CN114666079A - Industrial control system access control method based on attribute certificate


Publication number
CN114666079A
Authority
CN
China
Prior art keywords
authentication module
encryption authentication
industrial control
attribute
encryption
Legal status
Granted
Application number
CN202011529272.2A
Other languages
Chinese (zh)
Other versions
CN114666079B (en)
Inventor
刘贤达
蒋一恒
赵剑明
陈春雨
张博文
王天宇
Current Assignee
Shenyang Institute of Automation of CAS
Original Assignee
Shenyang Institute of Automation of CAS
Application filed by Shenyang Institute of Automation of CAS
Priority to CN202011529272.2A
Publication of CN114666079A
Application granted
Publication of CN114666079B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/105 Multiple levels of security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0823 Network architectures or network communication protocols for network security for authentication of entities using certificates
    • H04L63/083 Network architectures or network communication protocols for network security for authentication of entities using passwords
    • H04L63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L63/205 Network architectures or network communication protocols for network security for managing network security; network security policies in general involving negotiation or determination of the one or more network security mechanisms to be used, e.g. by negotiation between the client and the server or between peers or by selection according to the capabilities of the entities involved
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02P CLIMATE CHANGE MITIGATION TECHNOLOGIES IN THE PRODUCTION OR PROCESSING OF GOODS
    • Y02P90/00 Enabling technologies with a potential contribution to greenhouse gas [GHG] emissions mitigation
    • Y02P90/02 Total factory control, e.g. smart factories, flexible manufacturing systems [FMS] or integrated manufacturing systems [IMS]

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Power Engineering (AREA)
  • Safety Devices In Control Systems (AREA)

Abstract

The invention discloses an industrial control system access control method based on an attribute certificate, applied in the technical field of industrial information security. The attribute-based access control model determines whether a subject has authority to access a resource by verifying whether the operation that the subject's attributes request on the resource's attributes satisfies the access policy under given environment attributes. If so, the subject is authorized to access the resource; otherwise authorization is denied. Users and industrial control equipment are added to the industrial control system, and the method judges whether the attributes of the industrial control equipment operated by a user satisfy the access control policy; if so, the corresponding authority is granted. User trust value accumulation is added to the system, and the trust level of the industrial control equipment operated by the user is changed according to the trust value, realizing authority supervision and protection for both the single device and the whole industrial control system.

Description

Industrial control system access control method based on attribute certificate
Technical Field
The invention relates to the field of industrial control systems, in particular to an access control model method for an industrial control system based on attribute sets, and belongs to the field of information security of industrial control networks.
Background
With the integration of information technologies such as the industrial internet of things and cloud computing with industrial control systems, the security of industrial data faces great risks. As more and more devices connect to the industrial control system, a large amount of data is generated, and the confidentiality and integrity of that data must be protected in a complex distributed environment. Security problems can then arise: for example, intruders may impersonate the identity of a legitimate user, and once they successfully intrude they may damage parts of the industrial control system such as the industrial Ethernet, data acquisition and monitoring, the distributed control system, programmable logic controllers and human-machine interfaces, affecting the operational safety of the industrial control system. These problems all arise from failing to authenticate the visitor and failing to authorize properly, so a security mechanism is needed to prevent illegal access by malicious users and unauthorized access by legitimate users. An access control mechanism is a means of protecting data from being used and accessed by unauthorized users and is indispensable in both computer and non-computer systems; building on identification, it controls the resource access requests a user makes according to the user's identity, and is one of the effective measures for solving these problems. The purpose of access control is to limit, through various technical means, the capability and scope of users' access to specified data, to ensure that data resources are not used or accessed by unauthorized users, and to ensure that industrial Ethernet and industrial systems are not subject to unauthorized access, use, leakage, disruption, modification or destruction.
Disclosure of Invention
The invention aims to provide a method and a system for authenticating and authorizing the identity of an industrial user or industrial control equipment, in order to solve the current problem of secure data access and transmission in industrial control systems. The attribute-based access control model determines whether a subject has authority to access a resource by verifying whether the operation that the subject's attributes request on the resource's attributes satisfies the access policy under given environment attributes. If so, the subject is authorized to access the resource; otherwise authorization is denied.
The technical scheme adopted by the invention for realizing the purpose is as follows: an industrial control system access control method based on attribute certificates comprises the following steps:
Step 1: a user registers the industrial control equipment information of a subject PLC1 and an object PLC2 through the security management and control platform, defines the industrial control equipment attributes, and downloads the industrial control equipment attribute set to encryption authentication module #1 in the subject PLC1 and encryption authentication module #2 in the object PLC2;
Step 2: the user defines the access policy of the access object PLC2 through the security management and control platform, and downloads the attribute-set-based policy to the encryption authentication module of the object PLC2;
Step 3: the security management and control platform authenticates identities through encryption authentication module #1 and encryption authentication module #2;
Step 4: after receiving the verification success instruction from encryption authentication module #2, encryption authentication module #1 requests a key generation parameter from encryption authentication module #2; encryption authentication module #2 returns n attributes randomly selected by the encryption authentication module #1 as key generation parameters; encryption authentication module #1 and encryption authentication module #2 generate a key according to the selected n attributes;
Step 5: after encryption authentication module #1 and encryption authentication module #2 negotiate a key, the subject PLC1 accesses data in the object PLC2;
Step 6: the security management and control platform monitors whether encryption authentication module #1 of the subject PLC1 shows abnormal behavior, and judges whether the trust value of the PLC1 encryption authentication module #1 is greater than or equal to a threshold value;
when the access encryption authentication module #2 does not meet the attribute requirements in the PLC2, or the accumulation of abnormal behaviors of the PLC1 encryption authentication module #1 reaches a threshold value, the credit rating is reduced and increased, and the attribute authority is distributed to the encryption authentication module #1 again; otherwise, the credit rating is reduced, and the authority is reduced according to the credit rating;
if the PLC1 meets the preset attribute requirements in the PLC2 or the PLC1 equipment behavior accumulation is lower than a threshold value, the credit rating is reduced, and the attribute authority is redistributed to the PLC1; otherwise, the credit rating of the encryption authentication module #1 is increased.
The security management and control platform authenticates identities through an encryption authentication module #1 and an encryption authentication module #2, and the method comprises the following steps of:
encryption authentication module #1 sends its m attributes to encryption authentication module #2, and encryption authentication module #2 verifies whether the attribute policy is satisfied according to the access control policy based on the attribute set; if the attribute policy is not satisfied, encryption authentication module #2 returns a verification error instruction and disconnects the connection; if the attribute policy is satisfied, encryption authentication module #2 returns a verification success instruction.
The industrial control equipment attribute comprises factory MAC address, IP address and position information of the equipment.
The strategy based on the attribute set comprises that the industrial control equipment at different positions has different authorities to access other industrial control equipment, the authorities of the industrial control equipment at different times are different, and the authorities of the equipment at different IP addresses are different.
After encryption authentication module #1 and encryption authentication module #2 negotiate a key, the subject PLC1 accesses data in the object PLC2, and the communication data of both parties is encrypted and decrypted with the negotiated key.
The key generation comprises the following steps:
Setting a public key: the security management and control platform inputs a system security parameter A and outputs a master key MK and a system public key CPK to the encryption authentication module in each industrial control device; the encryption authentication module in each industrial control device generates its own public key APK;
Outputting a private key: the security management and control platform runs a randomized algorithm, inputs the system master key MK, the unique authentication identifier GID of the industrial control device and the seeds $S_1, S_2, \ldots, S_k$ of the encryption authentication modules, and outputs a private key D of the security management and control platform to the encryption authentication module in each industrial control device;
the encryption authentication module of each industrial control device, from its respective seed $S_1, S_2, \ldots, S_k$, the unique user identifier GID of the industrial control device, the attribute set NK managed by the encryption authentication module and a random value r in $Z_p$, outputs a private key SK to the storage area of each encryption authentication module; the data visitor, that is, the subject, then obtains the private key SK;
Plaintext output: the industrial control device runs an algorithm and, from all attributes S participating in encryption, the plaintext M and the system public key CPK, obtains a ciphertext CT and outputs it to the encryption authentication module;
the security management and control platform runs an algorithm with the attribute set NK and the ciphertext CT of the industrial control device as input; if SK satisfies the access policy set by the encryption authentication module, the plaintext M is output to the encryption authentication module of the industrial control device.
When an industrial control device $u_i$ acts as a subject to access the services of other industrial control devices as objects, it can access an object only if its trust value $T(u_i)$ satisfies $T(u_i) \ge \min\{Tr_i\}$, and the corresponding permission set $R = \{R_1, R_2, \ldots, R_K\}$ is activated; K is the number of different permissions when the subject accesses the object, and $Tr_i$ is the trust interval in which the subject can access the object.
The invention has the following beneficial effects and advantages:
1. The invention realizes access control in the industrial control system with a distributed structure: the encryption authentication module is embedded in the industrial control equipment, enabling independent communication between devices.
2. The invention can limit the access authority of the subject industrial control device to the object industrial control device, so that the resources of the industrial control system are used within a reasonable range.
3. The invention applies encrypted access control, with granularity refined to the attribute level, to data access in the industrial control system.
4. Users and industrial control equipment are added to the industrial control system, and the method judges whether the attributes of the industrial control equipment operated by a user satisfy the access control policy; if so, the corresponding authority is granted. User trust value accumulation is added to the system, and the trust level of the industrial control equipment operated by the user is changed according to the trust value, realizing authority supervision and protection for both the single device and the whole industrial control system.
Drawings
FIG. 1 is a schematic structural diagram of an industrial control system based on an attribute certificate;
FIG. 2 is a flowchart of an access control process of an attribute-based industrial control system;
FIG. 3 is a flowchart of a process for generating a public key by the security management and control platform;
FIG. 4 is a flowchart of a process of generating a private key by the security management and control platform.
Detailed Description
The present invention will be described in further detail with reference to the accompanying drawings and examples.
The basic principle of the invention is that users and industrial control equipment can act as subjects of the access control model, while the mass data of the industrial control system, stored in the security management and control platform, are the objects of the access control model; a subject that wants to access an object must satisfy certain access control policies. Attributes can serve as elements with which a user encrypts data: when a visitor satisfies the attributes specified at encryption, the visitor can decrypt the ciphertext. All users can access resources only after being authenticated, which determines whether a user has the right to access and use a given resource. In this way the access policy of the industrial control system is executed reliably and effectively, attackers are prevented from impersonating legitimate users to obtain access to resources, the security of the system and data is ensured, and the legitimate interests of authorized visitors are protected. This fine-grained authorization, which encrypts over attributes, is a flexible authorization scheme.
The invention provides a group identity authentication and authorization method of industrial control equipment, which can be realized by the following technologies, as shown in FIG. 2:
The user registers industrial control equipment information on the security management and control platform, defines the attributes of the industrial control equipment, and downloads the corresponding attribute set to the encryption module, so that the server can determine that the user and the device are legitimate.
The security management and control platform is credible and manages different attribute sets.
As shown in fig. 3 and 4, the key generation process includes:
1. Setting a public key: the security management and control platform inputs a system security parameter A and outputs a master key MK and a system public key CPK, and each encryption authentication module generates its own public key APK, as shown in FIG. 3.
2. Outputting a private key: the security management and control platform runs a randomized algorithm, inputs the system master key MK, the unique authentication identifier GID of the industrial control device and the seeds $S_1, S_2, \ldots, S_k$ of the encryption authentication modules, and outputs a private key D of the security management and control platform.
3. The encryption authentication modules run an algorithm that takes as input their respective seeds $S_1, S_2, \ldots, S_k$, the unique user identifier GID of the industrial control device, the attribute set NK managed by the encryption authentication module and a random value r in $Z_p$, and outputs a private key SK. The data visitor then obtains the private key SK.
4. Plaintext output: the industrial control device runs an algorithm (the encryption algorithm Encrypt) that takes as input all attributes S participating in encryption (the attribute set owned by a single industrial control device), the plaintext M and the system public key CPK, and outputs a ciphertext CT.
5. The security management and control platform runs an algorithm (the decryption algorithm Decrypt) that takes as input the attribute set NK and the ciphertext CT of the industrial control device, and outputs the plaintext M if SK satisfies the access policy set by the encryption authentication module. The ciphertext-based access control policy includes replacing attribute information with corresponding numerical values to achieve ciphertext hiding; the policy is in fact a logical expression formed from attributes and the relations among them, for example policy 1: HMI equipment OR (PLC equipment AND 9:00-17:00).
The safety control platform performs trust value audit on the user or the industrial control equipment:
The trust level is set to (1, 2, …, q). If $t_m \le T(u_i) \le t_{m+1}$, where $t_m$ and $t_{m+1}$ are the minimum and maximum in the trust hierarchy, the user's trust level is m ($1 \le m \le q-1$). Here q represents the number of levels; the trust level is divided into multiple levels so that devices can be assigned different rights when communicating.
When an industrial control device $u_i$ wants to access a service, it can access the industrial control system resource only if its trust value satisfies $T(u_i) \ge \min\{Tr_i\}$, and the corresponding permission set $R = \{R_1, R_2, \ldots, R_K\}$ is activated.
When the user $u_i$ activates his rights, the trust level is determined by the size of $T(u_i)$.
According to the hierarchical relationship, the authority $P_m$ is assigned to the user or industrial control device for accessing system resources with different permissions.
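The following is an added example, not part of the patent text, of the decision an object-side encryption authentication module makes: it evaluates the example policy "HMI equipment or (PLC equipment and 9:00-17:00)" over a subject's attribute set, then applies the trust gate T(u_i) ≥ min{Tr_i} and maps the trust value to a level and its rights. The tuple encoding of the policy, the attribute names, the threshold values, the rights table and the boundary handling are assumptions made for illustration.

```python
from bisect import bisect_right
from datetime import time
from typing import NamedTuple

# Policy tree (assumed encoding): ("attr", name, value), ("time", start, end),
# ("and", *children), ("or", *children).
# Policy 1 from the text: HMI equipment OR (PLC equipment AND 9:00-17:00).
POLICY_1 = (
    "or",
    ("attr", "device_type", "HMI"),
    ("and", ("attr", "device_type", "PLC"), ("time", time(9, 0), time(17, 0))),
)

# Constructed sample values, not taken from the patent.
THRESHOLDS = [0.2, 0.4, 0.6, 0.8, 1.0]          # t_1 .. t_q with q = 5
RIGHTS_BY_LEVEL = {                              # P_m for m = 1 .. q-1
    1: {"read_status"},
    2: {"read_status", "read_registers"},
    3: {"read_status", "read_registers", "write_setpoint"},
    4: {"read_status", "read_registers", "write_setpoint", "download_logic"},
}


class Decision(NamedTuple):
    allowed: bool
    reason: str
    rights: frozenset


def evaluate(policy, attrs, now):
    """Evaluate a policy tree against the subject's attribute set at time `now`."""
    op = policy[0]
    if op == "attr":
        _, name, expected = policy
        return attrs.get(name) == expected        # a missing attribute never matches
    if op == "time":
        _, start, end = policy
        return start <= now <= end
    if op == "and":
        return all(evaluate(child, attrs, now) for child in policy[1:])
    if op == "or":
        return any(evaluate(child, attrs, now) for child in policy[1:])
    raise ValueError(f"unknown policy node {op!r}")  # fail closed on a malformed policy


def trust_level(trust, thresholds):
    """Return m such that t_m <= T <= t_{m+1} (1 <= m <= q-1), or 0 below t_1.

    Assumption: a value exactly on a boundary t_m belongs to level m, and
    values at or above t_q are clamped to the top level q-1.
    """
    if trust < thresholds[0]:
        return 0
    return min(bisect_right(thresholds, trust), len(thresholds) - 1)


def authorize(attrs, now, trust, policy, trust_interval,
              thresholds=THRESHOLDS, rights_by_level=RIGHTS_BY_LEVEL):
    """Object-side decision: attribute policy first, then the trust gate."""
    if not evaluate(policy, attrs, now):
        return Decision(False, "attribute policy not satisfied", frozenset())
    if trust < min(trust_interval):               # requires T(u_i) >= min{Tr_i}
        return Decision(False, "trust value below min{Tr_i}", frozenset())
    level = trust_level(trust, thresholds)
    rights = frozenset(rights_by_level.get(level, ()))
    return Decision(True, f"trust level {level}", rights)


if __name__ == "__main__":
    # Constructed attribute set for the subject PLC1 (documentation-range values).
    plc1 = {"device_type": "PLC", "mac": "00:11:22:33:44:55",
            "ip": "192.0.2.10", "location": "workshop-A"}
    tr_plc2 = (0.4, 1.0)                          # assumed trust interval Tr_i for PLC2
    for now, trust in [(time(10, 0), 0.5), (time(18, 30), 0.5), (time(10, 0), 0.3)]:
        print(now, trust, authorize(plc1, now, trust, POLICY_1, tr_plc2))
```

Attributes such as MAC address, IP address and location are asserted by the subject in this sketch; a deployment would bind them to the device through the registered attribute set rather than trusting the values sent on the wire.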
The system model of the invention is shown in FIG. 1. The attribute-certificate-based industrial control system access control method involves a security management and control platform, a management terminal, encryption authentication modules and various industrial control devices. The security management and control platform is used to register user information and device information, define user and device attribute sets, define the access control policy for a subject to access object attributes, provide a remote access interface service for users, and store industrial control equipment information including device public keys; the attribute authorization node can generate an identity certificate for the accessed object according to the subject attribute set; the security management and control platform is operated remotely from the management terminal.
A specific example of the attribute-certificate-based industrial control system access control method, built on this model, is given below.
PLC1 accesses data in PLC2 as a subject: a user wants to operate the industrial control device PLC1 to access data in PLC2, so PLC1 is the access subject and PLC2 is the access object. For the access to succeed, it must pass authentication by the encryption authentication module at the front end of PLC2. As shown in FIG. 2, the specific steps are as follows:
Step 1: the user registers industrial control equipment information through the security management and control platform, defines the attributes of the industrial control equipment, and downloads the corresponding attribute set to the encryption module. The industrial control equipment attributes comprise the factory MAC address, IP address and location information of the equipment; the specific attributes can be converted into integer, character and floating-point data types so that a computer can identify them easily.
Step 2: the user defines the access control policy of PLC2 as an access object through the security management and control platform, and downloads the attribute-set-based policy into encryption authentication module #2.
Step 3: through the security management and control platform, the user operates encryption authentication module #1 and encryption authentication module #2 to authenticate identities. Encryption authentication module #1, as the subject, sends its own m attributes (the subject's entire attribute set) to encryption authentication module #2, and encryption authentication module #2 verifies whether the attribute policy is satisfied according to the access control policy based on the attribute set. If the attribute policy is not satisfied, encryption authentication module #2 returns a verification error instruction and disconnects the connection. If the attribute policy is satisfied, encryption authentication module #2 returns a verification success instruction. The access control policy specifies that industrial control devices at different locations have different permissions to access other industrial control devices, that the permissions of industrial control devices differ at different times, and that devices at different IP addresses have different permissions.
Step 4: after receiving the verification success instruction from encryption authentication module #2, encryption authentication module #1 requests a key generation parameter from encryption authentication module #2. Encryption authentication module #2 returns n attributes randomly selected by the encryption authentication module #1 as key generation parameters. Both encryption authentication module #1 and encryption authentication module #2 generate keys based on the selected n attributes.
Step 5: PLC1 can access data in PLC2 only after encryption authentication module #1 and encryption authentication module #2 have negotiated the key. The communication data of both parties is encrypted and decrypted with the negotiated key.
Step 6: the security management and control platform also performs authority auditing: it monitors whether the PLC1 encryption authentication module #1 shows suspicious behavior (namely, attribute changes), and judges whether the trust value of the PLC1 encryption authentication module #1 is greater than or equal to the threshold attribute: when the access encryption authentication module #2 does not meet the attribute requirement in the PLC2, or the accumulation of abnormal behaviors of the PLC1 encryption authentication module #1 reaches a threshold value, the credit rating is reduced and increased, and the attribute authority is distributed to the encryption authentication module #1 of PLC1 again; if the PLC1 meets the preset attribute requirements in the PLC2, or the PLC1 equipment behavior accumulation is lower than a threshold value, the credit rating is reduced, and if the attribute authority is redistributed to the PLC1, otherwise, the credit rating of the encryption authentication module #1 is increased.
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, but not all, embodiments of the present invention. All other embodiments, which can be obtained by a person skilled in the art without any inventive step based on the embodiments of the present invention, are within the scope of the present invention.

Claims (7)

1. An industrial control system access control method based on attribute certificates is characterized by comprising the following steps:
Step 1: a user registers the industrial control equipment information of a subject PLC1 and an object PLC2 through the security management and control platform, defines the industrial control equipment attributes, and downloads the industrial control equipment attribute set to encryption authentication module #1 in the subject PLC1 and encryption authentication module #2 in the object PLC2;
Step 2: the user defines the access policy of the access object PLC2 through the security management and control platform, and downloads the attribute-set-based policy into the encryption authentication module of the object PLC2;
Step 3: the security management and control platform authenticates identities through encryption authentication module #1 and encryption authentication module #2;
Step 4: after receiving the verification success instruction from encryption authentication module #2, encryption authentication module #1 requests a key generation parameter from encryption authentication module #2; encryption authentication module #2 returns n attributes randomly selected by the encryption authentication module #1 as key generation parameters; encryption authentication module #1 and encryption authentication module #2 generate a key according to the selected n attributes;
Step 5: after encryption authentication module #1 and encryption authentication module #2 negotiate a key, the subject PLC1 accesses data in the object PLC2;
Step 6: the security management and control platform monitors whether encryption authentication module #1 of the subject PLC1 shows abnormal behavior, and judges whether the trust value of the PLC1 encryption authentication module #1 is greater than or equal to a threshold value;
when the access encryption authentication module #2 does not meet the attribute requirement in the PLC2, or the accumulation of abnormal behaviors of the PLC1 encryption authentication module #1 reaches a threshold value, the credit rating is reduced and increased, and the attribute authority is distributed to the encryption authentication module #1 again; otherwise, the credit rating is reduced, and the authority is reduced according to the trust rating;
if the PLC1 meets the preset attribute requirements in the PLC2 or the PLC1 equipment behavior accumulation is lower than a threshold value, the credit rating is reduced, and the attribute authority is redistributed to the PLC1; otherwise, the credit rating of the encryption authentication module #1 is increased.
2. The industrial control system access control method based on the attribute certificate as claimed in claim 1, wherein the security management and control platform authenticates the identity through an encryption authentication module #1 and an encryption authentication module #2, comprising the following steps:
encryption authentication module #1 sends its m attributes to encryption authentication module #2, and encryption authentication module #2 verifies whether the attribute policy is satisfied according to the access control policy based on the attribute set; if the attribute policy is not satisfied, encryption authentication module #2 returns a verification error instruction and disconnects the connection; if the attribute policy is satisfied, encryption authentication module #2 returns a verification success instruction.
3. The industrial control system access control method based on the attribute certificate as claimed in claim 1, wherein the industrial control device attribute includes a factory MAC address, an IP address, and location information of a device.
4. The industrial control system access control method based on the attribute certificate as claimed in claim 1, wherein the policy based on the attribute set includes that industrial control devices at different positions have different permissions to access other industrial control devices, the permissions of the industrial control devices at different times are different, and the permissions of the devices at different IP addresses are different.
5. The method as claimed in claim 1, wherein after the encryption authentication module #1 and the encryption authentication module #2 negotiate a key, the host PLC1 accesses data in the guest PLC2, and the communication data of both parties are encrypted and decrypted with the negotiated key.
6. The industrial control system access control method based on the attribute certificate as claimed in claim 5, wherein the key generation comprises the following steps:
setting a public key: the security management and control platform inputs a system security parameter A, and outputs a master key MK and a system public key CPK to the encryption authentication module in each industrial control device; the encryption authentication module in each industrial control device generates its own public key APK;
outputting a private key: the security management and control platform runs a randomized algorithm that takes as input the system master key MK, the unique authentication identifier GID of the industrial control device and the seeds S1, S2, ..., Sk of the encryption authentication modules, and outputs a private key D of the security management and control platform to the encryption authentication module in each industrial control device;
the encryption authentication module of each industrial control device, based on its respective seed S1, S2, ..., Sk, the unique user identifier GID of the industrial control device, the attribute set NK managed by the encryption authentication module and a random value r in Zp, outputs a private key SK to the storage area of each encryption authentication module; the data accessor, namely the subject, then obtains the private key SK;
encrypting the plaintext: the industrial control device runs an algorithm that takes all attributes S participating in encryption, the plaintext M and the system public key CPK, and obtains and outputs a ciphertext CT to the encryption authentication module;
the security management and control platform runs an algorithm that takes as input the attribute set NK and the ciphertext CT of the industrial control device; if the SK meets the access policy set by the encryption authentication module, the plaintext M is output to the encryption authentication module of the industrial control device.
7. The method according to claim 1, wherein when the industrial control device ui is used as a subject to access other industrial control devices serving as objects, the object can be accessed only if the trust value t(ui) satisfies t(ui) ≥ min{Tri}, whereupon the corresponding permission set R = {R1, R2, …, RK} is activated, where K represents the number of different permissions when the subject accesses the object, and Tri is a trust interval in which the subject can access the object.
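The checks in claims 2 to 4 and 7 can be read as one authorization decision on the object side. The sketch below is an added example, not code from the patent: the permission names, trust floors, policy shape and sample values are assumptions, and the attribute certificate and key negotiation are left out.

```python
from dataclasses import dataclass
from datetime import time
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Attributes:            # claim 3: factory MAC, IP address, location
    mac: str
    ip: str
    location: str

@dataclass(frozen=True)
class Policy:                # claim 4: position, time and IP constrain access
    allowed_macs: frozenset  # lower-case MAC strings
    allowed_net: str
    allowed_locations: frozenset
    window: tuple            # (start, end) time of day; hypothetical shape

# Hypothetical table: permission R_i -> lower bound of its trust interval Tr_i
# (assumption: one interval per permission).
PERMISSIONS = {"read_status": 0.3, "read_registers": 0.5, "write_setpoint": 0.8}

def attributes_satisfy(attrs, policy, now):
    """Module #2 side of claim 2: every attribute must satisfy the policy."""
    try:
        ip_ok = ip_address(attrs.ip) in ip_network(policy.allowed_net)
    except ValueError:       # malformed address: fail closed
        return False
    start, end = policy.window
    return (ip_ok
            and attrs.mac.lower() in policy.allowed_macs
            and attrs.location in policy.allowed_locations
            and start <= now <= end)

def authorize(attrs, policy, trust, now):
    """Return the activated permission set; empty set means disconnect."""
    if not attributes_satisfy(attrs, policy, now):
        return set()                       # verification error instruction
    if trust < min(PERMISSIONS.values()):  # claim 7: t(ui) >= min{Tr_i}
        return set()
    return {p for p, floor in PERMISSIONS.items() if trust >= floor}

# Constructed sample data, not taken from the patent.
POLICY = Policy(frozenset({"00:1a:2b:3c:4d:5e"}), "10.20.0.0/24",
                frozenset({"line-3"}), (time(6, 0), time(22, 0)))
PLC1 = Attributes("00:1A:2B:3C:4D:5E", "10.20.0.17", "line-3")
```

In the claimed method these attributes are presented through the encryption authentication module; a MAC or IP value checked on its own, as in this sketch, is not proof of identity.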
CN202011529272.2A 2020-12-22 2020-12-22 Industrial control system access control method based on attribute certificate Active CN114666079B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011529272.2A CN114666079B (en) 2020-12-22 2020-12-22 Industrial control system access control method based on attribute certificate

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202011529272.2A CN114666079B (en) 2020-12-22 2020-12-22 Industrial control system access control method based on attribute certificate

Publications (2)

Publication Number Publication Date
CN114666079A true CN114666079A (en) 2022-06-24
CN114666079B CN114666079B (en) 2023-03-24

Family

ID=82024660

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202011529272.2A Active CN114666079B (en) 2020-12-22 2020-12-22 Industrial control system access control method based on attribute certificate

Country Status (1)

Country Link
CN (1) CN114666079B (en)

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20120060207A1 (en) * 2010-09-03 2012-03-08 Ebay Inc. Role-based attribute based access control (rabac)
CN104641591A (en) * 2012-09-21 2015-05-20 诺基亚公司 Method and apparatus for providing access control to shared data based on trust level
CN104935590A (en) * 2015-06-10 2015-09-23 南京航空航天大学 HDFS access control method based on role and user trust value
CN105991278A (en) * 2016-07-11 2016-10-05 河北省科学院应用数学研究所 Ciphertext access control method based on CP-ABE (Ciphertext-Policy Attribute-Based Encryption)
CN107846397A (en) * 2017-09-30 2018-03-27 北京理工大学 A kind of cloud storage access control method based on the encryption of attribute base
CN109818757A (en) * 2019-03-18 2019-05-28 广东工业大学 Cloud storage data access control method, Attribute certificate awarding method and system
CN111431843A (en) * 2019-01-10 2020-07-17 中国科学院电子学研究所 Access control method based on trust and attribute in cloud computing environment

Patent Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20120060207A1 (en) * 2010-09-03 2012-03-08 Ebay Inc. Role-based attribute based access control (rabac)
CN104641591A (en) * 2012-09-21 2015-05-20 诺基亚公司 Method and apparatus for providing access control to shared data based on trust level
US20150222606A1 (en) * 2012-09-21 2015-08-06 Nokia Corporation Method and apparatus for providing access control to shared data based on trust level
CN104935590A (en) * 2015-06-10 2015-09-23 南京航空航天大学 HDFS access control method based on role and user trust value
CN105991278A (en) * 2016-07-11 2016-10-05 河北省科学院应用数学研究所 Ciphertext access control method based on CP-ABE (Ciphertext-Policy Attribute-Based Encryption)
CN107846397A (en) * 2017-09-30 2018-03-27 北京理工大学 A kind of cloud storage access control method based on the encryption of attribute base
CN111431843A (en) * 2019-01-10 2020-07-17 中国科学院电子学研究所 Access control method based on trust and attribute in cloud computing environment
CN109818757A (en) * 2019-03-18 2019-05-28 广东工业大学 Cloud storage data access control method, Attribute certificate awarding method and system

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
王易: "云计算环境下基于属性加密的访问控制方案研究", 《中国优秀硕士学位论文全文数据库信息科技辑》 *
陈丹伟,杨晟: "基于动态信用等级的密文访问控制方案", 《计算机应用》 *
马丁义,郭银章: "基于信任和属性的云服务访问控制模型研究", 《太原科技大学学报》 *

Also Published As

Publication number Publication date
CN114666079B (en) 2023-03-24

Similar Documents

Publication Publication Date Title
CN110784491B (en) Internet of things safety management system
CN110855671B (en) Trusted computing method and system
WO2021179449A1 (en) Mimic defense system based on certificate identity authentication, and certificate issuing method
CN106888084B (en) Quantum fort machine system and authentication method thereof
US7155616B1 (en) Computer network comprising network authentication facilities implemented in a disk drive
TWI536285B (en) Controlling method of physically secured authorization for utility applications, and authentication system for utility network
CN103003822B (en) The domain authentication of platform resource is controlled
US8971537B2 (en) Access control protocol for embedded devices
CN103248479A (en) Cloud storage safety system, data protection method and data sharing method
CN112383391B (en) Data security protection method based on data attribute authorization, storage medium and terminal
JP2023500570A (en) Digital signature generation using cold wallet
WO2022154843A1 (en) Systems and methods for encrypted content management
CN105471901A (en) Industrial information security authentication system
US10909254B2 (en) Object level encryption system including encryption key management system
CN115426136A (en) Cross-domain access control method and system based on block chain
CN110519238B (en) Internet of things security system and communication method based on cryptographic technology
CN109818923A (en) A kind of attribute base cloud service access control method based on attribute ciphertext re-encryption
Jamal et al. Reliable access control for mobile cloud computing (MCC) with cache-aware scheduling
CN106992978B (en) Network security management method and server
CN115865320A (en) Block chain-based security service management method and system
CN108347426B (en) Teaching system information security management system based on big data and access method
CN111538973A (en) Personal authorization access control system based on state cryptographic algorithm
CN111190694A (en) Virtualization security reinforcement method and device based on Roc platform
CN114666079B (en) Industrial control system access control method based on attribute certificate
Alshahrani et al. Authentication method in software-defined network based on ciphertext-policy attributes encryption

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant