CN112073414B - Industrial Internet equipment secure access method, device, equipment and storage medium - Google Patents

Publication number
CN112073414B
Authority
CN
China
Prior art keywords
equipment
identifier
user
comparison
identification
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202010936063.3A
Other languages
Chinese (zh)
Other versions
CN112073414A (en)
Inventor
杨珂
王栋
玄佳兴
王合建
秦日臻
韩少勤
陈帅
薛真
张磊
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Guowang Xiongan Finance Technology Group Co ltd
State Grid Blockchain Technology Beijing Co ltd
State Grid Digital Technology Holdings Co ltd
Original Assignee
Guowang Xiongan Finance Technology Group Co ltd
State Grid Blockchain Technology Beijing Co ltd
State Grid E Commerce Co Ltd
Application filed by Guowang Xiongan Finance Technology Group Co ltd, State Grid Blockchain Technology Beijing Co ltd, State Grid E Commerce Co Ltd
Priority to CN202010936063.3A
Publication of CN112073414A
Application granted
Publication of CN112073414B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00 Pattern recognition
    • G06F18/20 Analysing
    • G06F18/21 Design or setup of recognition systems or techniques; Extraction of features in feature space; Blind source separation
    • G06F18/214 Generating training patterns; Bootstrap methods, e.g. bagging or boosting
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/45 Structures or tools for the administration of authentication
    • G06F21/46 Structures or tools for the administration of authentication by designing passwords or checking the strength of passwords
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/083 Network architectures or network communication protocols for network security for authentication of entities using passwords
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/12 Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks

Abstract

The embodiments of the present application disclose a method, apparatus, device and storage medium for the secure access of industrial internet devices. The method includes: obtaining an evidence-storage credential, a first device identifier and a first user identifier; obtaining the binding relationship corresponding to the evidence-storage credential; performing a first comparison on the first device identifier against the second device identifier in the binding relationship; performing a second comparison on the first user identifier against the second user identifier in the binding relationship; and determining, from the results of the first comparison and the second comparison, whether the user corresponding to the first user identifier is qualified to use the device corresponding to the first device identifier. In this way the processing device performs double authentication of the user and the device through the binding relationship between device and user, which avoids to a certain extent the problem of the device being stolen and improves the security of authentication.

Description

Industrial Internet equipment secure access method, device, equipment and storage medium
Technical Field
The present application relates to the field of internet authentication, and in particular, to a method, an apparatus, a device, and a storage medium for secure access to an industrial internet device.
Background
With the development of network technology, the internet is increasingly applied to various fields of modern life.
Among them, the industrial internet is one of the important application modes of internet technology in the industrial field. Through the industrial internet, technicians in the relevant fields can manage the devices connected to it, making industrial management more convenient and simpler.
However, existing industrial internet authentication methods cannot accurately monitor the use of devices connected to the internet, so the devices are easily stolen and the security of authentication is poor.
Disclosure of Invention
To solve this technical problem, the present application provides a method, apparatus, device and storage medium for the secure access of industrial internet devices, whereby a processing device performs double authentication of the user and the device through the binding relationship between device and user, avoiding to a certain extent the problem of the device being stolen and improving the security of authentication.
The embodiment of the application discloses the following technical scheme:
In a first aspect, an embodiment of the present application provides a secure access method for an industrial internet device, where the method includes:
obtaining an evidence-storage credential, a first device identifier and a first user identifier;
obtaining the binding relationship corresponding to the evidence-storage credential;
performing a first comparison on the first device identifier according to the second device identifier in the binding relationship;
performing a second comparison on the first user identifier according to the second user identifier in the binding relationship;
and determining, according to the results of the first comparison and the second comparison, whether the user corresponding to the first user identifier is qualified to use the device corresponding to the first device identifier.
Optionally, the method further includes:
obtaining a first public key corresponding to the first device identifier;
and the obtaining of the binding relationship corresponding to the evidence-storage credential includes:
obtaining encrypted information corresponding to the evidence-storage credential, the encrypted information being obtained by encrypting the binding relationship with a first private key corresponding to the second device identifier;
decrypting the encrypted information with the first public key;
if the decryption fails, terminating the authentication;
and if the decryption succeeds, obtaining the binding relationship corresponding to the evidence-storage credential.
Optionally, the obtaining of the evidence-storage credential, the first device identifier and the first user identifier includes:
obtaining the evidence-storage credential, the first device identifier and the first user identifier encrypted with a second public key;
decrypting the encrypted evidence-storage credential, first device identifier and first user identifier with the second private key corresponding to the second public key;
if the decryption fails, terminating the authentication;
and if the decryption succeeds, obtaining the evidence-storage credential, the first device identifier and the first user identifier.
Optionally, the determining, according to the results of the first comparison and the second comparison, whether the user corresponding to the first user identifier is qualified to use the device corresponding to the first device identifier includes:
if both the first comparison and the second comparison pass, the user corresponding to the first user identifier is qualified to use the device corresponding to the first device identifier;
if either the first comparison or the second comparison fails, the user corresponding to the first user identifier is not qualified to use the device corresponding to the first device identifier.
Optionally, the method further includes:
obtaining a device type corresponding to the first device identifier;
determining, according to the device type, a device security state model corresponding to the first device identifier;
obtaining first historical behavior data corresponding to the first device identifier;
determining, according to the first historical behavior data and the device security state model, a first device security state corresponding to the first device identifier;
and determining, according to the first device security state, whether the device corresponding to the first device identifier can pass authentication.
Optionally, the device security state model is obtained as follows:
taking second historical behavior data corresponding to the device type as training samples and the second device security state corresponding to the device type as training labels, and training to obtain the device security state model corresponding to the device type.
Optionally, the determining, according to the first device security state, whether the device corresponding to the first device identifier can pass authentication includes:
determining, according to the first device security state, the device access authority corresponding to the first device identifier;
and determining, according to the device access authority, whether the device corresponding to the first device identifier can pass authentication.
Optionally, the method further includes:
storing the results of the first comparison and the second comparison.
Optionally, the device identifier is generated from any one or a combination of several kinds of information such as the device name, device model, device serial number, manufacturer and factory date.
Optionally, the user identifier is generated from any one or a combination of several kinds of information such as the user account, user name and user contact number.
Optionally, before the obtaining of the evidence-storage credential, the first device identifier and the first user identifier, the method further includes:
registering the first device identifier and the first user identifier;
generating a verification device identifier corresponding to the first device identifier and a verification user identifier corresponding to the first user identifier;
storing the verification device identifier and the verification user identifier;
and obtaining a first storage address corresponding to the verification device identifier and a second storage address corresponding to the verification user identifier.
Optionally, before the obtaining of the binding relationship corresponding to the evidence-storage credential, the method further includes:
obtaining the first storage address and the second storage address;
obtaining the verification device identifier according to the first storage address;
obtaining the verification user identifier according to the second storage address;
performing a first check on the first device identifier according to the verification device identifier;
performing a second check on the first user identifier according to the verification user identifier;
and if both the first check and the second check pass, performing the subsequent steps.
Optionally, the method is implemented based on a blockchain.
In a second aspect, an embodiment of the present application provides a secure access apparatus for an industrial internet device, where the apparatus includes a first obtaining unit, a second obtaining unit, a first comparing unit, a second comparing unit and a first judging unit:
the first obtaining unit is configured to obtain an evidence-storage credential, a first device identifier and a first user identifier;
the second obtaining unit is configured to obtain the binding relationship corresponding to the evidence-storage credential;
the first comparing unit is configured to perform a first comparison on the first device identifier according to the second device identifier in the binding relationship;
the second comparing unit is configured to perform a second comparison on the first user identifier according to the second user identifier in the binding relationship;
and the first judging unit is configured to determine, according to the results of the first comparison and the second comparison, whether the user corresponding to the first user identifier is qualified to use the device corresponding to the first device identifier.
Optionally, the apparatus further includes a third obtaining unit:
the third obtaining unit is configured to obtain a first public key corresponding to the first device identifier;
and the second obtaining unit is specifically configured to:
obtain encrypted information corresponding to the evidence-storage credential, the encrypted information being obtained by encrypting the binding relationship with a first private key corresponding to the second device identifier;
decrypt the encrypted information with the first public key;
if the decryption fails, terminate the authentication;
and if the decryption succeeds, obtain the binding relationship corresponding to the evidence-storage credential.
Optionally, the first obtaining unit is specifically configured to:
obtain the evidence-storage credential, the first device identifier and the first user identifier encrypted with a second public key;
decrypt the encrypted evidence-storage credential, first device identifier and first user identifier with the second private key corresponding to the second public key;
if the decryption fails, terminate the authentication;
and if the decryption succeeds, obtain the evidence-storage credential, the first device identifier and the first user identifier.
Optionally, the first judging unit is specifically configured to:
if both the first comparison and the second comparison pass, determine that the user corresponding to the first user identifier is qualified to use the device corresponding to the first device identifier;
if either the first comparison or the second comparison fails, determine that the user corresponding to the first user identifier is not qualified to use the device corresponding to the first device identifier.
Optionally, the apparatus further includes a fourth obtaining unit, a first determining unit, a fifth obtaining unit, a second determining unit and a second judging unit:
the fourth obtaining unit is configured to obtain a device type corresponding to the first device identifier;
the first determining unit is configured to determine, according to the device type, a device security state model corresponding to the first device identifier;
the fifth obtaining unit is configured to obtain first historical behavior data corresponding to the first device identifier;
the second determining unit is configured to determine, according to the first historical behavior data and the device security state model, a first device security state corresponding to the first device identifier;
and the second judging unit is configured to determine, according to the first device security state, whether the device corresponding to the first device identifier can pass authentication.
Optionally, the device security state model is obtained as follows:
taking second historical behavior data corresponding to the device type as training samples and the second device security state corresponding to the device type as training labels, and training to obtain the device security state model corresponding to the device type.
Optionally, the second judging unit is specifically configured to:
determine, according to the first device security state, the device access authority corresponding to the first device identifier;
and determine, according to the device access authority, whether the device corresponding to the first device identifier can pass authentication.
Optionally, the apparatus further includes a first storage unit:
the first storage unit is configured to store the results of the first comparison and the second comparison.
Optionally, the device identifier is generated from any one or a combination of several kinds of information such as the device name, device model, device serial number, manufacturer and factory date.
Optionally, the user identifier is generated from any one or a combination of several kinds of information such as the user account, user name and user contact number.
Optionally, the apparatus further includes a registration unit, a generating unit, a second storage unit and a sixth obtaining unit:
the registration unit is configured to register the first device identifier and the first user identifier;
the generating unit is configured to generate a verification device identifier corresponding to the first device identifier and a verification user identifier corresponding to the first user identifier;
the second storage unit is configured to store the verification device identifier and the verification user identifier;
and the sixth obtaining unit is configured to obtain a first storage address corresponding to the verification device identifier and a second storage address corresponding to the verification user identifier.
Optionally, the apparatus further includes a seventh obtaining unit, an eighth obtaining unit, a first checking unit, a second checking unit and an executing unit:
the seventh obtaining unit is configured to obtain the first storage address and the second storage address;
the eighth obtaining unit is configured to obtain the verification device identifier according to the first storage address and the verification user identifier according to the second storage address;
the first checking unit is configured to perform a first check on the first device identifier according to the verification device identifier;
the second checking unit is configured to perform a second check on the first user identifier according to the verification user identifier;
and the executing unit is configured to perform the subsequent steps if both the first check and the second check pass.
Optionally, the apparatus is implemented based on a blockchain.
In a third aspect, an embodiment of the present application provides a device for authentication, where the device includes a processor and a memory:
the memory is configured to store program code and transmit the program code to the processor;
and the processor is configured to execute the secure access method for an industrial internet device according to the instructions in the program code.
In a fourth aspect, the present application provides a computer-readable storage medium for storing a computer program that executes the secure access method for an industrial internet device of the first aspect.
It can be seen from the above technical solution that the processing device obtains the evidence-storage credential corresponding to the authentication, determines the corresponding binding relationship through the evidence-storage credential, and compares the obtained device identifier and user identifier with the device identifier and user identifier in the binding relationship. It can thereby determine whether the user corresponding to the user identifier is qualified to use the device corresponding to the device identifier, which avoids to a certain extent the device being stolen and improves the security of authentication.
Drawings
To illustrate the embodiments of the present application or the technical solutions in the prior art more clearly, the drawings needed in the description of the embodiments or the prior art are briefly introduced below. The following drawings show only some embodiments of the present application; those skilled in the art can obtain other drawings from them without inventive effort.
Fig. 1 is a flowchart of a secure access method for an industrial internet device according to an embodiment of the present application;
Fig. 2a is a block diagram of a secure access apparatus for an industrial internet device according to an embodiment of the present application;
Fig. 2b is a block diagram of a secure access apparatus for an industrial internet device according to an embodiment of the present application;
Fig. 2c is a block diagram of a secure access apparatus for an industrial internet device according to an embodiment of the present application;
Fig. 2d is a block diagram of a secure access apparatus for an industrial internet device according to an embodiment of the present application;
Fig. 3 is a block diagram of a device for secure access to an industrial internet device according to an embodiment of the present application;
Fig. 4 is a block diagram of a server according to an embodiment of the present application.
Detailed Description
Embodiments of the present application are described below with reference to the accompanying drawings.
The industrial internet is a development trend in the current industrial field, and its security has been a major subject of study for the technical personnel involved. In the related art, authentication on the industrial internet only authenticates the device connecting to the industrial internet and does not authenticate the user using the device, so the device may end up being used by someone other than the worker assigned to it; that is, the device may be stolen. When a device is stolen, a series of problems such as leakage of industrial information and malicious damage to the industrial chain can follow.
To solve this technical problem, the present application provides a method for the secure access of industrial internet devices, whereby a processing device performs double authentication of the user and the device through the binding relationship between device and user, avoiding to a certain extent the problem of the device being stolen and improving the security of authentication.
It is understood that the method may be applied to a processing device having an authentication function, for example a terminal device or a server with an authentication function. The method may be executed by the terminal device or the server independently, or applied in a network scenario where the terminal device and the server communicate and executed by the two in cooperation. The terminal device may be a computer, a Personal Digital Assistant (PDA), a tablet computer or the like. The server may be an application server or a Web server and, in actual deployment, an independent server or a server cluster. As to the hardware environment, the technology has been implemented on ARM architecture processors and x86 architecture processors; as to the software environment, it has been implemented on the Android platform and on Windows XP or Linux operating systems.
Example one
Next, a method for the secure access of an industrial internet device according to an embodiment of the present application is described with reference to the accompanying drawings.
Referring to Fig. 1, Fig. 1 is a flowchart of a method for the secure access of an industrial internet device according to an embodiment of the present application, where the method includes:
S101: obtain an evidence-storage credential, a first device identifier and a first user identifier.
In the operation of the industrial internet, when a user wants to use a device connected to it, the processing device may receive an authentication request sent by the user through that device. To authenticate the user of the device, the processing device determines whether the user corresponding to the first user identifier is a user who may use the device corresponding to the first device identifier.
The processing device first needs to obtain the first user identifier, the first device identifier and the evidence-storage credential corresponding to this authentication. The first user identifier is the user identifier of the user who triggered the authentication, the first device identifier is the device identifier of the device the user wants to use, and the evidence-storage credential is the evidence-storage credential corresponding to the first user identifier. Through the evidence-storage credential, the processing device can determine the binding relationship corresponding to this authentication from among the pre-stored binding relationships.
It can be understood that, to prevent a discrepancy between the information obtained by the processing device and the information actually sent by the device caused by a data anomaly during acquisition, in one possible implementation the evidence-storage credential, the first device identifier and the first user identifier may be encrypted with a second public key before being sent to the processing device. The second public key may be of various kinds, for example the public key corresponding to the processing device.
The processing device obtains the evidence-storage credential, the first device identifier and the first user identifier encrypted with the second public key, and then decrypts them with the second private key corresponding to the second public key. The processing device may respond differently depending on the decryption result. For example, if the decryption fails, an anomaly occurred during transmission and the information is in error, and the processing device may terminate the authentication for the security of the industrial internet; if the decryption succeeds, the evidence-storage credential, the first device identifier and the first user identifier are obtained for the subsequent authentication.
S102: obtain the binding relationship corresponding to the evidence-storage credential.
After obtaining the evidence-storage credential, the processing device may obtain the corresponding binding relationship from it; the binding relationship identifies the device bound to the user and is used to authenticate whether the user may use the device. It can be understood that, to make the authentication more efficient, in one possible implementation the binding relationship is encrypted when stored with the first private key corresponding to the second device identifier of that binding relationship, yielding the encrypted information corresponding to the binding relationship. The processing device may obtain the first public key corresponding to the first device identifier, then obtain the encrypted information corresponding to the evidence-storage credential and decrypt it with the first public key.
If the decryption fails, this directly indicates that the first device identifier and the second device identifier are different device identifiers, that is, the device identifier bound to the first user identifier is not the first device identifier, and the processing device may terminate the authentication at once; if the decryption succeeds, the processing device obtains the binding relationship corresponding to the evidence-storage credential and proceeds with the next authentication step.
S203: perform a first comparison on the first device identifier according to the second device identifier in the binding relationship.
After obtaining the binding relationship, the processing device may compare the obtained device identifier and user identifier against it. The processing device determines the second device identifier and the second user identifier corresponding to the binding relationship, where the second device identifier and the second user identifier are the bound identifiers. By comparing whether the second device identifier is the same as the first device identifier, the processing device determines whether the first device identifier passes the comparison.
S204: perform a second comparison on the first user identifier according to the second user identifier in the binding relationship.
Similarly, the processing device may compare whether the first user identifier is the same as the second user identifier of the binding relationship, so as to determine whether the first user identifier passes the comparison.
S205: determine, according to the results of the first comparison and the second comparison, whether the user corresponding to the first user identifier is qualified to use the device corresponding to the first device identifier.
After the processing device performs the first comparison and the second comparison, their results are obtained. The first comparison result shows whether the first device identifier and the second device identifier are the same, and the second comparison result shows whether the first user identifier and the second user identifier are the same.
It will be appreciated that the processing device may respond differently to the authentication based on the comparison results. For example, in one possible implementation, if both the first comparison and the second comparison pass, the first user identifier and the first device identifier have a binding relationship, and the processing device may determine that the user corresponding to the first user identifier is qualified to use the device corresponding to the first device identifier; if either the first comparison or the second comparison fails, the first user identifier and the first device identifier have no binding relationship, that is, the user has stolen the device. In that case the processing device may determine that the user corresponding to the first user identifier is not qualified to use the device corresponding to the first device identifier.
According to the technical scheme, the processing equipment can obtain the certificate of deposit corresponding to the authentication, then the corresponding binding relationship is determined through the certificate of deposit, and the obtained equipment identification and the obtained user identification are compared through the corresponding equipment identification and the user identification in the binding relationship, so that whether the user corresponding to the user identification has the qualification for using the equipment corresponding to the equipment identification can be determined, the condition that the equipment is stolen is avoided to a certain extent, and the authentication safety is improved.
In addition to authenticating the user, the processing device may also authenticate the device security state of the device in order to further improve the security of the authentication. The device security state measures whether the current state of the device is safe. In one possible implementation, the processing device may obtain the device type of the device corresponding to the first device identifier and then determine, according to the device type, a device security state model for that device, where the device security state model is used to determine the device security state of devices of that type. The processing device may obtain first historical behavior data of the device corresponding to the first device identifier, where the historical behavior data reflects how the device has been used over a historical period. The processing device may then determine the first device security state of the device corresponding to the first device identifier according to the first historical behavior data and the device security state model, and determine whether that device can pass authentication according to the first device security state.
In addition, the processing device may periodically perform a security check on the device corresponding to the first device identifier through the device security state model, so as to dynamically adjust the device security state of the device and further improve the security of the authentication.
The device security state model may be generated in various ways. In one possible implementation, the processing device may use the second historical behavior data corresponding to the device type as training samples and the second device security state corresponding to the device type as training labels to obtain the device security state model corresponding to the device type. The second historical behavior data is the historical behavior data of all devices of the device type, and the second device security state is the device security state of all devices of the device type. The processing device may perform the model training by machine learning or similar means to obtain the corresponding device security state model.
The historical behavior data may also include a variety of data types. In one possible implementation, the historical behavior data includes login location information, login time information, and access behavior information. During model training, the processing device may train separately on these three types of information.
For the login location information, the security state levels corresponding to different login locations in the historical behavior data can be marked manually. The most common login location is marked as 1, indicating that the device has higher safety when it logs in from that location; an occasionally used login location is marked as 0, indicating that the safety of the device is general when it logs in from that location; and all remaining login locations are marked as -1, indicating that the device has poor safety when it logs in from them.
After the marking is finished, the processing device uses the login location information as training samples and the marked security state levels as training labels. During training, the geographic distance between login locations may be used as the classification metric, so that the device security state model can judge the security state level of login location information according to the geographic distance of the login location.
For the login time information, the security state levels corresponding to different login times in the historical behavior data can be marked manually. The most common login time is marked as 1, indicating that the device has higher safety when it logs in at that time; an occasionally used login time is marked as 0, indicating that the safety of the device is general when it logs in at that time; and all remaining login times are marked as -1, indicating that the device has poor safety when it logs in at them.
After the marking is finished, the processing device uses the login time information as training samples and the marked security state levels as training labels. During training, the time interval between login times may be used as the classification metric, so that the device security state model can judge the security state level of login time information according to the time interval of the login time.
For the access behavior information, the security state levels corresponding to different access behaviors in the historical behavior data can be marked manually. Access to the most commonly used functions is marked as 1, indicating that the device has higher safety when it performs that access behavior; a small number of accesses to infrequently used functions is marked as 0, indicating that the safety of the device is general when it performs that access behavior; and frequent access to infrequently used functions, or access to unauthorized functions, is marked as -1, indicating that the device has poor safety when it performs that access behavior.
After the marking is finished, the processing device uses the access behavior information as training samples and the marked security state levels as training labels. During training, the accessed function and the access frequency are used as the classification metrics, so that the device security state model can judge the security state level of access behavior information according to the accessed function and the access frequency.
When the device security state model is used to determine the security state, the processing device may determine the final security state level of the device by integrating the security state levels of the three types of information. For example, the possible judgment results are as follows (each triple gives the three security state levels):
The device state is high security: (1, 1, 1);
The device state is secure: (1, 1, 0), (1, 0, 1), (1, 0, 0), (0, 1, 1), (0, 1, 0), (0, 0, 1), (0, 0, 0);
The device state is abnormal: (-1, 1, 1), (-1, 1, 0), (-1, 0, 1), (-1, 0, 0), (1, -1, 1), (1, -1, 0), (0, -1, 1), (0, -1, 0), (1, 1, -1), (1, 0, -1), (0, 1, -1), (0, 0, -1);
The device state is a severe anomaly: (-1, -1, -1), (0, -1, -1), (-1, -1, 0), (-1, 1, -1), (-1, 0, -1).
The manner of determining whether the device can pass authentication according to its security state may also vary. In one possible implementation, to further improve the security of the authentication, the processing device may set different device access rights for different device security states; for example, when the device security state is high, the processing device may grant the device higher access rights. On this basis, the processing device may determine the device access rights corresponding to the first device identifier according to the first device security state, and then judge, according to those device access rights, whether the device corresponding to the first device identifier passes authentication.
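The integration rule above, together with stand-ins for the three per-dimension classifiers, as an added Go example that is not part of the patent. The patent trains models on manually marked data; this example instead derives each level from how common the current login location, login hour, or accessed function is in the device's history (an assumption standing in for the trained model, not the patent's method). `Integrate` applies the rule visible in the enumeration (all three levels 1 is high security, no -1 is secure, exactly one -1 is abnormal, two or more -1 is a severe anomaly); under that rule the two triples with two -1 values that the list does not mention, (1, -1, -1) and (-1, -1, 1), also fall under severe anomaly. `PassesAuthentication` is one possible access-right mapping and is this example's choice. All names, the `maxRare` threshold, the authorized-function set and the sample history are constructed.

```go
package main

import "fmt"

// SecurityLevel is the page's per-dimension label: 1 higher safety, 0 general safety, -1 poor safety.
type SecurityLevel int

// DeviceState is the integrated state over the three dimensions.
type DeviceState string

const (
	HighSecurity  DeviceState = "high security"
	Secure        DeviceState = "secure"
	Abnormal      DeviceState = "abnormal"
	SevereAnomaly DeviceState = "severe anomaly"
)

// Event is one constructed historical record: login location, login hour, accessed function.
type Event struct {
	Location string
	Hour     int
	Function string
}

func byLocation(e Event) string { return e.Location }
func byHour(e Event) string     { return fmt.Sprint(e.Hour) }
func byFunction(e Event) string { return e.Function }

// frequencyLevel stands in for the page's trained classifier (this example's assumption):
// the most common historical value scores 1, an occasional one 0, an unseen one -1.
func frequencyLevel(history []Event, key func(Event) string, value string) SecurityLevel {
	counts, top := map[string]int{}, 0
	for _, e := range history {
		counts[key(e)]++
		if counts[key(e)] > top {
			top = counts[key(e)]
		}
	}
	switch c := counts[value]; {
	case c == 0:
		return -1
	case c == top:
		return 1
	}
	return 0
}

func LocationLevel(h []Event, loc string) SecurityLevel { return frequencyLevel(h, byLocation, loc) }
func TimeLevel(h []Event, hour int) SecurityLevel      { return frequencyLevel(h, byHour, fmt.Sprint(hour)) }

// AccessLevel grades one session: an unauthorized function scores -1, as does more than
// maxRare accesses to a function that is infrequent in the history; a few accesses to an
// infrequent function score 0; the most common function scores 1. The session's level is the minimum.
func AccessLevel(history []Event, session []string, authorized map[string]bool, maxRare int) SecurityLevel {
	seen, level := map[string]int{}, SecurityLevel(1)
	for _, fn := range session {
		seen[fn]++
		l := SecurityLevel(0)
		switch rare := frequencyLevel(history, byFunction, fn) < 1; {
		case !authorized[fn], rare && seen[fn] > maxRare:
			l = -1
		case !rare:
			l = 1
		}
		if l < level {
			level = l
		}
	}
	return level
}

// Integrate applies the rule behind the page's enumeration: all three 1 is high security, no -1 is
// secure, exactly one -1 is abnormal, two or more -1 is a severe anomaly (the page lists five of those seven).
func Integrate(location, tm, access SecurityLevel) DeviceState {
	negatives, sum := 0, 0
	for _, l := range []SecurityLevel{location, tm, access} {
		sum += int(l)
		if l < 0 {
			negatives++
		}
	}
	if sum == 3 {
		return HighSecurity
	}
	return []DeviceState{Secure, Abnormal, SevereAnomaly, SevereAnomaly}[negatives]
}

// PassesAuthentication is this example's access-right mapping; the page leaves the rights per state open.
func PassesAuthentication(s DeviceState) bool { return s == HighSecurity || s == Secure }

func main() {
	history := []Event{{"plant-a", 8, "read_telemetry"}, {"plant-a", 9, "read_telemetry"}, {"plant-a", 8, "read_telemetry"}, {"plant-b", 20, "export_report"}} // constructed
	authorized := map[string]bool{"read_telemetry": true, "export_report": true}
	state := Integrate(LocationLevel(history, "plant-b"), TimeLevel(history, 3),
		AccessLevel(history, []string{"firmware_update"}, authorized, 2))
	fmt.Println(state, PassesAuthentication(state)) // severe anomaly false
}
```

The `main` run above grades an occasional location (0), an unseen login hour (-1) and an unauthorized function (-1), which the rule integrates to a severe anomaly. Replacing `frequencyLevel` with the output of a model trained as the page describes leaves `Integrate` and the decision unchanged.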
In addition, in order to track the usage of the device and allow relevant personnel to monitor and analyze its state in time, in one possible implementation the processing device may store the comparison results of the first comparison and the second comparison after obtaining them, so that the usage of the device can be determined from the comparison results and the security of the device and of the industrial internet can be further protected and analyzed.
To make the method for secure access of an industrial internet device more flexible, the device identifier and the user identifier may also be generated in various ways. In one possible implementation, the device identifier is generated from any one or a combination of the device name, device model, device serial number, manufacturer, factory date, and the like, and the user identifier is generated from any one or a combination of the user account number, user name, user contact number, and the like.
In addition, to further improve the accuracy of the authentication, the processing device may perform the authentication in combination with a registration process for the device identifier and the user identifier. In one possible implementation, the processing device first registers the first device identifier and the first user identifier for the device and the user. The registration process may take various forms; in this embodiment it may be performed based on the SM9 cryptographic algorithm.
To verify the registered identifiers, the processing device may generate a verification device identifier corresponding to the first device identifier and a verification user identifier corresponding to the first user identifier, which are used to verify the first device identifier and the first user identifier. For example, the verification device identifier and the verification user identifier may be identical to the first device identifier and the first user identifier, or may be feature identifiers generated from them.
The processing device then stores the verification device identifier and the verification user identifier, for example in a blockchain. So that the verification identifiers can be retrieved during later verification, the processing device obtains a first storage address corresponding to the verification device identifier and a second storage address corresponding to the verification user identifier.
During verification, before obtaining the binding relationship corresponding to the credential, the processing device may first obtain the first storage address and the second storage address, then obtain the verification device identifier from the first storage address and the verification user identifier from the second storage address.
The processing device performs a first check on the first device identifier using the verification device identifier, and a second check on the first user identifier using the verification user identifier. Each check has two stages. First, the processing device determines whether a verification device identifier exists at the first storage address: if so, the device corresponding to the first device identifier is a registered device; if not, the device has not been registered and the first check fails. Then the processing device determines whether the device identifier corresponding to the verification device identifier is the first device identifier: if so, the first device identifier passes the first check; if not, the first check fails.
Similarly, the processing device determines whether a verification user identifier exists at the second storage address: if so, the user is a registered user; if not, the user has not been registered and the second check fails. Then the processing device determines whether the user identifier corresponding to the verification user identifier is the first user identifier: if so, the first user identifier passes the second check; if not, the second check fails.
In addition, to further improve the security of the information and prevent it from being tampered with, when storing the verification identifiers the processing device may also encrypt them with a private key of the SM9 cryptographic algorithm. When retrieving a verification identifier, the processing device must first decrypt it with the corresponding SM9 public key, and the verification identifier is obtained only if the decryption succeeds.
To further ensure security during information transfer, the processing device may also encrypt the storage addresses. For example, before a storage address is obtained, it may be encrypted with a second public key to obtain the encrypted information of the storage address. The second public key may vary; for example, when the processing device is an authentication server, the second public key may be the public key of the authentication server.
After obtaining the encrypted information of the storage address, the processing device decrypts it with the second private key corresponding to the second public key to obtain the decrypted storage address. It should also be noted that the method provided by the embodiments of the present application can be performed under various architectures. For example, to improve the security of the access, in one possible implementation the method may be implemented based on a blockchain: information such as the binding relationship can be stored in the blockchain, so that the tamper-resistance of blockchain data improves the security of the information.
Example two
Next, the method for secure access of an industrial internet device provided by the embodiment of the present application is described in combination with an actual application scenario. In this scenario, the processing device is an authentication server. When the device to be authenticated accesses the industrial internet, the identifier resolution system of the industrial internet generates the device identifier of the device from information such as its device name, device model, and device serial number, and sends the device identifier to the device to be authenticated for storage.
During network access, the device to be authenticated also sends the usable user information to the identifier resolution system, which generates the user identifier of the user. The authentication server then establishes the binding relationship between the user identifier and the device identifier, encrypts the user identifier and device identifier with the private key of the device to be authenticated, and stores the encrypted result in the server.
Information may be stored in the server in the form of hash values.
When a user wants to use the device to be authenticated, the device encrypts the user identifier of the user, the credential corresponding to the user identifier, and its own device identifier with the public key of the authentication server, and sends the result to the authentication server. The authentication server decrypts it with its own private key, retrieves the corresponding encrypted information from the information it stores according to the credential, and decrypts that with the public key of the device to be authenticated to obtain the corresponding binding relationship.
The authentication server compares the obtained user identifier and device identifier with the user identifier and device identifier in the binding relationship. If both match, the user is the user bound to the device and is qualified to use it; if either does not match, the user is not the user bound to the device and is not qualified to use it.
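The flow of this scenario, together with the binding-relationship check of S202 to S205 above, as an added Go example that is not part of the patent. The device seals its request (credential, device identifier, user identifier) to the authentication server's RSA public key with RSA-OAEP; the server decrypts it, looks the binding up under the SHA-256 hash of the credential (the page stores information as hash values), checks the stored binding against the public key of the device named in the request, and runs the first and second comparisons. The page's "encrypt with the device private key, decrypt with the device public key" step is realised here as an Ed25519 signature over the stored binding, which is this example's assumption about the primitive; the SM9 algorithm the patent names is not used. All type and function names, the error values and the sample identifiers are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// Binding: the page's second device identifier and second user identifier, fixed at network access.
type Binding struct {
	DeviceID string `json:"device_id"`
	UserID   string `json:"user_id"`
}

// Request: the credential plus the page's first device and user identifiers (promoted from Binding).
type Request struct {
	Credential string `json:"credential"`
	Binding
}

// record is the stored "encrypted information"; the page's private-key encryption is an Ed25519 signature here.
type record struct {
	binding Binding
	sig     []byte
}

var ErrDecrypt = errors.New("request decryption failed; authentication terminated")
var ErrBinding = errors.New("binding does not verify under the device public key; authentication terminated")

// AuthServer: server RSA key pair, device public keys by device identifier, bindings keyed by sha256(credential).
type AuthServer struct {
	priv  *rsa.PrivateKey
	keys  map[string]ed25519.PublicKey
	store map[[32]byte]record
}

func NewAuthServer() (*AuthServer, error) {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &AuthServer{priv: k, keys: map[string]ed25519.PublicKey{}, store: map[[32]byte]record{}}, nil
}

// encode is the canonical byte form the device signs and the server verifies.
func encode(b Binding) []byte {
	enc, _ := json.Marshal(b) // plain string fields: deterministic, cannot fail
	return enc
}

// SignBinding runs on the device at network access.
func SignBinding(b Binding, devPriv ed25519.PrivateKey) []byte {
	return ed25519.Sign(devPriv, encode(b))
}

// Register stores the signed binding under the credential and the device public key under its identifier.
func (s *AuthServer) Register(credential string, b Binding, devPub ed25519.PublicKey, sig []byte) {
	s.keys[b.DeviceID] = devPub
	s.store[sha256.Sum256([]byte(credential))] = record{binding: b, sig: sig}
}

// EncryptRequest runs on the device: the request is sealed to the server public key with RSA-OAEP.
func EncryptRequest(serverPub *rsa.PublicKey, req Request) ([]byte, error) {
	plain, _ := json.Marshal(req)
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, serverPub, plain, nil)
}

// Authenticate is the server side of S201-S205: decrypt, fetch the binding by
// credential, verify it with the key of the device named in the request, compare.
func (s *AuthServer) Authenticate(ciphertext []byte) (bool, error) {
	plain, err := rsa.DecryptOAEP(sha256.New(), nil, s.priv, ciphertext, nil)
	var req Request
	if err != nil || json.Unmarshal(plain, &req) != nil {
		return false, ErrDecrypt
	}
	rec, found := s.store[sha256.Sum256([]byte(req.Credential))]
	pub, known := s.keys[req.DeviceID]
	// The page's "decryption fails" branch: the binding was not made by the device named in the request.
	if !found || !known || !ed25519.Verify(pub, encode(rec.binding), rec.sig) {
		return false, ErrBinding
	}
	first := rec.binding.DeviceID == req.DeviceID // first comparison
	second := rec.binding.UserID == req.UserID    // second comparison
	return first && second, nil
}

func main() {
	srv, _ := NewAuthServer()
	devPub, devPriv, _ := ed25519.GenerateKey(rand.Reader) // constructed device key pair
	b := Binding{DeviceID: "dev-001", UserID: "user-42"}    // constructed identifiers
	srv.Register("cred-7f3a", b, devPub, SignBinding(b, devPriv))
	ct, _ := EncryptRequest(&srv.priv.PublicKey, Request{Credential: "cred-7f3a", Binding: b})
	fmt.Println(srv.Authenticate(ct)) // true <nil>
}
```

A failed signature check maps to the page's "decryption fails" branch and terminates authentication with `ErrBinding`; a binding that verifies but names a different user returns `false` with no error, which is the page's "comparison fails" case. Note that anyone holding the device public key can recover a value that was "encrypted" with the matching private key, so that step establishes where the binding came from rather than hiding it; confidentiality of the request comes from the RSA-OAEP layer, and the stored bindings themselves are not confidential in this construction.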
Example three
Based on the method for secure access of an industrial internet device provided by the above embodiment, the embodiment of the present application further provides an apparatus 200 for secure access of an industrial internet device. Referring to fig. 2a, fig. 2a is a block diagram of the apparatus 200 for secure access of an industrial internet device, where the apparatus 200 includes a first obtaining unit 201, a second obtaining unit 202, a first comparing unit 203, a second comparing unit 204, and a first judging unit 205:
a first obtaining unit 201, configured to obtain a credential, a first device identifier, and a first user identifier;
a second obtaining unit 202, configured to obtain a binding relationship corresponding to the credential;
a first comparing unit 203, configured to perform a first comparison of the first device identifier against the second device identifier in the binding relationship;
a second comparing unit 204, configured to perform a second comparison of the first user identifier against the second user identifier in the binding relationship;
a first judging unit 205, configured to judge, according to the results of the first comparison and the second comparison, whether the user corresponding to the first user identifier is qualified to use the device corresponding to the first device identifier.
In one possible implementation, referring to fig. 2b, the apparatus 200 further includes a third obtaining unit 206:
a third obtaining unit 206, configured to obtain a first public key corresponding to the first device identifier;
the second obtaining unit 202 is specifically configured to:
obtain the encrypted information corresponding to the credential, the encrypted information being obtained by encryption with a first private key corresponding to the second device identifier;
decrypt the encrypted information with the first public key;
if the decryption fails, terminate the authentication;
if the decryption succeeds, obtain the binding relationship corresponding to the credential.
In one possible implementation, the first obtaining unit 201 is specifically configured to:
obtain a credential, a first device identifier, and a first user identifier encrypted with a second public key;
decrypt the encrypted credential, first device identifier, and first user identifier with a second private key corresponding to the second public key;
if the decryption fails, terminate the authentication;
if the decryption succeeds, obtain the credential, the first device identifier, and the first user identifier.
In one possible implementation, the first judging unit 205 is specifically configured to:
if both the first comparison and the second comparison pass, judge that the user corresponding to the first user identifier is qualified to use the device corresponding to the first device identifier;
if either the first comparison or the second comparison fails, judge that the user corresponding to the first user identifier is not qualified to use the device corresponding to the first device identifier.
In one possible implementation, referring to fig. 2c, the apparatus 200 further includes a fourth obtaining unit 207, a first determining unit 208, a fifth obtaining unit 209, a second determining unit 210, and a second judging unit 211:
a fourth obtaining unit 207, configured to obtain a device type corresponding to the first device identifier;
a first determining unit 208, configured to determine, according to the device type, a device security state model corresponding to the first device identifier;
a fifth obtaining unit 209, configured to obtain first historical behavior data corresponding to the first device identifier;
a second determining unit 210, configured to determine, according to the first historical behavior data and the device security state model, a first device security state corresponding to the first device identifier;
a second judging unit 211, configured to judge, according to the first device security state, whether the device corresponding to the first device identifier can pass authentication.
In one possible implementation, the device security state model is obtained by:
taking the second historical behavior data corresponding to the device type as training samples and the second device security state corresponding to the device type as training labels, to obtain the device security state model corresponding to the device type.
In one possible implementation, the second judging unit 211 is specifically configured to:
determine the device access rights corresponding to the first device identifier according to the first device security state;
judge, according to the device access rights, whether the device corresponding to the first device identifier can pass authentication.
In one possible implementation, referring to fig. 2d, the apparatus 200 further includes a first storage unit 212:
a first storage unit 212, configured to store the comparison results of the first comparison and the second comparison.
In one possible implementation, the device identifier is generated from any one or more of a device name, a device model, a device serial number, a manufacturer, a factory date, and the like.
In one possible implementation, the user identifier is generated from any one or more of a user account number, a user name, a user contact number, and the like.
In one possible implementation, the apparatus 200 further includes a registering unit 213, a generating unit 214, a second storage unit 215, and a sixth obtaining unit 216:
a registering unit 213, configured to register the first device identifier and the first user identifier;
a generating unit 214, configured to generate a verification device identifier corresponding to the first device identifier and a verification user identifier corresponding to the first user identifier;
a second storage unit 215, configured to store the verification device identifier and the verification user identifier;
a sixth obtaining unit 216, configured to obtain a first storage address corresponding to the verification device identifier and a second storage address corresponding to the verification user identifier.
In one possible implementation, the apparatus 200 further includes a seventh obtaining unit 217, an eighth obtaining unit 218, a first checking unit 219, a second checking unit 220, and an executing unit 221:
a seventh obtaining unit 217, configured to obtain the first storage address and the second storage address;
an eighth obtaining unit 218, configured to obtain the verification device identifier according to the first storage address,
and to obtain the verification user identifier according to the second storage address;
a first checking unit 219, configured to perform a first check on the first device identifier according to the verification device identifier;
a second checking unit 220, configured to perform a second check on the first user identifier according to the verification user identifier;
an executing unit 221, configured to perform the subsequent steps if both the first check and the second check pass.
In one possible implementation, the apparatus 200 is established based on a blockchain.
Example four
The embodiment of the present application further provides an apparatus for authentication, which is described below with reference to the accompanying drawings. Referring to fig. 3, an embodiment of the present application provides a device 300, where the device 300 may also be a terminal device, and the terminal device may be any intelligent terminal including a mobile phone, a tablet computer, a Personal Digital Assistant (PDA), a Point of Sales (POS), a vehicle-mounted computer, and the like, where the terminal device is a mobile phone:
fig. 3 is a block diagram illustrating a partial structure of a mobile phone related to a terminal device provided in an embodiment of the present application. Referring to fig. 3, the cellular phone includes: a Radio Frequency (RF) circuit 310, a memory 320, an input unit 330, a display unit 340, a sensor 350, an audio circuit 360, a wireless fidelity (WiFi) module 370, a processor 380, and a power supply 390. Those skilled in the art will appreciate that the handset configuration shown in fig. 3 is not intended to be limiting and may include more or fewer components than those shown, or some components may be combined, or a different arrangement of components.
The following describes each component of the mobile phone in detail with reference to fig. 3:
the RF circuit 310 may be used for receiving and transmitting signals during information transmission and reception or during a call, and in particular, receives downlink information of a base station and then processes the received downlink information to the processor 380; in addition, the data for designing uplink is transmitted to the base station. In general, RF circuit 310 includes, but is not limited to, an antenna, at least one Amplifier, a transceiver, a coupler, a Low Noise Amplifier (LNA), a duplexer, and the like. In addition, RF circuit 310 may also communicate with networks and other devices via wireless communication. The wireless communication may use any communication standard or protocol, including but not limited to Global System for Mobile communication (GSM), General Packet Radio Service (GPRS), Code Division Multiple Access (CDMA), Wideband Code Division Multiple Access (WCDMA), Long Term Evolution (LTE), email, Short Message Service (SMS), and the like.
The memory 320 may be used to store software programs and modules, and the processor 380 executes various functional applications and data processing of the mobile phone by operating the software programs and modules stored in the memory 320. The memory 320 may mainly include a program storage area and a data storage area, wherein the program storage area may store an operating system, an application program required by at least one function (such as a sound playing function, an image playing function, etc.), and the like; the storage data area may store 3 data created according to the use of the cellular phone (such as audio data, a phonebook, etc.), and the like. Further, the memory 320 may include high speed random access memory, and may also include non-volatile memory, such as at least one magnetic disk storage device, flash memory device, or other volatile solid state storage device.
The input unit 330 may be used to receive input numeric or character information and generate key signal inputs related to user settings and function control of the cellular phone. Specifically, the input unit 330 may include a touch panel 331 and other input devices 332. The touch panel 331, also referred to as a touch screen, can collect touch operations of a user (e.g., operations of the user on the touch panel 331 or near the touch panel 331 using any suitable object or accessory such as a finger, a stylus, etc.) on or near the touch panel 331, and drive the corresponding connection device according to a preset program. Alternatively, the touch panel 331 may include two parts, a touch detection device and a touch controller. The touch detection device detects the touch direction of a user, detects a signal brought by touch operation and transmits the signal to the touch controller; the touch controller receives touch information from the touch sensing device and converts it to touch point coordinates, which are provided to the processor 380 and can receive and execute commands from the processor 1480. In addition, the touch panel 331 may be implemented in various types, such as a resistive type, a capacitive type, an infrared ray, and a surface acoustic wave. The input unit 330 may include other input devices 332 in addition to the touch panel 331. In particular, other input devices 332 may include, but are not limited to, one or more of a physical keyboard, function keys (such as volume control keys, switch keys, etc.), a trackball, a mouse, a joystick, and the like.
The display unit 340 may be used to display information input by the user or information provided to the user and the various menus of the mobile phone. The display unit 340 may include a display panel 341, and optionally the display panel 341 may be configured in the form of a Liquid Crystal Display (LCD), an Organic Light-Emitting Diode (OLED) display, or the like. Further, the touch panel 331 can cover the display panel 341; when the touch panel 331 detects a touch operation on or near it, the touch operation is transmitted to the processor 380 to determine the type of the touch event, and the processor 380 then provides a corresponding visual output on the display panel 341 according to the type of the touch event. Although in fig. 3 the touch panel 331 and the display panel 341 are two independent components implementing the input and output functions of the mobile phone, in some embodiments the touch panel 331 and the display panel 341 may be integrated to implement the input and output functions of the mobile phone.
The handset may also include at least one sensor 350, such as a light sensor, motion sensor, and other sensors. Specifically, the light sensor may include an ambient light sensor that adjusts the brightness of the display panel 341 according to the brightness of ambient light, and a proximity sensor that turns off the display panel 341 and/or the backlight when the mobile phone is moved to the ear. As one of the motion sensors, the accelerometer sensor can detect the magnitude of acceleration in each direction (generally, three axes), can detect the magnitude and direction of gravity when stationary, and can be used for applications of recognizing the posture of a mobile phone (such as horizontal and vertical screen switching, related games, magnetometer posture calibration), vibration recognition related functions (such as pedometer and tapping), and the like; as for other sensors such as a gyroscope, a barometer, a hygrometer, a thermometer, and an infrared sensor, which can be configured on the mobile phone, further description is omitted here.
The audio circuit 360, speaker 361 and microphone 362 may provide an audio interface between the user and the mobile phone. The audio circuit 360 may transmit the electrical signal converted from the received audio data to the speaker 361, which converts it into a sound signal and outputs it; on the other hand, the microphone 362 converts the collected sound signal into an electrical signal, which is received by the audio circuit 360 and converted into audio data, which is then output to the processor 380 for processing and transmitted, for example, to another mobile phone via the RF circuit 310, or output to the memory 320 for further processing.
WiFi is a short-range wireless transmission technology; through the WiFi module 370 the mobile phone can help the user receive and send e-mails, browse web pages, access streaming media and the like, providing the user with wireless broadband internet access. Although fig. 3 shows the WiFi module 370, it is understood that it is not an essential part of the mobile phone and can be omitted entirely as needed without changing the essence of the invention.
The processor 380 is a control center of the mobile phone, connects various parts of the whole mobile phone by using various interfaces and lines, and performs various functions of the mobile phone and processes data by operating or executing software programs and/or modules stored in the memory 320 and calling data stored in the memory 320, thereby performing overall monitoring of the mobile phone. Optionally, processor 380 may include one or more processing units; preferably, the processor 380 may integrate an application processor, which primarily handles operating systems, user interfaces, applications, etc., and a modem processor, which primarily handles wireless communications. It will be appreciated that the modem processor described above may not be integrated into processor 380.
The handset also includes a power supply 390 (e.g., a battery) for powering the various components, which may preferably be logically connected to the processor 380 via a power management system to manage charging, discharging, and power consumption via the power management system.
Although not shown, the mobile phone may further include a camera, a bluetooth module, etc., which are not described herein.
In this embodiment, the processor 380 included in the terminal device further has the following functions:
obtaining an evidence credential, a first device identifier and a first user identifier;
acquiring a binding relationship corresponding to the evidence credential;
performing a first comparison on the first device identifier according to a second device identifier in the binding relationship;
performing a second comparison on the first user identifier according to a second user identifier in the binding relationship;
and judging whether the user corresponding to the first user identifier is qualified to use the device corresponding to the first device identifier according to the comparison results of the first comparison and the second comparison.
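As an added worked example (not code from the patent or its assignees), the following Go program implements the server side of the five steps above together with the cryptographic detail that claims 1 to 3 attach to them: the request carrying the evidence credential and the two identifiers arrives encrypted to the server's ("second") public key and is decrypted with the matching private key; the binding relationship is then fetched by credential, and the claims' "encryption with the first private key" is realised as an Ed25519 signature that the server checks with the first public key looked up by the claimed device identifier, since encrypting under a private key so that the public key can "decrypt" it is, in practice, a signature. Any failure terminates authentication, and the user qualifies only if both comparisons pass. The names (AccessRequest, Binding, Verifier, the in-memory ledger and key maps), the choice of RSA-OAEP as envelope cipher and of Ed25519 for the binding, and the identifiers used in the tests ("PLC-A", "op-alice") are assumptions for illustration; the patent fixes none of them.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// AccessRequest is the constructed request: evidence credential ID, first device ID, first user ID.
type AccessRequest struct {
	CredentialID string `json:"credential_id"`
	DeviceID     string `json:"device_id"`
	UserID       string `json:"user_id"`
}

// Binding is the second device identifier / second user identifier pair
// recorded against the credential (the claims' "binding relationship").
type Binding struct {
	DeviceID string `json:"device_id"`
	UserID   string `json:"user_id"`
}

// signedBinding stands in for the claims' "encrypted information": binding bytes plus a device signature.
type signedBinding struct{ Payload, Sig []byte }

var ErrAuthTerminated = errors.New("authentication terminated")

// Verifier is the server: its ("second") RSA key pair plus the two lookups the claims assume.
type Verifier struct {
	serverKey  *rsa.PrivateKey
	devicePubs map[string]ed25519.PublicKey // first device identifier -> first public key
	ledger     map[string]signedBinding     // evidence credential -> signed binding
}

func NewVerifier() (*Verifier, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Verifier{serverKey: key, devicePubs: map[string]ed25519.PublicKey{}, ledger: map[string]signedBinding{}}, nil
}

// PublicKey is the second public key that devices encrypt their requests to.
func (v *Verifier) PublicKey() *rsa.PublicKey { return &v.serverKey.PublicKey }

// RegisterDevice enrols a device key pair; the private key stays on the device.
func (v *Verifier) RegisterDevice(deviceID string) (ed25519.PrivateKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	v.devicePubs[deviceID] = pub
	return priv, nil
}

// RecordBinding stores a binding signed by a device private key under a credential ID.
func (v *Verifier) RecordBinding(credentialID string, b Binding, devPriv ed25519.PrivateKey) {
	payload, _ := json.Marshal(b) // cannot fail for this plain struct
	v.ledger[credentialID] = signedBinding{Payload: payload, Sig: ed25519.Sign(devPriv, payload)}
}

// EncryptRequest is the device side of claim 2: RSA-OAEP to the server's public key.
func EncryptRequest(serverPub *rsa.PublicKey, req AccessRequest) ([]byte, error) {
	plain, _ := json.Marshal(req) // cannot fail for this plain struct
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, serverPub, plain, []byte("access-request"))
}

// Authorize runs claims 1 to 3 end to end and reports whether the user qualifies
// to use the device. Any decryption or signature failure terminates authentication.
func (v *Verifier) Authorize(ciphertext []byte) (bool, error) {
	plain, err := rsa.DecryptOAEP(sha256.New(), nil, v.serverKey, ciphertext, []byte("access-request"))
	if err != nil {
		return false, fmt.Errorf("%w: envelope decryption failed", ErrAuthTerminated)
	}
	var req AccessRequest
	if err := json.Unmarshal(plain, &req); err != nil {
		return false, fmt.Errorf("%w: malformed request", ErrAuthTerminated)
	}
	// Claim 1: fetch the signed binding for the credential and the first public key
	// for the *claimed* device ID; a binding signed by any other device's key fails.
	sb, ok := v.ledger[req.CredentialID]
	if !ok {
		return false, fmt.Errorf("%w: no binding for credential %q", ErrAuthTerminated, req.CredentialID)
	}
	pub, ok := v.devicePubs[req.DeviceID]
	if !ok || !ed25519.Verify(pub, sb.Payload, sb.Sig) {
		return false, fmt.Errorf("%w: unknown device or invalid binding signature", ErrAuthTerminated)
	}
	var b Binding
	if err := json.Unmarshal(sb.Payload, &b); err != nil {
		return false, fmt.Errorf("%w: malformed binding", ErrAuthTerminated)
	}
	// Claim 3: the first (device) and second (user) comparisons must both pass.
	return b.DeviceID == req.DeviceID && b.UserID == req.UserID, nil
}
```

The point worth noticing is that the first public key is selected by the device identifier the requester itself supplies. That is safe only because the signature check ties the stored binding to exactly that key: a device presenting another device's credential fails verification under its own key, and a binding recorded under the wrong key fails as well. A lookup that fell back to "any registered key" or skipped the check when the key was missing would let the first comparison be satisfied by a forged request.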
EXAMPLE five
Referring to fig. 4, fig. 4 is a block diagram of a server 400 provided in this embodiment. The server 400 may vary considerably in configuration or performance, and may include one or more Central Processing Units (CPUs) 422 (e.g., one or more processors), a memory 432, and one or more storage media 430 (e.g., one or more mass storage devices) for storing applications 442 or data 444. The memory 432 and the storage medium 430 may be transient or persistent storage. The program stored on the storage medium 430 may include one or more modules (not shown), each of which may include a series of instruction operations for the server. Still further, the central processor 422 may be arranged to communicate with the storage medium 430 and to execute the series of instruction operations stored in the storage medium 430 on the server 400.
The server 400 may also include one or more power supplies 426, one or more wired or wireless network interfaces 450, one or more input-output interfaces 458, and/or one or more operating systems 441, such as Windows Server™, Mac OS X™, Unix™, Linux™, FreeBSD™, and so forth.
The steps performed by the server in the above embodiments may be based on the server structure shown in fig. 4.
The embodiment of the present application further provides a computer-readable storage medium for storing a computer program, where the computer program is used to execute any one implementation manner of the secure access method for an industrial internet device described in the foregoing embodiments.
Those of ordinary skill in the art will understand that: all or part of the steps for realizing the method embodiments can be completed by hardware related to program instructions, the program can be stored in a computer readable storage medium, and the program executes the steps comprising the method embodiments when executed; and the aforementioned storage medium may be at least one of the following media: various media that can store program codes, such as read-only memory (ROM), RAM, magnetic disk, or optical disk.
It should be noted that, in the present specification, all the embodiments are described in a progressive manner, and the same and similar parts among the embodiments may be referred to each other, and each embodiment focuses on the differences from the other embodiments. In particular, for the apparatus and system embodiments, since they are substantially similar to the method embodiments, they are described in a relatively simple manner, and reference may be made to some of the descriptions of the method embodiments for related points. The above-described embodiments of the apparatus and system are merely illustrative, and the units described as separate parts may or may not be physically separate, and the parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the present embodiment. One of ordinary skill in the art can understand and implement it without inventive effort.
The above description is only one specific embodiment of the present application, but the scope of the present application is not limited thereto, and any changes or substitutions that can be easily conceived by those skilled in the art within the technical scope of the present application should be covered by the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.

Claims (14)

1. A method for secure access to industrial Internet equipment, the method comprising:
obtaining an evidence credential, a first device identifier and a first user identifier;
acquiring a binding relationship corresponding to the evidence credential;
performing a first comparison on the first device identifier according to a second device identifier in the binding relationship;
performing a second comparison on the first user identifier according to a second user identifier in the binding relationship;
judging whether the user corresponding to the first user identifier is qualified to use the device corresponding to the first device identifier according to the comparison results of the first comparison and the second comparison;
the method further comprises: acquiring a first public key corresponding to the first device identifier; and the acquiring of the binding relationship corresponding to the evidence credential comprises: acquiring encrypted information corresponding to the evidence credential, the encrypted information having been obtained by encryption with a first private key corresponding to the second device identifier; decrypting the encrypted information with the first public key; if the decryption fails, terminating the authentication; and if the decryption succeeds, obtaining the binding relationship corresponding to the evidence credential.
2. The method of claim 1, wherein the obtaining of the evidence credential, the first device identifier and the first user identifier comprises:
acquiring the evidence credential, the first device identifier and the first user identifier encrypted with a second public key;
decrypting the encrypted evidence credential, first device identifier and first user identifier with a second private key corresponding to the second public key;
if the decryption fails, terminating the authentication;
and if the decryption succeeds, obtaining the evidence credential, the first device identifier and the first user identifier.
3. The method according to claim 1, wherein the judging whether the user corresponding to the first user identifier is qualified to use the device corresponding to the first device identifier according to the comparison results of the first comparison and the second comparison comprises:
if the first comparison and the second comparison both pass, the user corresponding to the first user identifier has the qualification of using the device corresponding to the first device identifier;
if the first comparison and the second comparison have the condition of failed comparison, the user corresponding to the first user identifier does not have the qualification of using the device corresponding to the first device identifier.
4. The method of claim 1, further comprising:
acquiring the device type of the device corresponding to the first device identifier;
determining a device security state model for the device corresponding to the first device identifier according to the device type;
acquiring first historical behavior data of the device corresponding to the first device identifier;
determining a first device security state corresponding to the first device identifier according to the first historical behavior data and the device security state model;
and judging whether the device corresponding to the first device identifier can pass authentication according to the first device security state.
5. The method of claim 4, wherein the device security state model is obtained by:
taking second historical behavior data corresponding to the device type as training samples and second device security states corresponding to the device type as training labels, to obtain the device security state model corresponding to the device type.
6. The method according to claim 4, wherein the judging whether the device corresponding to the first device identifier can pass authentication according to the first device security state comprises:
determining a device access authority corresponding to the first device identifier according to the first device security state;
and judging whether the device corresponding to the first device identifier can pass authentication according to the device access authority.
7. The method of claim 1, further comprising:
and storing the comparison results of the first comparison and the second comparison.
8. The method of claim 1, wherein the user identifier is generated from any one or more of a user account number, a user name and a user contact number.
9. The method of claim 1, wherein before the obtaining of the evidence credential, the first device identifier and the first user identifier, the method further comprises:
registering the first device identification and the first user identification;
generating a verification device identifier corresponding to the first device identifier and a verification user identifier corresponding to the first user identifier;
storing the verification device identification and the verification user identification;
and acquiring a first storage address corresponding to the verification device identifier and a second storage address corresponding to the verification user identifier.
10. The method according to claim 9, wherein before the acquiring of the binding relationship corresponding to the evidence credential, the method further comprises:
acquiring the first storage address and the second storage address;
acquiring the verification equipment identifier according to the first storage address;
acquiring the verification user identification according to the second storage address;
according to the verification equipment identifier, performing first verification on the first equipment identifier;
performing second check on the first user identification according to the check user identification;
and if the first check and the second check pass, performing subsequent steps.
11. The method according to any one of claims 1 to 10, wherein the method is implemented on the basis of a blockchain.
12. An industrial internet device secure access apparatus, characterized in that the apparatus comprises a first obtaining unit, a second obtaining unit, a first comparison unit, a second comparison unit and a first judging unit:
the first obtaining unit is used for obtaining an evidence credential, a first device identifier and a first user identifier;
the second obtaining unit is used for obtaining a binding relationship corresponding to the evidence credential;
the first comparing unit is configured to perform first comparison on the first device identifier according to the second device identifier in the binding relationship;
the second comparison unit is used for performing second comparison on the first user identifier according to a second user identifier in the binding relationship;
the first judging unit is configured to judge whether a user corresponding to the first user identifier qualifies to use a device corresponding to the first device identifier according to a comparison result of the first comparison and the second comparison;
the apparatus further comprises a third obtaining unit: the third obtaining unit is configured to obtain a first public key corresponding to the first device identifier; the second obtaining unit is specifically configured to: acquire encrypted information corresponding to the evidence credential, the encrypted information having been obtained by encryption with a first private key corresponding to the second device identifier; decrypt the encrypted information with the first public key; if the decryption fails, terminate the authentication; and if the decryption succeeds, obtain the binding relationship corresponding to the evidence credential.
13. An apparatus for secure access to an industrial internet device, the apparatus comprising a processor and a memory:
the memory is used for storing program codes and transmitting the program codes to the processor;
the processor is configured to execute the secure access method of the industrial internet device according to any one of claims 1 to 11 according to instructions in the program code.
14. A computer-readable storage medium for storing a computer program for executing the method for secure access to an industrial internet device according to any one of claims 1 to 11.
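Claims 4 to 6 leave the device security state model open: history labelled with security states is used as training data, the device type selects the model, and the resulting state is turned into an access authority that decides whether the device passes authentication. The following Go program is an added example, not code from the patent, of one concrete instantiation: a per-device-type model fitted as the mean and standard deviation of each feature over the healthy-labelled samples of the second historical behavior data, the first historical behavior data of a device assessed against it by its largest deviation, and a three-tier authority (full, read-only, denied) derived from the state. The features (connections per hour, rejected-message ratio), the thresholds of 3 and 6 standard deviations, the "plc" device type and every sample value are constructed assumptions.

```go
package main

import (
	"fmt"
	"math"
)

// Behavior is one constructed behavior sample: connections per hour and the share of rejected messages.
type Behavior struct {
	ConnPerHour, RejectRatio float64
}

// SecurityState is the device security state of claims 4 to 6.
type SecurityState int

const (
	StateHealthy SecurityState = iota
	StateSuspicious
	StateCompromised
)

// Authority is the device access authority that claim 6 derives from the state.
type Authority int

const (
	AuthorityFull Authority = iota
	AuthorityReadOnly
	AuthorityDenied
)

// StateModel is one per-device-type model: per-feature mean and standard deviation over healthy history.
type StateModel struct {
	mean, std [2]float64
}

// Train fits a model from second historical behavior data and its labels (claim 5).
func Train(history []Behavior, labels []SecurityState) (StateModel, error) {
	var m StateModel
	var sum, sq [2]float64
	var n float64
	for i, b := range history {
		if labels[i] != StateHealthy {
			continue // only healthy-labelled samples define "normal"
		}
		for j, x := range [2]float64{b.ConnPerHour, b.RejectRatio} {
			sum[j] += x
			sq[j] += x * x
		}
		n++
	}
	if n < 2 {
		return m, fmt.Errorf("need at least two healthy samples, got %.0f", n)
	}
	for j := range m.mean {
		m.mean[j] = sum[j] / n
		variance := (sq[j] - n*m.mean[j]*m.mean[j]) / (n - 1)
		m.std[j] = math.Max(math.Sqrt(math.Max(variance, 0)), 1e-9) // guard constant features
	}
	return m, nil
}

// Assess turns first historical behavior data (a recent window) into a state using the
// largest deviation, in standard deviations, over all samples and features.
func (m StateModel) Assess(recent []Behavior) SecurityState {
	worst := 0.0
	for _, b := range recent {
		for j, x := range [2]float64{b.ConnPerHour, b.RejectRatio} {
			worst = math.Max(worst, math.Abs(x-m.mean[j])/m.std[j])
		}
	}
	switch {
	case worst > 6:
		return StateCompromised
	case worst > 3:
		return StateSuspicious
	}
	return StateHealthy
}

// Authorize is claim 6: state -> access authority -> whether authentication passes.
// A suspicious device is admitted read-only rather than refused outright.
func Authorize(state SecurityState) (Authority, bool) {
	switch state {
	case StateHealthy:
		return AuthorityFull, true
	case StateSuspicious:
		return AuthorityReadOnly, true
	}
	return AuthorityDenied, false
}

// Decide runs claims 4 to 6 for one device; the device type selects the model (claim 4).
func Decide(models map[string]StateModel, deviceType string, recent []Behavior) (Authority, bool, error) {
	m, ok := models[deviceType]
	if !ok {
		return AuthorityDenied, false, fmt.Errorf("no security state model for device type %q", deviceType)
	}
	auth, pass := Authorize(m.Assess(recent))
	return auth, pass, nil
}
```

Two design points carry over to any real model in this position. Training uses only samples labelled healthy to define the baseline, so a compromised device in the history does not widen what counts as normal; and a device type with no model is denied rather than waved through, since a missing model is a failure of the authentication input, not evidence of a healthy device.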
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010936063.3A CN112073414B (en) 2020-09-08 2020-09-08 Industrial Internet equipment secure access method, device, equipment and storage medium


Publications (2)

Publication Number Publication Date
CN112073414A CN112073414A (en) 2020-12-11
CN112073414B true CN112073414B (en) 2021-12-21

Family

ID=73664371

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010936063.3A Active CN112073414B (en) 2020-09-08 2020-09-08 Industrial Internet equipment secure access method, device, equipment and storage medium

Country Status (1)

Country Link
CN (1) CN112073414B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112565304B (en) * 2021-02-18 2021-06-25 北京声智科技有限公司 Equipment management method and device and electronic equipment
CN114422873B (en) * 2021-12-15 2023-12-08 浙江中控技术股份有限公司 Method, device and equipment for dynamically accessing industrial Internet identification analysis platform

Family Cites Families (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104883346A (en) * 2014-09-28 2015-09-02 北京匡恩网络科技有限责任公司 Network equipment behavior analysis method and system
CN106559785B (en) * 2015-09-30 2020-02-14 中国电信股份有限公司 Authentication method, device and system, access device and terminal
CN107358419B (en) * 2016-05-09 2020-12-11 阿里巴巴集团控股有限公司 Airborne terminal payment authentication method, device and system
EP3662634B1 (en) * 2017-09-18 2021-04-28 Mastercard International Incorporated Systems and methods for managing digital identities associated with mobile devices
KR102344930B1 (en) * 2017-09-26 2021-12-30 주식회사 엘지유플러스 Certification processing system without user identity module and method thereof
CN110995710B (en) * 2019-12-05 2021-12-07 江苏恒宝智能系统技术有限公司 Smart home authentication method based on eUICC


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CP03 Change of name, title or address

Address after: 100032 room 8018, 8 / F, building 7, Guangyi street, Xicheng District, Beijing

Patentee after: State Grid Digital Technology Holdings Co.,Ltd.

Patentee after: State Grid blockchain Technology (Beijing) Co.,Ltd.

Patentee after: Guowang Xiongan Finance Technology Group Co.,Ltd.

Address before: 311 guanganmennei street, Xicheng District, Beijing 100053

Patentee before: STATE GRID ELECTRONIC COMMERCE Co.,Ltd.

Patentee before: State Grid blockchain Technology (Beijing) Co.,Ltd.

Patentee before: Guowang Xiongan Finance Technology Group Co.,Ltd.