Document contents
Chapter 01 — Introduction
Chapter 02 — Architecture
Chapter 03 — Cryptographic Primitives
Chapter 04 — Secure Channel
Chapter 05 — Commissioning
Chapter 06 — Device Attestation
Chapter 07 — Data Model
Chapter 08 — Interaction Model
Chapter 09 — System Model
Chapter 10 — Interaction Encoding
Chapter 11 — Device Management
Chapter 12 — Multiple Fabrics
Chapter 13 — Security Requirements
Key terms:
ACL - Access Control List
CA - Certificate Authority
CASE - Certificate Authenticated Session Establishment. Established after commissioning, when communicating with the device.
DAC - Device Attestation Certificate; unique to each device, provisioned at the factory.
IPK - Identity Protection Key (a Universal Group key shared across a Fabric)
NOC - Node Operational Certificate
PAA - Product Attestation Authority
PAI - Product Attestation Intermediate
PAKE - Password-Authenticated Key Exchange (from SPAKE2+)
PASE - Passcode-Authenticated Session Establishment. The PASE process is started after the BLE connection and verifies the pincode.
Key concepts:
Fabric - A logical collection of communicating Nodes, sharing a common root of trust, and a common distributed configuration state.
A logical collection of multiple devices that share a root of trust and a distributed configuration state. I understand it as the notion of a domain.
Cluster - A specification defining one or more attributes, commands, behaviors and dependencies, that supports an independent utility or application function. The term may also be used for an implementation or instance of such a specification on an endpoint.
I understand it as a function set that defines attributes, commands, behaviors and dependencies.
Client - A Cluster interface that typically sends commands that manipulate the attributes on the corresponding server cluster. A client cluster communicates with a corresponding remote server cluster with the same cluster identifier.
An interface of a Cluster, which typically sends commands or manipulates attributes on the corresponding server cluster. It communicates with a Server that has the same cluster identifier.
Server - A Cluster interface that typically supports all or most of the attributes of the Cluster. A Server Cluster communicates with a corresponding remote Client Cluster with the same Cluster identifier.
An interface of a Cluster, which typically supports all or most of the attributes of that cluster. It communicates with a Client that has the same cluster identifier.
Binding - A persistent attachment between an instance on one Node to one-or-more corresponding instances on another (or the same) Node.
A persistent connection from one node to one or more corresponding instances on another (or the same) node.
Commission - To bring a Node into a Fabric.
Bring a Node into a Fabric.
Commissioner - A Role of a Node that performs Commissioning.
The role that performs Commissioning.
Commissionee - An entity that is being Commissioned to become a Node.
The entity that is being Commissioned to become a Node.
Commissioning - Sequence of operations to bring a Node into a Fabric by assigning an Operational Node ID and Node Operational credentials.
The sequence of operations that brings a Node into a Fabric by assigning an Operational Node ID and Node Operational credentials (NOC).
Controller - A Role of a Node that has permissions to enable it to control one or more Nodes.
Can control one or more Nodes.
Controlee - A Role of a Node that has permissions defined to enable it to be controlled by one or more Nodes.
A Node with permissions defined so that it can be controlled by one or more Nodes.
Device - A piece of equipment containing one or more Nodes.
Equipment containing one or more Nodes.
Endpoint - A particular component within a Node that is individually addressable.
A component within a Node that is individually addressable.
For example, a light fixture with several bulbs, each with its own on/off attribute, defines each bulb as a different endpoint.
Also, the basic clusters of most devices live on endpoint 0, for example BasicInfo and ACL.
Conformance keywords:
MAY - flexibility, optional
SHALL - mandatory
SHOULD - recommended
Application layering
Application Layer: focuses on higher-level business logic, for example the on/off and color logic of a light.
Data Model: the data model layer, containing the data and action elements; applications use these data interfaces to interact with devices. It defines standardized data.
For example:
- Light
-- 1. basic
---- 1.1. basicInfo
---- 1.2. access control
---- 1.3. network management
---- 1.4. OTA
-- 2. Endpoint1
---- 2.1. OnOff cluster
---- 2.2. Level cluster
---- 2.3. Color cluster
-- 3. Endpoint2
---- 3.1. OnOff cluster
---- 3.2. Level cluster
Interaction Model: the interaction model layer, defining the interaction between Client and Server, for example a client reading or writing attributes on the corresponding server. (Endpoint: attributes, commands, events)
Action Framing: takes the actions of the interaction layer and serializes them into binary for transmission (and deserializes them on receipt).
Security Layer: encrypts the frame from the previous step and appends an authentication code (serialized, encrypted, and signed). PASE, CASE, AES-CCM (104-bit nonce, 128-bit key, 128-bit MIC tag).
Message Framing + Routing: builds a payload with the required and optional header fields (sequence number, message type), specifying the message's attributes and logical routing information (choosing among the underlying connections to send a message to a given Node; broadcast messages for device discovery; multicast; message fragmentation).
IP Framing + Transport Management: the transport layer; TCP or the reliable transport protocol implemented by Matter itself.
IPv6 over Ethernet, IPv6 over BLE, Thread.
Other important concepts:
CASE - see Section 4.13.2, "Certificate Authenticated Session Establishment". A session based on authenticated certificates, used for communication with the device after commissioning; it uses X.509 certificates (secp256r1) that are installed on the device during commissioning.
PASE - see Section 4.13.1, "Passcode-Authenticated Session Establishment". A passcode-based session,
used during device commissioning; it uses the SPAKE2+ algorithm, and the passcode comes from scanning a code or from manual entry by the user (see QR Code or Pairing Code).
Group Communication - see Section 4.14
Fabric ID - a 64-bit number that uniquely identifies a Fabric within the scope of a particular root CA; conceptually the full fabric identity consists of the public key of the root certificate authority together with the Fabric ID.
Fabric ID 0 is reserved and must not be used as a fabric identifier.
A Vendor Identifier (Vendor ID or VID) is a 16-bit number.
Group Identifier (GID) - a 16-bit number that identifies a group of nodes within a fabric at the message layer.
A Node Identifier (Node ID) is a 64-bit number.
Range | Type
---|---
0xFFFF_FFFF_FFFF_xxxx | Group Node ID
0xFFFF_FFFF_0000_0000 to 0xFFFF_FFFF_FFFE_FFFF | Reserved for future use
0xFFFF_FFFE_xxxx_xxxx | Temporary Local Node ID
0xFFFF_FFFD_xxxx_xxxx | CASE Authenticated Tag
0xFFFF_FFFC_xxxx_xxxx to 0xFFFF_FFFC_FFFF_FFFF | Reserved for future use
0xFFFF_FFFB_xxxx_xxxx | PAKE key identifiers
0xFFFF_FFF0_0000_0000 to 0xFFFF_FFFA_FFFF_FFFF | Reserved for future use
0x0000_0000_0000_0001 to 0xFFFF_FFEF_FFFF_FFFF | Operational Node ID
0x0000_0000_0000_0000 | Unspecified Node ID
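An added example, not part of these notes: a classifier for the Node ID allocation table above. It maps a 64-bit value to its allocation type, checks whether an ID falls in the Operational Node ID range (the only range a node's operational identity should use), and pulls the 16-bit Group ID out of a Group Node ID (the `xxxx` in `0xFFFF_FFFF_FFFF_xxxx`). Range bounds are taken from the table as written; the function names are this example's own.

```python
# Added example: classify a 64-bit Matter Node ID using the allocation table
# in the notes. Each wildcard "xxxx" in the table is expanded to its full
# 0000..FFFF span; the ranges are contiguous and cover the whole 64-bit space.

NODE_ID_MAX = 0xFFFF_FFFF_FFFF_FFFF

# (low, high, allocation type), in the order the table lists them.
NODE_ID_ALLOCATIONS = [
    (0xFFFF_FFFF_FFFF_0000, 0xFFFF_FFFF_FFFF_FFFF, "Group Node ID"),
    (0xFFFF_FFFF_0000_0000, 0xFFFF_FFFF_FFFE_FFFF, "Reserved for future use"),
    (0xFFFF_FFFE_0000_0000, 0xFFFF_FFFE_FFFF_FFFF, "Temporary Local Node ID"),
    (0xFFFF_FFFD_0000_0000, 0xFFFF_FFFD_FFFF_FFFF, "CASE Authenticated Tag"),
    (0xFFFF_FFFC_0000_0000, 0xFFFF_FFFC_FFFF_FFFF, "Reserved for future use"),
    (0xFFFF_FFFB_0000_0000, 0xFFFF_FFFB_FFFF_FFFF, "PAKE key identifiers"),
    (0xFFFF_FFF0_0000_0000, 0xFFFF_FFFA_FFFF_FFFF, "Reserved for future use"),
    (0x0000_0000_0000_0001, 0xFFFF_FFEF_FFFF_FFFF, "Operational Node ID"),
    (0x0000_0000_0000_0000, 0x0000_0000_0000_0000, "Unspecified Node ID"),
]


def classify_node_id(node_id: int) -> str:
    """Return the allocation type for node_id; reject values outside 64 bits."""
    if not 0 <= node_id <= NODE_ID_MAX:
        raise ValueError(f"node id outside 64-bit range: {node_id:#x}")
    for low, high, kind in NODE_ID_ALLOCATIONS:
        if low <= node_id <= high:
            return kind
    raise AssertionError("allocation table left a gap in the 64-bit space")


def is_operational_node_id(node_id: int) -> bool:
    """True only for IDs in the Operational Node ID range of the table."""
    return classify_node_id(node_id) == "Operational Node ID"


def group_id_from_node_id(node_id: int) -> int:
    """Low 16 bits of a Group Node ID: the 'xxxx' in 0xFFFF_FFFF_FFFF_xxxx."""
    if classify_node_id(node_id) != "Group Node ID":
        raise ValueError(f"not a Group Node ID: {node_id:#x}")
    return node_id & 0xFFFF


if __name__ == "__main__":
    # Constructed sample values, one per interesting allocation.
    for nid in (0x0000_0000_0000_0001, 0xFFFF_FFFF_FFFF_0102,
                0xFFFF_FFFD_0001_0002, 0xFFFF_FFFB_0000_0000, 0):
        print(f"{nid:#018x}: {classify_node_id(nid)}")
```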
2.5.6 IPv6 addressing
Unicast addresses: a global unicast address (GUA), a link-local address (LLA), or a unique local address (ULA).
1. Discover the device (by discriminator)
Discovery channels:
BLE beacon: 0xFFF6
Wi-Fi: 4A:19:1B
IP: DNS-SD: _matterd.udp/tcp
2. Establish the commissioning channel
3. Establish PASE using the passcode
A 128-bit session key is negotiated via SPAKE2+.
4. All subsequent messages are encrypted (with the keys produced by PASE); the session has Administer privilege.
5. Obtain the fail-safe timer from the commissionee
6. Configure UTC time, time zone, etc.
7. Obtain the certificates from the device and perform device attestation.
The PAA (the certificate-issuing authority) is obtained from the DCL (distributed ledger).
8. Perform the CSR exchange
9. Install the NOC (operational certificate) on the device
10. Configure the ACL on the device
11. Configure the network
12. Trigger the commissionee to join the network
The commissioning steps are now complete; the following steps are carried out between the Administrator and the Commissionee (the Administrator may also be the Commissioner).
Subsequent message transmission goes over the configured network:
1. Discover the device on the network via DNS-SD
2. Secure the session via CASE
3. Subsequent messages are encrypted with the keys produced by CASE
4. Confirm the commissioning-success message with the device
Commissioning is complete.
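An added illustration, not code from these notes or from any Matter implementation: a toy commissionee that models what the fail-safe timer from step 5 buys you. The NOC, ACL and network configuration written in steps 9 to 11 are held as provisional state; only the final commissioning-success confirmation commits them, and if the timer expires first they are discarded, so an interrupted or abandoned commissioning leaves no half-installed credentials behind. The class, method names and the injected clock are this example's own, not the spec's command names.

```python
# Added example: fail-safe semantics of commissioning, modelled as a toy.
# Provisioning writes are only accepted while the fail-safe is armed, land in
# a pending set, and are committed atomically by commissioning_complete().
# Times are plain floats passed in by the caller so the behaviour is testable.

class ToyCommissionee:
    PROVISIONABLE = ("noc", "acl", "network")

    def __init__(self) -> None:
        self.committed = {k: None for k in self.PROVISIONABLE}
        self.pending: dict = {}
        self.fail_safe_expiry = None  # None: fail-safe not armed

    def arm_fail_safe(self, now: float, seconds: float) -> None:
        """Step 5: start the window in which provisioning writes are allowed."""
        self.fail_safe_expiry = now + seconds
        self.pending = {}

    def expire_if_due(self, now: float) -> bool:
        """Drop all provisional state once the timer has run out."""
        if self.fail_safe_expiry is not None and now >= self.fail_safe_expiry:
            self.pending = {}
            self.fail_safe_expiry = None
            return True
        return False

    def stage(self, now: float, key: str, value: str) -> None:
        """Steps 9-11: NOC, ACL and network config are staged, not committed."""
        self.expire_if_due(now)
        if self.fail_safe_expiry is None:
            raise PermissionError("fail-safe not armed: provisioning write refused")
        if key not in self.PROVISIONABLE:
            raise KeyError(key)
        self.pending[key] = value

    def commissioning_complete(self, now: float) -> bool:
        """Final confirmation: commit pending state; False if the timer expired."""
        if self.expire_if_due(now) or self.fail_safe_expiry is None:
            return False
        self.committed.update(self.pending)
        self.pending = {}
        self.fail_safe_expiry = None
        return True
```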