CN114189380A - Zero-trust-based distributed authentication system and authorization method for Internet of things equipment - Google Patents


Info

Publication number: CN114189380A
Authority: CN (China)
Prior art keywords: resource, authentication, platform, identity, equipment
Legal status: Granted (status as listed by Google Patents, not a legal conclusion)
Application number: CN202111500793.XA
Other languages: Chinese (zh)
Other versions: CN114189380B (en)
Inventors: 夏康丽, 翟栋
Current assignee: Sichuan Qiruike Technology Co Ltd
Original assignee: Sichuan Qiruike Technology Co Ltd
Priority date: 2021-12-09
Filing date: 2021-12-09
Publication date: 2022-03-15

Classifications

All entries fall under H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION:

    • H04L63/00 Network architectures or network communication protocols for network security
        • H04L63/08 ... for authentication of entities
            • H04L63/0807 ... using tickets, e.g. Kerberos
            • H04L63/0876 ... based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
        • H04L63/10 ... for controlling access to devices or network resources
        • H04L63/20 ... for managing network security; network security policies in general
    • H04L2463/00 Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00
        • H04L2463/082 ... applying multi-factor authentication

Abstract

The invention discloses a zero-trust-based distributed authentication system and an authorization method for equipment of the Internet of things.

Description

Zero-trust-based distributed authentication system and authorization method for Internet of things equipment
Technical Field
The invention relates to the technical field of the Internet of Things, and in particular to a zero-trust-based distributed authentication system and authorization method for Internet of Things devices.
Background
With the rapid development of Internet of Things technology, the number of IoT devices joining the network keeps growing, and cloud resource providers enable ever more IoT device scenarios, which places new requirements on device security authentication and authorization. At present there are countless authentication schemes between devices of different manufacturers and between devices and each resource provider, but problems such as difficult cross-manufacturer device authentication and cross-platform isolation of resources are common. Meanwhile, the conventional access control model is generally built on a network security boundary, for example verifying access on the basis of IP address, host information and geographic location. In the IoT setting, cloud applications and cloud computing are the trend, which gradually dissolves the traditional network security boundary, so the traditional authentication approach begins to show its limitations in IoT scenarios.
Disclosure of Invention
The invention aims to provide a zero-trust-based distributed authentication system and authorization method for Internet of Things devices in which all authentication and authorization are identity-based under a zero-trust framework: every IoT device carries a uniform trusted identity, each device must authenticate with that trusted identity to obtain an access Token before accessing cloud resources, and each resource end can verify the validity of the Token in a distributed manner to enforce access control.
The invention realizes the purpose through the following technical scheme:
a zero trust-based Internet of things equipment distributed authentication system comprises an equipment end, a zero trust architecture authentication platform, an Internet of things unified identity identification platform and a resource end;
the unified identity platform is composed of multiple nodes and, using distributed trusted ledger technology, implements the issuance, trusted verification and trusted storage of identities, providing the identity authentication basis for the upper-layer authorization system;
the device end consists of a device entity or an edge gateway; a device-end SDK (software development kit) is loaded at the factory, and its main functions are communicating with the authentication platform and the resource end, registering and authenticating the identity, and acquiring the identity Token;
the resource-end SDK is integrated by each resource provider and provides resource provider identity registration, resource authorization policy configuration, resource authorization rule management, untrusted request redirection and resource access credential Token verification;
the zero trust architecture authentication platform consists of a data channel and a control channel; the control channel dynamically controls the real-time sessions in the data channel according to the authorization state, using the operations establish, interrupt and permit; when the data channel receives an untrusted resource access request redirected from the device side or the resource side, identity authentication of the device is performed through the unified identity platform and authority verification through the control channel, so that secure access to resources is achieved.
Further, the identity types in the unified identity platform comprise resource platform identity, Internet of Things device identity authentication and resource authentication.
Further, for Internet of Things devices that have limited resources, cannot communicate directly with the blockchain and cannot store credentials, the related functions of the authentication and authorization processes are implemented through the edge computing gateway.
Further, the zero trust architecture authentication platform provides device identity verification, authority verification, access credential Token issuance and access credential Token verification.
The application also provides an authorization method of the zero-trust-based Internet of things equipment distributed authentication system, which comprises the following steps:
step 1, a resource provider locally generates a public and private key pair, uploads a public key to a unified identity platform through an SDK (software development kit) for registration, and obtains a service provider ID (SPID for short);
step 2, the resource side encrypts the SPID by using a private key and uploads the SPID to a unified identity authentication platform for identity authentication;
step 3, the authenticated resource party can register the resource to the unified identity platform to obtain each resource identifier ID (SID for short);
step 4, the authenticated identity platform carries out configuration (or update) of the related resource access strategy;
step 5, the SDK (including the edge computing device) at the device end locally generates a public and private key pair, and uploads a public key to a unified identity platform for registration to obtain a device ID;
step 6, the equipment encrypts the equipment ID through a private key and uploads the equipment ID to a unified identity authentication platform for identity authentication;
step 7, the authenticated device initiates a resource access request to the access data channel (resource access proxy platform); if the resource is requested directly, the request is redirected to the proxy platform; the proxy platform checks whether the request carries an access credential Token, and if so verifies the validity of the Token and forwards the request to the resource end according to the verification rule;
step 8, if no access credential is carried, an authentication request is initiated to the control channel; if the verification passes, a verifiable resource access credential Token is generated, which can be implemented as a distributed verifiable credential. The credential is returned to the device end for storage so that repeated authentication is avoided within the validity period, which reduces the resource consumption of the authorization platform and improves performance. At the same time, the now-trusted resource request is forwarded to the resource end;
step 9, the trust evaluation engine performs a basic evaluation according to the configured policy; it can later be extended to bring request behaviour, response behaviour, risk level and the like into the evaluation scope, and the evaluation result can act directly on the session in the data channel.
The invention has the beneficial effects that:
The zero-trust-based distributed authentication system and authorization method for Internet of Things devices build an infrastructure for IoT application security access control, providing a uniform device authentication platform for IoT device manufacturers and application resource providers. With an authentication model based on trusted device identities, the network security boundary of the traditional authentication model is overcome and, at the same time, dynamic security control at the resource level becomes possible.
Drawings
In order to illustrate the technical solutions in the embodiments of the present invention more clearly, the drawings required for the description of the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below show only some embodiments of the present invention, and other drawings can be derived from them by those skilled in the art without creative effort.
FIG. 1 is a block diagram of the present invention.
FIG. 2 is a flow chart of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the technical solutions of the present invention will be described in detail below. It is to be understood that the described embodiments are merely exemplary of the invention, and not restrictive of the full scope of the invention. All other embodiments, which can be derived by a person skilled in the art from the examples given herein without any inventive step, are within the scope of the present invention.
In an embodiment, as shown in FIG. 1, the zero-trust-based Internet of Things device distributed authentication system of the present invention comprises a device end, a zero trust architecture authentication platform, an Internet of Things unified identity platform and a resource end, where the device end is composed of a plurality of entities.
The unified identity platform end is composed of multiple nodes and, using distributed trusted ledger technology, implements the issuance, trusted verification and trusted storage of identities, providing the identity authentication basis for the upper-layer authorization system. The identity types in the system include resource platform identity, Internet of Things device identity authentication, resource authentication and the like.
The device end comprises device entities or edge gateways; for Internet of Things devices that are limited in resources, cannot communicate directly with the blockchain and cannot store credentials, the related functions of the authentication and authorization processes of the method can be implemented through the edge computing gateway. The device-end SDK can be loaded at the factory; its main functions are communicating with the authentication platform and the resource end to register and authenticate the identity and to acquire the access credential Token.
The resource-end SDK must be integrated by each resource provider, and its main functions include resource provider identity registration, resource authorization policy configuration, resource authorization rule management, untrusted request redirection, resource access credential Token verification and the like.
The zero trust authentication platform consists of a data channel and a control channel. The control channel dynamically controls the real-time sessions in the data channel according to the authorization state, using operations such as establish, interrupt and permit. When the data channel receives an untrusted resource access request from a device end (or redirected from a resource end), identity authentication of the device is performed through the unified identity platform and authority verification through the control channel, so that secure access to the resource is achieved. The main functions of the system are device identity verification, authority verification, access credential Token issuance, access credential Token verification and the like.
In a specific embodiment, as shown in fig. 2, an authorization method of a zero-trust-based internet-of-things device distributed authentication system of the present invention includes the following steps:
a resource provider locally generates a public and private key pair, uploads a public key to a unified identity platform through an SDK (software development kit) for registration, and acquires a service provider ID (SPID for short);
the resource side encrypts the SPID by using a private key and uploads the SPID to the unified identity authentication platform for identity authentication;
the authenticated resource party can register resources to the unified identity platform to obtain each resource identifier ID (SID for short);
the authenticated identity platform carries out configuration (or update) of a related resource access strategy;
an SDK (including edge computing equipment) at an equipment end locally generates a public and private key pair, and uploads a public key to a unified identity platform for registration to obtain an equipment ID;
the equipment encrypts the equipment ID through a private key and uploads the equipment ID to a unified identity authentication platform for identity authentication;
the authenticated device initiates a resource access request to the access data channel (resource access proxy platform); if the resource is requested directly, the request is redirected to the proxy platform; the proxy platform checks whether the request carries an access credential Token, and if so verifies the validity of the Token and forwards the request to the resource end according to the verification rule;
if no access credential is carried, an authentication request is sent to the control channel; if the verification passes, a verifiable resource access credential Token is generated, which can be implemented as a distributed verifiable credential. The credential is returned to the device end for storage so that repeated authentication is avoided within the validity period, which reduces the resource consumption of the authorization platform and improves performance. At the same time, the now-trusted resource request is forwarded to the resource end;
the trust evaluation engine performs a basic evaluation according to the configured policy; it can be extended to bring request behaviour, response behaviour, risk level and the like into the evaluation scope, and the evaluation result can act directly on the session in the data channel.
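As an added example (not code from the patent or its assignee), the registration, authentication, token issuance and distributed token verification steps of the method above, modelled in Go with the standard library's Ed25519: the unified identity platform is reduced to a public-key registry, the step of "encrypting the ID with the private key" is modelled as a signature over the ID, and the Token is a signed (device ID, SID, expiry) tuple that a resource end checks locally with only the control channel's public key. All names, the JSON token layout and the Ed25519 choice are assumptions; the distributed ledger and the trust evaluation engine of step 9 are not modelled.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

var ErrUnauthenticated = errors.New("identity authentication failed")
var ErrDenied = errors.New("access policy denies request")
var ErrBadToken = errors.New("token missing, forged, mis-bound or expired")
// Token is the credential payload; SignedToken adds the control channel's signature over it.
type Token struct {
	DeviceID string `json:"dev"`
	SID      string `json:"sid"`
	Expiry   int64  `json:"exp"` // bounds how long the device may skip re-authentication
}
type SignedToken struct{ Payload, Sig []byte }

// IdentityPlatform stands in for the multi-node unified identity platform: public keys
// keyed by SPID or device ID, plus each SID's owning SPID (the ledger itself is not modelled).
type IdentityPlatform struct {
	keys  map[string]ed25519.PublicKey
	owner map[string]string
}
func NewIdentityPlatform() *IdentityPlatform {
	return &IdentityPlatform{map[string]ed25519.PublicKey{}, map[string]string{}}
}

// Register stores a public key and returns the issued SPID or device ID (steps 1 and 5).
func (p *IdentityPlatform) Register(prefix string, pub ed25519.PublicKey) string {
	id := fmt.Sprintf("%s-%04d", prefix, len(p.keys)+1)
	p.keys[id] = pub
	return id
}

// Authenticate checks the proof of steps 2 and 6 (the holder's signature over its own ID, which the patent calls encrypting the ID).
func (p *IdentityPlatform) Authenticate(id string, proof []byte) bool {
	pub, ok := p.keys[id]
	return ok && ed25519.Verify(pub, []byte(id), proof)
}

// ControlChannel holds per-resource policy (steps 3 and 4) and issues tokens (step 8).
type ControlChannel struct {
	platform *IdentityPlatform
	policy   map[string]map[string]bool // SID -> permitted device IDs
	signKey  ed25519.PrivateKey
	ttl      time.Duration
}
func NewControlChannel(p *IdentityPlatform, ttl time.Duration) (*ControlChannel, ed25519.PublicKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // rand.Reader is assumed not to fail
	return &ControlChannel{platform: p, policy: map[string]map[string]bool{}, signKey: priv, ttl: ttl}, pub
}

// SetPolicy binds a SID to the first authenticated provider that configures it and records the permitted device IDs; any other provider is refused.
func (c *ControlChannel) SetPolicy(spid string, proof []byte, sid string, devices ...string) error {
	owner, bound := c.platform.owner[sid]
	if !c.platform.Authenticate(spid, proof) || (bound && owner != spid) {
		return ErrDenied
	}
	c.platform.owner[sid] = spid
	c.policy[sid] = map[string]bool{}
	for _, d := range devices {
		c.policy[sid][d] = true
	}
	return nil
}

// Issue runs identity authentication, then authority verification, then signs the token.
func (c *ControlChannel) Issue(devID, sid string, proof []byte, now time.Time) (*SignedToken, error) {
	if !c.platform.Authenticate(devID, proof) {
		return nil, ErrUnauthenticated
	} else if !c.policy[sid][devID] {
		return nil, ErrDenied
	}
	payload, _ := json.Marshal(Token{DeviceID: devID, SID: sid, Expiry: now.Add(c.ttl).Unix()})
	return &SignedToken{Payload: payload, Sig: ed25519.Sign(c.signKey, payload)}, nil
}

// VerifyToken is what the resource end SDK (and the proxy) run locally with only the control
// channel's public key: signature, device/resource binding and expiry, no platform round trip.
func VerifyToken(pub ed25519.PublicKey, st *SignedToken, devID, sid string, now time.Time) error {
	var t Token
	if st == nil || !ed25519.Verify(pub, st.Payload, st.Sig) || json.Unmarshal(st.Payload, &t) != nil ||
		t.DeviceID != devID || t.SID != sid || !now.Before(time.Unix(t.Expiry, 0)) {
		return ErrBadToken
	}
	return nil
}

// Proxy is the data channel of step 7: a request with a valid token is forwarded as-is; otherwise a fresh identity proof is required and a token is issued for reuse until it expires.
func Proxy(c *ControlChannel, pub ed25519.PublicKey, devID, sid string, proof []byte, tok *SignedToken, now time.Time) (*SignedToken, error) {
	if VerifyToken(pub, tok, devID, sid, now) == nil {
		return tok, nil // trusted request: forward to the resource end
	}
	return c.Issue(devID, sid, proof, now)
}
```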
The above description covers only specific embodiments of the present invention, but the scope of the present invention is not limited to them: any changes or substitutions that a person skilled in the art can readily conceive within the technical scope of the present invention fall within its scope. The protection scope of the present invention is therefore defined by the appended claims. It should be noted that the technical features described in the above embodiments can be combined in any suitable manner as long as they do not contradict one another; the possible combinations are not described separately in order to avoid unnecessary repetition. Any combination of the embodiments of the present invention is likewise possible and should be considered part of its disclosure as long as it does not depart from the spirit of the present invention.

Claims (5)

1. A zero trust-based Internet of things equipment distributed authentication system is characterized by comprising an equipment end, a zero trust architecture authentication platform, an Internet of things unified identity identification platform and a resource end;
the unified identity platform is composed of multiple nodes and, using distributed trusted ledger technology, implements the issuance, trusted verification and trusted storage of identities, providing the identity authentication basis for the upper-layer authorization system;
the device end consists of a device entity or an edge gateway; a device-end SDK (software development kit) is loaded at the factory, and its main functions are communicating with the authentication platform and the resource end, registering and authenticating the identity, and acquiring the identity Token;
the resource-end SDK is integrated by each resource provider and provides resource provider identity registration, resource authorization policy configuration, resource authorization rule management, untrusted request redirection and resource access credential Token verification;
the zero trust architecture authentication platform consists of a data channel and a control channel; the control channel dynamically controls the real-time sessions in the data channel according to the authorization state, using the operations establish, interrupt and permit; when the data channel receives an untrusted resource access request redirected from the device side or the resource side, identity authentication of the device is performed through the unified identity platform and authority verification through the control channel, so that secure access to resources is achieved.
2. The zero-trust based internet of things device distributed authentication system of claim 1, wherein the identity types in the unified identity platform comprise resource platform identity, internet of things device identity authentication, and resource authentication.
3. The zero-trust-based distributed authentication system and the authorization method for the devices of the internet of things are characterized in that for the devices of the internet of things which are limited in resources, do not have the capability of direct communication with a block chain and cannot store certificates, the related functions in the authentication and authorization processes are realized through an edge computing gateway.
4. The zero-trust-based Internet of things equipment distributed authentication system as claimed in claim 1, wherein the zero-trust architecture authentication platform realizes functions of equipment identity verification, authority verification, access credential Token issuance and access credential Token verification.
5. An authorization method of a zero-trust-based Internet of things equipment distributed authentication system is characterized by comprising the following steps:
step 1, a resource provider locally generates a public and private key pair, and uploads a public key to a unified identity platform through an SDK (software development kit) for registration to obtain an SPID (session identification);
step 2, the resource side encrypts the SPID by using a private key and uploads the SPID to a unified identity authentication platform for identity authentication;
step 3, the authenticated resource party can register the resource to the uniform identity platform to obtain the SID;
step 4, the authenticated identity platform carries out related resource access or updating strategy configuration;
step 5, the SDK at the device end locally generates a public and private key pair, and uploads a public key to the unified identity platform for registration to obtain a device ID;
step 6, the equipment encrypts the equipment ID through a private key and uploads the equipment ID to a unified identity authentication platform for identity authentication;
step 7, the authenticated device initiates a resource access request to the access data channel; if the resource is requested directly, the request is redirected to the proxy platform; the proxy platform checks whether the request carries an access credential Token, and if so verifies the validity of the Token and forwards the request to the resource end according to the verification rule;
step 8, if no access credential is carried, an authentication request is sent to the control channel; if the authentication passes, a verifiable resource access credential Token is generated, implemented through a distributed verifiable credential, and returned to the device end for storage; the credential avoids repeated authentication within its validity period, reduces the resource consumption of the authorization platform and improves performance; at the same time, the trusted resource request is forwarded to the resource end;
step 9, the trust evaluation engine performs a basic evaluation according to the configured policy, is extended to bring request behaviour, response behaviour, risk level and the like into the evaluation scope, and the evaluation result acts directly on the session in the data channel.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111500793.XA CN114189380B (en) 2021-12-09 2021-12-09 Zero-trust-based distributed authentication system and authorization method for Internet of things equipment


Publications (2)

Publication Number Publication Date
CN114189380A true CN114189380A (en) 2022-03-15
CN114189380B CN114189380B (en) 2023-09-15

Family

ID=80604070


Country Status (1)

Country Link
CN (1) CN114189380B (en)


Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110188563A (en) * 2019-06-02 2019-08-30 四川虹微技术有限公司 Trust data update method and device
CN111262832A (en) * 2020-01-08 2020-06-09 北京工业大学 DDoS attack discovery method for fusing trust and learning in cloud environment
CN112055029A (en) * 2020-09-16 2020-12-08 全球能源互联网研究院有限公司 Zero-trust power Internet of things equipment and user real-time trust degree evaluation method
CN112087469A (en) * 2020-09-18 2020-12-15 全球能源互联网研究院有限公司 Zero-trust dynamic access control method for power Internet of things equipment and users
CN112118102A (en) * 2020-10-21 2020-12-22 国网天津市电力公司 Dedicated zero trust network system for electric power
CN112507317A (en) * 2020-12-07 2021-03-16 国网河北省电力有限公司电力科学研究院 Electric power Internet of things safety protection method based on zero trust
US20210176066A1 (en) * 2019-12-10 2021-06-10 Winkk, Inc User identification proofing using a combination of user responses to system turing tests using biometric methods


Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
訾然, 刘嘉: "Research on the construction of a risk-trust system based on lean trust", 《信息网络安全》, no. 10, pp. 32-41 *
赖宇阳, 徐平江, 房超, 唐晓柯, 张海峰: "A highly secure implementation of network data transmission", 《信息安全与通信保密》, no. 2, pp. 109-112 *

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115118465A (en) * 2022-06-13 2022-09-27 北京寰宇天穹信息技术有限公司 Cloud edge-side cooperative zero trust access control method and system based on trusted label
CN115118465B (en) * 2022-06-13 2023-11-28 北京寰宇天穹信息技术有限公司 Cloud edge end cooperative zero trust access control method and system based on trusted label
CN115296912A (en) * 2022-08-06 2022-11-04 福建中锐网络股份有限公司 Credibility authentication method for Internet of things platform and equipment based on block chain
CN115296912B (en) * 2022-08-06 2024-03-12 福建中锐网络股份有限公司 Block chain-based internet of things platform and equipment trusted authentication method



Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant