CN116248277A - Zero-trust security processing method and system for authentication encryption of Internet of things equipment - Google Patents


Info

Publication number
CN116248277A
Authority
CN
China
Prior art keywords
access
equipment
information
internet
resource
Prior art date
Legal status
Pending
Application number
CN202310226783.4A
Other languages
Chinese (zh)
Inventor
蒋娟
陈柯
廖勇
尹旭东
Current Assignee
Shenzhen Junjie Safety Technology Co ltd
Original Assignee
Shenzhen Junjie Safety Technology Co ltd
Priority date
Filing date
Publication date
Application filed by Shenzhen Junjie Safety Technology Co ltd
Priority to CN202310226783.4A
Publication of CN116248277A
Legal status: Pending (current)

Classifications

    • H04L9/0838 Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these (under H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols; H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords; H04L9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use)
    • H04L9/0863 Generation of secret information including derivation or calculation of cryptographic keys or passwords involving passwords or one-time passwords (under H04L9/08; H04L9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords)
    • G16Y30/10 Security thereof (under G16Y Information and communication technology specially adapted for the Internet of Things [IoT]; G16Y30/00 IoT infrastructure)
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload (under H04L63/00 Network architectures or network communication protocols for network security; H04L63/04)
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities (under H04L63/00)
    • H04L63/083 Network architectures or network communication protocols for network security for authentication of entities using passwords (under H04L63/08)
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general (under H04L63/00)
    • Y04S40/20 Information technology specific aspects, e.g. CAD, simulation, modelling, system security (under Y04S Systems integrating technologies related to power network operation, communication or information technologies for improving the electrical power generation, transmission, distribution, management or usage, i.e. smart grids; Y04S40/00 Systems for electrical power generation, transmission, distribution or end-user application management characterised by the use of communication or information technologies, or communication or information technology specific aspects supporting them)

Abstract

The invention provides a zero-trust security processing method and system for authentication and encryption of Internet of things equipment, in the technical field of Internet of things security. The method comprises the following steps: setting up a zero-trust security management platform; performing data signature encryption and identity authentication, with a ZTRUST zero-trust session key negotiation cryptosystem, on a resource access subject formed from access user information and Internet of things access equipment information; when the identity authentication result is a pass, performing multi-factor dynamic evaluation of the resource access subject in a trust evaluation layer; and, when the identity access credibility reaches a credibility reference value, having the resource access layer calculate and distribute resources to the resource access subject according to a fine-grained access authorization policy, so as to obtain the secure access authority resources. This addresses the technical problem that, in the prior art, authentication encryption of Internet of things equipment requires dynamic continuous trust evaluation and dynamic adjustment of access authority, which makes the authentication encryption efficiency low; the method achieves reasonable authentication encryption of Internet of things equipment and improves its efficiency.

Description

Zero-trust security processing method and system for authentication encryption of Internet of things equipment
Technical Field
The invention relates to the technical field of security of the Internet of things, in particular to a zero-trust security processing system for authentication and encryption of equipment of the Internet of things.
Background
In recent years, as enterprises and consumers have accelerated their adoption of Internet of things technology, every industry has come to benefit from it, from personal wearable devices and home appliances to industrial manufacturing and smart cities.
However, most Internet of things hardware devices lack a trusted identity authentication mechanism, and many systems lack access control and device protection capabilities, so the risk of device replacement or of illegal devices gaining access cannot be excluded. Moreover, most Internet of things hardware devices simply exchange data over the network without encrypting it. Even where data encryption is used in some scenarios, encryption happens only at the receiving end; the data is not encrypted at its point of origin, the data outlet of the device, so it lacks effective protection in transit and is easily tampered with. As the number of connected Internet of things devices grows, these shortcomings pose serious hidden risks to Internet of things data security.
In the prior art, authentication encryption of Internet of things equipment requires complicated dynamic continuous trust evaluation and dynamic adjustment of access authority, so the authentication encryption efficiency is too low and misjudgments are easy to make.
Disclosure of Invention
The present application provides a zero-trust security processing method for Internet of things equipment authentication encryption, which addresses the technical problem that, in the prior art, such authentication encryption requires complex dynamic continuous trust evaluation and dynamic adjustment of access authority, so that its efficiency is too low and misjudgments are easy to make.
In view of the above problems, the application provides a zero-trust security processing method and system for authentication encryption of internet of things equipment.
In a first aspect, the present application provides a zero-trust security processing method for authentication encryption of an Internet of things device, the method comprising: setting up a zero-trust security management platform, wherein the zero-trust security management platform comprises a device access layer, a trust evaluation layer and a resource access layer; acquiring Internet of things access equipment information through the device access layer; acquiring access user information, and generating a resource access subject from the access user information and the Internet of things access equipment information; performing data signature encryption and identity authentication on the resource access subject with a ZTRUST zero-trust session key negotiation cryptosystem to obtain an identity authentication result; when the identity verification result is a pass, performing multi-factor dynamic evaluation on the resource access subject in the trust evaluation layer to obtain an identity access credibility; when the identity access credibility reaches a credibility reference value, acquiring a fine-grained access authorization policy; and having the resource access layer perform calculation and distribution for the resource access subject according to the fine-grained access authorization policy to obtain the secure access authority resource.
In a second aspect, the present application provides a zero-trust security processing system for Internet of things device authentication encryption, the system comprising: a platform building module, used for building a zero-trust security management platform comprising a device access layer, a trust evaluation layer and a resource access layer; an access module, used for acquiring Internet of things access equipment information through the device access layer; an access subject module, used for obtaining access user information and generating a resource access subject from the access user information and the Internet of things access equipment information; an authentication result obtaining module, used for performing data signature encryption and identity authentication on the resource access subject with a ZTRUST zero-trust session key negotiation cryptosystem to obtain an authentication result; an evaluation module, used for performing multi-factor dynamic evaluation on the resource access subject in the trust evaluation layer when the identity verification result is a pass, so as to obtain an identity access credibility; an authorization policy module, used for obtaining a fine-grained access authorization policy when the identity access credibility reaches a credibility reference value; and a calculation distribution module, used by the resource access layer to calculate and distribute resources to the resource access subject according to the fine-grained access authorization policy, so as to obtain the secure access authority resource.
One or more technical solutions provided in the present application have at least the following technical effects or advantages:
The zero-trust security processing method for Internet of things equipment authentication encryption provided by the application relates to the technical field of Internet of things security. It solves the technical problem that, in the prior art, complex dynamic continuous trust evaluation and dynamic adjustment of access authority are needed for Internet of things equipment authentication encryption, so that its efficiency is too low and misjudgments are easy to make; by performing the authentication encryption of the Internet of things equipment with a ZTRUST zero-trust session key negotiation cryptosystem, the efficiency of Internet of things equipment authentication encryption is improved.
Drawings
Fig. 1 is a schematic flow chart of a zero-trust security processing method for authentication encryption of Internet of things equipment;
Fig. 2 is a schematic flow chart of obtaining the authentication result in the zero-trust security processing method for authentication encryption of Internet of things equipment;
Fig. 3 is a schematic flow chart of obtaining the identity access credibility in the zero-trust security processing method for authentication encryption of Internet of things equipment;
Fig. 4 is a schematic flow chart of constructing the fine-grained access authorization policy in the zero-trust security processing method for authentication encryption of Internet of things equipment;
Fig. 5 is a schematic flow chart of obtaining the secure access authority resource in the zero-trust security processing method for authentication encryption of Internet of things equipment;
Fig. 6 is a schematic structural diagram of a zero-trust security processing system for authentication encryption of Internet of things equipment.
Reference numerals illustrate: the system comprises a platform building module 1, an access module 2, an access topic module 3, an identity verification result obtaining module 4, an evaluation module 5, an authorization policy module 6 and a calculation distribution module 7.
Detailed Description
The zero-trust security processing method for authentication encryption of Internet of things equipment is used to solve the technical problem that, in the prior art, complex dynamic continuous trust evaluation and dynamic adjustment of access authority are needed for authentication encryption of Internet of things equipment, so that the authentication encryption efficiency is too low and misjudgments are easy to make.
Example 1
As shown in fig. 1, an embodiment of the present application provides a zero-trust security processing method for authentication encryption of an internet of things device, where the method includes:
step S100: setting up a zero-trust security management platform, wherein the zero-trust security management platform comprises a device access layer, a trust evaluation layer and a resource access layer;
Specifically, the zero-trust security processing method for Internet of things equipment authentication encryption is applied in a zero-trust security processing system for Internet of things equipment authentication encryption. Because authentication encryption of Internet of things equipment at the present stage requires complex dynamic continuous trust evaluation and dynamic adjustment of access rights, its efficiency is too low and misjudgments are easy to make. A zero-trust security management platform is therefore built to perform dynamic continuous trust evaluation of the Internet of things equipment and dynamic adjustment of its access rights. The platform comprises an equipment access layer, a trust evaluation layer and a resource access layer: the equipment access layer is the level at which the current Internet of things equipment is admitted; the trust evaluation layer is the level at which multi-dimensional dynamic trust evaluation of the currently admitted equipment is carried out; and the resource access layer is the level at which resources are allocated to the currently admitted equipment. Building the zero-trust security management platform thus provides an important reference basis for later obtaining the secure access resources.
Step S200: acquiring information of access equipment of the Internet of things through the equipment access layer;
Specifically, on the basis of the built zero-trust security management platform, the information of the device currently accessing the Internet of things is acquired through the platform's device access layer. An Internet of things device is a networked device capable of communicating with other devices and networks; it can connect to networks wirelessly and is capable of transmitting data. Once a device has connected, the device access layer can identify it and thereby obtain the Internet of things access equipment information, which in turn helps safeguard the secure access permission resources.
Step S300: acquiring access user information, and generating a resource access subject according to the access user information and the access equipment information of the Internet of things;
Specifically, the access user currently accessing the Internet of things is recorded, so that the access user information corresponding to that user is obtained; the access user information comprises the current time and the access users before the current time. The recorded access user information is then integrated with the Internet of things access equipment information acquired from the equipment access layer of the zero-trust security management platform. Since different devices may be used by different users, the device currently accessing the Internet of things is matched to the user currently accessing it, and the access user information and the Internet of things access equipment information are integrated to generate the resource access subject, which provides a firm basis for subsequently obtaining the secure access authority resources.
Step S400: performing data signature encryption and identity authentication on the resource access main body by adopting a ZTRUST zero trust session key negotiation cryptosystem to obtain an identity authentication result;
Specifically, since in the prior art authentication encryption of Internet of things equipment requires complex dynamic continuous trust evaluation and dynamic adjustment of access authority, so that efficiency is too low and misjudgment is easy, a ZTRUST zero-trust session key negotiation cryptosystem is adopted to authenticate the identity of, and encrypt the data of, the obtained resource access subject. First, trusted Internet of things equipment information and trusted user identity information are obtained through a digital identity management platform. Then the Internet of things equipment characteristics extracted from the trusted Internet of things equipment information, together with the trusted user identity information, are encrypted with the ZTRUST zero-trust session key negotiation cryptosystem, generating encrypted equipment identification authentication identity information and a trusted user digital signature. Finally, identity authentication of the formed resource access subject is carried out on the basis of that encrypted equipment identification authentication identity information and trusted user digital signature, and the resulting identity verification result gates the obtaining of the secure access authority resources.
Step S500: when the identity verification result is passing, carrying out multi-factor dynamic evaluation on the resource access subject based on the trust evaluation layer to obtain identity access credibility;
Specifically, on the basis of the authentication result obtained by performing data signature encryption and identity authentication on the resource access subject with the ZTRUST zero-trust session key negotiation cryptosystem: when the authentication result is a failure, the current resource access subject is rejected; when the authentication result is a pass, the current resource access subject must undergo multi-factor dynamic evaluation in the trust evaluation layer of the built zero-trust security management platform. That is, a multi-factor joint-decision access mechanism is first built; the network environment information, access behaviour information, operating software information and terminal hardware information of the current Internet of things access are obtained; and the current resource access subject is dynamically evaluated on the basis of the data signature encryption and authentication result. The dynamic evaluation results are weighted and fused to obtain the identity access credibility of the current access to the Internet of things equipment, which promotes the acquisition of the secure access authority resources.
Step S600: when the identity access credibility reaches a credibility reference value, acquiring a fine-grained access authorization strategy;
Specifically, a credibility reference value is first set, and the identity access credibility obtained by the multi-factor dynamic evaluation of the resource access subject in the trust evaluation layer is compared with it. If the identity access credibility does not reach the reference value, the access request of the current user is refused. If it does reach the reference value, the function data sets of all trusted personnel are obtained through a digital avatar management platform, authority allocation is performed on the basis of the equipment interaction level information and the function data sets, and the access resource information whose authority allocation is complete is intersected with the resource request authorities of the resource access subject; that is, the intersection of the access resource information and the corresponding requested authorities is extracted, and from it the fine-grained access authorization policy is constructed. This has a decisive influence on later obtaining the secure access authority resources.
Step S700: and the resource access layer performs calculation and distribution on the resource access main body based on the fine-granularity access authorization policy to obtain the security access authority resource.
Specifically, on the basis of the fine-grained access authorization policy, the resource access layer of the built zero-trust security management platform performs calculation and distribution for the resource access subject. The access function level information obtained from the trusted personnel's digital signature and the equipment hierarchical access resource information are first fed together into the authority distribution model, which outputs the function authority distribution result. Authority calculation is then performed on the function authority distribution result together with the obtained access request information, each weighted according to its degree of influence, and from the calculation result the secure access authority resource for the authenticated and encrypted Internet of things equipment is finally obtained. Authentication encryption of the Internet of things equipment with the ZTRUST zero-trust session key negotiation cryptosystem is thereby realised, and the efficiency of Internet of things equipment authentication encryption is improved.
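The trust evaluation layer and resource access layer of steps S400 to S700, as an added worked example in Python (not code from the patent): per-factor scores are fused by a weighted average into the identity access credibility, compared with the credibility reference value, and the fine-grained policy is taken as the intersection of the resources allocated to the subject with the authorities it requested. The factor names follow step S500; the weights, reference value, scoring scale, permission strings and sample subject are constructed assumptions.

```python
"""Added worked example for steps S400-S700 of the zero-trust platform.

Assumptions (constructed, not fixed by the patent text): each evaluation factor
is a score in [0.0, 1.0]; factors are fused by a weighted average; the fine-grained
policy is the set intersection of allocated resources with requested authorities."""
from dataclasses import dataclass, field

# Factors named in step S500; the weights are a constructed example.
FACTOR_WEIGHTS = {
    "network_environment": 0.30,
    "access_behaviour": 0.30,
    "operating_software": 0.20,
    "terminal_hardware": 0.20,
}
TRUST_REFERENCE = 0.75   # "credibility reference value" of step S600 (constructed)


@dataclass
class ResourceAccessSubject:
    """Step S300: access user information combined with IoT device information."""
    user_id: str
    device_id: str
    factors: dict = field(default_factory=dict)   # factor name -> score in [0, 1]
    requested: frozenset = frozenset()             # authorities the subject asks for


def multi_factor_trust(factors, weights=FACTOR_WEIGHTS):
    """Step S500: weighted fusion of per-factor scores into one credibility value.

    Fails closed: a factor that is missing or outside [0, 1] scores 0, so an
    incomplete evaluation cannot reach the reference value by accident."""
    total_weight = sum(weights.values())
    fused = 0.0
    for name, weight in weights.items():
        score = factors.get(name, 0.0)
        if not 0.0 <= score <= 1.0:
            score = 0.0
        fused += weight * score
    return round(fused / total_weight, 4)


def fine_grained_policy(allocated, requested):
    """Step S600: granted = allocated (by device level and role) ∩ requested.

    The subject never receives more than it requested nor more than its allocation;
    requested authorities outside the allocation are returned separately so the
    resource access layer can record them."""
    granted = frozenset(allocated) & frozenset(requested)
    refused = frozenset(requested) - granted
    return granted, refused


def evaluate_access(subject, identity_verified, allocated,
                    weights=FACTOR_WEIGHTS, reference=TRUST_REFERENCE):
    """Steps S400-S700 chained: authentication -> trust -> policy -> resources."""
    if not identity_verified:                       # S400 result is not a pass
        return {"decision": "reject", "reason": "identity_authentication_failed"}
    trust = multi_factor_trust(subject.factors, weights)
    if trust < reference:                           # S600: below reference value
        return {"decision": "reject", "reason": "trust_below_reference",
                "trust": trust}
    granted, refused = fine_grained_policy(allocated, subject.requested)
    return {"decision": "grant", "trust": trust,
            "granted": granted, "refused": refused}


# Constructed sample: an operator on a gateway with a healthy evaluation.
SAMPLE_SUBJECT = ResourceAccessSubject(
    user_id="operator-17", device_id="gw-0042",
    factors={"network_environment": 0.9, "access_behaviour": 0.8,
             "operating_software": 1.0, "terminal_hardware": 0.7},
    requested=frozenset({"telemetry:read", "config:write", "firmware:write"}),
)
# Resources the device level and role allocate to this subject (constructed).
SAMPLE_ALLOCATION = frozenset({"telemetry:read", "config:write", "alerts:read"})

if __name__ == "__main__":
    print(evaluate_access(SAMPLE_SUBJECT, identity_verified=True,
                          allocated=SAMPLE_ALLOCATION))
```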
Further, as shown in fig. 2, step S400 of the present application further includes:
step S410: acquiring trusted Internet of things equipment information and trusted personnel identity information through a digital avatar management platform;
step S420: generating internet of things equipment characteristic factors according to the trusted internet of things equipment information;
step S430: encrypting the internet of things equipment characteristic factors and the trusted personnel identity information by adopting a ZTRUST zero trust session key negotiation cryptosystem to generate equipment identification authentication identity information and a trusted personnel digital signature;
step S440: and carrying out identity authentication on the resource access subject based on the equipment identification authentication identity information and the trusted personnel digital signature to obtain the identity authentication result.
Specifically, the system first screens, through a digital avatar management platform, the trusted Internet of things equipment among the connected Internet of things equipment and the trusted personnel identity information among the access users, thereby obtaining the trusted Internet of things equipment information and the trusted personnel identity information respectively. Characteristics of the Internet of things equipment are then extracted from the obtained trusted Internet of things equipment information; such a characteristic may be, for example, that the equipment runs an Android version, an iOS version, an H5 version, an applet version, a user-defined version or the like, and the characteristics of the currently obtained Internet of things equipment are extracted accordingly. The obtained Internet of things equipment characteristic factor and the trusted personnel identity information are then encrypted with the ZTRUST zero-trust session key negotiation cryptosystem. This cryptosystem is suitable for any terminal and realises user authentication, equipment authentication and application authentication, ensuring the network access security of the equipment; the encryption generates the equipment identification authentication identity information and the trusted personnel digital signature. Finally, identity authentication of the resource access subject is carried out on the basis of the equipment identification authentication identity information and the trusted personnel digital signature, yielding the identity authentication result, which provides an important basis for later obtaining the secure access authority resources.
Further, step S430 of the present application includes:
step S431: obtaining equipment endpoint deployment information according to the trusted Internet of things equipment information;
step S432: performing interaction level analysis based on the equipment endpoint deployment information to obtain equipment interaction level information;
step S433: performing feature coding on the trusted internet of things equipment information according to the equipment interaction level information to obtain internet of things equipment feature factors;
step S434: and carrying out dynamic password identification based on the equipment characteristic factors of the Internet of things to obtain the equipment identification authentication identity information.
Specifically, each piece of Internet of things equipment is treated as a communication endpoint, and all deployed communication endpoints of the trusted Internet of things equipment are integrated. Each deployed communication endpoint carries an equipment fingerprint, which may comprise the IMEI, IMSI, MAC address, system type, system version, system name, equipment model, CPU core count, CPU serial number and the like; from these the equipment endpoint deployment information is generated. The equipment fingerprints contained in the equipment endpoint deployment information are then analysed at the interaction layer, that is, the interaction level of each deployed equipment endpoint in the trusted Internet of things equipment is extracted and integrated into the equipment interaction level information. Feature coding of the trusted Internet of things equipment information is then performed according to the obtained equipment interaction level information, that is, the feature code of each piece of Internet of things equipment is derived from its equipment type and the interaction level at which it sits. Dynamic password identification is then carried out on the basis of the obtained Internet of things equipment feature factors, that is, the password is updated in real time according to the current network environment, equipment information, access user and the like, and finally the equipment identification authentication identity information is obtained, which guarantees efficient access to the secure resources when the access rights are granted.
Further, step S400 of the present application further includes:
step S450: embedding a Z password module into each device in the trusted Internet of things device information, and activating the Z password module;
step S460: continuously monitoring the trusted Internet of things equipment information based on the activated Z password module to obtain equipment operation data information;
step S470: performing abnormal characteristic analysis on the equipment operation data information to obtain equipment operation abnormal coefficients;
step S480: when the equipment operation abnormal coefficient reaches an abnormal reference line, marking the abnormal equipment, and blocking and removing the marked abnormal equipment from the trusted internet of things equipment information.
Specifically, in order to ensure continuous bidirectional authentication of the Internet of Things equipment, a Z cryptographic module is embedded in every device in the trusted Internet of Things equipment information and each embedded Z cryptographic module is activated. The activated Z cryptographic modules continuously perform bidirectional authentication with the ZTRUST security system, that is, authorized devices are granted access and illegal devices are blocked. Continuous, uninterrupted monitoring of the trusted Internet of Things equipment information is carried out on the basis of the activated Z cryptographic modules, and the monitoring result is recorded as the equipment operation data information. Abnormal characteristic analysis is then performed on the equipment operation data information, that is, the characteristics in the currently obtained equipment operation data information are compared with abnormal characteristics; the device fingerprint verification method can be used in this comparison to verify the current characteristics, a baseline is extracted, and the equipment operation abnormal coefficient is constructed from the extracted abnormal characteristics. When the equipment operation abnormal coefficient does not exceed the abnormal reference line, monitoring of the equipment operation data information continues; when it reaches the abnormal reference line, the corresponding device is marked as abnormal, and the marked abnormal device is blocked and removed from the trusted Internet of Things equipment information.
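An added worked example of the persistent monitoring loop of steps S460 to S480, written for this page rather than taken from the patent: the baseline layout, the two feature-group weights, the 0.5 abnormal reference line and the sample observations are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass
class Baseline:
    """Baseline extracted for one trusted device: the fingerprint digest it
    was enrolled with and the normal range of each monitored metric."""
    fingerprint_digest: str
    metric_ranges: dict  # metric name -> (low, high), inclusive


# Relative weight of the two anomaly feature groups in the coefficient
# (assumed values; the description does not fix them).
FINGERPRINT_WEIGHT = 0.5
METRIC_WEIGHT = 0.5


def anomaly_coefficient(baseline, observation):
    """Abnormal characteristic analysis for one monitoring sample.

    Returns a coefficient in [0, 1]: 0 means every feature matches the
    baseline, 1 means the fingerprint changed and every metric is out of range.
    """
    score = 0.0
    # Fingerprint re-verification: the identity features are checked first.
    if observation.get("fingerprint_digest") != baseline.fingerprint_digest:
        score += FINGERPRINT_WEIGHT
    ranges = baseline.metric_ranges
    if ranges:
        out_of_range = 0
        for name, (low, high) in ranges.items():
            value = observation.get(name)
            # A missing metric counts as abnormal, not as "in range".
            if value is None or not (low <= value <= high):
                out_of_range += 1
        score += METRIC_WEIGHT * out_of_range / len(ranges)
    return round(score, 4)


class TrustedDeviceRegistry:
    """Trusted IoT device information kept under persistent monitoring."""

    def __init__(self, abnormal_reference_line=0.5):
        self.reference_line = abnormal_reference_line
        self.devices = {}   # device_id -> Baseline (still trusted)
        self.marked = {}    # device_id -> coefficient at removal time

    def register(self, device_id, baseline):
        self.devices[device_id] = baseline

    def observe(self, device_id, observation):
        """One monitoring step. Returns the coefficient, or None when the
        device is unknown or already removed (its traffic stays blocked)."""
        baseline = self.devices.get(device_id)
        if baseline is None:
            return None
        coefficient = anomaly_coefficient(baseline, observation)
        if coefficient >= self.reference_line:
            # Mark as abnormal and remove from the trusted set.
            self.marked[device_id] = coefficient
            del self.devices[device_id]
        return coefficient

    def is_trusted(self, device_id):
        return device_id in self.devices


# Constructed baseline and three monitoring samples for one gateway device.
GATEWAY_BASELINE = Baseline(
    fingerprint_digest="fp-digest-placeholder",
    metric_ranges={"msg_rate": (0, 100), "cpu_load": (0.0, 0.8), "open_ports": (1, 5)},
)
SAMPLES = [
    {"fingerprint_digest": "fp-digest-placeholder", "msg_rate": 40, "cpu_load": 0.3, "open_ports": 2},
    {"fingerprint_digest": "fp-digest-placeholder", "msg_rate": 900, "cpu_load": 0.95, "open_ports": 2},
    {"fingerprint_digest": "fp-digest-CHANGED", "msg_rate": 40, "cpu_load": 0.3, "open_ports": 23},
]


def run_demo():
    """Feed the samples through the registry; returns the coefficients and the registry."""
    registry = TrustedDeviceRegistry()
    registry.register("gw-01", GATEWAY_BASELINE)
    return [registry.observe("gw-01", s) for s in SAMPLES], registry


if __name__ == "__main__":
    coefficients, registry = run_demo()
    print(coefficients, registry.is_trusted("gw-01"), registry.marked)
```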
Further, as shown in fig. 3, step S500 of the present application further includes:
step S510: constructing a multi-factor joint decision access mechanism;
step S520: based on the multi-factor joint decision access mechanism, an access trust evaluation dimension is obtained, wherein the access trust evaluation dimension comprises a network environment, access behaviors, operation software and terminal hardware;
step S530: dynamically evaluating the resource access subject based on the access trust evaluation dimension to obtain a multi-factor trust evaluation coefficient;
step S540: and carrying out weighted fusion on the multi-factor trust evaluation coefficients to obtain the identity access credibility.
In particular, a multi-factor joint decision access mechanism is constructed; it is a mechanism in which multiple factors are combined to reach a joint decision when the Internet of Things equipment is accessed. The current access trust evaluation dimension is acquired on the basis of the constructed multi-factor joint decision access mechanism, where the access trust evaluation dimension comprises the network environment, access behaviours, operation software and terminal hardware. The resource access subject is then dynamically evaluated along the access trust evaluation dimension, that is, the Internet of Things equipment is evaluated in multiple dimensions while it is being accessed and while the accessing user operates it, so that the damage range and damage consequences of illegal operations, service interruptions, security holes, illegal equipment and the like can be limited. All operation processes within an access period are evaluated in real time; specifically, the dynamic evaluation can cover identity credibility, environment credibility, behaviour credibility, software credibility, hardware credibility and the like, so that the corresponding multi-factor trust evaluation coefficients are obtained. The obtained multi-factor trust evaluation coefficients are then weighted and fused: according to their degree of influence on the Internet of Things equipment, the weight ratio of the identity factor, environment factor, behaviour factor, software factor and hardware factor trust evaluation coefficients can be set as first influence coefficient : second influence coefficient : third influence coefficient : fourth influence coefficient : fifth influence coefficient = 4:2:2:3:1, and the influence parameters after weighted fusion are 0.4 for the first influence parameter, 0.2 for the second influence parameter, 0.3 for the fourth influence parameter and 0.1 for the fifth influence parameter. The identity access credibility is obtained accordingly, and the technical effect of obtaining the secure access authority resource is finally achieved.
Further, as shown in fig. 4, step S600 of the present application further includes:
step S610: acquiring a function data set of each trusted person through the digital identity management platform;
step S620: performing authority allocation based on the equipment interaction level information and the job data set to obtain equipment hierarchical access resource information;
step S630: obtaining a resource request authority of the resource access main body;
step S640: and constructing the fine-granularity access authorization policy based on the intersection of the equipment hierarchical access resource information and the resource request authority.
Specifically, the accessible device resource rights are allocated according to the roles of the trusted personnel; for example, security management personnel are allocated correspondingly higher access rights. The roles of the trusted personnel are therefore summarized and integrated through the digital identity management platform to obtain the role data set of the trusted personnel. Rights allocation is then performed on the basis of the obtained equipment interaction level information and the role data set, that is, on the basis of the device level resources that can be accessed and controlled; for example, if the current Internet of Things device is accessible to a second-level device, the second-level device and the device resources below the second level can be accessed, and the equipment hierarchical access resource information is obtained in this way. At the same time, the resource request rights of the resource access subject are set. The equipment hierarchical access resource information and the resource request rights are set side by side, and in this process their intersection is screened out, that is, the minimum rights are mapped, so that the construction of the fine-grained access authorization policy is completed and the technical effect of obtaining the secure access authority resource is achieved.
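An added example, not the patent's own code, that carries the weighted fusion of step S540 through to the policy intersection of step S640 described just above: the resource hierarchy, the 0.7 credibility reference value and the per-factor coefficients are constructed assumptions, and the 4:2:2:3:1 ratio is normalised here so that the weights sum to 1.

```python
# Influence ratio identity : environment : behaviour : software : hardware
# given in the description as 4:2:2:3:1. This example normalises the ratio so
# the fusion weights sum to 1 (an assumption of the example).
INFLUENCE_RATIO = {
    "identity": 4, "environment": 2, "behaviour": 2, "software": 3, "hardware": 1,
}

# Constructed device resource hierarchy: level -> resources exposed at that level.
RESOURCE_LEVELS = {
    1: {"telemetry.read"},
    2: {"config.read", "log.read"},
    3: {"config.write", "firmware.update"},
}


def fusion_weights(ratio=INFLUENCE_RATIO):
    """Turn the integer ratio into weights that sum to 1."""
    total = sum(ratio.values())
    return {factor: share / total for factor, share in ratio.items()}


def identity_access_credibility(coefficients, ratio=INFLUENCE_RATIO):
    """Weighted fusion of the per-factor trust evaluation coefficients.
    Every factor must be present and lie in [0, 1]; a missing factor is an
    error rather than being silently treated as fully trusted."""
    weights = fusion_weights(ratio)
    missing = sorted(set(weights) - set(coefficients))
    if missing:
        raise ValueError(f"missing trust factors: {missing}")
    for factor in weights:
        value = coefficients[factor]
        if not 0.0 <= value <= 1.0:
            raise ValueError(f"coefficient for {factor} out of range: {value}")
    return round(sum(weights[f] * coefficients[f] for f in weights), 4)


def hierarchical_access_resources(accessible_level):
    """Equipment hierarchical access resource information: a subject cleared
    for level N reaches the resources at level N and at every level below."""
    allowed = set()
    for level, resources in RESOURCE_LEVELS.items():
        if level <= accessible_level:
            allowed |= resources
    return allowed


def fine_grained_policy(accessible_level, requested):
    """Intersection of the hierarchical resource information and the resource
    request authority: only rights present in both sets survive (minimum rights)."""
    return hierarchical_access_resources(accessible_level) & set(requested)


def authorize(coefficients, accessible_level, requested, reference_value=0.7):
    """Trust evaluation layer (credibility gate) followed by resource access layer."""
    credibility = identity_access_credibility(coefficients)
    if credibility < reference_value:
        return {"credibility": credibility, "granted": set(),
                "denied": set(requested), "reason": "credibility below reference value"}
    granted = fine_grained_policy(accessible_level, requested)
    return {"credibility": credibility, "granted": granted,
            "denied": set(requested) - granted, "reason": "policy intersection"}


if __name__ == "__main__":
    # Constructed per-factor coefficients for one access by a level-2 subject.
    factors = {"identity": 0.9, "environment": 0.8, "behaviour": 0.6,
               "software": 0.7, "hardware": 1.0}
    print(authorize(factors, 2, ["config.read", "firmware.update", "telemetry.read"]))
```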
Further, as shown in fig. 5, step S700 of the present application further includes:
step S710: obtaining access function grade information according to the digital signature of the trusted personnel;
step S720: inputting the access function level information and the equipment hierarchical access resource information into a permission distribution model to obtain a function permission distribution result;
step S730: obtaining access request information of the resource access main body;
step S740: and carrying out authorization calculation on the job authority allocation result and the access request information based on the fine-granularity access authorization policy to obtain the secure access authority resource.
Specifically, based on a trusted personnel digital signature generated by encrypting trusted personnel identity information by adopting a ZTRUST zero trust session key negotiation cryptosystem, access function grade corresponding to the current trusted personnel is obtained, the obtained access function grade information and equipment grading access resource information are further input into a permission distribution model, the permission distribution model is a neural network model which can be subjected to self iterative optimization continuously in machine learning, the permission distribution model is obtained through training of a training data set and a supervision data set, and each group of training data in the training data set comprises the access function grade information and the equipment grading access resource information; the supervision data sets are supervision data corresponding to the training data sets one by one.
Further, the authority allocation model construction process comprises the following steps: and inputting each group of training data in the training data set into the authority distribution model, outputting and supervising the adjustment of the authority distribution model through the supervising data corresponding to the group of training data, finishing the training of the current group when the output result of the authority distribution model is consistent with the supervising data, finishing the training of all the training data in the training data set, and finishing the training of the authority distribution model.
In order to ensure the accuracy of the rights assignment model, the test processing of the rights assignment model may be performed by the test data set, for example, the test accuracy may be set to 80%, and when the test accuracy of the test data set satisfies 80%, the rights assignment model construction is completed.
The access function grade information and the equipment hierarchical access resource information are input into the permission distribution model, which outputs the function authority allocation result. The access request information of the resource access subject is extracted, and authorization calculation is carried out on the obtained function authority allocation result and the access request information using the obtained fine-grained access authorization policy, that is, the response to the access request information is completed according to the fine-grained access authorization policy and the function authority allocation result of the current accessing person. The zero-trust security processing mode for the authentication encryption of the Internet of Things is thereby obtained and finally recorded as the secure access authority resource for output.
Example two
Based on the same inventive concept as the zero-trust security processing method for the authentication encryption of the internet of things device in the foregoing embodiment, as shown in fig. 6, the present application provides a zero-trust security processing system for the authentication encryption of the internet of things device, the system comprising:
the platform building module 1 is used for building a zero-trust security management platform, wherein the zero-trust security management platform comprises an equipment access layer, a trust evaluation layer and a resource access layer;
the access module 2 is used for acquiring the information of the access equipment of the Internet of things through the equipment access layer;
the access subject module 3 is used for obtaining access user information, and generating a resource access main body according to the access user information and the Internet of things access equipment information;
the authentication result obtaining module 4 is used for carrying out data signature encryption and identity authentication on the resource access main body by adopting a ZTRUST zero trust session key negotiation cryptosystem to obtain an authentication result;
the evaluation module 5 is used for carrying out multi-factor dynamic evaluation on the resource access subject based on the trust evaluation layer when the authentication result is passed, so as to obtain the identity access credibility;
the authorization policy module 6 is used for obtaining a fine-grained access authorization policy when the identity access credibility reaches a credibility reference value;
the calculation distribution module 7 is used for the resource access layer to calculate and distribute the resource access subject based on the fine granularity access authorization policy, so as to obtain the security access authority resource.
Further, the system further comprises:
the information acquisition module is used for acquiring the equipment information of the trusted Internet of things and the identity information of the trusted personnel through the digital identity management platform;
the factor generation module is used for generating internet of things equipment characteristic factors according to the trusted internet of things equipment information;
the encryption module is used for encrypting the internet of things equipment characteristic factors and the trusted personnel identity information by adopting a ZTRUST zero trust session key negotiation cryptosystem to generate equipment identification authentication identity information and a trusted personnel digital signature;
and the identity authentication module is used for carrying out identity authentication on the resource access main body based on the equipment identification authentication identity information and the trusted personnel digital signature to obtain the identity authentication result.
Further, the system further comprises:
the equipment endpoint deployment information acquisition module is used for acquiring equipment endpoint deployment information according to the trusted internet of things equipment information;
the interaction level analysis module is used for carrying out interaction level analysis based on the equipment endpoint deployment information to obtain equipment interaction level information;
the feature coding module is used for carrying out feature coding on the trusted internet of things equipment information according to the equipment interaction level information to obtain internet of things equipment feature factors;
and the dynamic password identification module is used for carrying out dynamic password identification based on the equipment characteristic factors of the Internet of things to obtain the equipment identification authentication identity information.
Further, the system further comprises:
the activation module is used for embedding a Z password module into each device in the trusted Internet of things device information and activating the Z password module;
the persistence monitoring module is used for carrying out persistence monitoring on the trusted Internet of things equipment information based on the activated Z password module to obtain equipment operation data information;
the abnormal characteristic analysis module is used for carrying out abnormal characteristic analysis on the equipment operation data information to obtain equipment operation abnormal coefficients;
the marking module is used for marking the abnormal equipment when the equipment operation abnormal coefficient reaches an abnormal reference line, and blocking and removing the marked abnormal equipment from the trusted internet of things equipment information.
Further, the system further comprises:
the mechanism construction module is used for constructing a multi-factor joint decision access mechanism;
the evaluation dimension obtaining module is used for obtaining an access trust degree evaluation dimension based on the multi-factor joint decision access mechanism, wherein the access trust degree evaluation dimension comprises a network environment, access behaviors, operation software and terminal hardware;
the dynamic evaluation module is used for dynamically evaluating the resource access subject based on the access trust evaluation dimension to obtain a multi-factor trust evaluation coefficient;
and the weighted fusion module is used for carrying out weighted fusion on the multi-factor trust evaluation coefficients to obtain the identity access credibility.
Further, the system further comprises:
the function data set obtaining module is used for obtaining the function data set of each trusted person through the digital identity management platform;
the permission distribution module is used for performing permission distribution based on the equipment interaction level information and the job data set to obtain equipment hierarchical access resource information;
the resource request authority acquisition module is used for acquiring the resource request authority of the resource access main body;
and the policy construction module is used for constructing the fine-granularity access authorization policy based on the intersection of the equipment hierarchical access resource information and the resource request authority.
Further, the system further comprises:
the digital signature module is used for obtaining access function level information according to the digital signature of the trusted personnel;
the input module is used for inputting the access function grade information and the equipment hierarchical access resource information into the authority allocation model to obtain a function authority allocation result;
the access request information acquisition module is used for acquiring access request information of the resource access main body;
and the authorization calculation module is used for carrying out authorization calculation on the job authority allocation result and the access request information based on the fine-granularity access authorization policy to obtain the secure access authority resource.
Through the foregoing detailed description of the zero-trust security processing method for the authentication encryption of the internet of things equipment, those skilled in the art can clearly know the zero-trust security processing method and the system for the authentication encryption of the internet of things equipment in the embodiment, and for the device disclosed in the embodiment, the description is relatively simple because the device corresponds to the method disclosed in the embodiment, and relevant places refer to the description of the method section.
The previous description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the present application. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the application. Thus, the present application is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (8)

1. The zero-trust security processing method for the authentication encryption of the Internet of things equipment is characterized by comprising the following steps of:
setting up a zero-trust security management platform, wherein the zero-trust security management platform comprises a device access layer, a trust evaluation layer and a resource access layer;
acquiring information of access equipment of the Internet of things through the equipment access layer;
acquiring access user information, and generating a resource access subject according to the access user information and the access equipment information of the Internet of things;
performing data signature encryption and identity authentication on the resource access main body by adopting a ZTRUST zero trust session key negotiation cryptosystem to obtain an identity authentication result;
when the identity verification result is passing, carrying out multi-factor dynamic evaluation on the resource access subject based on the trust evaluation layer to obtain identity access credibility;
when the identity access credibility reaches a credibility reference value, acquiring a fine-grained access authorization strategy;
and the resource access layer performs calculation and distribution on the resource access main body based on the fine-granularity access authorization policy to obtain the security access authority resource.
2. The method of claim 1, wherein the obtaining the authentication result comprises:
acquiring trusted Internet of things equipment information and trusted personnel identity information through a digital identity management platform;
generating internet of things equipment characteristic factors according to the trusted internet of things equipment information;
encrypting the internet of things equipment characteristic factors and the trusted personnel identity information by adopting a ZTRUST zero trust session key negotiation cryptosystem to generate equipment identification authentication identity information and a trusted personnel digital signature;
and carrying out identity authentication on the resource access subject based on the equipment identification authentication identity information and the trusted personnel digital signature to obtain the identity authentication result.
3. The method of claim 2, wherein generating the device identification authentication identity information comprises:
obtaining equipment endpoint deployment information according to the trusted Internet of things equipment information;
performing interaction level analysis based on the equipment endpoint deployment information to obtain equipment interaction level information;
performing feature coding on the trusted internet of things equipment information according to the equipment interaction level information to obtain internet of things equipment feature factors;
and carrying out dynamic password identification based on the equipment characteristic factors of the Internet of things to obtain the equipment identification authentication identity information.
4. The method according to claim 2, wherein the method comprises:
embedding a Z password module into each device in the trusted Internet of things device information, and activating the Z password module;
continuously monitoring the trusted Internet of things equipment information based on the activated Z password module to obtain equipment operation data information;
performing abnormal characteristic analysis on the equipment operation data information to obtain equipment operation abnormal coefficients;
when the equipment operation abnormal coefficient reaches an abnormal reference line, marking the abnormal equipment, and blocking and removing the marked abnormal equipment from the trusted internet of things equipment information.
5. The method of claim 1, wherein the obtaining identity access trustworthiness comprises:
constructing a multi-factor joint decision access mechanism;
based on the multi-factor joint decision access mechanism, an access trust evaluation dimension is obtained, wherein the access trust evaluation dimension comprises a network environment, access behaviors, operation software and terminal hardware;
dynamically evaluating the resource access subject based on the access trust evaluation dimension to obtain a multi-factor trust evaluation coefficient;
and carrying out weighted fusion on the multi-factor trust evaluation coefficients to obtain the identity access credibility.
6. The method of claim 3, wherein the obtaining a fine-grained access authorization policy comprises:
acquiring a function data set of each trusted person through the digital identity management platform;
performing authority allocation based on the equipment interaction level information and the job data set to obtain equipment hierarchical access resource information;
obtaining a resource request authority of the resource access main body;
and constructing the fine-granularity access authorization policy based on the intersection of the equipment hierarchical access resource information and the resource request authority.
7. The method of claim 6, wherein the obtaining the secure access rights resource comprises:
obtaining access function grade information according to the digital signature of the trusted personnel;
inputting the access function level information and the equipment hierarchical access resource information into a permission distribution model to obtain a function permission distribution result;
obtaining access request information of the resource access main body;
and carrying out authorization calculation on the job authority allocation result and the access request information based on the fine-granularity access authorization policy to obtain the secure access authority resource.
8. A zero trust security processing system for internet of things equipment authentication encryption, which is characterized in that the system comprises:
the platform building module is used for building a zero-trust security management platform, wherein the zero-trust security management platform comprises an equipment access layer, a trust evaluation layer and a resource access layer;
the access module is used for acquiring the information of the access equipment of the Internet of things through the equipment access layer;
the access subject module is used for obtaining access user information and generating a resource access main body according to the access user information and the access equipment information of the Internet of things;
the authentication result obtaining module is used for carrying out data signature encryption and identity authentication on the resource access main body by adopting a ZTRUST zero trust session key negotiation cryptosystem to obtain an authentication result;
the evaluation module is used for carrying out multi-factor dynamic evaluation on the resource access subject based on the trust evaluation layer when the identity verification result is passed, so as to obtain identity access credibility;
the authorization policy module is used for obtaining fine-grained access authorization policies when the identity access credibility reaches a credibility reference value;
and the calculation distribution module is used for the resource access layer to calculate and distribute the resource access main body based on the fine-granularity access authorization policy so as to obtain the security access authority resource.
CN202310226783.4A 2023-03-10 2023-03-10 Zero-trust security processing method and system for authentication encryption of Internet of things equipment Pending CN116248277A (en)

Publications (1)

Publication Number Publication Date
CN116248277A true CN116248277A (en) 2023-06-09

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116633696A (en) * 2023-07-25 2023-08-22 深圳市永达电子信息股份有限公司 Network computing node access controller architecture, management and control method and electronic equipment
CN116633696B (en) * 2023-07-25 2024-01-02 深圳市永达电子信息股份有限公司 Network computing node access controller system, management and control method and electronic equipment
CN117407843A (en) * 2023-10-13 2024-01-16 成都安美勤信息技术股份有限公司 Privacy information access detection management method
CN117407843B (en) * 2023-10-13 2024-04-19 成都安美勤信息技术股份有限公司 Privacy information access detection management method
CN117354062A (en) * 2023-12-04 2024-01-05 天津市品茗科技有限公司 Management system of application platform of Internet of things
CN117354062B (en) * 2023-12-04 2024-02-09 天津市品茗科技有限公司 Management system of application platform of Internet of things
CN117857221A (en) * 2024-03-07 2024-04-09 北京谷器数据科技有限公司 Authority management method and system for remote service platform

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination