified using the first certificate; when the signature information in the slave device's first certificate is consistent with that in the first certificate, the slave device's first certificate was issued by the master device and the verification passes.
The home network device and the slave device obtain each other's certificate by connecting over a secure channel (for example TLS) and verify the signature information of the peer's certificate, thereby learning that the peer's certificate was also issued by the master device; the other devices can authenticate this home network device in the same way.
Because the home network device and the control point authenticate each other and the device joins the device group to establish a trust relationship, and the master device of the device group issues the home network device a certificate for authentication, all subsequent interactions between the master device and this home network device, and between this home network device and the other devices in the group, use certificates issued by the master device to ensure security. Since the certificates of the slave devices are all issued by the master device, when this home network device communicates with a device in the device group the trust relationship is established by verifying the certificate issued by the master device; this process requires no further user participation and no complex mutual authentication using device information between the home network device and the devices in the device group, which simplifies the interaction between devices.
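The certificate issuance of step 410 and the checks of step 412 (sub-steps 2 and 4) and step 413, as an added Go example that is not part of the patent text: the master device signs the device's public key into the "first certificate", and a peer validates it against the stored "second certificate". The use of X.509 with Ed25519 keys, the validity periods, the serial numbers and the constructed UUID are assumptions; the page only says the first certificate binds the device's public key and device information under the master's signature.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Master is the device group's master device: it holds the signing key and
// its own certificate, which the page calls the "second certificate".
type Master struct {
	priv ed25519.PrivateKey
	Cert *x509.Certificate
}

// NewMaster creates a master device with a self-signed CA certificate (assumed form).
func NewMaster(name string) (*Master, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &Master{priv: priv, Cert: cert}, nil
}

// NewDeviceKeyPair is what the home network device does in step 407 when it
// can generate its own key pair.
func NewDeviceKeyPair() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// IssueFirstCert is step 410: the master binds the device's public key and
// device information (UUID as subject, a serial number) into a certificate
// signed with its private key, the "first certificate".
func (m *Master) IssueFirstCert(devicePub ed25519.PublicKey, uuid string, serial int64) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: uuid},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, m.Cert, devicePub, m.priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// SameCert is the check of step 412 sub-step 2): the second certificate the
// master presents during TLS setup must equal the one the control point forwarded.
func SameCert(a, b *x509.Certificate) bool {
	return bytes.Equal(a.Raw, b.Raw)
}

// VerifyPeer is the check of step 412 sub-step 4) and step 413: a peer's first
// certificate is validated against the stored second certificate, i.e. it must
// carry the master's signature and be within its validity period.
func VerifyPeer(peerFirst, storedSecond *x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(storedSecond)
	_, err := peerFirst.Verify(x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
	})
	return err
}

func main() { // errors ignored here for brevity only
	master, _ := NewMaster("home-master")
	other, _ := NewMaster("other-group-master") // a master of a different group
	devPub, _, _ := NewDeviceKeyPair()
	first, _ := master.IssueFirstCert(devPub, "uuid-of-new-device", 2) // constructed UUID
	fmt.Println("peer accepts device's first certificate:", VerifyPeer(first, master.Cert) == nil)
	fmt.Println("accepted against another master's certificate:", VerifyPeer(first, other.Cert) == nil)
}
```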
Fig. 5 is a flow chart of a home network device management method provided by an embodiment of the present invention. In the present embodiment, the description uses the case where the application environment is the IGRS protocol only and the executing entity is the master device. This home network comprises a device group consisting of a master device and multiple slave devices, and a new home network device is joining this network. Referring to Fig. 5, the method comprises:
501: the home network device comes online and sends an SSDP alive multicast message carrying the UUID of the home network device;
After the home network device comes online, the user can enter the PIN code or administrator account information so that the master device can authenticate the new device with this information. The detailed process of this step is similar to step 201 and is not repeated.
502: the home network device and the master device perform mutual authentication;
This mutual authentication process is similar to steps 401 to 406 and is not repeated here.
503: when the mutual authentication passes, the master device notifies the home network device to generate a public key/private key pair and sends a group announcement message to the home network device;
504: the home network device sends the public key to the master device;
505: the master device receives the public key, generates a first certificate according to the public key of the home network device and the signature information of the master device, and sends the first certificate and the second certificate to the home network device;
In the present embodiment the home network device is capable of generating a public key and private key, so the key pair is generated by the home network device. In another embodiment, where the home network device is not capable of generating a public key and private key, the key pair can be generated by the master device: the master device generates the first certificate according to the public key of the home network device and the signature information of the master device, and sends the first certificate, the private key and the second certificate to the home network device.
506: the home network device joins the device group.
This step is similar to step 412 and is not repeated here.
The difference between this embodiment and the embodiment shown in Fig. 4 is that the master device in the present embodiment includes the functions of the control point; therefore, in the present embodiment, authentication does not need to be carried out between a control point and the home network device but is carried out by the master device.
Because the home network device and the master device authenticate each other and the device joins the device group to establish a trust relationship, and the master device issues the home network device a certificate for authentication, all subsequent interactions between the master device and this home network device, and between this home network device and the other devices in the group, use certificates issued by the master device to ensure security. Since the certificates of the slave devices are all issued by the master device, when this home network device communicates with a device in the device group the trust relationship is established by verifying the certificate issued by the master device; this process requires no further user participation and no complex mutual authentication using device information between the home network device and the devices in the device group, which simplifies the interaction between devices.
Fig. 6 is the structural representation of a kind of control appliance that the embodiment of the present invention provides.See Fig. 6, this control appliance comprises:
Authentication module 601, for carrying out mutual certification with home network device;
Receiver module 602, for after described mutual certification is passed through, receive First Certificate and second certificate of the transmission of described main equipment, described First Certificate is generated by the signing messages of described main equipment according to the PKI of described home network device and described main equipment, and described second certificate is the certificate of described main equipment;
Sending module 603, for described First Certificate and described second certificate are sent to described home network device, make described home network device use First Certificate and described second certificate to add the equipment group at described main equipment place, and use described First Certificate to communicate with the equipment in described equipment group with described second certificate.
Referring to Fig. 7, the authentication module 601 comprises:
First receiving unit 601a, for receiving a device online notification from the home network device;
First sending unit 601b, for sending the PIN code or administrator account information of the home network device to the home network device, so that the home network device and the control device perform mutual authentication based on the PIN code or administrator account information of the home network device.
Referring to Fig. 8, the control device further comprises:
Acquisition module 604, for acquiring, after the mutual authentication passes, the public key of the public/private key pair generated by the home network device;
The sending module 603 is further configured to send the public key to the master device;
The receiving module 602 is specifically configured to receive the first certificate, which the master device generates from the public key and the signature of the master device, and to receive the second certificate.
In another implementation, the receiving module 602 is specifically configured to receive the first certificate, the second certificate and the private key of the public/private key pair that the master device generates for the home network device, all sent by the master device; the first certificate is generated by the master device from the public key of the home network device and the signature of the master device;
The sending module 603 is then specifically configured to send the first certificate, the second certificate and the private key that the master device generated for the home network device to the home network device.
The control device provided by this embodiment may specifically be the control point of the device group. It shares the same concept as the method embodiment; for its specific implementation, refer to the method embodiment, which is not repeated here.
Fig. 9 is a schematic structural diagram of a control device provided by an embodiment of the present invention. Referring to Fig. 9, the control device comprises:
Authentication module 901, for performing mutual authentication with a home network device;
Sending module 902, for sending, after the mutual authentication passes, a first certificate and a second certificate to the home network device, so that the home network device uses the first certificate and the second certificate to join the device group to which the master device belongs and uses them to communicate with the devices in the device group; the first certificate is generated by the master device from the public key of the home network device and the signature of the master device, and the second certificate is the certificate of the master device.
Referring to Figure 10, the authentication module 901 specifically comprises:
Second receiving unit 901a, for receiving a device online notification from the home network device;
Second sending unit 901b, for sending the PIN code or administrator account information of the home network device to the home network device, so that the home network device and the master device perform mutual authentication based on the PIN code or administrator account information of the home network device.
Referring to Figure 11, the control device further comprises:
Acquisition module 903, for acquiring the public key of the public/private key pair generated by the home network device;
The sending module 902 is specifically configured to send to the home network device the first certificate, which the master device generates from the public key of the home network device and the signature of the master device, and the second certificate.
In another implementation, the sending module 902 is specifically configured to generate a public key and a private key for the home network device and to send the private key, the second certificate and the first certificate to the home network device; the first certificate is generated from the public key of the home network device and the signature of the master device.
Referring to Figure 12, the control device further comprises:
Device group authentication module 904, for authenticating the home network device using the second certificate when the master device receives a request from the home network device to join the device group, and for adding the home network device to the device group after the authentication passes.
The control device provided by this embodiment may specifically be the master device of the device group. It shares the same concept as the method embodiment; for its specific implementation, refer to the method embodiment, which is not repeated here.
Figure 13 is a schematic structural diagram of a home network device provided by an embodiment of the present invention. The control device is a control point or the master device of the device group. Referring to Figure 13, the home network device comprises:
Authentication module 1301, for performing mutual authentication with a control device;
Receiving module 1302, for receiving, after the mutual authentication passes, a first certificate and a second certificate from the control device;
Device group joining module 1303, for joining the device group to which the master device belongs using the first certificate and the second certificate;
Communication module 1304, for communicating with the devices in the device group using the first certificate and the second certificate; the first certificate is generated from the public key of the home network device and the signature of the master device, and the second certificate is the certificate of the master device;
The control device is the master device or a control point.
Referring to Figure 14, the authentication module 1301 comprises:
Third sending unit 1301a, for sending a device online notification to the control device;
Third receiving unit 1301b, for receiving the PIN code or administrator account information returned by the control device, so that the home network device and the control device perform mutual authentication based on the PIN code or administrator account information of the home network device.
Referring to Figure 15, the home network device further comprises:
Sending module 1305, for sending to the control device the public key of the public/private key pair generated by the home network device;
The receiving module 1302 is specifically configured to receive from the control device the first certificate, generated by the master device from the public key of the home network device and the signature of the master device, and to receive the second certificate.
The receiving module 1302 is further configured to receive the first certificate, the second certificate and the private key of the public/private key pair that the master device generates for the home network device, as sent by the control device; the first certificate is generated by the master device from the public key of the home network device and the signature of the master device.
Referring to Figure 16, the device group joining module 1303 comprises:
Secure connection establishing unit 1303a, for establishing a secure connection with the master device using the first certificate;
Joining unit 1303b, for sending, over the secure connection, a request to the master device to join the device group to which the master device belongs, so that the master device authenticates the home network device using the second certificate, and for receiving, when the authentication passes, the response sent by the master device confirming that the home network device has joined the device group.
The communication module 1304 is specifically configured, when communicating with a device in the device group, to perform verification with that device using the first certificate and the second certificate, and to communicate with the device once the verification passes.
The communication module 1304 is specifically configured to verify the first certificate of a device in the device group using the first certificate: the verification passes when the first certificate of the device in the device group is consistent with the signature in the first certificate.
The home network device provided by this embodiment shares the same concept as the method embodiment; for its specific implementation, refer to the method embodiment, which is not repeated here.
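As an added illustration of the certificate relationships in the embodiments above (not code from the patent), the following Go program models the master device issuing a first certificate over a home network device's public key, the master's self-signed second certificate, and the check a group member performs on a peer's first certificate before communicating. Ed25519 is an assumption here; the patent does not name a signature algorithm.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Certificate models the first certificate: a device public key plus the
// master device's signature over it. The second certificate (the master's
// own) has the same shape, self-signed. Ed25519 is an assumption here.
type Certificate struct {
	Subject   ed25519.PublicKey
	Signature []byte
}

// Master is the device group's master device, the scheme's only issuer.
type Master struct {
	priv ed25519.PrivateKey
	Cert Certificate // the second certificate
}

// NewMaster generates the master key pair and its self-signed certificate.
func NewMaster() (*Master, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Master{priv: priv, Cert: Certificate{pub, ed25519.Sign(priv, pub)}}, nil
}

// Issue produces a first certificate for a joining device's own public key.
func (m *Master) Issue(devicePub ed25519.PublicKey) Certificate {
	return Certificate{devicePub, ed25519.Sign(m.priv, devicePub)}
}

// Verify: a group member trusts a peer's first certificate only if the
// master named in its own second certificate signed it.
func Verify(masterCert, peerCert Certificate) error {
	if !ed25519.Verify(masterCert.Subject, peerCert.Subject, peerCert.Signature) {
		return errors.New("first certificate was not issued by this group's master")
	}
	return nil
}

func main() { // constructed demo: one master, one joining device
	m, _ := NewMaster()
	pub, _, _ := ed25519.GenerateKey(rand.Reader)
	fmt.Println("peer check:", Verify(m.Cert, m.Issue(pub)))
}
```

A first certificate issued by a different master fails Verify, which is the property that lets group members skip the PIN-based mutual authentication among themselves.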
One of ordinary skill in the art will appreciate that all or part of the steps of the above embodiments may be implemented by hardware, or by a program instructing the relevant hardware. The program may be stored in a computer-readable storage medium, which may be a read-only memory, a magnetic disk, an optical disc, or the like.
The foregoing is merely a preferred embodiment of the present invention and is not intended to limit the present invention. Any modification, equivalent replacement, improvement or the like made within the spirit and principles of the present invention shall be included within the protection scope of the present invention.