KR20140006755A - Method for authorizing access to resource in m2m communications - Google Patents

Abstract

A method for authorizing access to a resource in M2M communications is disclosed. According to an embodiment of the present invention, an object which intends to access a resource in a M2M service provider domain uses a temporary access token issued by a M2M authentication server (MAS) as an authentication key to access the corresponding resource; and as a result, multiple objects can share information, other objects which are not authorized to access the information are prevented from accessing information, and security risks related to resource data sharing between objects can be prevented. [Reference numerals] (AA) M2M service provider # 1 domain; (BB) M2M service provider # 2 domain; (HH) Select a resource owner corresponding to the resource URI; (KK) Generate/update access authorization; (LL) Generate/update the access authorization resource; (NN) Generate an authorization code; (OO) Issue the authorization code; (PP) Request an access token; (QQ) Generate the access token (check the authorization code); (S310,CC,DD) Client registration; (S320) Search for a service/resource; (S330,GG,II) Authorization request; (S340,JJ) Client verification; (S350,MM) Approve authorization; (S360) (Optional step) Issue an authorization code and request an access token; (S370,RR,SS,UU) Issue the access token; (S380) Access the resource; (TT) Matching (access authorization, access token); (VV) Access the protected resource based on the access token

Description

METHOD FOR AUTHENTICATING ACCESS TO RESOURCE ACCESS IN M2M COMMUNICATIONS

The present invention relates to a method for setting a resource access right in M2M (Machine-to-Machine) communication. More particularly, the present invention relates to a resource access authority setting method for setting access rights of respective entities for a corresponding resource when an entity accesses a resource located on another entity (D / GSCL) in the M2M communication.

The contents described in this section merely provide background information on the present embodiment and do not constitute the prior art.

In general, M2M communication is a technology that enables a variety of communication services by a wireless communication module installed in various machines without human intervention or minimal human intervention, This is a technology that enables a communication service between a device and a device. This M2M technology combines communication and IT technology to merely gather information from various devices, process it as useful information, and provide necessary information in a customized manner. The solution is expanding in scope.

An ongoing M2M standard defines information data managed by M2M terminal, M2M gateway and M2M server as resource data. From the viewpoint of the data information processing, the data collected from the M2M terminal and the M2M gateway are transmitted to the M2M server, and the network application (NA Application) of the M2M service provider is transmitted to the owner The M2M server accesses the resource data of the M2M server according to the policy of the service provider and inquires the information. The standardization of M2M technology does not specifically specify how to set the right to access resource data as an initial step, and is trying to find out how to set these permissions.

The main purpose of this embodiment is to provide a method of setting a right to access a resource so that its own resource data can be shared with other objects among entities in various M2M communication environments.

According to an aspect of the present embodiment, any one of a terminal, a gateway, and an end-user (hereinafter, referred to as a 'client') belonging to the first M2M service provider domain is located at a terminal or gateway of the second M2M service provider domain. In the case of accessing (Resource), the client performs a client registration procedure on the NSCL of the first M2M service provider domain to refer to a M2M Authentication Sever (MAS1) hereinafter of the first M2M service provider domain. Client registration process, wherein the client is assigned with client credentials, the NSCL of the second M2M service provider domain based on the Universal Resource Identifier (URI) information of the resource (hereinafter referred to as 'NSCL2') Granting access to the resource to the resource owner of the resource via Auth Authorization request process for requesting orization, client verification process for the resource owner to verify the client through the MAS1, authorization approval process for the resource owner to approve access authorization to the client, and the The MAS of the second M2M service provider domain (hereinafter referred to as 'MAS2') provides a method for setting resource access rights in M2M communication including an access token issuing process for issuing an access token to the client.

According to another aspect of this embodiment, any one of a terminal, a gateway, or an end-user (hereinafter referred to as a 'client') belonging to the first M2M service provider domain is located at a terminal or gateway of the second M2M service provider domain. In the method for accessing the client, a client registration procedure is performed on an NSCL (hereinafter referred to as 'NSCL1') of the first M2M service provider domain to perform a client from a MAS (hereinafter referred to as 'MAS1') of the first M2M service provider domain. A process of receiving a credential, an authorization request process of requesting the resource owner of the resource to grant access to the resource based on the URI information of the resource, and a MAS belonging to the second M2M service provider domain; Process of issuing an access token from the MAS2 " On the basis of the access token, and provides the client's resources approach in the M2M communication, it characterized in that it comprises the step of accessing the resource.

According to another aspect of the present embodiment, a resource owner owning a resource located at a terminal or a gateway of a first M2M service provider domain may include an entity (any one of a terminal, a gateway, and an end-user belonging to a second M2M service provider domain). In the method for granting access right to the resource of the 'client', receiving the authorization request for the client, MAS (hereinafter referred to as 'MAS2' belonging to the second M2M service provider domain) Verifying the client and granting access authorization to the client to the entity where the resource is located and the MAS belonging to the first M2M service provider domain (hereinafter referred to as 'MAS1'). Characterized in that, a method for granting access rights to resources of the client in M2M communication Provided.

According to another aspect of the present embodiment, when an entity (hereinafter referred to as a "client") that does not belong to any M2M service provider domain wants to access a resource located in a terminal or gateway of an M2M service provider domain, the client may Client registration process of performing client registration procedure on NSCL of M2M service provider domain and assigning client credentials from MAS of M2M service provider domain; NSCL of M2M service provider domain based on the URI information of the resource by the client Authorization request process for requesting the resource owner of the resource to grant access to the resource through a client verification process in which the resource owner verifies the client through the MAS of the M2M service provider domain, Provides a method for setting resource access rights in M2M communication including an authorization approval process in which a license owner grants an access authorization to the client to the MAS and an access token issuance process in which the MAS issues an access token to the client. .

According to another aspect of the present embodiment, in a method of accessing a resource located at a terminal or gateway of an M2M service provider domain, an entity (hereinafter referred to as a 'client') which does not belong to any M2M service provider domain, may be located in the M2M service provider domain. Receiving client credentials from the MAS of the M2M service provider domain by performing a client registration procedure in the NSCL of the requesting server, requesting a resource owner of the resource to grant access to the resource based on the URI information of the resource And a process of receiving an access token from the MAS, and accessing the resource on the basis of the issued access token.

According to another aspect of the present embodiment, a resource owner owning a resource located at a terminal or gateway of an M2M service provider domain has access to the resource of an entity (hereinafter referred to as a 'client') that does not belong to any M2M service provider domain. A method for granting authority, the method comprising: receiving an authorization request for the client, verifying the client through a MAS belonging to the M2M service provider domain (hereinafter referred to as 'MAS'), and an entity in which the resource is located. And granting access authorization to the client to the MAS. The method provides a method of granting access authority to a client resource in M2M communication.

According to another aspect of the present embodiment, a terminal, a gateway, or an end-user (hereinafter referred to as a 'client') belonging to one M2M service provider domain wants to access a resource located at a terminal or gateway in the same M2M service provider domain. A client registration process in which the client performs a client registration procedure in the NSCL of the M2M service provider domain and is assigned client credentials from the MAS of the M2M service provider domain, wherein the client is based on the URI information of the resource. Authorization request process for requesting the resource owner of the resource to authorize access to the resource through the NSCL of the M2M service provider domain, the resource owner to verify the client through the MAS of the M2M service provider domain A method of setting a resource access right in M2M communication includes a client verification process, an authorization approval process in which the resource owner approves an access authorization for the client, and an access token issuance process in which the MAS issues an access token to the client. to provide.

According to another aspect of the present embodiment, a resource located at a terminal or a gateway of a terminal, a gateway, or an end-user (hereinafter referred to as a 'client') belonging to one M2M service provider domain is located in the same M2M service provider domain. In the method of accessing, the step of receiving a client credentials from the MAS of the M2M service provider domain by performing a client registration procedure to the NSCL of the M2M service provider domain, based on the URI information of the resource to the resource owner of the resource Requesting an access right to the resource, issuing an access token from the MAS of the M2M service provider domain, and accessing the resource based on the issued access token. Client in M2M Communication Provides access to resources.

According to another aspect of the present embodiment, a resource owner owning a resource located at a terminal or a gateway of an M2M service provider domain may be an entity of any one of a terminal, a gateway, or an end-user belonging to the M2M service provider domain (hereinafter referred to as 'client'). A method for granting access to the resource, the method comprising: receiving an authorization request for the client, verifying the client through a MAS belonging to the M2M service provider domain, and where the resource is located It provides a method for granting access rights to the resources of the client in the M2M communication comprising the step of granting the object and the MAS granting the access authorization to the client.

According to yet another aspect of the present invention, in a method in which a terminal or a gateway having a resource on a DSCL or GSCL allows a client access to the resource, a request for setting access authority for the client from a resource owner of the resource Receiving an access token, setting an access right for the resource of the client, receiving an access token issued to the client from a server providing an AAA service, and receiving an access token from the server providing the AAA service; And determining whether to allow the client to access the resource based on whether the access token presented by the client matches.

As described above, according to the present embodiment, an access token (Access Token) for temporary access from an MAS (M2M Authentication Server) as an authentication key for an entity to access a resource on the M2M service provider domain to access the resource By issuing and using it, it is possible to share information among a large number of objects, prevent unauthorized objects from accessing information of other objects, and prevent a security threat that may occur in sharing resource data between objects There is an effect.

1 is a block diagram schematically illustrating a relationship between M2M service entities.
2 is a block diagram schematically illustrating a relationship between M2M service entities when a client and a resource owner are in different M2M service provider domains.
3 is a schematic flowchart of a resource access authority setting process according to an embodiment of the present invention when a client and a resource owner are in different M2M service provider domains and the resource owner is NA2.
4 is a schematic flowchart of a resource access authority setting process according to an embodiment of the present invention when a client and a resource owner are in different M2M service provider domains and the resource owner is D / G2.
5 is a block diagram schematically illustrating a relationship between M2M service entities when a client is not subscribed to the M2M service.
6 is a schematic flowchart of a resource access authority setting process according to an embodiment of the present invention when the client is not subscribed to the M2M service and the resource owner is NA.
7 is a schematic flowchart of a resource access authority setting process according to an embodiment of the present invention when the client is not subscribed to the M2M service and the resource owner is D / G1.
8 is a block diagram schematically illustrating a relationship between M2M service entities when a client and a resource owner belong to the same M2M service provider domain.
9 is a schematic flowchart of a resource access right setting process according to an embodiment of the present invention when the client and the resource owner belong to the same M2M service provider domain and the resource owner is NA.
10 is a schematic flowchart of a resource access right setting process according to an embodiment of the present invention when the client and the resource owner belong to the same M2M service provider domain and the resource owner is D / G2.

Hereinafter, a method for setting a resource access right in the M2M communication according to the present embodiment will be described in detail. In order to clearly illustrate the present invention in the drawings, portions not related to the description in the drawings are omitted, and the same portions are denoted by the same reference numerals throughout the specification.

Throughout the specification, when an element is referred to as including an element, it is understood that it may include other elements as well, without departing from the other elements unless specifically stated otherwise. The 'resource owner' used below may be an entity that can determine whether or not to grant a resource access right to a client who wants to access the resource, and an access range thereof, and may be an M2M terminal, an M2M gateway, or an M2M application. The 'client' is an entity that wants to access resources containing collected information collected or generated by other M2M terminals, M2M gateways, or M2M applications. It can be used not only for M2M terminals, M2M gateways and M2M applications in the M2M service provider domain, And may be an end-user or a third application that does not belong to the M2M service provider domain. Also, a 'resource' is a bucket holding information collected or generated by the M2M application and is accessed using a resource URI (Resource_URI) which is a universal resource identifier (URI). Also, 'D / G' means M2M terminal (Device: D) and M2M gateway (Gateway: G). On the other hand, the terms or abbreviations stated in the specification should be interpreted to comply with M2M technical standards such as M2M communication technology field and ETSI (European Telecommunications Standards Institute) unless otherwise specified in the specification. For example, the NSCL used throughout the specification refers to the M2M Service Capabilities Layer in the network domain. M2M applications also include NA, GA, and DA as applications that execute service logic and use service capabilities that are accessible through an open interface. NA also refers to applications located in networks and application domains that use service functions that execute service logic and are accessible through an open interface. A GA is also an application located on an M2M gateway that executes service logic and uses service features accessible through an open interface. DA is also an application located on an M2M terminal that executes service logic and uses service functions accessible through an open interface. In the meantime, a server that performs verification, authorization code and access token issuance of a client is described as 'MAS (M2M Authentication Sever)' defined in the ETSI M2M standard field throughout the specification, but according to an embodiment, ), Authorization, and accounting, or a server of a third M2M service provider domain that provides authentication, authorization, and accounting services.

Now, a method of setting a resource access right in the M2M communication according to the present invention will be described in detail with reference to the drawings.

1 is a block diagram schematically illustrating a relationship between M2M service entities.

FIG. 1 assumes that there are various M2M service providers (M2M service providers) that provide separate services in the M2M communication. As shown in FIG. 1, each of the M2M service provider domains (# 1, # 2) includes a network application 115, 125, a Network Service Capabilities Layer (NSCL) 113, an MAS , An M2M gateway (Gateway) 111 and 122 including a gateway application (GA), an M2M terminal (Device 110, 112, 120 and 121) including a DA (Device Application) user terminals 116 and 126 are present. The M2M terminals may either directly connect to the network domain (112, 121) or connect to the network domain (110, 120) via one or more gateways acting as a proxy for the network domain. There may also be an end-user terminal 130 accessing the M2M service provider domain from the outside via the Internet without joining any M2M service provider. In FIG. 1, a separate MAS exists in each M2M service provider domain. However, in some embodiments, there may be a MAS in which a plurality of M2M service provider domains share the function.

The resources may be located on the SCLs of the UEs 110, 112, 120 and 121 and the gateways 111 and 122 as well as the NSCLs 113 and 123. However, in the embodiment of the present invention, We will discuss how to set up an authorization for the case where a resource is located in a resource. The resource owner may be a terminal, a gateway and an NA, and a client may be a terminal, a gateway, an NA, and an end-user.

The method by which the client obtains the right to access the protected resource data existing on the M2M service provider domain can be classified into the following three types according to whether or not the client and the M2M service provider domain to which the resource owner belongs are the same . First, the resource owner and client belong to different M2M service provider domains. This is an example of a convergence between vertical service domains that provide specialized services tailored to specific industries. For example, there is a case where an optimal environment for a patient is created by exchanging mutual information between e_Health terminal device and home network device or Home Energy device. This is the case when these devices are more efficient in communicating directly with each other than exchanging information via a server. In order to do this, it will be necessary to set up access rights to each other's data among devices included in each M2M service domain in advance. Second, the client is outside the M2M service provider domain. For example, by using an application of a cellular phone terminal not previously registered in any M2M service, the cellular phone terminal directly communicates with a weather measurement device related to a weather information providing service to inquire weather information such as temperature and humidity around the company Or if the mobile terminal directly communicates with the digital tachograph (DTG) of the bus to inquire the GPS data of the bus, it is necessary to obtain the access right to inquire the corresponding data. Third, both the client and the resource owner belong to the same M2M service provider domain. For example, in the case of performing data communication between vehicles using Car_to_Car communication or exchanging patient status information data between various e_Health terminal devices, even if the device is subscribed to the same M2M service, To access them will be problematic and will require a process of gaining access.

Hereinafter, a method for granting a resource access right according to an embodiment of the present invention in a first case where a client and a resource owner are in different M2M service provider domains will be described with reference to FIG. 2 and FIG.

2 is a block diagram schematically illustrating a relationship between M2M service entities when a client and a resource owner are in different M2M service provider domains.

2 shows an example in which the D / G1 200, the NA1 230 or the end-user 240 belonging to the M2M service provider # 1 domain accesses the resource located on the D / G2 260 belonging to the M2M service provider # And the like.

The entity determining whether to allow access of the D / G1 200 to the resource located in the D / G2 260 and the scope of access is the D / G2 280 that has generated or collected the information contained in the resource, May be NA2 290 on the M2M server. Therefore, the client is D / G1 200, NA1 230 or end-user 240 belonging to the M2M service provider # 1 domain and the resource owner is NA2 290 of the M2M service provider # 2 domain.

As described above, in FIG. 2, a separate MAS 210 and MAS 210 exist in each M2M service provider domain, but according to an embodiment, a third M2M service providing an authentication, authorization, The server of the service provider domain may replace the functions of the MAS 210 and 270. [

3 is a schematic flowchart of a resource access authority setting process according to an embodiment of the present invention when a client and a resource owner are in different M2M service provider domains and the resource owner is NA2.

Although the mechanism of FIG. 3 illustrates a resource access authority setting mechanism according to an embodiment of the present invention when the client is D / G1, even when the client is the NA 230 and the end-user 240, It should be noted that the authority setting mechanism may be applied.

STEP 00 is a preliminary step according to the ETSI M2M standard. As a preliminary step, the client completes the M2M service bootstrap, the M2M service connection, and the SCL registration procedure. It may also be assumed that the D / G1 200 performs the registration procedure of DA and GA1 in relation to the D / GSCL.

Step 01 is a client registration step (S310). The D / G1 200 performs a client registration process to the NSCL1 210 and receives a client_id (Client_ID) and a client_secret (Client_Secret) as client credentials. Upon receiving the client registration message from the D / G 1 200, the NSCL 210 transmits a client registration message to the MAS 1 210. The MAS1 210 receiving the client registration message generates a client_identifier and a client_secret for the D / G1 200 and allocates the client_identifier and the client_secret to the D / G1 200 through the NSCL1 210. For example, the MAS1 210 includes a client application identifier (App_ID), a node identifier (Node_ID), a service connection identifier (Service Connection_ID), an SCL identifier (SCL_ID (ID) defined in the ETSI M2M standard, such as an application key, a root key, a connection key, and the like, are assigned to the client_identifier, ) May be combined to assign the generated value to the client_id. The client_secret may also be created in a variety of ways using at least one of these identifiers and keys.

Step 02 is a service / resource search step (S320). In order for the client to initiate the authorization process, there is a need to provide a service that the client needs or to find the resource owner with the resource information. Through the above service / resource search step, the client knows information (ID or URI) about the resource owner and the location of the resource server (D / GSCL) where the resource is located. For this, a method of acquiring information on the location (ID or URI) of the resource owner and the location of the resource server (D / GSCL) where the resource is located can be considered through the NSCL2 220 where the resource is located. For example, the service / resource search step S320 may include a process in which the D / G1 200 sends a search message including a discovery filter criterion (Discovery Filter Criteria) about the type of information desired by the D / G1 200 to the NSCL 220. The process of delivering the search message to the NSCL2 260 having the discovery resource 220, the NSCL2 220 uses the search resource to match the search filter criteria suggested by the D / G1 200. The _URI list may be retrieved and the result may be transmitted to the D / G1 200. In the service / resource search step S320, the D / G2 280 and NA2 290, which are the resource owners, notify the D / G1 200 that the client is at least one of the URI and the resource_URI thereof . On the other hand, if the client already knows the resource owner or the resource_URI, or if the location of the resource owner and the resource is preset, the above service / resource search step may be omitted. That is, the client can obtain the resource_URI information before the authorization request step (S330), which can be obtained in the service / resource search step (S320), or can be obtained in advance by the setting or policy of the service provider, You can get it from the owner.

STEP 03 is an authorization request step (S330). In the authorization request step (S330), the client performs an authorization request to the resource owner. The D / G 1 200 transmits an authorization request message to the NSCL 2 260 via the NSCL 1 220. On the other hand, one or more of parameters such as authorization_type, resource_uri, client_id, client_secret, access_scope, callback_uri, and state may be used for the authorization request message. Here, authorization_type means authorization type, client_id and client_secret means a client credential, resource_uri means location information of a resource, and state means an arbitrary value . Also, access_scope is a parameter about what kind of information is required in the request access range, ie, Creature / Retrieve / Update / Delete request scope or access authority. NSCL2 260 retrieves at the SCL or application resource level who is the resource owner corresponding to resource_URI. NSCL2 260 delivers an authorization request message to NA2 290, the retrieved resource owner.

Step 04 is a client verification step (S340). The resource owner performs validation on the client for the authorization request message. A method for verifying a client includes a method of requesting a client to verify the MAS1 210, an end-user verifying method connected to the resource owner, a verification request to the M2M service provider (NSCL2 / NA2, 260/290) There may be a method of verifying according to the granting policy of the provider. As a method for requesting the MAS1 210 to verify the client, a process in which the NA2 290 requests the MAS1 210 registered with the D / G1 200 to verify the client, And a process of transmitting a client verification response message to a resource owner based on a verification performing process and a verification result of determining whether the D / G1 200 is normally registered in the MAS1 210 based on the credential can do. Meanwhile, the verification request message may include a parameter such as a client credential (client_identifier, client_secret), and the client verification response message may include a client credential, a certificate, and the like.

STEP 05 is an authorization granting step (S350). When the client authentication is normally completed, the NA2 (290) requests the D / G2 (280) via the NSCL2 (260) to set the access right so that the D / G1 (200) can access the resource. The message requesting the access authority setting may include at least one parameter of the client_id, client_secret, access_scope, and resource_location parameters. Where client_id and client_secret are the parameters for the client credential and access_scope is the parameter for the access scope that the resource owner wants to allow. resource_location is a parameter related to a location where a resource is stored, and can provide, for example, resource_URI information. The D / G 2 280 generates an access right resource for the resource according to the request of the NA 2 290, or updates the attribute if the resource that has already been accessed exists. Here, the access right resource is a resource that stores information on access rights to the protected resource, that is, information about which entity can do with the protected resource. NA2 290 sends an authorization grant message to MAS2 270 via NSCL2 260 indicating that authorization to D / G1 200 has been granted. The authorization grant message may include information about the storage location of the resource, including the client_id, such as whether it is stored in the NSCL or in the D / G2.

STEP 06 is an optional procedure, issuing an authorization code and requesting an access token (step S360). The MAS2 270 generates an authorization code and issues the authorization code to the D / G1 200 via the NSCL1 and the NSCL2 as evidence that the authorization request of the D / G1 200 is approved. The D / G 1 200 requests the MAS 2 270 via NSCL 1 and NSCL 2 to issue an access token (Access Token) required for inquiring resource information, using the issued authorization code. On the other hand, one or more of parameters such as authorization_type, code, callback_uri, client_id, and client_secret may be used in the access token issuance request message. Here, authorization_type is an authorization type, code is an authorization code, callback_uri is an ID or URI of a client that requested authorization, and client_id and client_secret are parameters indicating client credential information.

Step 07 is an access token issue step (S370). The MAS2 270 checks the authorization code of the D / G1 200, generates an access token when it is confirmed, transfers the access token to the D / G2 280 where the resource is located, / G1 (200). The MAS2 270 may also transmit the generated access token to the NSCL2 260. The NSCL2 260 sends a request message when the D / G1 200 accesses a resource located in the D / You can use the received access token to verify that it is a client. The NSCL 260 may transmit the access token received by the NSCL 260 on behalf of the MAS2 270 to the D / G 1 200 on behalf of the MAS2 270 with the allowed access range. If SETP 06 is omitted, MAS2 270 does not check the authorization code, but generates an access token after receiving an authorization grant message from the resource owner in STEP 05. The D / G2 280 manages the received access token by mapping the access right resource. MAS2 270 may issue an update token with an access token for updating the access token. On the other hand, the message including the issued access token may include one or more parameters such as token_type, expiration_time, access_scope, state, client_id, client_secret, and resource_location. token_type is a parameter indicating by which method the token value is generated, for example, information such as which encryption method the token value was generated. expiration_time is a parameter related to the expiration time of access_token, and access_scope is a parameter regarding a range of allowed access rights or a range of individual resources that can be accessed during Create / Retrieve / Update / Delete for the entire resource owned by the resource owner. state is a parameter relating to an arbitrary value used in message exchange between a client and an authorization server, and client_id and client_secret are parameters representing client credential information. resource_location is a parameter that contains information about whether the resource is stored in the NSCL or the resource owner such as DA.

STEP 08 is a step of accessing the protected resource (S380). The D / G 1 200 accesses the resource located in the D / G 2 280 based on the access token and inquires the information. The D / G2 280 checks whether the access token received from the D / G1 200 and the access token received from the MAS2 270 match, and checks the access right resource to match the corresponding access token. Allow access of the D / G1 200 to the resource within the range of access rights.

4 is a schematic flowchart of a resource access right setting process according to an embodiment of the present invention when the client and the resource owner are in different M2M service provider domains and the resource owner is D / G2.

4 illustrates a resource access authority setting mechanism according to an embodiment of the present invention when the client is D / G1. However, even if the client is the NA 230 and the end-user 240, It should be noted that a setting mechanism can be applied.

3 are performed in STEP 01 (S410), STEP 02 (S420), STEP 06 (S460), STEP 07 (S470) and STEP 08 (S480) 03, STEP 04, and STEP 05 will be described.

Step 03 is an authorization request step (S430). In the authorization request step (S430), the client performs an authorization request to the resource owner. The D / G 1 200 transmits an authorization request message to the NSCL 2 260 via the NSCL 1 220. NSCL2 260 retrieves at the SCL or application resource level who is the resource owner corresponding to resource_URI. The NSCL2 260 transmits an authorization request message to the D / G2 280, which is the searched resource owner. Meanwhile, parameters that can be included in the authorization request message are the same as those in STEP 03 of FIG. 3, and thus description thereof will be omitted.

Step 04 is a client verification step (S440). The resource owner performs validation on the client for the authorization request message. A method for verifying a client includes a method of requesting a client to verify the MAS1 210, an end-user verifying method connected to the resource owner, a verification request to the M2M service provider (NSCL2 / NA2, 260/290) There may be a method of verifying according to the granting policy of the provider. A method of requesting the MAS1 210 to verify the client may be performed by the D / G2 280 via the NSCL2 260 and the NSCL1 220 and with the MAS1 210 registered with the D / Based on the verification process and verification result of determining whether the MAS1 210 determines whether the D / G1 200 is normally registered in the MAS1 210 based on the client credential The MAS1 210 may transmit the client verification response message to the D / G2 280 via the NSCL1 220 and the NSCL2 260. [ Meanwhile, the verification request message may include a parameter such as a client credential (client_identifier, client_secret), and the client verification response message may include a client credential, a certificate, and the like.

Step 05 is an authorization granting step (S450). When the client authentication is normally completed, the D / G 2 280 generates an accessRight resource for the resource so that the D / G 1 200 can access the resource, Update the attribute. Here, the access right resource is a resource that stores information on access rights to the protected resource, that is, information about which entity can do with the protected resource. The D / G2 280 transmits an authorization grant message to the MAS2 270 via the NSCL2 260 indicating that granting of access authorization to the D / G1 200 is approved. The authorization grant message may include information about the storage location of the resource, including the client_id, such as whether it is stored in the NSCL or in the resource owner, such as DA.

Hereinafter, a method of setting an access right to a resource on an M2M service provider domain in the case where a client is not subscribed to the M2M service will be described with reference to FIG. 5 to FIG.

5 is a block diagram schematically illustrating a relationship between M2M service entities when a client is not subscribed to the M2M service.

As shown in FIG. 5, the end-user 510 or the third-party application 515, which does not belong to any M2M service provider domain, is located on the SCL of the D / G 530 of the M2M service provider domain Suppose you want to access a resource.

In this case, the end-user 510 and the third application become clients, and after the end user 510 or the third application 515 registers or subscribes to the NA 520, only the resources required during the M2M service are selectively It needs to be configured to gain access rights.

Although the resource access authority setting mechanism according to an embodiment of the present invention is described with reference to FIGS. 6 and 7 and the client is an end-user 510 application, the same resource access It should be noted that a privilege setting mechanism may be applied.

6 is a schematic flowchart of a resource access right setting process according to an embodiment of the present invention when the client is not subscribed to the M2M service and the resource owner is NA.

Referring to FIG. 6, an end-user application (EUA) 510 is independent of the M2M service provider domain, and the EUA 510 is a client , The NA 520 corresponds to the resource owner. Here, the D / G 550 is not particularly involved in the resource access authority setting process.

STEP 00 is a preliminary step according to the ETSI M2M standard. As a preliminary step, the client completes the M2M service bootstrap, the M2M service connection, and the SCL registration procedure.

Step 01 is a client registration step (S610). The EUA 510 performs the client registration process through the NA 520 and receives the client_id (Client_ID) and the client_secret (Client_Secret) as the client credentials. That is, it is distinguished from STEP 01 in FIG. 3 in that an end-user application outside the M2M service provider domain performs the client registration procedure with the NA 520 as the contact point, rather than the NSCL 530. Upon receiving the client registration message from the EUA 510, the NA 520 delivers a client registration message to the MAS 540. The MAS 540 receiving the client registration message generates the client_identifier and the client_secret for the EUA 510 and allocates the client_identifier and the client_secret to the EUA 510 via the NA 520. On the other hand, the method of generating the client_identifier and the client_secret is the same as that in STEP 01 of FIG. 3, and thus the description thereof will be omitted.

Step 02 is a service / resource search step (S620). In order for the client to initiate the authorization process, there is a need to provide a service that the client needs or to find the resource owner with the resource information. Through the above service / resource search step, the client knows information (ID or URI) about the resource owner and the location of the resource server where the resource is located. As a means for this, a method of acquiring information on the location (ID or URI) of the resource owner and the location of the resource server where the resource is located may be considered through the NSCL 530 where the resource is located. For example, the service / resource search step (S520) is a process in which the EUA 510 sends a search message including a discovery filter criterion (Discovery Filter Criteria) about the type of information desired to the NA 520, and the NA 520. Delivers a search message to the NSCL 530 having a discovery resource, and the NSCL 530 uses the search resource to obtain a list of resource_URIs that match the search filter criteria provided by the EUA 510. Retrieving and transmitting the result to the EUA 510. In the service / resource search step (S520), the D / G 550, which collects or creates the information stored in the resource, or the NA 520, which is the resource owner, informs the EUA 510 as a client of its own URI, You can also consider ways to tell more than one. On the other hand, if the client already knows the resource owner or the resource_URI, or if the location of the resource owner and the resource are preset, the service / resource search step S620 may be omitted. That is, the client can obtain the resource_URI information before the authorization request step (S630), which may be obtained in the service / resource search step (S620), or may be obtained in advance by the service provider's setting, You can get it from the owner.

STEP 03 is an authorization request step (S630). The EUA 510 performs an authorization request to the NSCL 530. NSCL 530 retrieves at the SCL or application resource level who the resource owner corresponds to resource_URI. The NSCL 530 delivers an authorization request message to the retrieved resource owner NA 520. On the other hand, the parameters of the authorization request message are the same as those used in STEP 03 of FIG. 3, and thus description thereof is omitted.

Step 04 is a client verification step (S640). The NA 520, which is the resource owner, verifies the client for the authorization request message. The method for verifying the client may include a method of requesting the MAS 540 to verify the client, a method of requesting verification from the M2M service provider (NSCL), and a verification method according to the service provider's access authorization policy. Exemplarily, a method of requesting the MAS 540 to verify the EUA 510 includes the steps of the NA 520, which is the resource owner, requesting the MAS 540 to verify the client via the NSCL 430, To the NA 520 via the NSCL 530 based on the verification execution process and the verification execution result that determine whether the EUA 510 is normally registered in the MAS 540 based on the client credentials, And transmitting a verification response message. Meanwhile, the verification request message may include a parameter such as a client credential (Client_ID and Client_Secret), and the client verification response message may include a client credential and a certificate.

Step 05 is authorization authorization step (S650). When the client authentication is normally completed, the NA 520 requests the NSCL 530 to set access authority so that the EUA 510 can access the resource. The D / G 550 generates an access right resource for the resource in response to the request of the NA 520, or updates the attribute if the already accessed resource exists. Here, the access right resource is a resource that stores information on access rights to the protected resource, that is, information about which entity can do with the protected resource. The NA 520 transmits an authorization grant message to the MAS 540 via the NSCL 530 indicating that granting of the access right to the EUA 510 has been approved. Meanwhile, the parameters that can be included in the message for requesting the setting of the access authority and the authorization grant message are the same as those in STEP 05 of FIG. 3, so that the description is omitted.

STEP 06 is an optional procedure, issuing an authorization code and requesting an access token (S660). The MAS 540 generates an authorization code and issues it to the EUA 510 as evidence that the authorization request of the EUA 510 has been approved. The EUA 510 uses the issued authorization code to request the MAS 540 to issue an access token (Access Token) required to inquire resource information. On the other hand, the parameters that can be included in the access token issue request message are the same as those in STEP 06 of FIG. 3, and thus description thereof is omitted.

Step 07 is an access token issuing step (S670). The MAS 540 checks the authorization code of the EUA 510 and if it is verified it generates an access token and passes it to the D / G 550 where the resource is located and sends the access token to the EUA 510 ). If SETP 06 is omitted, the MAS 540 does not check the authorization code, but generates an access token after receiving the authorization grant message from the resource owner in STEP 05. The D / G 550 manages the access token and the access right resource by mapping the received access token. The MAS 540 may issue an update token with an access token for updating the access token. On the other hand, the parameters that can be included in the message including the issued access token are the same as those in STEP 07 of FIG. 3, and thus the description thereof will be omitted.

Step 08 is a step of accessing the protected resource (S680). The EUA 510 accesses resources located in the NSCL 530 based on the access token and queries the information. The NSCL 530 checks whether the access token received from the EUA 510 and the access token issued from the MAS 540 coincide with each other, and checks the access right resource to be within an access right range matching the corresponding access token. Allows EUA 510 access to the resource.

7 is a schematic flowchart of a resource access right setting process according to an embodiment of the present invention when the client is not subscribed to the M2M service and the resource owner is the D / G.

7, the end-user application (EUA) 510 is in an independent relationship with the M2M service provider domain, and the EUA 510 is a client and the D / G 550 is a resource owner do.

6 are performed in STEP 01 (S710), STEP 02 (S720), STEP 06 (S760), STEP 07 (S770) and STEP 08 (S780) 03, STEP 04, and STEP 05 will be described.

STEP 03 is an authorization request step (S730). The EUA 510 performs an authorization request to the NSCL 530. NSCL 530 retrieves at the SCL or application resource level who the resource owner corresponds to resource_URI. The NSCL 530 delivers an authorization request message to the D / G 550, which is the searched resource owner. On the other hand, the parameters of the authorization request message are the same as those used in STEP 03 of FIG. 3, and thus description thereof is omitted.

Step 04 is a client verification step (S740). The D / G 520 verifies the client for the authorization request message transmitted from the NSCL 430. The method for verifying the client may include a method of requesting the MAS 540 to verify the client, a method of requesting verification from the M2M service provider (NSCL), and a verification method according to the service provider's access authorization policy. Exemplarily, a method for requesting the MAS 540 to verify the EUA 510 is to allow the D / G 550 to request the verification of the client to the MAS 540 with which the EUA 510 is registered via the NSCL 530 The MAS 540 determines whether or not the EUA 510 is normally registered in the MAS 540 based on the client credentials, and the MAS 540 transmits the NSCL And transmitting the client verification response message to the D / G 550 via the network 530. Meanwhile, the verification request message may include a parameter such as a client credential (Client_ID and Client_Secret), and the client verification response message may include a client credential and a certificate.

STEP 05 is an authorization granting step (S750). When the client authentication is normally completed, the D / G 550 generates an access resource resource for the resource so that the EUA 510 can access the resource, or if the already authorized resource exists, Update. Here, the access right resource is a resource that stores information on access rights to the protected resource, that is, information about which entity can do with the protected resource. The D / G 550 transmits an authorization grant message to the MAS 540 via the NSCL 530, informing that the granting of the access right to the EUA 510 has been approved. Meanwhile, the parameters that can be included in the message for requesting the setting of the access authority and the authorization grant message are the same as those in STEP 05 of FIG. 3, so that the description is omitted.

Hereinafter, a method for setting resource access authorization when a client and a resource owner belong to the same M2M service provider domain will be described with reference to FIG. 8 to FIG.

8 is a block diagram schematically illustrating a relationship between M2M service entities when a client and a resource owner belong to the same M2M service provider domain.

8 is a diagram illustrating an example of a case where an end-user 800 or a D / G 810 subscribed to the same M2M service provider domain in any one of the M2M service provider domains transmits information generated or collected by the other D / It is assumed that the user wishes to access the resource to be stored.

It is necessary to make a difference in the right to access the resource storing information generated or collected by any D / G belonging to the M2M service provider domain registered for each end-user among the end-users subscribed to the same M2M service provider . Also, in the case where a certain D / G wants to access a resource storing information generated or collected by another D / G in the same M2M service provider domain, the access right needs to be separately granted.

9 is a schematic flowchart of a resource access right setting process according to an embodiment of the present invention when the client and the resource owner belong to the same M2M service provider domain and the resource owner is NA.

9 shows that the D / G1 810 and the D / G2 850 are in the same M2M service provider domain, the D / G1 810 is a client, the NA 840 is a resource owner . The resource that the client desires to access is located on the SCL of D / G2 750.

It should be noted that although the D / G1 810 has been shown as a client in Fig. 9 and the following description, the same access authority setting mechanism can be applied even when the client is the end-user 800. [

The procedure of FIG. 9 is similar to the procedure of FIG. 3, except that the client, resource owner, is in the same M2M service provider domain.

STEP 00 is a preliminary step according to the ETSI M2M standard. As a preliminary step, the client completes the M2M service bootstrap, the M2M service connection, and the SCL registration procedure. It may also be assumed that the D / G1 200 performs the registration procedure of DA and GA1 in relation to the D / GSCL.

Step 01 is a client registration step (S910). The D / G 1 810 performs a client registration process in the NSCL 820 to receive a client_id (Client_ID) and a client_secret (Client_Secret) as client credentials. When the NSCL 820 receives the client registration message from the D / G 1 810, the NSCL 820 transmits a client registration message to the MAS 830. The MAS 830 receiving the client registration message generates a client_identifier and a client_secret for the D / G1 810 and allocates it to the D / G1 810 via the NSCL 820. [ On the other hand, the method of generating the client_identifier and the client_secret is the same as that in STEP 01 of FIG. 3, and thus the description thereof will be omitted.

STEP 02 is a service / resource search step (S920). In order for the client to initiate the authorization process, there is a need to provide a service that the client needs or to find the resource owner with the resource information. Through the above service / resource search step, the client knows information (ID or URI) about the resource owner and the location of the resource server (D / GSCL) where the resource is located. As a means for this, a method of acquiring information on the location (ID or URI) of the resource owner and the location of the resource server (D / GSCL) where the resource is located can be considered through the NSCL 820 where the resource is located. For example, the service / resource search step S920 may include a process in which the D / G1 810 sends a search message including a discovery filter criterion about the type of information desired to the NSCL 820, and the like. 820 may search for a resource_URI list that matches the search filter criterion suggested by the D / G1 810 using the search resource and transmit the result to the D / G1 810. Also, in the service / resource search step S920, a method of informing the D / G1 810 that the resource owner NA 840 is a client of at least one of its own URI and resource_URI may be considered. On the other hand, if the client already knows the resource owner or the resource_URI, or if the location of the resource owner and the resource is preset, the above service / resource search step may be omitted. That is, the client can obtain the resource_URI information prior to the authorization request step (S930), which may be obtained in the service / resource search step (S920), or may be obtained in advance by the service provider's setting, You can get it from the owner.

STEP 03 is an authorization request step (S930). In the authorization request step (S930), the client performs an authorization request to the resource owner. D / G 1 810 sends an authorization request message to NSCL 820. NSCL 820 retrieves at the SCL or application resource level who is the resource owner corresponding to resource_URI. The NSCL 820 delivers an authorization request message to the NA 840, which is the searched resource owner. Meanwhile, parameters that can be included in the authorization request message are the same as those in STEP 03 of FIG. 3, and thus description thereof will be omitted.

Step 04 is a client verification step (S940). The resource owner performs verification on the requesting client for the authorization request message. A method for verifying a client includes a method of requesting a client's verification to the MAS 830, an end-user verifying method connected to the resource owner, a verification request to the M2M service provider (NSCL / NA, 820/840) There may be a method of verifying according to the granting policy of the provider. Illustratively, a method of requesting the MAS 830 to verify the client is a process in which the NA 840, which is the resource owner, requests verification of the client to the MAS 830 for which the D / G 1 810 is registered, Based on the client credentials, determines whether the D / G 1 810 is normally registered in the MAS 830 or not, and transmits a client verification response message to the NA 840 based on the verification result and the verification result And the like. Meanwhile, the verification request message may include a parameter such as a client credential (Client_ID and Client_Secret), and the client verification response message may include a client credential, a certificate, and the like.

STEP 05 is an authorization granting step (S950). When the client authentication is normally completed, the NA 840 requests the D / G 2 850 to set an access right so that the D / G 1 810 can access the resource. The D / G 2 850 generates an access right resource for the resource according to the request of the NA 840 or updates the attribute if the already accessed resource exists. The attribute of the resource to be accessed may include an expiration time, and the D / G 2 850 may set an expiration time in the access right of the D / G 1 810. The NA 840 sends an authorization grant message to the MAS 830 via the NSCL 820 indicating that the authorization request of the D / G 1 810 has been approved. The parameters and information that can be included in the message for requesting the setting of the access authority and in the authorization grant message are the same as those in STEP 03 of FIG.

STEP 06 is an optional procedure, an authorization code issue and an access token request step (S860). The MAS 830 generates an authorization code and issues it to the D / G 1 810 as proof that the authorization request of the D / G 1 810 is approved. The D / G1 810 requests the MAS 830 to issue an access token (Access Token) required to inquire the resource information using the issued authorization code. On the other hand, the parameters that can be included in the access token issue request message are the same as those in STEP 06 of FIG. 3, and thus description thereof is omitted.

Step 07 is an access token issuing step (S970). The MAS 830 checks the authorization code of the D / G 1 810, generates an access token when it is verified, sends it to the D / G 2 850 where the resource is located, To the D / G 1 810. If SETP 06 is omitted, the MAS 830 does not check the authorization code and generates an access token after receiving the authorization grant message from the resource owner in STEP 05. The D / G 1 810 manages the access token and the access right resource by mapping the received access token. MAS 830 may issue an update token with an access token for updating the access token. On the other hand, the parameters that can be included in the access token issuing message are the same as those in STEP 07 of FIG. 3, and thus the description thereof will be omitted.

Step 08 is a step of accessing the protected resource (S980). The D / G 1 810 accesses the resource located in the D / G 2 850 based on the access token and inquires the information. The D / G2 850 checks whether the access token received from the D / G1 810 and the access token received from the MAS 830 match, and checks the access right resource to match the corresponding access token. Allows D / G1 810 access to the resource within the scope of access rights.

10 is a schematic flowchart of a resource access right setting process according to an embodiment of the present invention when the client and the resource owner belong to the same M2M service provider domain and the resource owner is D / G2.

Referring to FIG. 10, the D / G 1 810 and the D / G 2 850 are in the same M2M service provider domain, the D / G 1 810 is a client, and the D / This corresponds to the resource owner. The resource that the client desires to access is located on the SCL of D / G2 750. The procedure of FIG. 10 is similar to the procedure of FIG. 4 except that the client, resource owner, is in the same M2M service provider domain.

It should be noted that although the D / G1 810 has been indicated by the client in Fig. 10 and the following description, the same access authority setting mechanism can be applied even when the client is the end-user 800. [

9 are performed in STEP 01 (S1010), STEP 02 (S1020), STEP 06 (S1060), STEP 07 (S1070), and STEP 08 (S1080) 03, STEP 04, and STEP 05 will be described.

Step 03 is an authorization request step (S1030). In the authorization request step (S1030), the client performs an authorization request to the resource owner. D / G 1 810 sends an authorization request message to NSCL 820. NSCL 820 retrieves at the SCL or application resource level who is the resource owner corresponding to resource_URI. The NSCL 820 sends an authorization request message to the D / G2 850, which is the searched resource owner. Meanwhile, parameters that can be included in the authorization request message are the same as those in STEP 03 of FIG. 3, and thus description thereof will be omitted.

Step 04 is a client verification step (S1040). The D / G2 850 verifies the corresponding client with respect to the authorization request message transmitted from the NSCL 820. A method of verifying a client may include a method of requesting the MAS 830 to verify the client, a method of verifying the M2M service provider (NSCL, NA), and a method of verifying according to a service provider's access authorization policy. Exemplarily, a method of requesting the MAS 830 to verify the D / G 1 810 is a process in which the D / G 2 850 requests the MAS 540 to verify the client via the NSCL 530, The MAS 830 determines whether the D / G 1 810 is a device registered in the MAS 830 based on the client credentials, And transmitting the client verification response message to the D / G 2 840 through the D / G 2 840. Meanwhile, the verification request message may include a parameter such as a client credential (Client_ID and Client_Secret), and the client verification response message may include a client credential, a certificate, and the like.

Step 05 is an authorization granting step (S1050). When the client authentication is normally completed, the D / G 2 850 generates an access resource resource for the resource so that the D / G 1 810 can access the resource, Update the attribute. Here, the access right resource is a resource that stores information on access rights to the protected resource, that is, information about which entity can do with the protected resource. The D / G2 850 sends an authorization grant message to the MAS 830 via the NSCL 820, informing that authorization to the D / G1 810 has been granted. The parameters that can be included in the message for requesting access authorization and in the authorization grant message are the same as those in STEP 05 in FIG.

The above description is made on the assumption that each step is performed sequentially in FIG. 3, FIG. 4, FIG. 6, FIG. 7, FIG. 9 and FIG. 10, but this is merely illustrative of the technical idea of the embodiment of the present invention It will be apparent to those skilled in the art that one embodiment of the present invention may be practiced with other embodiments without departing from the essential characteristics of one embodiment of the present invention. For example, as shown in FIGS. 3, 4, 6, 7, 9, 3, 4, 6, 7, 9, and 10 are time-series charts, and FIGS. 3, 4, 6, 7, 9, But is not limited to the order.

The foregoing description is merely illustrative of the technical idea of the present embodiment, and various modifications and changes may be made to those skilled in the art without departing from the essential characteristics of the embodiments. Therefore, the present embodiments are to be construed as illustrative rather than restrictive, and the scope of the technical idea of the present embodiment is not limited by these embodiments. The scope of protection of the present embodiment should be construed according to the following claims, and all technical ideas within the scope of equivalents thereof should be construed as being included in the scope of the present invention.

200: D / G1 210: MAS1
220: NSCL1 260: NSCL2
270: MAS2 280: D / G2
290: NA2 510: End-User
520: NA 530: NSCL
540: MAS 550: D / G
810: D / G1 820: NSCL
830: MAS 840: NA
850: D / G2

Claims (1)

A method for an entity (hereinafter referred to as a 'client') not belonging to any M2M service provider domain to access a resource located at a terminal or gateway of an M2M service provider domain,
Requesting the resource owner of the resource to grant access to the resource based on the URI information of the resource;
Receiving an access token from an M2M authentication server (MAS) of the M2M service provider domain; And
Accessing the resource based on the issued access token
Resource access method of the client in the M2M communication, including.

Images