Network device management method and device, apparatus, and medium

By using asymmetric encryption for identity authentication and binding, the problem of low security in network device management in crowdsourced positioning networks is solved, enabling legitimate access and effective management of devices and improving network device security.

CN116781306B · Active · Publication Date: 2026-06-26 · TENCENT TECHNOLOGY (SHENZHEN) CO LTD

Patent Information

Authority / Receiving Office: CN · China
Patent Type: Patents (China)
Current Assignee / Owner: TENCENT TECHNOLOGY (SHENZHEN) CO LTD
Filing Date: 2022-03-11
Publication Date: 2026-06-26

AI Technical Summary

Technical Problem

In existing technologies, the security of network device management in crowdsourced positioning networks is low, and the storage of beacon credential systems in the cloud makes credentials easy to leak, leading to identity forgery and security issues.

Method used

Using asymmetric encryption, the second network device proves the data with its private key, and the server verifies the proof with the second network device's public key, thus achieving identity authentication. After successful verification, the devices are bound and managed. Because the server does not store private keys, they cannot be leaked from it.

Benefits of technology

It enhances the security of network devices in crowdsourced location networks, prevents identity impersonation and credential leakage, and ensures that legitimate devices can access and be effectively managed.

✦ Generated by Eureka AI based on patent content.


Abstract

The application specifically discloses a network device management and control method and device, equipment and medium, which can be applied to various scenes with certain security requirements. The method comprises the following steps: receiving a management and control request carrying a device identifier sent by a first network device in a crowdsourcing positioning network; obtaining to-be-proved data based on the management and control request, and sending the to-be-proved data to a second network device matched with the device identifier, so that the second network device proves the to-be-proved data based on a private key of the second network device to generate proof data; receiving the proof data sent by the second network device, and verifying the proof data based on a public key of the second network device; if the verification of the proof data is passed, the second network device is bound with the first network device, so that the second network device accesses the crowdsourcing positioning network, and the second network device in the crowdsourcing positioning network is managed and controlled. The technical scheme of the application improves the security of network device management and control in the crowdsourcing positioning network.

Description

Technical Field

[0001] This application relates to the field of computer technology, and more specifically, to a method for controlling network devices, a device for controlling network devices, an electronic device, and a computer-readable medium.

Background Technology

[0002] In related technologies, the management of network devices in crowdsourced location networks is typically achieved through a beacon credential architecture that binds associated network devices, facilitating the control of network access by bound devices. However, this beacon credential architecture stores all credentials for related network devices in the cloud. If unauthorized access is granted by a worker or the cloud server is attacked, these credentials will be leaked, compromising the security of the entire beacon credential architecture and resulting in low security for network device management.

[0003] It is clear that improving the security of network device management is an urgent problem to be solved.

Summary of the Invention

[0004] To address the aforementioned technical problems, embodiments of this application provide a method, apparatus, device, and medium for managing network devices, thereby improving the security of network device management to at least a certain extent.

[0005] According to one aspect of the embodiments of this application, an embodiment of this application provides a method for managing and controlling network devices. The method includes: receiving a management and control request sent by a first network device located in a crowdsourced positioning network, wherein the management and control request carries a device identifier that needs to be bound to the first network device; obtaining data to be proved based on the management and control request, and sending the data to be proved to a second network device that matches the device identifier, so that the second network device proves the data to be proved based on its own private key to generate proof data; receiving the proof data sent by the second network device, and verifying the proof data based on the public key of the second network device; if the verification of the proof data passes, binding the second network device to the first network device, so that the second network device accesses the crowdsourced positioning network, and managing the second network device accessing the crowdsourced positioning network.

[0006] According to one aspect of the embodiments of this application, an embodiment of this application provides a method for managing and controlling a network device. The method includes: receiving data to be proved sent by a server, the data to be proved being sent by the server after receiving a management and control request from a first network device located in a crowdsourced positioning network; proving the data to be proved based on a private key to generate proof data; sending the proof data to the server so that the server verifies the proof data based on the public key of the generator of the proof data, and when the verification of the proof data passes, binds the generator of the proof data to the first network device; and manages the generator of the proof data after the generator of the proof data accesses the crowdsourced positioning network.

[0007] According to one aspect of the embodiments of this application, an embodiment of this application provides a network device management and control apparatus, the apparatus being configured on a server, the apparatus comprising: a first receiving module configured to receive a management and control request sent by a first network device located in a crowdsourced positioning network, wherein the management and control request carries a device identifier that needs to be bound to the first network device; an acquisition and sending module configured to acquire data to be proved based on the management and control request, and send the data to be proved to a second network device matching the device identifier, so that the second network device proves the data to be proved based on its own private key to generate proof data; a receiving and generating module configured to receive the proof data sent by the second network device, and verify the proof data based on the public key of the second network device; and a binding and management module configured to bind the second network device to the first network device if the verification of the proof data passes, so that the second network device accesses the crowdsourced positioning network, and manage the second network device accessing the crowdsourced positioning network.

[0008] In one embodiment of this application, based on the aforementioned scheme, the binding and control module includes: a detection module configured to detect the behavioral state of the second network device in the crowdsourced positioning network and obtain a detection result; and a control module configured to control the positioning function of the second network device in the crowdsourced positioning network based on the detection result.

[0009] In one embodiment of this application, based on the aforementioned scheme, the detection module includes: a first detection unit configured to detect whether the dynamic identifier broadcast by the second network device changes within a preset broadcast period, and obtain the change status of the dynamic identifier; and a first determination unit configured to determine the detection result based on the change status of the dynamic identifier.

[0010] In one embodiment of this application, based on the foregoing scheme, the second network device is further configured to broadcast a dynamic identifier, which changes periodically; the first determining unit is specifically configured to: if the dynamic identifier changes, determine the security score of the second network device as a first score;

[0011] If the dynamic identifier does not change, the security score of the second network device is determined to be the second score; wherein the first score is less than the second score; the security score of the second network device is used as the detection result.

[0012] In one embodiment of this application, based on the aforementioned scheme, the detection module includes: a second detection unit configured to detect the location change distance of the second network device within a preset time period; and a second determination unit configured to determine the detection result based on the relationship between the location change distance and a preset distance threshold.

[0013] In one embodiment of this application, based on the aforementioned scheme, the second determining unit is specifically configured as follows: if the location change distance is greater than the preset distance threshold, then the security score of the second network device is determined to be a third score; if the location change distance is less than or equal to the preset distance threshold, then the security score of the second network device is determined to be a fourth score; wherein the third score is less than the fourth score; and the security score of the second network device is used as the detection result.

[0014] In one embodiment of this application, based on the aforementioned scheme, the second detection unit is specifically configured to: receive multiple location information of the second network device within the preset time period sent by the third network device; and determine the location change distance of the second network device within the preset time period based on the multiple location information.

[0015] In one embodiment of this application, based on the aforementioned scheme, the detection result includes the security score of the second network device; the control module is specifically configured to: if the detection result indicates that the security score of the second network device is less than or equal to a first preset score threshold, then disable the positioning function of the second network device in the crowdsourced positioning network; if the detection result indicates that the security score of the second network device is greater than the first preset score threshold and less than or equal to a second preset score threshold, then reduce the accuracy of the positioning function of the second network device in the crowdsourced positioning network.

[0016] In one embodiment of this application, based on the foregoing scheme, the apparatus further includes: a first receiving module, further configured to receive signature data of the second network device for a dynamic identifier forwarded by a third network device; a verification module, configured to verify the signature data based on the public key of the second network device; and an acquisition and sending module, further configured to, if the signature data verification passes, acquire a location report matching the second network device and send the location report to the first network device; wherein the location report is used to characterize the location change of the second network device.

[0017] In one embodiment of this application, based on the aforementioned scheme, the verification module is specifically configured to: receive additional information of the second network device forwarded by the third network device; if the additional information includes the public key of the second network device, then verify the signature data based on the public key of the second network device; if the additional information includes the device identifier, then obtain the public key of the second network device based on a preset mapping relationship between the device identifier and the public key, and verify the signature data based on the public key of the second network device.

[0018] In one embodiment of this application, based on the foregoing scheme, the first receiving module is further configured to receive hash information of the second network device for the dynamic identifier sent by the first network device; the acquisition and sending module is further configured to acquire a location report matching the second network device based on the hash information, and send the location report to the first network device; wherein, the location report is used to characterize the location change of the second network device.

[0019] In one embodiment of this application, based on the foregoing scheme, the device further includes: a receiving and detecting module configured to receive a device identifier and public key corresponding to the second network device forwarded by a fourth network device, and detect whether the device identifier and the public key are occupied; and a generating and sending module configured to generate a write instruction if neither is occupied, and send the write instruction to the fourth network device, so that the fourth network device writes the device identifier and a private key matching the public key into the second network device according to the write instruction.

[0020] According to one aspect of the embodiments of this application, an embodiment of this application provides a network device management and control apparatus. The apparatus is configured to be used by a provider of proof data. The apparatus includes: a second receiving module configured to receive data to be proven sent by a server, the data to be proven being sent by the server after receiving a management and control request from a first network device located in a crowdsourced positioning network; a generating module configured to prove the data to be proven based on a private key to generate proof data; and a sending module configured to send the proof data to the server, so that the server verifies the proof data based on the public key of the provider of the proof data, and binds the provider of the proof data to the first network device when the verification of the proof data passes, and manages the provider of the proof data after the provider of the proof data accesses the crowdsourced positioning network.

[0021] In one embodiment of this application, based on the foregoing scheme, the generation module is specifically configured to: obtain a zero-knowledge proof algorithm; and, based on the private key, prove the data to be proved using the zero-knowledge proof algorithm to generate the proof data.

[0022] In one embodiment of this application, based on the foregoing scheme, the device further includes: an acquisition module configured to acquire current time information and confidential information, wherein the confidential information is determined by the generator of the proof data and the first network device; a calculation module configured to calculate the current time information and the confidential information to obtain a dynamic identifier; a signature module configured to sign the dynamic identifier based on the private key to obtain signature data of the dynamic identifier; and a broadcast module configured to generate broadcast information based on the dynamic identifier and the signature data of the dynamic identifier, and broadcast the broadcast information.

[0023] In one embodiment of this application, based on the foregoing scheme, the signature module is specifically configured to: obtain additional information and encrypt the additional information to obtain encrypted additional information; wherein, the additional information includes at least one of the public key of the second network device and the device identifier; and generate the broadcast information based on the dynamic identifier, the signature data of the dynamic identifier and the encrypted additional information.
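
The broadcast path of [0016] to [0018] and [0022] to [0023], as an added example that is not code from the patent. It assumes HMAC-SHA256 over a 15-minute time slot for the dynamic identifier, SHA-256 for the hash information, Ed25519 signatures, unencrypted additional information, and constructed identifiers, secret, timestamp and coordinates.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

const slot = 15 * time.Minute // rotation period: an assumption of this example

var (
	ErrUnknownKey = errors.New("no registered public key for this broadcast")
	ErrBadSig     = errors.New("signature over dynamic identifier does not verify")
)

// DynamicID derives the rotating identifier from the current time slot and the
// secret shared by beacon and manager. HMAC-SHA256 is this example's choice.
func DynamicID(secret []byte, t time.Time) []byte {
	var n [8]byte
	binary.BigEndian.PutUint64(n[:], uint64(t.Unix()/int64(slot/time.Second)))
	mac := hmac.New(sha256.New, secret)
	mac.Write(n[:])
	return mac.Sum(nil)
}

// HashID is the lookup key a manager sends instead of the identifier itself.
func HashID(dynID []byte) string {
	h := sha256.Sum256(dynID)
	return hex.EncodeToString(h[:])
}

// Broadcast is what the beacon emits and a discovery device forwards.
// The additional information is carried unencrypted here for brevity.
type Broadcast struct {
	DynID, Sig []byte
	DeviceID   string            // additional information: device identifier, or
	PubKey     ed25519.PublicKey // additional information: the public key itself
}

type Server struct {
	pubKeys map[string]ed25519.PublicKey // device identifier -> public key
	reports map[string][]string          // HashID -> forwarded locations
}

// resolveKey returns a registered key only. A key carried in the broadcast is
// treated as a lookup hint, never as a trust anchor.
func (s *Server) resolveKey(b Broadcast) (ed25519.PublicKey, bool) {
	if b.PubKey == nil {
		pub, ok := s.pubKeys[b.DeviceID]
		return pub, ok
	}
	for _, pub := range s.pubKeys {
		if pub.Equal(b.PubKey) {
			return pub, true
		}
	}
	return nil, false
}

// Ingest verifies a forwarded broadcast before filing the finder's location.
func (s *Server) Ingest(b Broadcast, location string) error {
	pub, ok := s.resolveKey(b)
	if !ok {
		return ErrUnknownKey
	}
	if !ed25519.Verify(pub, b.DynID, b.Sig) {
		return ErrBadSig
	}
	s.reports[HashID(b.DynID)] = append(s.reports[HashID(b.DynID)], location)
	return nil
}

// Run uses constructed values: identifiers, secret, timestamp and coordinates.
func Run() (reports []string, spoofErr, ownKeyErr error, rotated bool) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	roguePub, roguePriv, _ := ed25519.GenerateKey(rand.Reader)
	srv := &Server{map[string]ed25519.PublicKey{"beacon-001": pub}, map[string][]string{}}
	secret, now := []byte("constructed shared secret"), time.Unix(1700000000, 0)
	id := DynamicID(secret, now)
	_ = srv.Ingest(Broadcast{DynID: id, Sig: ed25519.Sign(priv, id), DeviceID: "beacon-001"}, "31.2304,121.4737")
	// Spoofed broadcasts: signed with a key the server never registered.
	fake := ed25519.Sign(roguePriv, id)
	spoofErr = srv.Ingest(Broadcast{DynID: id, Sig: fake, DeviceID: "beacon-001"}, "0,0")
	ownKeyErr = srv.Ingest(Broadcast{DynID: id, Sig: fake, PubKey: roguePub}, "0,0")
	// The manager recomputes the identifier from the shared secret and queries by hash.
	reports = srv.reports[HashID(DynamicID(secret, now))]
	rotated = HashID(DynamicID(secret, now.Add(slot))) != HashID(id)
	return reports, spoofErr, ownKeyErr, rotated
}

func main() { fmt.Println(Run()) }
```

When the additional information carries the public key itself, the server still has to match it against a registered key; verifying against whatever key arrives with the broadcast would accept any self-signed beacon.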

[0024] According to one aspect of the embodiments of this application, an electronic device is provided, including one or more processors; and a storage device for storing one or more programs, which, when executed by the one or more processors, cause the electronic device to implement the network device control method as described above.

[0025] According to one aspect of the embodiments of this application, the embodiments of this application provide a computer-readable medium having a computer program stored thereon, which, when executed by a processor, causes the computer to perform the network device control method as described above.

[0026] According to one aspect of the embodiments of this application, the embodiments of this application provide a computer program product, including computer instructions that, when executed by a processor, implement the network device management and control method described above.

[0027] In the technical solution provided by the embodiments of this application: the second network device proves the data to be proved based on its own private key, and then the server verifies the data based on its public key. After the verification is successful, the first and second network devices are bound together. In this way, the second network device and the server complete the authentication of the second network device through asymmetric encryption. Since the server only stores the public key of the second network device and does not store all the credentials of the second network device (such as private key credentials), even if the relevant worker oversteps their authority or the server is attacked, the public key alone is not enough to impersonate or forge an identity. This avoids the phenomenon that the leakage of all the credentials of the second network device stored on the server side will affect the security of the entire beacon credential system architecture, thus ensuring the security of the beacon credential system architecture. This allows the second network device to be bound to the legitimate first network device, allowing the legitimate first network device to access the crowdsourced positioning network, and further allows for the control of the second network device accessing the crowdsourced positioning network, greatly improving the security of network device control in the crowdsourced positioning network.

[0028] It should be understood that the above general description and the following detailed description are exemplary and explanatory only, and do not limit this application.

Attached Figure Description

[0029] The accompanying drawings, which are incorporated in and form part of this specification, illustrate embodiments consistent with this application and, together with the description, serve to explain the principles of this application. It is obvious that the drawings described below are merely some embodiments of this application, and those skilled in the art can obtain other drawings based on these drawings without any inventive effort.

[0030] Figure 1 is a schematic diagram illustrating an exemplary implementation environment in which the technical solutions of the embodiments of this application can be applied.

[0031] Figure 2 is a flowchart illustrating a network device management method in an exemplary embodiment of this application.

[0032] Figure 3 is a flowchart illustrating a network device management method in an exemplary embodiment of this application.

[0033] Figure 4 is a schematic diagram of an exemplary beacon credential system architecture that can apply the technical solutions of the embodiments of this application.

[0034] Figure 5 is a flowchart illustrating a network device management method in an exemplary embodiment of this application.

[0035] Figure 6 is a flowchart illustrating a network device management method in an exemplary embodiment of this application.

[0036] Figure 7 is a block diagram illustrating a network device control apparatus shown in an exemplary embodiment of this application.

[0037] Figure 8 is a block diagram illustrating a network device control apparatus shown in an exemplary embodiment of this application.

[0038] Figure 9 is a schematic diagram of the structure of a computer system suitable for implementing the electronic devices of the present application embodiments.

Detailed Implementation

[0039] Exemplary embodiments will now be described in detail, examples of which are illustrated in the accompanying drawings. When the following description relates to the drawings, unless otherwise indicated, the same numbers in different drawings denote the same or similar elements. The embodiments described in the following exemplary embodiments do not represent all embodiments consistent with this application. Rather, they are merely examples of apparatuses and methods consistent with some aspects of this application as detailed in the appended claims.

[0040] The block diagrams shown in the accompanying drawings are merely functional entities and do not necessarily correspond to physically independent entities. That is, these functional entities can be implemented in software, in one or more hardware modules or integrated circuits, or in different network and / or processor devices and / or microcontroller devices.

[0041] The flowcharts shown in the accompanying drawings are merely illustrative and do not necessarily include all content and operations / steps, nor do they necessarily have to be performed in the described order. For example, some operations / steps can be broken down, while others can be combined or partially combined; therefore, the actual execution order may change depending on the specific circumstances.

[0042] It should be noted that "multiple" as mentioned in this application refers to two or more. "And / or" describes the relationship between related objects, indicating that three relationships can exist. For example, A and / or B can represent: A alone, A and B simultaneously, or B alone. The character " / " generally indicates that the preceding and following related objects have an "or" relationship.

[0043] Before introducing the technical solutions of the embodiments of this application, the nouns and terms involved in the embodiments of this application will be explained first. The nouns and terms involved in the embodiments of this application are subject to the following interpretations.

[0044] Artificial intelligence (AI) is the theory, methods, technology, and application systems that use digital computers or machines controlled by digital computers to simulate, extend, and expand human intelligence, perceive the environment, acquire knowledge, and use that knowledge to achieve optimal results. In other words, AI is a comprehensive technology within computer science that attempts to understand the essence of intelligence and produce a new kind of intelligent machine that can react in a way similar to human intelligence. AI studies the design principles and implementation methods of various intelligent machines, enabling them to possess the functions of perception, reasoning, and decision-making.

[0045] Artificial intelligence (AI) is a comprehensive discipline encompassing a wide range of fields, including both hardware and software technologies. Fundamental AI technologies generally include sensors, dedicated AI chips, cloud computing, distributed storage, big data processing, operating / interactive systems, and mechatronics. AI software technologies primarily include computer vision, speech processing, natural language processing, as well as machine learning / deep learning, autonomous driving, and intelligent transportation.

[0046] Machine learning (ML) in artificial intelligence is a multidisciplinary field involving probability theory, statistics, approximation theory, convex analysis, and algorithm complexity theory. It specifically studies how computers can simulate or implement human learning behavior to acquire new knowledge or skills and reorganize existing knowledge structures to continuously improve their performance. Machine learning is the core of artificial intelligence and the fundamental way to endow computers with intelligence; its applications span all areas of artificial intelligence. Machine learning and deep learning typically include techniques such as neural networks, belief networks, reinforcement learning, transfer learning, inductive learning, and instruction-based learning.

[0047] ZKP (Zero-Knowledge Proof): a proof that allows one party (the prover) to demonstrate to another party (the verifier) that a statement is true without revealing any information beyond the validity of the statement itself; for example, given the hash of a random number, the prover can convince the verifier that a number with that hash value does exist without revealing what it is.

[0048] Crowdsourced Location Network (CLORN) is a common device location technology. The entire network typically consists of three types of devices: beacon devices, discovery devices, and management devices. In essence, beacon devices continuously broadcast signals; discovery devices, upon receiving the broadcast signals, send their location information to the cloud; and management devices can bind to a certain number of beacon devices and query their location reports from the cloud, thereby enabling the location of the beacon devices.

[0049] The beacon and management devices are typically owned by the user. Optionally, the management device can be a smartphone, and the beacon device can be a headset, smart wearable device (such as a watch or bracelet), etc.

[0050] The cloud includes servers, which can be cloud servers that provide basic cloud computing services such as cloud services, cloud databases, cloud computing, cloud functions, cloud storage, network services, cloud communication, middleware services, domain name services, security services, CDN (Content Delivery Network), and big data and artificial intelligence platforms.

[0051] In related technologies, the management of network devices in crowdsourced location networks typically relies on a beacon credential architecture to bind associated network devices, facilitating control over network access after binding. This beacon credential architecture stores all credentials for related network devices in the cloud. If unauthorized access is granted by a worker or the cloud server is attacked, these credentials will be leaked, compromising the security of the entire beacon credential architecture and resulting in low security for network device management. Specifically, while the beacon credential architecture binds beacon devices to management devices, unauthorized access or attacks on the cloud server can lead to the leakage of all beacon device credentials (such as private key credentials) stored in the cloud. This allows for the forgery of beacon device identities, introducing a series of security problems and significantly reducing the security of network device management in crowdsourced location networks.

[0052] Therefore, in the scenario of network device management based on crowdsourced positioning networks, this application proposes a network device management scheme. Please refer to Figure 1, which is a schematic diagram of an exemplary implementation environment of this application. The implementation environment includes a first network device 101, a second network device 102, a third network device 103, and a server 104. The first network device 101, the second network device 102, the third network device 103, and the server 104 communicate with each other via wired or wireless networks. The first network device 101, the third network device 103, and the server 104 are all located in a crowdsourced location network. After the second network device 102 is successfully bound to the first network device 101, it can access the crowdsourced location network. Subsequently, the server 104 can manage and control the second network device 102 that has accessed the crowdsourced location network.

[0053] It should be understood that the numbers of first network devices 101, second network devices 102, third network devices 103, and servers 104 shown in Figure 1 are merely illustrative. Depending on actual needs, any number of network devices 101 to 103 and servers 104 can be included.

[0054] The first network device 101, the second network device 102, and the third network device 103 can be any electronic device with a user input interface, including but not limited to smartphones, tablets, laptops, computers, smart voice interaction devices, smart home appliances, vehicle terminals, aircraft, etc. The user input interface includes, but is not limited to, touchscreens, keyboards, physical buttons, and audio pickup devices. Optionally, in the application scenario of a crowdsourced positioning network, the first network device 101 can be a management device, the second network device 102 can be a beacon device, and the third network device 103 can be a discovery device.

[0055] Server 104 can be a server that provides various services. It can be an independent physical server, a server cluster or distributed system composed of multiple physical servers, or a cloud server that provides basic cloud computing services such as cloud services, cloud databases, cloud computing, cloud functions, cloud storage, network services, cloud communication, middleware services, domain name services, security services, CDN (Content Delivery Network), and big data and artificial intelligence platforms. This section does not impose any restrictions on this.

[0056] In some embodiments of this application, the network device management method can be executed by server 104, and correspondingly, the network device management apparatus is configured in server 104. Optionally, server 104 can perform the following:

[0057] The server receives a control request sent by a first network device located in the crowdsourced location network; the control request carries a device identifier that needs to be bound to the first network device. Based on the control request, the server obtains the data to be proved and sends it to the second network device matching the device identifier, so that the second network device proves the data with its own private key and generates proof data. The server then receives the proof data from the second network device and verifies it using the second network device's public key. If the verification passes, the server binds the second network device to the first network device, so that the second network device can access the crowdsourced location network, and then manages and controls the second network device connected to the network.

[0058] In some embodiments of this application, the terminal device may also have functions similar to those of server 104, thereby realizing the network device management and control method provided in the embodiments of this application.

[0059] By implementing the technical solution of this application embodiment, the second network device and the server complete the identity authentication of the second network device through asymmetric encryption. Since the server only stores the public key of the second network device and does not store all the credentials of the second network device (such as private key credentials), even if the relevant worker oversteps his / her authority or the server is attacked, the public key alone is not enough to impersonate or forge the identity. This allows the second network device to be bound to the legitimate first network device, so as to allow the legitimate first network device to access the crowdsourced positioning network. Furthermore, it can further control the second network device accessing the crowdsourced positioning network, which greatly improves the security of network device control in the crowdsourced positioning network.
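
The exchange in [0057] and the storage argument in [0059], as an added example that is not code from the patent. An Ed25519 signature over a random nonce stands in for the proof data (the patent also allows a zero-knowledge proof); the challenge layout, the single-use rule and the identifiers `beacon-001`, `phone-A` and `phone-B` are assumptions of this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

var (
	ErrUnknownDevice = errors.New("device identifier not registered")
	ErrNoChallenge   = errors.New("no outstanding challenge for this device")
	ErrBadProof      = errors.New("proof does not verify under the registered public key")
)

// Challenge is the "data to be proved"; its layout is an assumption of this example.
type Challenge struct {
	Manager, DeviceID string
	Nonce             []byte
}

// bytes length-prefixes each field so two different challenges never encode alike.
func (c Challenge) bytes() []byte {
	head := fmt.Sprintf("bind-v1:%d:%s:%d:%s:", len(c.Manager), c.Manager, len(c.DeviceID), c.DeviceID)
	return append([]byte(head), c.Nonce...)
}

// Server plays server 104: it stores public keys only, never private keys.
type Server struct {
	pubKeys  map[string]ed25519.PublicKey // device identifier -> public key
	pending  map[string]Challenge         // device identifier -> outstanding challenge
	bindings map[string]string            // device identifier -> bound first network device
}

func NewServer() *Server {
	return &Server{map[string]ed25519.PublicKey{}, map[string]Challenge{}, map[string]string{}}
}

// RequestBind handles the control request and returns fresh data to be proved.
func (s *Server) RequestBind(manager, deviceID string) (Challenge, error) {
	if _, ok := s.pubKeys[deviceID]; !ok {
		return Challenge{}, ErrUnknownDevice
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return Challenge{}, err
	}
	c := Challenge{Manager: manager, DeviceID: deviceID, Nonce: nonce}
	s.pending[deviceID] = c
	return c, nil
}

// CompleteBind verifies the proof data and binds the two devices only on success.
func (s *Server) CompleteBind(deviceID string, proof []byte) error {
	c, ok := s.pending[deviceID]
	if !ok {
		return ErrNoChallenge
	}
	delete(s.pending, deviceID) // one attempt per challenge, pass or fail
	if !ed25519.Verify(s.pubKeys[deviceID], c.bytes(), proof) {
		return ErrBadProof
	}
	s.bindings[deviceID] = c.Manager
	return nil
}

// Device plays the second network device; the private key never leaves it.
type Device struct{ priv ed25519.PrivateKey }

func NewDevice() (*Device, ed25519.PublicKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // no entropy source available
	}
	return &Device{priv: priv}, pub
}

// Prove signs the challenge; an Ed25519 signature stands in for the proof data.
func (d *Device) Prove(c Challenge) []byte { return ed25519.Sign(d.priv, c.bytes()) }

// RunScenario uses constructed identifiers: "beacon-001", "phone-A", "phone-B".
func RunScenario() (boundTo string, forgedErr, replayErr error) {
	srv := NewServer()
	beacon, pub := NewDevice()
	srv.pubKeys["beacon-001"] = pub // provisioning: only the public key is stored
	impostor, _ := NewDevice()      // knows the identifier and public key, not the private key
	c1, _ := srv.RequestBind("phone-B", "beacon-001")
	forgedErr = srv.CompleteBind("beacon-001", impostor.Prove(c1))
	c2, _ := srv.RequestBind("phone-A", "beacon-001")
	proof := beacon.Prove(c2)
	if err := srv.CompleteBind("beacon-001", proof); err != nil {
		return "", forgedErr, err
	}
	replayErr = srv.CompleteBind("beacon-001", proof) // challenge already consumed
	return srv.bindings["beacon-001"], forgedErr, replayErr
}

func main() { fmt.Println(RunScenario()) }
```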

[0060] It should be noted that in the specific implementation of this application, user-related data is involved. When the embodiments of this application are applied to specific products or technologies, user permission or consent is required, and the collection, use and processing of related data must comply with the relevant laws, regulations and standards of the relevant countries and regions.

[0061] The following details the various implementation details of the technical solutions in the embodiments of this application:

[0062] Please see Figure 2, which is a flowchart illustrating a method in one embodiment of this application. The network device control method can be executed by the server 104 shown in Figure 1. As shown in Figure 2, the network device management method includes at least steps S201 to S204, which are described in detail below:

[0063] Step S201: Receive a control request sent by a first network device located in the crowdsourced positioning network, wherein the control request carries a device identifier that needs to be bound to the first network device.

[0064] In this embodiment, the control request is issued by the first network device. The control request carries a device identifier, indicating to the server its need to control a network device (i.e., the second network device) that matches the device identifier. It is understood that the control request initiated by the first network device involves two processes: first, the binding process between the first and second network devices; and second, after successful binding, allowing the second network device to access the crowdsourced location network and controlling the second network device within the network. Details are provided below.

[0065] It is understood that in the embodiments of this application, the device identifier refers to the fixed identifier of the second network device, which is used to characterize the uniqueness of the second network device. It includes, but is not limited to, the generation timestamp, production number, and universally unique identifier (UUID) of the second network device.

[0066] In one embodiment of this application, prior to receiving the control request sent by the first network device located in the crowdsourced location network in step S201, the method may further include the following steps, detailed below:

[0067] Receive the device identifier and public key of the second network device forwarded by the fourth network device, and check whether the device identifier and public key are occupied;

[0068] If none of them are occupied, a write command is generated and sent to the fourth network device, so that the fourth network device writes the device identifier and the private key that matches the public key into the second network device according to the write command.

[0069] In one optional embodiment, the server stores device identifiers and public keys of multiple second network devices. Specifically, this can be done using associative storage. Therefore, in this optional embodiment, if the server receives the device identifier and public key corresponding to a second network device forwarded by a fourth network device, it needs to check whether the received device identifier and public key are already in use. Specifically, it checks whether the received device identifier and public key are duplicates of the stored device identifiers and public keys. If there is no duplication, it indicates that the received device identifier and public key are not in use, and a write command can be generated and sent to the fourth network device. The fourth network device can then write the device identifier and the private key matching the public key into the second network device according to the write command. Thus, each second network device possesses a matching device identifier and private key; that is, each second network device has a unique device identifier and private key to distinguish it from other second network devices.

[0070] Thus, by implementing the optional embodiment, the fourth network device is only allowed to write the device identifier and the private key matching the public key into the second network device when the server detects that the device identifier and the public key are not occupied. This ensures the uniqueness of the second network device and provides support for the subsequent management and control of the second network device in the crowdsourced location network.

[0071] Step S202: Obtain the data to be proved based on the control request, and send the data to be proved to the second network device that matches the device identifier, so that the second network device can prove the data to be proved based on its own private key and generate proof data.

[0072] In this embodiment, the server receives a control request from the first network device, can obtain the data to be proved based on the control request, and send the data to be proved to the second network device that matches the device identifier; in this way, the second network device can prove the data to be proved based on its own private key according to the received data to be proved, and generate proof data.

[0073] In one embodiment of this application, obtaining data to be proved based on a control request includes: generating data to be proved in real time based on the control request to obtain the data to be proved, wherein the data to be proved may be random data.

[0074] In one embodiment of this application, obtaining data to be proved based on a control request includes: obtaining pre-generated data to be proved based on the control request to obtain the data to be proved, wherein the data to be proved may be random data.

[0075] Step S203: Receive the proof data sent by the second network device, and verify the proof data based on the public key of the second network device.

[0076] In this embodiment of the application, the server receives the proof data sent by the second network device and can verify the proof data based on the public key of the second network device, thereby realizing the identity authentication of the second network device.

[0077] It is understood that the second network device has a pair of keys, namely a private key and a public key. The public key can be deduced from the private key, but the private key cannot be deduced from the public key. Therefore, in this embodiment, storing the public key on the server side does not affect the privacy of the private key. However, if the private key were stored on the server, its privacy would be compromised once the server is attacked, thereby affecting the security of the management and control of the relevant network devices.

[0078] In step S204, if the verification of the proof data passes, the second network device is bound to the first network device so that the second network device can access the crowdsourced positioning network, and the second network device accessing the crowdsourced positioning network is managed.

[0079] In this embodiment of the application, if the server's verification of the proof data passes, it indicates that the identity authentication of the second network device is successful. At this time, the second network device can be bound to the first network device, and after successful binding, the second network device can be controlled to access the crowdsourced positioning network, and the second network device accessing the crowdsourced positioning network can be further managed.

[0080] In this embodiment of the application, if the server fails to verify the proof data, it indicates that the identity authentication of the second network device has failed. In this case, the second network device will not be bound to the first network device to ensure the security of the first network device.

[0081] In this embodiment, the second network device and the server authenticate the second network device through asymmetric encryption. Since the server only stores the public key of the second network device and not all of its credentials (such as private key credentials), even if a worker oversteps their authority or the server is attacked, the public key alone is not sufficient to impersonate or forge an identity. This allows the second network device to be bound to the legitimate first network device, improving the security of network device management.
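The occupancy check of [0067] to [0069] and the S201 to S204 binding flow, as an added Go example that is not code from the patent or its applicant. It assumes Ed25519 signatures as the proof mechanism, a 32-byte random value as the data to be proved, and single-use challenges; every type and function name and the sample identifiers tag-001 and phone-A are illustrative.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

var (
	ErrBadKey    = errors.New("malformed public key")
	ErrOccupied  = errors.New("device identifier or public key already in use")
	ErrUnknown   = errors.New("no device registered under this identifier")
	ErrNoPending = errors.New("no outstanding data to be proved for this device")
	ErrBadProof  = errors.New("proof data failed verification")
)

type pendingBind struct {
	owner     string // first network device that sent the control request
	challenge []byte // data to be proved
}

// Server holds public material only: it can verify proofs but cannot make them.
type Server struct {
	pubKeys  map[string]ed25519.PublicKey // device identifier -> public key
	pending  map[string]pendingBind       // device identifier -> open request
	bindings map[string]string            // device identifier -> bound owner
}

func NewServer() *Server {
	return &Server{map[string]ed25519.PublicKey{}, map[string]pendingBind{}, map[string]string{}}
}

// NewDeviceKey stands in for key generation at provisioning time (assumed Ed25519).
func NewDeviceKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// Register is the occupancy check of [0067]-[0069]: both the identifier and
// the public key must be unused before the write command would be issued.
func (s *Server) Register(deviceID string, pub ed25519.PublicKey) error {
	if len(pub) != ed25519.PublicKeySize {
		return ErrBadKey
	}
	if _, taken := s.pubKeys[deviceID]; taken {
		return ErrOccupied
	}
	for _, k := range s.pubKeys {
		if bytes.Equal(k, pub) {
			return ErrOccupied
		}
	}
	s.pubKeys[deviceID] = pub
	return nil
}

// BeginBind covers S201-S202: accept the control request and issue fresh
// random data to be proved for the device it names.
func (s *Server) BeginBind(owner, deviceID string) ([]byte, error) {
	if _, ok := s.pubKeys[deviceID]; !ok {
		return nil, ErrUnknown
	}
	challenge := make([]byte, 32)
	if _, err := rand.Read(challenge); err != nil {
		return nil, err
	}
	s.pending[deviceID] = pendingBind{owner: owner, challenge: challenge}
	return challenge, nil
}

// Prove is the second device's side (S302): sign with the private key.
func Prove(priv ed25519.PrivateKey, challenge []byte) []byte {
	return ed25519.Sign(priv, challenge)
}

// CompleteBind covers S203-S204. The pending entry is consumed before the
// check, so each piece of data to be proved is good for one attempt only.
func (s *Server) CompleteBind(deviceID string, proof []byte) error {
	p, ok := s.pending[deviceID]
	if !ok {
		return ErrNoPending
	}
	delete(s.pending, deviceID)
	if !ed25519.Verify(s.pubKeys[deviceID], p.challenge, proof) {
		return ErrBadProof
	}
	s.bindings[deviceID] = p.owner
	return nil
}

func main() {
	s := NewServer()
	pub, priv, _ := NewDeviceKey()
	_ = s.Register("tag-001", pub)
	ch, _ := s.BeginBind("phone-A", "tag-001")
	fmt.Println(s.CompleteBind("tag-001", Prove(priv, ch)), s.bindings["tag-001"])
}
```

The server state contains nothing that can produce a valid proof, which is the property [0077] and [0081] rely on: a copy of the registry yields public keys only.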

[0082] In one embodiment of this application, the process of managing the second network device in the crowdsourced positioning network in step S204 may include the following steps, which are described in detail below:

[0083] The behavior of the second network device in the crowdsourced positioning network is detected, and the detection results are obtained.

[0084] Based on the detection results, the positioning function of the second network device in the crowdsourced positioning network is controlled.

[0085] That is, in the optional embodiment, if the second network device is connected to the crowdsourced location network, the server can detect the behavior status of the second network device in the crowdsourced location network and obtain the detection result, and then manage the location function of the second network device in the crowdsourced location network based on the detection result.

[0086] In one of the optional embodiments, if the second network device broadcasts relevant broadcast information, indicating that the second network device has accessed the crowdsourced location network, then the behavior status of the second network device in the crowdsourced location network can be detected, and the location function of the second network device can be controlled based on the detection results.

[0087] Thus, by implementing the optional embodiment, since the network behavior of the second network device in the crowdsourced positioning network is detected, the positioning function of the second network device in the crowdsourced positioning network can be adjusted in real time according to the detection results, which is more flexible and provides more comprehensive control over the network device.

[0088] In one embodiment of this application, the behavioral state of the second network device in the crowdsourced location network is detected to obtain the detection result, including at least two of the following methods:

[0089] Method 1:

[0090] Detect whether the dynamic identifier broadcast by the second network device changes within a preset broadcast period, and obtain the change status of the dynamic identifier;

[0091] The detection result is determined based on the changes in the dynamic identifier.

[0092] It is understood that, in the optional embodiment, the second network device is also used to broadcast a dynamic identifier, which changes periodically. The dynamic identifier corresponding to the second network device refers to a temporary identifier, which is an identifier temporarily calculated by the second network device. For example, it can be calculated by the second network device using current time information and confidential information, where the confidential information is determined by the second network device and the first network device. This temporary identifier changes dynamically according to a certain broadcast period, thereby preventing someone from recording a consistently unchanged temporary identifier and locating the first network device by scanning the signal corresponding to the temporary identifier.

[0093] For example, if the broadcast period is 24 hours, then the dynamic identifier is A1 in broadcast period T1, A2 in broadcast period T2, A3 in broadcast period T3, A1 in broadcast period T4, A2 in broadcast period T5, A3 in broadcast period T6, and so on.

[0094] It is understandable that if the dynamic identifier broadcast by the second network device changes within the preset broadcast period, it indicates that it has not followed the standard preset broadcast period after joining the network, and it is likely that it is trying to evade location detection. Therefore, in the optional embodiment, the change of the dynamic identifier can be obtained by detecting whether the dynamic identifier broadcast by the second network device changes within the preset broadcast period, and the detection result can be determined based on the change of the dynamic identifier.

[0095] Thus, by implementing optional embodiments and considering the dynamic identification dimension, the detection of the behavioral state of the second network device in the crowdsourced location network can be achieved quickly and easily.

[0096] In one embodiment of this application, the detection may involve checking whether the dynamic identifier broadcast by the second network device changes within a preset broadcast period over a certain time period; wherein, this time period is typically much longer than the preset broadcast period. For example, if the time period is 720 hours and the broadcast period is 24 hours, then the detection may involve checking whether the dynamic identifier broadcast by the second network device changes within 30 broadcast periods. It is understood that in practical applications, the time period and broadcast period can be flexibly chosen according to actual needs.

[0097] In one embodiment of this application, determining the detection result based on changes in dynamic identifiers includes: determining the detection result by a scoring method based on changes in dynamic identifiers.

[0098] In one optional embodiment, if the dynamic identifier changes, the security score of the second network device is determined to be a first score; if the dynamic identifier does not change, the security score of the second network device is determined to be a second score; the first score is less than the second score. It can be understood that the security score of the second network device obtained for the dynamic identifier dimension is the detection result of the second network device.

[0099] For example, let S1 represent the current security score of the second network device for the dynamic identifier dimension, and S2 represent the previous security score of the second network device for the dynamic identifier dimension. Then, if a change is detected in the dynamic identifier broadcast by the second network device within a preset broadcast period, then S1 = S2 - 1; if no change is detected in the dynamic identifier broadcast by the second network device within the preset broadcast period, then S1 = S2 + 1. Furthermore, the security score can also be determined based on the number of times the dynamic identifier broadcast by the second network device changes within the preset broadcast period; for example, if the number of times the dynamic identifier changes within the preset broadcast period is 10, then S1 = S2 - 10.

[0100] In this way, by implementing the optional embodiment, the security score of the second network device whose dynamic identifier has changed is determined to be lower than the security score of the second network device whose dynamic identifier has not changed. This can provide support for subsequent management and control of the second network device based on its security score.

[0101] Method 2:

[0102] Detect the distance of the second network device's location change within a preset time period;

[0103] The detection result is determined based on the relationship between the distance of the position change and the preset distance threshold.

[0104] It is understood that if the location change distance of the second network device within a preset time period is greater than a preset distance threshold, it indicates that the second network device appears in various distant locations and is likely to have been copied. Therefore, in the optional embodiment, the detection result can be determined by detecting the location change distance of the second network device within a preset time period and based on the relationship between the location change distance and the preset distance threshold.

[0105] In the optional embodiment, the preset time period can be 24 hours, 48 hours, etc., and can be flexibly selected according to actual needs.

[0106] In one embodiment of this application, detecting the location change distance of a second network device within a preset time period includes: receiving multiple location information of the second network device within the preset time period sent by a third network device; and determining the location change distance of the second network device within the preset time period based on the multiple location information.

[0107] In other words, in an optional embodiment, the server detects the distance of location changes of the second network device within a preset time period by receiving multiple location information of the second network device sent by the third network device within that preset time period. Optionally, each location information corresponds to a timestamp, and the location information corresponding to adjacent timestamps can be compared to detect whether the distance of the location change is greater than a preset distance threshold.

[0108] In the optional embodiment, the preset distance threshold can be set to 1000 kilometers, 1500 kilometers, etc., and can be flexibly set according to actual needs.

[0109] Thus, by implementing optional embodiments and considering the location dimension, the detection of the behavioral state of the second network device in the crowdsourced location network can be achieved quickly and easily.

[0110] In one embodiment of this application, determining the detection result based on the relationship between the location change distance and a preset distance threshold includes: determining the detection result by a scoring method based on the relationship between the location change distance and the preset distance threshold.

[0111] In one optional embodiment, if the location change distance is greater than a preset distance threshold, the detection result score is determined to be the third score; if the location change distance is less than or equal to the preset distance threshold, the detection result score is determined to be the fourth score; the third score is less than the fourth score. It can be understood that the security score of the second network device obtained for the location dimension is the detection result of the second network device.

[0112] For example, let S3 represent the current security score of the second network device in terms of location, and S4 represent its previous security score in terms of location. Then, if the detected location change distance of the second network device within a preset time period is greater than a preset distance threshold, then S3 = S4 - 1; if the detected location change distance of the second network device within a preset time period is less than or equal to the preset distance threshold, then S3 = S4 + 1. Furthermore, the security score can also be determined based on the number of times the detected location change distance of the second network device within a preset time period exceeds the preset distance threshold; for example, if the detected number of times the second network device's location change distance exceeds the preset distance threshold within a preset time period is 3, then S3 = S4 - 3.

[0113] In this way, by implementing the optional embodiment, the security score corresponding to the second network device whose distance is greater than the preset distance threshold and the security score corresponding to the second network device whose distance is less than or equal to the preset distance threshold can be determined, which can provide support for subsequent management and control of the second network device based on the security score of the second network device.

[0114] It should be noted that the two methods described above can be combined to determine the detection result of the second network device from two aspects; for example, if the total security score of the second network device is represented by S0, the security score of the second network device for the dynamic identification dimension is represented by S1, and the security score of the second network device for the location dimension is represented by S3, then S0 = S1 + S3.

[0115] In one embodiment of this application, the behavior status of the second network device in the crowdsourced location network can also be detected in other ways; for example, the first network device can detect whether there is a second network device that is always near it. If it detects a second network device that is always near it, this indicates that the second network device is locating the first network device. At this time, the second network device can be recorded and reported to the server. In this way, the server also realizes the detection of the behavior status of the second network device in the crowdsourced location network.

[0116] In one embodiment of this application, the detection result includes a security score of the second network device; based on the detection result, the positioning function of the second network device in the crowdsourced positioning network is controlled, including:

[0117] If the detection result indicates that the security score of the second network device is less than or equal to the first preset score threshold, then the positioning function of the second network device in the crowdsourced positioning network is disabled.

[0118] If the detection result indicates that the security score of the second network device is greater than the first preset score threshold and less than or equal to the second preset score threshold, then the accuracy of the positioning function of the second network device in the crowdsourced positioning network will be reduced.

[0119] In one of the optional embodiments, if the detection result indicates that the security score of the second network device is less than or equal to the first preset score threshold, then the security level of the second network device is relatively low. Therefore, the second network device can be controlled by disabling its positioning function in the crowdsourced positioning network. If the detection result indicates that the security score of the second network device is greater than the first preset score threshold and less than or equal to the second preset score threshold, then the security level of the second network device is medium. Therefore, the second network device can be controlled by reducing the accuracy of its positioning function in the crowdsourced positioning network. If the detection result indicates that the security score of the second network device is greater than the second preset score threshold, then the security level of the second network device is relatively high. Therefore, no restrictions need be placed on the positioning function of the second network device in the crowdsourced positioning network.

[0120] Thus, by implementing the optional embodiments, the security score of the second network device included in the detection results, and the relationship between the security score and the preset score threshold, can quickly and easily control the positioning function of the second network device in the crowdsourced positioning network.
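Methods 1 and 2, the combined score S0 = S1 + S3 and the threshold control of [0117] to [0119], as an added Go example that is not code from the patent. The 24-hour period and 1000 km threshold are the page's example values; the score thresholds 0 and 5, the haversine distance, the requirement that input arrive in timestamp order, and all names and sample observations are assumptions made here.

```go
package main

import (
	"fmt"
	"math"
	"time"
)

type Broadcast struct { // one observed advertisement of a dynamic identifier
	At time.Time
	ID string
}

type Fix struct { // one timestamped position report from a third network device
	At       time.Time
	Lat, Lon float64
}

// Periods and distance are the page's example values; both score thresholds are assumed.
const (
	BroadcastPeriod = 24 * time.Hour
	JumpWindow      = 24 * time.Hour
	JumpKm          = 1000.0
	FirstThreshold  = 0
	SecondThreshold = 5
)

// Constructed data: Epoch opens period T1; an honest tag; a tag that looks copied.
var (
	Epoch       = time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC)
	HonestObs   = []Broadcast{{at(1), "A1"}, {at(13), "A1"}, {at(25), "A2"}}
	HonestFixes = []Fix{{at(1), 22.54, 114.06}, {at(13), 22.55, 114.07}}
	CopiedObs   = []Broadcast{{at(1), "A1"}, {at(5), "B7"}, {at(9), "A1"}}
	CopiedFixes = []Fix{{at(1), 22.54, 114.06}, {at(3), 39.90, 116.40}, {at(5), 22.54, 114.06}}
)

func at(h int) time.Time { return Epoch.Add(time.Duration(h) * time.Hour) }

// IDChanges counts identifier changes between consecutive broadcasts that fall
// in the same broadcast period (Method 1). Input is in timestamp order.
func IDChanges(obs []Broadcast) int {
	n := 0
	for i := 1; i < len(obs); i++ {
		same := obs[i].At.Sub(Epoch)/BroadcastPeriod == obs[i-1].At.Sub(Epoch)/BroadcastPeriod
		if same && obs[i].ID != obs[i-1].ID {
			n++
		}
	}
	return n
}

func haversineKm(a, b Fix) float64 {
	rad := func(deg float64) float64 { return deg * math.Pi / 180 }
	h := math.Pow(math.Sin(rad(b.Lat-a.Lat)/2), 2) +
		math.Cos(rad(a.Lat))*math.Cos(rad(b.Lat))*math.Pow(math.Sin(rad(b.Lon-a.Lon)/2), 2)
	return 2 * 6371.0 * math.Asin(math.Sqrt(h))
}

// Jumps counts adjacent-timestamp fixes more than JumpKm apart in distance and
// at most JumpWindow apart in time (Method 2). Input is in timestamp order.
func Jumps(fixes []Fix) int {
	n := 0
	for i := 1; i < len(fixes); i++ {
		if fixes[i].At.Sub(fixes[i-1].At) <= JumpWindow && haversineKm(fixes[i-1], fixes[i]) > JumpKm {
			n++
		}
	}
	return n
}

// NextScore subtracts the violation count, or adds one when there was none.
func NextScore(prev, violations int) int {
	if violations > 0 {
		return prev - violations
	}
	return prev + 1
}

// Control maps the total score S0 to the action described in [0117]-[0119].
func Control(s0 int) string {
	switch {
	case s0 <= FirstThreshold:
		return "disable positioning"
	case s0 <= SecondThreshold:
		return "reduce accuracy"
	}
	return "unrestricted"
}

// Evaluate applies both methods and returns S0 = S1 + S3 with its action.
func Evaluate(prevS1, prevS3 int, obs []Broadcast, fixes []Fix) (int, string) {
	s0 := NextScore(prevS1, IDChanges(obs)) + NextScore(prevS3, Jumps(fixes))
	return s0, Control(s0)
}

func main() {
	fmt.Println(Evaluate(3, 3, HonestObs, HonestFixes))
	fmt.Println(Evaluate(1, 1, CopiedObs, CopiedFixes))
}
```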

[0121] In one embodiment of this application, reducing the accuracy of the positioning function of the second network device can be achieved from both temporal and spatial perspectives; wherein:

[0122] In terms of timing, this includes, but is not limited to: the server can slow down the update frequency of location reports, for example, changing from updating once every 1 minute to updating once every 3-5 minutes; the server can also disable the location function of the second network device during specific time periods, for example, from 2:00 AM to 6:00 AM, the server will not receive any information reported by the second network device. It should be noted that disabling the location function of the second network device mentioned here is different from disabling the location function of the second network device when the detection result indicates that the security score of the second network device is less than or equal to the first preset score threshold. Here, it is disabled in stages, while the aforementioned method is to disable it directly (and then enable it after the security of the second network device is determined).

[0123] Spatially, this includes, but is not limited to: the server instructing relevant network devices (such as third network devices) to reduce positioning quality and add random interference during the reporting process of the second network device; the server may also instruct relevant network devices (such as third network devices) to check the surrounding area and determine whether the area should provide services. For example, after entering a residential area, the server may not provide positioning services to the second network device, or after entering a restricted area, the server should ignore any broadcast information broadcast by the second network device in the surrounding area.

[0124] Thus, by implementing optional embodiments, the accuracy of the positioning function of the second network device can be reduced from a temporal and / or spatial perspective, resulting in greater flexibility.

[0125] In one embodiment of this application, after binding the second network device to the first network device in step S204, the method may further include the following steps, detailed below:

[0126] Receive the signature data of the second network device for the dynamic identifier forwarded by the third network device;

[0127] The signature data is verified based on the public key of the second network device;

[0128] If the signature data verification passes, a location report matching the second network device is obtained and sent to the first network device; wherein, the location report is used to characterize the location change of the second network device.

[0129] That is, in an optional embodiment, the server triggers the acquisition of a location report matching the second network device when it receives the signature data of the second network device for the dynamic identifier forwarded by the third network device. Specifically, after receiving the signature data of the second network device for the dynamic identifier forwarded by the third network device, it is necessary to verify the signature data based on the public key of the second network device, and determine whether to acquire a location report matching the second network device based on the verification result.

[0130] In one of the optional embodiments, if the verification status indicates that the signature data verification is successful, it indicates that the identity authentication of the second network device after network access is successful. The location report matching the second network device can be obtained and sent to the first network device. In this way, the first network device can determine the location change of the second network device based on the received location report and perform corresponding operations.

[0131] In one optional embodiment, if the verification result indicates that the signature data verification failed, it indicates that the identity authentication of the second network device after network access failed. In this case, it is not necessary to obtain a location report matching the second network device. Optionally, the verification failure can also be recorded to determine the detection result of the second network device.

[0132] It is understood that in the optional embodiment, the server actively sends a location report matching the second network device to the corresponding first network device, that is, the first network device passively obtains the corresponding location report.

[0133] Thus, by implementing the optional embodiment, the location report is sent to the first network device only after the signature data of the second network device for the dynamic identifier has been verified, ensuring the security of the location report.

[0134] In one embodiment of this application, verifying the signature data based on the public key includes:

[0135] Receive additional information from the second network device forwarded by the third network device;

[0136] If the additional information includes the public key of the second network device, the signature data is verified based on the public key of the second network device.

[0137] If the additional information includes a device identifier, the public key of the second network device is obtained based on the preset device identifier and public key mapping relationship, and the signature data is verified based on the public key of the second network device.

[0138] In other words, in an optional embodiment, the server receives additional information from the second network device forwarded by the third network device, and then verifies the signature data based on the information contained in the additional information. It is understood that if the additional information contains the public key of the second network device, then the signature data can be directly verified based on the public key of the second network device contained in the additional information; if the additional information contains a device identifier, then the device identifier can be used to find a preset mapping relationship between the device identifier and the public key, thereby obtaining the public key of the second network device, and verifying the signature data based on the public key of the second network device.

[0139] Thus, by implementing the optional embodiment, the second network device broadcasts additional information, and the server can quickly and easily verify the signature data based on the information contained in the additional information.

[0140] In one embodiment of this application, after binding the second network device to the first network device in step S204, the method may further include the following steps, detailed below:

[0141] Receive the hash information of the second network device for the dynamic identifier sent by the first network device;

[0142] The location report matching the second network device is obtained based on the hash information, and the location report is sent to the first network device; wherein, the location report is used to characterize the location change of the second network device.

[0143] That is, in an optional embodiment, the server triggers the acquisition of a location report matching the second network device after receiving the hash information of the second network device for the dynamic identifier sent by the first network device; specifically, after receiving the hash information of the second network device for the dynamic identifier sent by the first network device, the server acquires a location report matching the second network device based on the hash information and sends the location report to the first network device.

[0144] It is understood that in an optional embodiment, the first network device actively instructs the server to send a location report that matches the second network device, thereby obtaining the corresponding location report.

[0145] Thus, by implementing the optional embodiment, upon receiving an instruction from the first network device, the corresponding location report is sent to the first network device, thereby satisfying the usage requirements of the first network device.
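The signature check of [0126] to [0138] together with the hash-based report lookup of [0141] to [0143], as an added Go example that is not code from the patent. Deriving the dynamic identifier with HMAC-SHA256 over a period counter, using Ed25519 and SHA-256, indexing reports by the hash, and accepting a broadcast public key only when it matches a registered one are all assumptions made here; the names, secret and positions are constructed.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
)

var (
	ErrNoKey  = errors.New("additional information resolves to no registered key")
	ErrBadSig = errors.New("signature over dynamic identifier failed verification")
)

// DynamicID derives the identifier for one broadcast period from the secret
// shared by the first and second devices (HMAC-SHA256 is an assumption).
func DynamicID(secret []byte, period uint64) []byte {
	var ctr [8]byte
	binary.BigEndian.PutUint64(ctr[:], period)
	mac := hmac.New(sha256.New, secret)
	mac.Write(ctr[:])
	return mac.Sum(nil)[:16]
}

// HashInfo is the lookup value the first device sends to request reports.
func HashInfo(dynamicID []byte) string {
	sum := sha256.Sum256(dynamicID)
	return hex.EncodeToString(sum[:])
}

// Sighting is what a third network device forwards after hearing a broadcast.
// The additional information is either PublicKey or DeviceID.
type Sighting struct {
	DynamicID, Signature []byte
	PublicKey            ed25519.PublicKey
	DeviceID, Position   string
}

type Server struct {
	keys    map[string]ed25519.PublicKey // preset device identifier -> public key
	reports map[string][]string          // hash info -> reported positions
}

// resolveKey picks the verification key from the additional information. A
// key carried in the broadcast is accepted only if it equals a registered
// one, since a signature proves nothing when the key comes from the sender.
func (s *Server) resolveKey(in Sighting) (ed25519.PublicKey, error) {
	if len(in.PublicKey) == ed25519.PublicKeySize {
		for _, k := range s.keys {
			if bytes.Equal(k, in.PublicKey) {
				return k, nil
			}
		}
		return nil, ErrNoKey
	}
	if k, ok := s.keys[in.DeviceID]; ok {
		return k, nil
	}
	return nil, ErrNoKey
}

// Accept verifies the signature data and, on success, files the position
// under the hash of the dynamic identifier.
func (s *Server) Accept(in Sighting) error {
	key, err := s.resolveKey(in)
	if err != nil {
		return err
	}
	if !ed25519.Verify(key, in.DynamicID, in.Signature) {
		return ErrBadSig
	}
	h := HashInfo(in.DynamicID)
	s.reports[h] = append(s.reports[h], in.Position)
	return nil
}

// Demo feeds constructed sightings to the server and returns each outcome,
// then the reports the first device gets back for its hash information.
func Demo() (byID, byKey, unregistered, tampered error, found []string) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	otherPub, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	s := &Server{keys: map[string]ed25519.PublicKey{"tag-001": pub}, reports: map[string][]string{}}
	id := DynamicID([]byte("constructed shared secret"), 42)
	sig := ed25519.Sign(priv, id)
	byID = s.Accept(Sighting{DynamicID: id, Signature: sig, DeviceID: "tag-001", Position: "22.54,114.06"})
	byKey = s.Accept(Sighting{DynamicID: id, Signature: sig, PublicKey: pub, Position: "22.55,114.07"})
	unregistered = s.Accept(Sighting{DynamicID: id, Signature: ed25519.Sign(otherPriv, id), PublicKey: otherPub})
	tampered = s.Accept(Sighting{DynamicID: DynamicID([]byte("other"), 42), Signature: sig, DeviceID: "tag-001"})
	return byID, byKey, unregistered, tampered, s.reports[HashInfo(id)]
}

func main() { fmt.Println(Demo()) }
```

Because the signature covers only the dynamic identifier, a captured signature remains valid for as long as that identifier is broadcast, so the broadcast period bounds how long it can be re-presented.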

[0146] The embodiment illustrated in Figure 2 is a description from the server's perspective. The following, in combination with Figure 3, describes in detail the implementation details of the technical solutions in the embodiments of this application from the perspective of the data generator (such as a second network device):

[0147] Please see Figure 3, which is a flowchart illustrating a network device management method according to an embodiment of this application. The network device management method can be performed by the second network device 102 shown in Figure 1. As shown in Figure 3, the network device management method includes at least steps S301 to S303, which are described in detail below:

[0148] Step S301: Receive the data to be proved sent by the server. The data to be proved is sent by the server after it receives the control request from the first network device located in the crowdsourced positioning network.

[0149] It should be noted that in this application embodiment, the generator of the proof data can be a second network device or an authoritative third-party network device (with extremely high security), etc. For ease of understanding, this application embodiment takes the generator of the proof data as a second network device as an example.

[0150] In this embodiment, the server receives a control request from a first network device carrying a device identifier that needs to be bound to the first network device. Based on the control request, the server obtains the data to be proved and sends the data to be proved to a second network device that matches the device identifier. Correspondingly, the second network device receives the data to be proved sent by the server.

[0151] Step S302: Prove the data to be proven based on the private key to generate proof data.

[0152] In this embodiment of the application, the second network device receives the data to be proved sent by the server, and then can prove the data to be proved based on the private key to generate proof data, thereby proving that it is the owner of the private key.

[0153] In one embodiment of this application, step S302, which involves proving the data to be proven based on the private key and generating proof data, may include the following steps, detailed below:

[0154] Obtain a zero-knowledge proof algorithm;

[0155] Based on the private key, a zero-knowledge proof algorithm is used to prove the data to be proved, generating proof data.

[0156] That is, in the optional embodiment, the second network device uses a zero-knowledge proof algorithm to prove the data to be proved using a private key, and generates proof data.

[0157] In the optional embodiments, the zero-knowledge proof algorithms include, but are not limited to, the zero-knowledge succinct non-interactive argument of knowledge (zk-SNARK), elliptic curve cryptography, and the RSA algorithm. In practical applications, the zero-knowledge proof algorithm can be flexibly adjusted according to the specific application scenario.

[0158] For example, `Proof = Prove(input1, input2)`; where `Prove` represents a zero-knowledge proof algorithm. The input to this algorithm is the data to be proven, `input1`, and the private key, `input2`. The output is the proof data, `Proof`. Similarly, `zkVerifier = zkVerify(Proof, input3)`; where `zkVerify` represents the verification algorithm for the zkSNARK zero-knowledge proof algorithm. The input to this verification algorithm is the proof data, `Proof`, and the public key, `input3`. The output is the verification result, `zkVerifier`, which indicates whether the verification of the proof data passed.

[0159] Thus, by implementing the optional embodiment, the identity authentication of the second network device is achieved using a zero-knowledge proof algorithm. This authentication process does not disclose the private key, thereby further ensuring the privacy of the private key and improving the security of network device management.

[0160] Step S303: The proof data is sent to the server so that the server can verify the proof data based on the public key of the second network device that generated the proof data. When the proof data is verified, the server binds the second network device that generated the proof data to the first network device. The server also manages the generator of the proof data after the generator accesses the crowdsourced positioning network.

[0161] In this embodiment, the second network device uses its private key to prove the data to be proved, generates proof data, and then sends the proof data to the server. In this way, the server can verify the proof data based on the public key of the data generator, and bind the data generator to the first network device when the verification is successful, and manage the data generator after it accesses the crowdsourced positioning network.

[0162] In one embodiment of this application, after sending the proof data to the server in step S303, the method may further include the following steps, detailed below:

[0163] Obtain current time information and confidential information, wherein the confidential information is determined by the data generator and the first network device;

[0164] A dynamic identifier is obtained by calculating the current time information and confidential information;

[0165] The dynamic identifier is signed using the private key to obtain the signature data of the dynamic identifier;

[0166] Based on the dynamic identifier and its signature data, a broadcast message is generated and then broadcast.

[0167] That is, in the optional embodiment, the dynamic identifier of the second network device is calculated by the second network device based on the obtained current time information and confidential information, and the dynamic identifier is also signed based on the private key to obtain the signature data of the dynamic identifier. Then, the dynamic identifier and the signature data of the dynamic identifier are encapsulated to generate broadcast information, and then the broadcast information is broadcast.

[0168] In one optional embodiment, the confidential information is determined by the second network device and the first network device after they are bound together, meaning that the second network device and the first network device are the ones who know the confidential information.

[0169] Thus, by implementing the optional embodiment, the second network device generates broadcast information based on the dynamic identifier and the signature data of the dynamic identifier, and broadcasts the broadcast information, thereby ensuring the normal operation of the corresponding services.

[0170] In one embodiment of this application, broadcast information is generated based on a dynamic identifier and its signature data, including:

[0171] Obtain additional information and encrypt it to obtain encrypted additional information; wherein, the additional information includes at least one of the public key of the second network device and the device identifier;

[0172] Broadcast information is generated based on the dynamic identifier, the signature data of the dynamic identifier, and the encrypted additional information.

[0173] That is, in the optional embodiment, the second network device can obtain additional information and encrypt it to obtain encrypted additional information. Then, based on the dynamic identifier, the signature data of the dynamic identifier, and the encrypted additional information, it generates broadcast information. In this way, when the server receives the additional information, it can first decrypt the additional information, and then verify the signature data based on the information contained in the decrypted additional information. After the verification is successful, it sends a location report to the first network device.

[0174] In an optional embodiment, the additional information includes at least one of the public key of the second network device and the device identifier.

[0175] Thus, by implementing the optional embodiment, the second network device broadcasts additional information, and the server can quickly and easily verify the signature data based on the information contained in the additional information; furthermore, the second network device encrypts the additional information to ensure its security.

[0176] In this embodiment, the server authenticates the second network device through asymmetric encryption. Since the server stores only the public key of the second network device and not all of its credentials (such as private key credentials), even if there is an unauthorized worker or the server is attacked, the public key alone is insufficient to impersonate or forge an identity. This allows the second network device to be bound to a legitimate first network device, enabling the legitimate first network device to access the crowdsourced positioning network. Furthermore, it allows for the control of the second network device accessing the crowdsourced positioning network, greatly improving the security of network device control within the crowdsourced positioning network.

[0177] The technical solutions of the embodiments of this application have been described above from the perspectives of the server and the generator of the proof data (such as the second network device). The following is a detailed description of a specific application scenario of the embodiments of this application:

[0178] Please see Figure 4, which is a schematic diagram of an exemplary beacon credential architecture according to this application. The beacon credential architecture includes a management device 401 (i.e., the aforementioned first network device), a beacon device 402 (i.e., the aforementioned second network device), a discovery device 403 (i.e., the aforementioned third network device), a writing device 404 (i.e., the aforementioned fourth network device), and a server 405. The management device 401, discovery device 403, and server 405 are located in a crowdsourced positioning network. The beacon device 402 can access the crowdsourced positioning network after successfully binding with the management device 401. The writing device 404 may or may not be located in the crowdsourced positioning network.

[0179] First, the binding process between management device 401 and beacon device 402 will be introduced.

[0180] Please see Figure 5, which is a flowchart illustrating a network device management method according to an embodiment of this application. As shown in Figure 5, the network device management method includes at least steps S501 to S510, which are described in detail below:

[0181] Step S501: The writing device generates the device identifier of the beacon device and a pair of keys (public key + private key), and sends the device identifier and public key of the beacon device to the server.

[0182] Optionally, the device identifier for the beacon device generated by the writing device can be the production timestamp, generation number, or random UUID of the beacon device, as long as it is ensured that different beacon devices do not have the same identifier. Optionally, the writing device generates a key pair, which can be generated using any asymmetric encryption algorithm, such as RSA, elliptic curve cryptography, or lattice ciphers.

[0183] In step S502, the server receives the device identifier and public key of the beacon device and checks whether the device identifier and public key are occupied.

[0184] In step S503, when the server detects that neither the device identifier nor the public key is occupied, it generates a write command and sends the write command to the writing device.

[0185] Optionally, when the server detects that neither the device identifier nor the public key is occupied, it associates and stores the device identifier with the public key to facilitate subsequent business interactions.

[0186] In step S504, the writing device receives the writing instruction and writes the device identifier and the private key matching the public key into the beacon device based on the writing instruction.

[0187] Optionally, the writing device can also erase/delete information related to the private key that remains during the production process to prevent the leakage of private key-related information.

[0188] It is understandable that steps S501 to S504 involve the writing process of beacon device related credentials (such as the beacon device's device identifier and private key), which occurs before the management device initiates a control request.

[0189] Optionally, the specific implementation process of steps S501 to S504 can be found in the technical solution of the foregoing embodiment, and will not be repeated here.

[0190] Step S505: The management device sends a control request to the server; wherein the control request carries the device identifier that needs to be bound to the management device.

[0191] In step S506, the server receives the control request, obtains the data to be proved based on the control request, and sends the data to be proved to the beacon device that matches the device identifier.

[0192] Optionally, the server generates a piece of random data based on the control request, and uses the random data as the data to be proven.

[0193] Optionally, for ease of understanding, the writing of relevant credentials and their binding with the management device in this application embodiment are both for the same beacon device.

[0194] In step S507, the beacon device receives the data to be proved, proves the data to be proved based on its own private key, generates proof data, and sends the proof data to the server.

[0195] Optionally, the beacon device uses its own private key to prove random data using a zero-knowledge proof algorithm to generate proof data.

[0196] Step S508: The server receives the proof data and verifies the proof data based on the public key of the beacon device;

[0197] Optionally, the server verifies the proof data using its own public key and a verification algorithm corresponding to the zero-knowledge proof algorithm, and generates verification data.

[0198] In step S509, if the server verifies the proof data and it passes the verification, the beacon device will be bound to the management device.

[0199] Optionally, when the server verifies the proof data, it registers the beacon device under the username corresponding to the management device, thus binding the beacon device to the management device. The server can also restrict each management device to only query beacon devices it has bound, and can limit the maximum number of devices each management device can bind. This forces third parties using crowdsourced positioning networks that do not comply with regulations to maintain a large number of accounts to manage beacon devices in bulk, increasing their costs.

[0200] It is understandable that steps S505 to S509 involve the binding process between the management device and the beacon device.

[0201] In step S510, the management device and the beacon device determine confidential information for use in the calculation of the dynamic identifier.

[0202] Optionally, after the server completes the binding between the beacon device and the management device, the server can notify the management device. The management device can then proactively establish a communication connection with the beacon device via Bluetooth or other means and confirm confidential information. Alternatively, the beacon device can proactively establish a communication connection with the management device via Bluetooth or other means and confirm confidential information. The confidential information is used to calculate the dynamic identifier broadcast by the beacon device in each preset broadcast cycle.

[0203] Optionally, the specific implementation process of steps S505 to S510 can be found in the technical solution of the foregoing embodiment, and will not be repeated here.

[0204] In this embodiment, the identity authentication of beacon devices is achieved by combining asymmetric encryption and zero-knowledge proof algorithms, and the binding between management devices and beacon devices is completed based on this. On the one hand, since the server does not store the private key, the privacy of the private key is guaranteed. On the other hand, the private key is not leaked during the authentication process, further guaranteeing the privacy of the private key and ensuring the security of beacon devices accessing the crowdsourced positioning network, thereby improving the security of beacon device management in the crowdsourced positioning network.
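The provisioning and binding exchange of steps S501 to S509, including the `Prove` and verification pair of paragraph [0158], as an added Go example that is not code from the patent. It assumes an Ed25519 signature over the server's random challenge as the proof data (a plain proof of possession standing in for a zero-knowledge proof algorithm); `Server`, `Beacon`, `Provision`, `bindMessage` and the `bind-v1` prefix are hypothetical names.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Server keeps public material only; a copy of its state holds no signing key.
type Server struct {
	pubKeys map[string]ed25519.PublicKey // device identifier -> public key
	pending map[string][]byte            // "manager|device" -> open challenge
	owner   map[string]string            // device identifier -> bound manager
}

func NewServer() *Server {
	return &Server{map[string]ed25519.PublicKey{}, map[string][]byte{}, map[string]string{}}
}

// Register is S502/S503: refuse an occupied identifier or public key.
func (s *Server) Register(id string, pub ed25519.PublicKey) error {
	if _, ok := s.pubKeys[id]; ok {
		return errors.New("device identifier occupied")
	}
	for _, k := range s.pubKeys {
		if k.Equal(pub) {
			return errors.New("public key occupied")
		}
	}
	s.pubKeys[id] = pub
	return nil
}

// Challenge is S505/S506: fresh random data to be proved for each control request.
func (s *Server) Challenge(manager, id string) ([]byte, error) {
	if _, ok := s.pubKeys[id]; !ok {
		return nil, errors.New("unknown device identifier")
	}
	if _, ok := s.owner[id]; ok {
		return nil, errors.New("device already bound")
	}
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	s.pending[manager+"|"+id] = c
	return c, nil
}

// bindMessage domain-separates the signed bytes from anything else the key signs.
func bindMessage(id string, challenge []byte) []byte {
	return append([]byte("bind-v1|"+id+"|"), challenge...)
}

// Bind is S508/S509: verify the proof with the stored public key, then bind.
func (s *Server) Bind(manager, id string, proof []byte) error {
	key := manager + "|" + id
	c, ok := s.pending[key]
	if !ok {
		return errors.New("no open challenge")
	}
	delete(s.pending, key) // single use: a captured proof cannot be replayed
	if !ed25519.Verify(s.pubKeys[id], bindMessage(id, c), proof) {
		return errors.New("proof rejected")
	}
	s.owner[id] = manager
	return nil
}

type Beacon struct { // identifier and private key written in S504
	ID   string
	priv ed25519.PrivateKey
}

// Prove is S507, with an Ed25519 signature as the proof data (not a zk-SNARK).
func (b *Beacon) Prove(challenge []byte) []byte {
	return ed25519.Sign(b.priv, bindMessage(b.ID, challenge))
}

// Provision is S501-S504: the server only ever receives the public half.
func Provision(s *Server, id string) (*Beacon, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	if err := s.Register(id, pub); err != nil {
		return nil, err
	}
	return &Beacon{id, priv}, nil
}

func main() {
	s := NewServer()
	b, _ := Provision(s, "beacon-0001") // constructed identifier
	c, _ := s.Challenge("manager-A", b.ID)
	fmt.Println("bind error:", s.Bind("manager-A", b.ID, b.Prove(c)))
}
```

A failed verification consumes the challenge, so the management device has to issue a new control request before another proof is accepted.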

[0205] Secondly, the process of managing the beacon device 402 after it is bound to the management device 401, connecting the beacon device 402 to the crowdsourced positioning network, and controlling the beacon device 402 is described.

[0206] Please see Figure 6, which is a flowchart illustrating a network device management method according to an embodiment of this application. As shown in Figure 6, the network device management method includes at least steps S601 to S610, which are described in detail below:

[0207] In step S601, the beacon device acquires the current time information and the confidential information, and calculates a dynamic identifier from the current time information and the confidential information.

[0208] In step S602, the beacon device signs the dynamic identifier based on the private key to obtain the signature data of the dynamic identifier.

[0209] In step S603, the beacon device acquires additional information and encrypts the additional information to obtain encrypted additional information.

[0210] Optionally, the additional information includes at least one of the beacon device's public key and device identifier.

[0211] Alternatively, the beacon device may not acquire additional information; instead, the management device may directly send the hash information of the beacon device for the dynamic identifier to the server to match the corresponding location report.

[0212] In step S604, the beacon device generates broadcast information based on the dynamic identifier, the signature data of the dynamic identifier, and the encrypted additional information, and broadcasts the broadcast information.

[0213] Optionally, the beacon device can broadcast via a Bluetooth channel so that nearby discovery devices can detect it.

[0214] Step S605: The discovery device parses the broadcast information and obtains the dynamic identifier, the signature data of the dynamic identifier, and the encrypted additional information contained therein.

[0215] Step S606: The discovery device obtains the current location information and sends the signature data of the dynamic identifier, the encrypted additional information, the hash information of the dynamic identifier, and the location information to the server.

[0216] In step S607, the server verifies the signature data based on the beacon device's public key.

[0217] Optionally, if the additional information includes the beacon device's public key, the server verifies the signature data based on the beacon device's public key; if the additional information includes a device identifier, the server obtains the beacon device's public key based on a preset mapping relationship between the device identifier and the public key, and verifies the signature data based on the beacon device's public key.

[0218] In step S608, if the server verifies the signature data and it passes the verification, it obtains the location report that matches the beacon device and sends the location report to the management device.

[0219] In step S609, the server detects whether the dynamic identifier broadcast by the beacon device has changed within a preset broadcast period based on the hash information of the dynamic identifier, obtains the change status of the dynamic identifier, and determines the detection result based on the change status of the dynamic identifier.

[0220] Optionally, if the dynamic identifier changes, the security score of the beacon device is determined to be the first score; if the dynamic identifier does not change, the security score of the beacon device is determined to be the second score; wherein the first score is less than the second score; in this case, the security score of the beacon device is taken as the detection result.

[0221] Optionally, because the server works from the hash information of the dynamic identifier, it can determine whether the beacon device has changed the dynamic identifier within a preset broadcast period without knowing the specific content of the dynamic identifier, thus providing higher security.

[0222] In step S610, the server can detect the location change distance of the beacon device within a preset time period based on the location information, and determine the detection result based on the relationship between the location change distance and the preset distance threshold.

[0223] Optionally, if the distance of the position change is greater than a preset distance threshold, the security score of the beacon device is determined to be the third score; if the distance of the position change is less than or equal to the preset distance threshold, the security score of the beacon device is determined to be the fourth score; wherein the third score is less than the fourth score; in this case, the security score of the beacon device is taken as the detection result.

[0224] It should be noted that steps S607 to S608, S609 and S610 can be executed in any interactive order or in parallel.

[0225] Optionally, the specific implementation process of steps S601 to S610 can be found in the technical solution of the foregoing embodiment, and will not be repeated here.

[0226] In this embodiment, the server detects the network behavior of beacon devices in the crowdsourced positioning network. Based on the detection results, the server can adjust the positioning function of the beacon devices in the crowdsourced positioning network in real time, which is more flexible and provides more comprehensive control over the beacon devices in the crowdsourced positioning network.
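Steps S601 to S608 and the hash-based lookup of paragraphs [0141] to [0142], as an added Go example that is not code from the patent. Assumptions, none of them specified in the text: the dynamic identifier is HMAC-SHA256 over a 900-second time slot, the beacon signs the SHA-256 hash of the identifier so that the server can verify without seeing the identifier itself, and the additional information is encrypted with AES-GCM under a key shared by beacon and server; all type and function names are hypothetical.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

const period = 900 // assumed broadcast period in seconds

// DynamicID is S601; HMAC-SHA256 over the time slot is an assumption.
func DynamicID(secret []byte, unix int64) []byte {
	var slot [8]byte
	binary.BigEndian.PutUint64(slot[:], uint64(unix/period))
	mac := hmac.New(sha256.New, secret)
	mac.Write(slot[:])
	return mac.Sum(nil)
}

// HashOf is the only form of the identifier that reaches the server.
func HashOf(dyn []byte) [32]byte { return sha256.Sum256(dyn) }

// NewAEAD builds AES-GCM from a key assumed to be shared by beacon and server.
func NewAEAD(key []byte) (cipher.AEAD, error) {
	blk, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(blk)
}

type Broadcast struct{ DynID, Sig, EncExtra []byte } // frame of S604

type Report struct { // what the discovery device forwards in S606
	IDHash        [32]byte
	Sig, EncExtra []byte
	Location      string
}

// MakeBroadcast is S601-S604. Assumptions: the beacon signs SHA-256(dynamic ID) so
// the server can verify from the hash alone, and the hash is GCM associated data.
func MakeBroadcast(priv ed25519.PrivateKey, secret []byte, aead cipher.AEAD, deviceID string, unix int64) (Broadcast, error) {
	dyn := DynamicID(secret, unix)
	h := HashOf(dyn)
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Broadcast{}, err
	}
	enc := aead.Seal(nonce, nonce, []byte(deviceID), h[:]) // nonce || ciphertext
	return Broadcast{dyn, ed25519.Sign(priv, h[:]), enc}, nil
}

// Discover is S605/S606: the discovery device forwards the hash, not the identifier.
func Discover(b Broadcast, location string) Report {
	return Report{HashOf(b.DynID), b.Sig, b.EncExtra, location}
}

// Server holds public keys only, plus verified reports indexed by identifier hash.
type Server struct {
	aead    cipher.AEAD
	pubKeys map[string]ed25519.PublicKey
	reports map[[32]byte][]string
}

// Accept is S607/S608: decrypt the device identifier, map it to the public key, verify.
func (s *Server) Accept(r Report) error {
	n := s.aead.NonceSize()
	if len(r.EncExtra) < n {
		return errors.New("additional information too short")
	}
	id, err := s.aead.Open(nil, r.EncExtra[:n], r.EncExtra[n:], r.IDHash[:])
	if err != nil {
		return errors.New("additional information rejected")
	}
	pub, ok := s.pubKeys[string(id)]
	if !ok || !ed25519.Verify(pub, r.IDHash[:], r.Sig) {
		return errors.New("signature rejected")
	}
	s.reports[r.IDHash] = append(s.reports[r.IDHash], r.Location)
	return nil
}

// Lookup serves the management device, which recomputes the identifier and sends its hash.
func (s *Server) Lookup(idHash [32]byte) []string { return s.reports[idHash] }

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	secret := []byte("constructed confidential information")
	aead, _ := NewAEAD(make([]byte, 32)) // constructed all-zero demo key
	s := &Server{aead, map[string]ed25519.PublicKey{"beacon-0001": pub}, map[[32]byte][]string{}}
	b, _ := MakeBroadcast(priv, secret, aead, "beacon-0001", 1700000000)
	fmt.Println(s.Accept(Discover(b, "22.54,114.06")), s.Lookup(HashOf(DynamicID(secret, 1700000000))))
}
```

Because the identifier hash is bound into the ciphertext as associated data, encrypted additional information captured in one broadcast period fails to decrypt when attached to a report for another period.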

[0227] Figure 7 is a block diagram illustrating a network device control apparatus according to an embodiment of this application. As shown in Figure 7, the network device control apparatus is configured in the server and includes:

[0228] The first receiving module 701 is configured to receive a control request sent by a first network device located in the crowdsourced positioning network, wherein the control request carries a device identifier that needs to be bound to the first network device;

[0229] The acquisition and transmission module 702 is configured to acquire the data to be proved based on a control request, and send the data to be proved to a second network device that matches the device identifier, so that the second network device can prove the data to be proved based on its own private key and generate proof data.

[0230] The receiving and generating module 703 is configured to receive the proof data sent by the second network device and verify the proof data based on the public key of the second network device.

[0231] The binding and management module 704 is configured to bind the second network device to the first network device if the verification of the proof data passes, so that the second network device can access the crowdsourced positioning network and manage the second network device accessing the crowdsourced positioning network.

[0232] In one embodiment of this application, the binding and management module 704 includes:

[0233] The detection module is configured to detect the behavior status of the second network device in the crowdsourced positioning network if the second network device is connected to the crowdsourced positioning network, and obtain the detection result.

[0234] The control module is configured to manage the positioning function of the second network device in the crowdsourced positioning network based on the detection results.

[0235] In one embodiment of this application, the detection module includes:

[0236] The first detection unit is configured to detect whether the dynamic identifier broadcast by the second network device changes within a preset broadcast period, and obtain the change status of the dynamic identifier;

[0237] The first determining unit is configured to determine the detection result based on changes in the dynamic identifier.

[0238] In one embodiment of this application, the second network device is further configured to broadcast a dynamic identifier, which changes periodically; the first determining unit is specifically configured as follows:

[0239] If the dynamic identifier changes, the security score of the second network device is determined to be the first score;

[0240] If the dynamic identifier remains unchanged, the security score of the second network device is determined to be the second score; wherein the first score is less than the second score.

[0241] The security score of the second network device is used as the detection result.

[0242] In one embodiment of this application, the detection module includes:

[0243] The second detection unit is configured to detect the distance of the position change of the second network device within a preset time period;

[0244] The second determining unit is configured to determine the detection result based on the relationship between the distance of position change and a preset distance threshold.

[0245] In one embodiment of this application, the second determining unit is specifically configured as follows:

[0246] If the distance of the location change is greater than the preset distance threshold, the security score of the second network device is determined to be the third score;

[0247] If the distance of the location change is less than or equal to a preset distance threshold, the security score of the second network device is determined to be the fourth score; where the third score is less than the fourth score.

[0248] The security score of the second network device is used as the detection result.

[0249] In one embodiment of this application, the second detection unit is specifically configured as follows:

[0250] Receive multiple location information of the second network device within a preset time period sent by the third network device;

[0251] The location change distance of the second network device within a preset time period is determined based on multiple location information.

[0252] In one embodiment of this application, the detection result includes the security score of the second network device; the control module is specifically configured as follows:

[0253] If the detection result indicates that the security score of the second network device is less than or equal to the first preset score threshold, then the positioning function of the second network device in the crowdsourced positioning network is disabled.

[0254] If the detection result indicates that the security score of the second network device is greater than the first preset score threshold and less than or equal to the second preset score threshold, then the accuracy of the positioning function of the second network device in the crowdsourced positioning network will be reduced.

[0255] In one embodiment of this application, the apparatus further includes:

[0256] The first receiving module 701 is further configured to receive signature data of the second network device for the dynamic identifier forwarded by the third network device;

[0257] The verification module is configured to verify the signature data based on the public key of the second network device;

[0258] The acquisition and transmission module 702 is further configured to acquire a location report matching the second network device and send the location report to the first network device if the signature data verification passes; wherein the location report is used to characterize the location change of the second network device.

[0259] In one embodiment of this application, the verification module is specifically configured as follows:

[0260] Receive additional information from the second network device forwarded by the third network device;

[0261] If the additional information includes the public key of the second network device, the signature data is verified based on the public key of the second network device.

[0262] If the additional information includes a device identifier, the public key of the second network device is obtained based on the preset device identifier and public key mapping relationship, and the signature data is verified based on the public key of the second network device.

[0263] In one embodiment of this application,

[0264] The first receiving module 701 is further configured to receive hash information of the second network device for the dynamic identifier sent by the first network device located in the crowdsourced positioning network;

[0265] The acquisition and transmission module 702 is further configured to acquire a location report matching the second network device based on hash information and send the location report to the first network device; wherein the location report is used to characterize the location change of the second network device.

[0266] In one embodiment of this application, the apparatus further includes:

[0267] The receiving and detection module is configured to receive the device identifier and public key of the second network device forwarded by the fourth network device, and to detect whether the device identifier and public key are occupied.

[0268] The generation and sending module is configured to generate a write command and send the write command to the fourth network device if neither is occupied, so that the fourth network device writes the device identifier and the private key matching the public key into the second network device according to the write command.

[0269] Figure 8 is a block diagram illustrating a network device control apparatus according to an embodiment of this application. As shown in Figure 8, the network device control apparatus is configured in the generator of the proof data and includes:

[0270] The second receiving module 801 is configured to receive the data to be proved sent by the server. The data to be proved is sent by the server after it receives a control request from the first network device located in the crowdsourced positioning network.

[0271] The generation module 802 is configured to prove the data to be proved based on the private key and generate proof data.

[0272] The sending module 803 is configured to send the proof data to the server so that the server can verify the proof data based on the public key of the proof data generator, and bind the proof data generator to the first network device when the proof data verification is successful, and manage the proof data generator after the proof data generator accesses the crowdsourced positioning network.

[0273] In one embodiment of this application, the generation module 802 is specifically configured as follows:

[0274] Obtain a zero-knowledge proof algorithm;

[0275] Based on the private key, a zero-knowledge proof algorithm is used to prove the data to be proved, generating proof data.

[0276] In one embodiment of this application, the apparatus further includes:

[0277] The acquisition module is configured to acquire current time information and confidential information, wherein the confidential information is determined by the data generator and the first network device.

[0278] The calculation module is configured to calculate the current time information and confidential information to obtain a dynamic identifier;

[0279] The signature module is configured to sign the dynamic identifier based on the private key to obtain the signature data of the dynamic identifier;

[0280] The broadcast module is configured to generate and broadcast broadcast information based on a dynamic identifier and its signature data.

[0281] In one embodiment of this application, the signature module is specifically configured as follows:

[0282] Obtain additional information and encrypt it to obtain encrypted additional information; wherein, the additional information includes at least one of the public key of the second network device and the device identifier;

[0283] Broadcast information is generated based on the dynamic identifier, the signature data of the dynamic identifier, and the encrypted additional information.
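
The device-side modules in [0277] to [0283], together with the server-side signature check and owner-side lookup described in claims 7 to 9, sketched as an added Go example that is not code from the patent. HMAC-SHA256, Ed25519, the 15-minute rotation period and all function names are assumptions, since the page names no algorithms; the encryption of the additional information is omitted.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"time"
)

// Assumed broadcast period; the page only says the identifier changes periodically.
const rotation = 15 * time.Minute

// Broadcast carries the dynamic identifier and its signature. DeviceID stands in
// for the page's "additional information" (encrypted there, left plain here).
type Broadcast struct {
	DeviceID  string
	DynamicID []byte
	Signature []byte
}

// DynamicID derives the rotating identifier from the time window and the secret
// shared by the beacon and its owner (HMAC-SHA256 is an assumption).
func DynamicID(secret []byte, now time.Time) []byte {
	var window [8]byte
	binary.BigEndian.PutUint64(window[:], uint64(now.Unix()/int64(rotation/time.Second)))
	mac := hmac.New(sha256.New, secret)
	mac.Write(window[:])
	return mac.Sum(nil)[:16]
}

// NewBroadcast is the beacon side: derive the identifier, sign it with the private key.
func NewBroadcast(id string, priv ed25519.PrivateKey, secret []byte, now time.Time) Broadcast {
	dyn := DynamicID(secret, now)
	return Broadcast{DeviceID: id, DynamicID: dyn, Signature: ed25519.Sign(priv, dyn)}
}

// ServerVerify maps the device identifier to its registered public key and checks
// the signature. The server never holds the private key or the shared secret.
func ServerVerify(registry map[string]ed25519.PublicKey, b Broadcast) bool {
	pub, ok := registry[b.DeviceID]
	return ok && ed25519.Verify(pub, b.DynamicID, b.Signature)
}

// OwnerMatches recomputes the identifier for the current window. The signature has
// no timestamp, so this comparison is what rejects identifiers from earlier windows.
func OwnerMatches(secret []byte, b Broadcast, now time.Time) bool {
	return hmac.Equal(DynamicID(secret, now), b.DynamicID)
}

// LookupHash is the hash of the dynamic identifier the owner sends to fetch reports.
func LookupHash(secret []byte, now time.Time) string {
	sum := sha256.Sum256(DynamicID(secret, now))
	return hex.EncodeToString(sum[:])
}

// DemoFixture builds constructed sample keys and a constructed shared secret.
func DemoFixture() (map[string]ed25519.PublicKey, ed25519.PrivateKey, []byte) {
	seed := sha256.Sum256([]byte("constructed demo seed"))
	priv := ed25519.NewKeyFromSeed(seed[:])
	pub := priv.Public().(ed25519.PublicKey)
	return map[string]ed25519.PublicKey{"beacon-001": pub}, priv, []byte("constructed shared secret")
}

func main() {
	registry, priv, secret := DemoFixture()
	t0 := time.Unix(1700000000, 0)
	b := NewBroadcast("beacon-001", priv, secret, t0)
	fmt.Println("server accepts signature:", ServerVerify(registry, b))
	fmt.Println("owner match, same window:", OwnerMatches(secret, b, t0.Add(time.Minute)))
	fmt.Println("owner match, next window:", OwnerMatches(secret, b, t0.Add(rotation)))
}
```

Because the signature covers only the dynamic identifier, freshness in this sketch comes from the time-derived identifier itself, not from the signature.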

[0284] It should be noted that the apparatus provided in the foregoing embodiments and the method provided in the foregoing embodiments belong to the same concept, and the specific ways in which each module and unit performs operations have been described in detail in the method embodiments, and will not be repeated here.

[0285] Embodiments of this application also provide an electronic device, including: one or more processors; and a storage device for storing one or more programs, which, when executed by one or more processors, enable the electronic device to implement the aforementioned network device control method.

[0286] Figure 9 is a schematic diagram of the structure of a computer system suitable for implementing the electronic device of the embodiments of this application.

[0287] It should be noted that the computer system 900 of the electronic device shown in Figure 9 is merely an example and should not impose any limitation on the functionality and scope of use of the embodiments of this application.

[0288] As shown in Figure 9, the computer system 900 includes a Central Processing Unit (CPU) 901, which can perform various appropriate actions and processes, such as executing the methods described in the above embodiments, based on programs stored in Read-Only Memory (ROM) 902 or programs loaded from storage section 908 into Random Access Memory (RAM) 903. The RAM 903 also stores various programs and data required for system operation. The CPU 901, ROM 902, and RAM 903 are interconnected via a bus 904. An Input/Output (I/O) interface 905 is also connected to the bus 904.

[0289] The following components are connected to I/O interface 905: an input section 906 including a keyboard, mouse, etc.; an output section 907 including a cathode ray tube (CRT), liquid crystal display (LCD), etc., and speakers, etc.; a storage section 908 including a hard disk, etc.; and a communication section 909 including a network interface card such as a LAN (Local Area Network) card, modem, etc. The communication section 909 performs communication processing via a network such as the Internet. A drive 910 is also connected to I/O interface 905 as needed. Removable media 911, such as a disk, optical disk, magneto-optical disk, semiconductor memory, etc., are installed on drive 910 as needed so that computer programs read from them can be installed into storage section 908 as needed.

[0290] Specifically, according to embodiments of this application, the processes described above with reference to the flowcharts can be implemented as computer software programs. For example, embodiments of this application include a computer program product comprising a computer program carried on a computer-readable medium, the computer program including a computer program for performing the methods shown in the flowcharts. In such embodiments, the computer program can be downloaded and installed from a network via communication section 909, and/or installed from removable medium 911. When the computer program is executed by central processing unit (CPU) 901, it performs various functions defined in the system of this application.

[0291] It should be noted that the computer-readable medium shown in the embodiments of this application can be a computer-readable signal medium or a computer-readable storage medium, or any combination of the two. A computer-readable storage medium can be, for example, an electrical, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination thereof. More specific examples of a computer-readable storage medium may include, but are not limited to: an electrical connection having one or more wires, a portable computer disk, a hard disk, random access memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM), flash memory, optical fiber, portable compact disc read-only memory (CD-ROM), optical storage device, magnetic storage device, or any suitable combination thereof. In this application, a computer-readable storage medium can be any tangible medium containing or storing a program that can be used by or in conjunction with an instruction execution system, apparatus, or device. In this application, a computer-readable signal medium can include a data signal propagated in baseband or as part of a carrier wave, carrying a computer-readable computer program. The transmitted data signal can take various forms, including but not limited to electromagnetic signals, optical signals, or any suitable combination thereof. The computer-readable signal medium can also be any computer-readable medium other than a computer-readable storage medium, which can send, propagate, or transmit a program for use by or in connection with an instruction execution system, apparatus, or device. The computer program contained on the computer-readable medium can be transmitted using any suitable medium, including but not limited to wireless, wired, etc., or any suitable combination thereof.

[0292] The flowcharts and block diagrams in the accompanying drawings illustrate the architecture, functionality, and operation of possible implementations of systems, methods, and computer program products according to various embodiments of this application. Each block in a flowchart or block diagram may represent a module, segment, or portion of code, which contains one or more executable instructions for implementing a specified logical function. It should also be noted that in some alternative implementations, the functions indicated in the blocks may occur in a different order than those indicated in the drawings. For example, two consecutively indicated blocks may actually be executed substantially in parallel, and they may sometimes be executed in reverse order, depending on the functions involved. It should also be noted that each block in a block diagram or flowchart, and combinations of blocks in a block diagram or flowchart, may be implemented using a dedicated hardware-based system that performs the specified function or operation, or using a combination of dedicated hardware and computer instructions.

[0293] The units described in the embodiments of this application can be implemented in software or hardware, and the described units can also be located in a processor. The names of these units do not necessarily limit the specific unit itself.

[0294] Another aspect of this application provides a computer-readable storage medium storing a computer program that, when executed by a processor, implements the aforementioned network device control method. This computer-readable storage medium may be included in the electronic device described in the above embodiments, or it may exist independently without being incorporated into the electronic device.

[0295] Another aspect of this application provides a computer program product or computer program including computer instructions stored in a computer-readable storage medium. A processor of a computer device reads the computer instructions from the computer-readable storage medium and executes the computer instructions, causing the computer device to perform the network device control method provided in the various embodiments described above.

[0296] The above description is merely a preferred exemplary embodiment of this application and is not intended to limit the implementation of this application. Those skilled in the art can easily make corresponding modifications or alterations based on the main concept and spirit of this application. Therefore, the scope of protection of this application should be determined by the scope of protection claimed in the claims.

Claims

1. A method for controlling network devices, characterized in that, The method includes: Receive a control request sent by a first network device located in a crowdsourced location network, wherein the control request carries a device identifier that needs to be bound to the first network device; Based on the control request, the data to be proved is obtained, and the data to be proved is sent to a second network device that matches the device identifier, so that the second network device can prove the data to be proved based on its own private key and generate proof data; Receive the proof data sent by the second network device, and verify the proof data based on the public key of the second network device; If the verification of the proof data passes, the second network device will be bound to the first network device so that the second network device can access the crowdsourced positioning network. The behavior state of the second network device in the crowdsourced positioning network is detected to obtain a detection result, which includes the security score of the second network device. If the security score of the second network device is less than or equal to the first preset score threshold, then the positioning function of the second network device in the crowdsourced positioning network is disabled. If the security score of the second network device is greater than the first preset score threshold and less than or equal to the second preset score threshold, the accuracy of the positioning function of the second network device in the crowdsourced positioning network will be reduced.

2. The method as described in claim 1, characterized in that, The second network device is also used to broadcast dynamic identifiers, which change periodically; the step of detecting the behavioral state of the second network device in the crowdsourced positioning network and obtaining detection results includes: Detect whether the dynamic identifier broadcast by the second network device changes within a preset broadcast period, and obtain the change status of the dynamic identifier; The detection result is determined based on the changes in the dynamic identifier.

3. The method as described in claim 2, characterized in that, Determining the detection result based on the changes in the dynamic identifier includes: If the dynamic identifier changes, the security score of the second network device is determined to be the first score; If the dynamic identifier does not change, the security score of the second network device is determined to be the second score; wherein the first score is less than the second score; The security score of the second network device is used as the detection result.

4. The method as described in claim 1, characterized in that, The step of detecting the behavior state of the second network device in the crowdsourced positioning network and obtaining the detection result includes: Detect the distance of the location change of the second network device within a preset time period; The detection result is determined based on the relationship between the distance of the position change and the preset distance threshold.

5. The method as described in claim 4, characterized in that, The determination of the detection result based on the relationship between the location change distance and a preset distance threshold includes: If the distance of the location change is greater than the preset distance threshold, then the security score of the second network device is determined to be the third score; If the distance of the location change is less than or equal to the preset distance threshold, then the security score of the second network device is determined to be the fourth score; wherein the third score is less than the fourth score; The security score of the second network device is used as the detection result.

6. The method as described in claim 4, characterized in that, The detection of the distance of the location change of the second network device within a preset time period includes: Receive multiple location information of the second network device within the preset time period sent by the third network device; The location change distance of the second network device within the preset time period is determined based on the multiple location information.

7. The method according to any one of claims 1 to 6, characterized in that, After binding the second network device to the first network device, the method further includes: Receive the signature data of the second network device for the dynamic identifier forwarded by the third network device; The signature data is verified based on the public key of the second network device; If the signature data is verified, a location report matching the second network device is obtained and sent to the first network device; wherein the location report is used to characterize the location change of the second network device.

8. The method as described in claim 7, characterized in that, The verification of the signature data based on the public key includes: Receive additional information from the second network device forwarded by the third network device; If the additional information includes the public key of the second network device, then the signature data is verified based on the public key of the second network device; If the additional information includes the device identifier, the public key of the second network device is obtained based on the preset device identifier and public key mapping relationship, and the signature data is verified based on the public key of the second network device.

9. The method according to any one of claims 1 to 6, characterized in that, After binding the second network device to the first network device, the method further includes: Receive the hash information of the dynamic identifier sent by the second network device from the first network device; Based on the hash information, a location report matching the second network device is obtained, and the location report is sent to the first network device; wherein, the location report is used to characterize the location change of the second network device.

10. The method according to any one of claims 1 to 6, characterized in that, Before receiving the control request sent by the first network device located in the crowdsourced location network, the method further includes: Receive the device identifier and public key corresponding to the second network device forwarded by the fourth network device, and detect whether the device identifier and the public key are occupied; If none of them are occupied, a write instruction is generated and sent to the fourth network device, so that the fourth network device writes the device identifier and the private key matching the public key into the second network device according to the write instruction.

11. A method for controlling network devices, characterized in that the method includes: Receive data to be verified sent by the server, wherein the data to be verified is sent by the server after receiving a control request from a first network device located in the crowdsourced positioning network. The data to be proved is proved based on the private key, and proof data is generated. The proof data is sent to the server, which verifies the proof data based on the public key of the second network device. Upon successful verification, the server binds the second network device to the first network device. After the second network device accesses the crowdsourced location network, the server detects its behavior within the network and obtains a detection result, including a security score for the second network device. If the security score is less than or equal to a first preset threshold, the device's location function in the crowdsourced location network is disabled. If the security score is greater than the first preset threshold and less than or equal to a second preset threshold, the accuracy of the device's location function in the crowdsourced location network is reduced.

12. The method as described in claim 11, characterized in that, The step of proving the data to be proven based on the private key to generate proof data includes: Obtain zero-knowledge proof algorithms; Based on the private key, the data to be proved is proved using a zero-knowledge proof algorithm to generate the proof data.

13. The method as described in claim 11 or 12, characterized in that, After sending the proof data to the server, the method further includes: Obtain current time information and confidential information, wherein the confidential information is determined by the second network device and the first network device; A dynamic identifier is obtained by calculating the current time information and the confidential information; The dynamic identifier is signed based on the private key to obtain the signature data of the dynamic identifier; Based on the dynamic identifier and its signature data, a broadcast message is generated and broadcast.

14. The method as described in claim 13, characterized in that, The step of generating broadcast information based on the dynamic identifier and its signature data includes: Obtain additional information and encrypt the additional information to obtain encrypted additional information; wherein, the additional information includes at least one of the public key of the second network device and the device identifier; The broadcast information is generated based on the dynamic identifier, the signature data of the dynamic identifier, and the encrypted additional information.

15. A control device for network equipment, characterized in that, Configured on a server, the device includes: The first receiving module is configured to receive a control request sent by a first network device located in a crowdsourced positioning network, wherein the control request carries a device identifier that needs to be bound to the first network device. The acquisition and transmission module is configured to acquire the data to be proved based on the control request, and send the data to be proved to a second network device that matches the device identifier, so that the second network device can prove the data to be proved based on its own private key and generate proof data; The receiving and generating module is configured to receive the proof data sent by the second network device and verify the proof data based on the public key of the second network device; The binding and control module is configured to bind the second network device to the first network device if the verification of the proof data passes, so that the second network device can access the crowdsourced positioning network; detect the behavior status of the second network device in the crowdsourced positioning network and obtain a detection result, the detection result including the security score of the second network device; if the security score of the second network device is less than or equal to a first preset score threshold, disable the positioning function of the second network device in the crowdsourced positioning network; if the security score of the second network device is greater than the first preset score threshold and less than or equal to a second preset score threshold, reduce the accuracy of the positioning function of the second network device in the crowdsourced positioning network.

16. A control device for network equipment, characterized in that, A second network device configured to provide proof data, the device comprising: The second receiving module is configured to receive data to be verified sent by the server. The data to be verified is sent by the server after receiving a control request from a first network device located in the crowdsourced positioning network. The generation module is configured to prove the data to be proved based on the private key and generate proof data; The sending module is configured to send the proof data to the server, so that the server verifies the proof data based on the public key of the second network device, and binds the second network device to the first network device when the proof data passes verification. After the second network device accesses the crowdsourced location network, the module detects the behavior status of the second network device in the crowdsourced location network and obtains a detection result, which includes a security score for the second network device. If the security score of the second network device is less than or equal to a first preset score threshold, the positioning function of the second network device in the crowdsourced location network is disabled. If the security score of the second network device is greater than the first preset score threshold and less than or equal to a second preset score threshold, the accuracy of the positioning function of the second network device in the crowdsourced location network is reduced.

17. An electronic device, characterized in that it includes: one or more processors; and a storage device for storing one or more programs, which, when executed by the one or more processors, cause the electronic device to implement the control method for a network device as described in any one of claims 1 to 14.

18. A computer-readable medium having a computer program stored thereon, characterized in that, When the computer program is executed by the processor, it implements the network device control method as described in any one of claims 1 to 14.

19. A computer program product comprising computer instructions, characterized in that, When the computer instructions are executed by the processor, they implement the network device control method as described in any one of claims 1 to 14.