CN117997540A - Zero trust authentication method, device and system suitable for power operation and maintenance - Google Patents


Info

Publication number: CN117997540A
Authority: CN (China)
Prior art keywords: maintenance, authentication, digital identity, party, power operation
Legal status: Pending
Application number: CN202211371169.9A
Other languages: Chinese (zh)
Inventors: 党倩, 赵博, 孙碧颖, 尚闻博, 金鑫, 杜春慧, 刘欣蕊, 邱昱, 录鹏东, 裴俊捷
Current assignee: State Grid Smart Grid Research Institute Co ltd; State Grid Gansu Electric Power Co Ltd; Information and Telecommunication Branch of State Grid Gansu Electric Power Co Ltd
Original assignee: State Grid Smart Grid Research Institute Co ltd; State Grid Gansu Electric Power Co Ltd; Information and Telecommunication Branch of State Grid Gansu Electric Power Co Ltd
Application filed by State Grid Smart Grid Research Institute Co ltd, State Grid Gansu Electric Power Co Ltd and Information and Telecommunication Branch of State Grid Gansu Electric Power Co Ltd
Priority to CN202211371169.9A
Publication of CN117997540A


Classifications

    • Y: GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y04: INFORMATION OR COMMUNICATION TECHNOLOGIES HAVING AN IMPACT ON OTHER TECHNOLOGY AREAS
    • Y04S: SYSTEMS INTEGRATING TECHNOLOGIES RELATED TO POWER NETWORK OPERATION, COMMUNICATION OR INFORMATION TECHNOLOGIES FOR IMPROVING THE ELECTRICAL POWER GENERATION, TRANSMISSION, DISTRIBUTION, MANAGEMENT OR USAGE, i.e. SMART GRIDS
    • Y04S40/00: Systems for electrical power generation, transmission, distribution or end-user application management characterised by the use of communication or information technologies, or communication or information technology specific aspects supporting them
    • Y04S40/20: Information technology specific aspects, e.g. CAD, simulation, modelling, system security

Landscapes

  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The invention provides a zero trust authentication method, device and system suitable for power operation and maintenance, wherein the method comprises the following steps: receiving an electric power operation and maintenance access request of a third-party operation and maintenance person, wherein the electric power operation and maintenance access request comprises an operation and maintenance request number, digital identity information and digital identity credentials of the third-party operation and maintenance person, the digital identity information is generated according to registration information of the third-party operation and maintenance person, and the digital identity credentials are obtained according to registration results of the third-party operation and maintenance person by means of asymmetric encryption; authenticating the power operation and maintenance access request according to the operation and maintenance request number and the authentication credentials determined by the digital identity information; if the authentication is passed, generating a power operation and maintenance certificate, wherein the power operation and maintenance certificate comprises a session certificate and a work certificate. The invention solves the problems of low real-time performance and safety of the identity verification system suitable for power operation and maintenance in the related technology.

Description

Zero trust authentication method, device and system suitable for power operation and maintenance
Technical Field
The present invention relates to the field of communications technologies, and in particular, to a zero trust authentication method, device, and system suitable for power operation and maintenance.
Background
In actual power production, the secondary equipment of the power grid needs dedicated maintenance to keep it running safely, and most of the operation and maintenance personnel are third-party technicians. During maintenance the number of operation and maintenance personnel, the variety of systems and the number of devices are all large, so dynamic authentication management of the operation and maintenance personnel is difficult to achieve; operation and maintenance access may therefore be non-compliant, which puts safe power production at risk.
The traditional identity verification system for power operation and maintenance is prone to single points of failure, user information leakage and similar problems, and it is difficult for it to provide authentication services to a third-party system while guaranteeing security; an authentication system based on work tickets is inefficient, and its real-time performance, authenticity and security cannot be guaranteed. Therefore, in the prior art the authentication system for power operation and maintenance suffers from low real-time performance and low security.
Disclosure of Invention
The invention provides a zero trust authentication method, device and system suitable for power operation and maintenance, which at least solve the problems of low real-time performance and low security of an identity verification system suitable for power operation and maintenance in the related technology.
According to a first aspect of an embodiment of the present invention, there is provided a zero trust authentication method suitable for power operation and maintenance, the method comprising: receiving an electric power operation and maintenance access request of a third-party operation and maintenance person, wherein the electric power operation and maintenance access request comprises an operation and maintenance request number, digital identity information of the third-party operation and maintenance person and digital identity credentials, the digital identity information is generated according to registration information of the third-party operation and maintenance person, and the digital identity credentials are obtained according to registration results of the third-party operation and maintenance person by means of asymmetric encryption; authenticating the power operation and maintenance access request according to the operation and maintenance request number and the authentication credentials determined by the digital identity information; if the authentication is passed, generating a power operation and maintenance certificate, wherein the power operation and maintenance certificate comprises a session certificate and a work certificate.
Optionally, authenticating the power operation and maintenance access request according to the operation and maintenance request number and the authentication credential determined by the digital identity information includes: acquiring the corresponding digital identity credential according to the digital identity information; performing an exclusive OR operation on the hash value of the acquired digital identity credential and the operation and maintenance request number to obtain the authentication credential; comparing this exclusive OR result in the authentication credential with the corresponding exclusive OR value of the digital identity credential hash and the operation and maintenance request number carried in the power operation and maintenance access request; and if the comparison results are consistent, judging that the authentication is passed, otherwise judging that the authentication is not passed.
Optionally, generating the power operation and maintenance credential if the authentication is passed, where the credential includes a session credential and a work credential, includes: if the authentication is passed, generating an authentication passing identifier and a session random number; generating the session credential, by asymmetric encryption, from the authentication passing identifier, the session random number, the private key for security management authentication, the operation and maintenance request number and the digital identity credential of the third-party operation and maintenance personnel; generating a work ticket according to the operation and maintenance area and the authority information; encoding the work ticket; and generating the work credential, by asymmetric encryption, from the encoded work ticket, a third timestamp and the private key for security management authentication.
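An added Go example, not the patent's own code, of the credential issuance described in the preceding paragraph. It assumes Ed25519 as the concrete instance of the private key for security management authentication, JSON as the encoding of the work ticket, and that the session credential carries the technician's digital identity credential as its SHA-256 hash rather than in the clear; the verification side shows what the operation and maintenance operating system checks before honouring the work ticket. The names Signed, SessionPayload, WorkPayload, Center and VerifyCredentials are this example's own.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
)

// Signed is a JSON payload plus an Ed25519 signature made with the management center's private key
// for security management authentication; both the session and the work credential take this form.
type Signed struct {
	Payload   []byte
	Signature []byte
}

// SessionPayload holds the authentication-passing identifier, the session random number, the O&M
// request number and the technician's digital identity credential (as its SHA-256 hash, an assumption).
type SessionPayload struct {
	Passed         bool   `json:"passed"`
	SessionNonce   []byte `json:"session_nonce"`
	RequestNumber  uint64 `json:"request_number"`
	CredentialHash []byte `json:"credential_hash"`
}

// WorkTicket carries the O&M area and permission information; WorkPayload is the encoded ticket
// together with the third timestamp.
type WorkTicket struct {
	Area        string   `json:"area"`
	Permissions []string `json:"permissions"`
}

type WorkPayload struct {
	Ticket   WorkTicket `json:"ticket"`
	IssuedAt int64      `json:"issued_at"`
}

// Center is the zero trust security management center.
type Center struct{ signKey ed25519.PrivateKey }

func NewCenter() (*Center, ed25519.PublicKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Center{signKey: priv}, pub
}

func (c *Center) sign(v any) (Signed, error) {
	p, err := json.Marshal(v)
	if err != nil {
		return Signed{}, err
	}
	return Signed{Payload: p, Signature: ed25519.Sign(c.signKey, p)}, nil
}

// IssueCredentials runs once the access request has authenticated and returns the session credential
// and the work credential that together form the power O&M credential.
func (c *Center) IssueCredentials(reqNum uint64, credential []byte, ticket WorkTicket, ts3 int64) (Signed, Signed, error) {
	nonce := make([]byte, 16) // session random number
	if _, err := rand.Read(nonce); err != nil {
		return Signed{}, Signed{}, err
	}
	ch := sha256.Sum256(credential)
	session, err := c.sign(SessionPayload{Passed: true, SessionNonce: nonce, RequestNumber: reqNum, CredentialHash: ch[:]})
	if err != nil {
		return Signed{}, Signed{}, err
	}
	work, err := c.sign(WorkPayload{Ticket: ticket, IssuedAt: ts3})
	return session, work, err
}

// open checks the signature against the management public key and only then decodes the payload.
func open(pub ed25519.PublicKey, s Signed, v any) error {
	if !ed25519.Verify(pub, s.Payload, s.Signature) {
		return errors.New("credential signature invalid")
	}
	return json.Unmarshal(s.Payload, v)
}

// VerifyCredentials is what the O&M operating system behind the authentication proxy gateway does
// before granting access: both signatures must verify and the session must carry the passing
// identifier; the returned ticket's area and permissions then bound what the technician may do.
func VerifyCredentials(pub ed25519.PublicKey, session, work Signed) (SessionPayload, WorkTicket, error) {
	var sp SessionPayload
	var wp WorkPayload
	if err := open(pub, session, &sp); err != nil {
		return sp, wp.Ticket, err
	}
	if !sp.Passed {
		return sp, wp.Ticket, errors.New("session credential lacks the authentication-passing identifier")
	}
	err := open(pub, work, &wp)
	return sp, wp.Ticket, err
}
```

Signing the whole encoded ticket rather than its fields means the operating system never acts on area or permission values that were not covered by the signature, and keeping the session credential and work credential as two separately signed objects lets the session be renewed without re-issuing the ticket.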
Optionally, before the receiving the power operation and maintenance access request of the third party operation and maintenance personnel, the method further includes: generating digital identity information of the third party operation and maintenance personnel according to registration information of the third party operation and maintenance personnel by utilizing a hash algorithm, wherein the registration information comprises the identity information of the third party operation and maintenance personnel and a first timestamp; generating a public key and a private key of the third party operation and maintenance personnel according to the digital identity information of the third party operation and maintenance personnel; generating a registration result based on the public key of the third party operation and maintenance personnel, the digital identity information and the digital identity certificate of the third party operation and maintenance personnel, the second timestamp and the private key for digital identity information registration, wherein the registration result is decrypted by the third party operation and maintenance personnel by adopting the private key of the third party operation and maintenance personnel to obtain the digital identity certificate of the third party operation and maintenance personnel.
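The registration step described in the preceding paragraph together with the authentication step of the earlier claims, as an added Go example that is not part of the patent. It assumes SHA-256 as the hash algorithm, Ed25519 as the private key for digital identity information registration, RSA-OAEP as the asymmetric encryption of the registration result, that the technician's key pair is generated at registration time (the page says the keys are generated according to the digital identity information but not how), and that the credential travels in the access request as SHA-256(credential) XOR request number. The names Registry, Register, OpenRegistration, BuildAccessRequest and Authenticate are this example's own, and the registration values used in the test are constructed.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"crypto/x509"
	"encoding/binary"
	"fmt"
)

func concat(parts ...[]byte) []byte { return bytes.Join(parts, nil) }

// DigitalIdentity hashes the registration information (the listed attributes plus the first timestamp).
func DigitalIdentity(name, jobNumber, unit, level string, ts1 int64) []byte {
	h := sha256.Sum256([]byte(fmt.Sprintf("%s|%s|%s|%s|%d", name, jobNumber, unit, level, ts1)))
	return h[:]
}

// Registry models the digital identity registration module; the management center reads the same store (assumption).
type Registry struct {
	signKey     ed25519.PrivateKey // private key for digital identity information registration
	credentials map[string][]byte  // digital identity information -> digital identity credential
	usedReqNums map[uint64]bool    // single-use O&M request numbers already consumed
}

func NewRegistry() (*Registry, ed25519.PublicKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Registry{signKey: priv, credentials: map[string][]byte{}, usedReqNums: map[uint64]bool{}}, pub
}

// Register stores a fresh credential, signs (technician public key, identity, credential, second timestamp)
// with the registration key, and RSA-OAEP-encrypts the package so only the technician's private key recovers it.
func (r *Registry) Register(identity []byte, techPub *rsa.PublicKey, ts2 int64) ([]byte, error) {
	credential := make([]byte, 32)
	if _, err := rand.Read(credential); err != nil {
		return nil, err
	}
	r.credentials[string(identity)] = credential
	ts := binary.BigEndian.AppendUint64(nil, uint64(ts2))
	sig := ed25519.Sign(r.signKey, concat(x509.MarshalPKCS1PublicKey(techPub), identity, credential, ts))
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, techPub, concat(credential, ts, sig), identity)
}

// OpenRegistration is the technician's side: decrypt with the private key, then verify the registry's signature.
func OpenRegistration(result []byte, techPriv *rsa.PrivateKey, identity []byte, regPub ed25519.PublicKey) ([]byte, error) {
	pt, err := rsa.DecryptOAEP(sha256.New(), nil, techPriv, result, identity)
	if err != nil || len(pt) != 32+8+ed25519.SignatureSize {
		return nil, fmt.Errorf("registration result cannot be decrypted")
	}
	credential, ts, sig := pt[:32], pt[32:40], pt[40:]
	if !ed25519.Verify(regPub, concat(x509.MarshalPKCS1PublicKey(&techPriv.PublicKey), identity, credential, ts), sig) {
		return nil, fmt.Errorf("registration result signature invalid")
	}
	return credential, nil
}

// AccessRequest carries the request number, the digital identity information and the credential as
// SHA-256(credential) XOR request number (an assumption about how the credential field is encoded).
type AccessRequest struct {
	RequestNumber uint64
	Identity      []byte
	Proof         []byte
}

// proof is the authentication credential: SHA-256(credential) XOR request number, the 64-bit number
// repeated across each 8-byte word of the hash.
func proof(credential []byte, n uint64) []byte {
	h := sha256.Sum256(credential)
	nb := binary.BigEndian.AppendUint64(nil, n)
	out := make([]byte, len(h))
	for i := range h {
		out[i] = h[i] ^ nb[i%8]
	}
	return out
}

func BuildAccessRequest(identity, credential []byte, reqNum uint64) AccessRequest {
	return AccessRequest{RequestNumber: reqNum, Identity: identity, Proof: proof(credential, reqNum)}
}

// Authenticate is the management center's check: look up the credential, recompute the proof, compare
// in constant time, and burn the request number so the same request cannot be replayed.
func (r *Registry) Authenticate(req AccessRequest) bool {
	credential, ok := r.credentials[string(req.Identity)]
	if !ok || r.usedReqNums[req.RequestNumber] {
		return false
	}
	if subtle.ConstantTimeCompare(proof(credential, req.RequestNumber), req.Proof) != 1 {
		return false
	}
	r.usedReqNums[req.RequestNumber] = true
	return true
}
```

The flow is DigitalIdentity, an rsa.GenerateKey for the technician, Register, OpenRegistration, BuildAccessRequest and Authenticate. Two points for a deployment: the exclusive OR with a request number that is itself sent in the request does not hide SHA-256(credential) from whoever can read the request, so the request has to travel over a channel that already protects it (for instance TLS to the authentication proxy gateway), and the request number's job is freshness, which is why Authenticate refuses a number it has already accepted; and the comparison is constant-time so response timing does not reveal how many bytes of the proof were right.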
Optionally, the method further comprises: and carrying out identity verification on the third party operation and maintenance personnel according to the preset period and the random number in the preset period.
Optionally, the method further comprises: determining the access right of the third-party operation and maintenance personnel to the operation and maintenance operating system based on the power operation and maintenance credentials; scoring the operation and maintenance authentication behaviors of the third-party operation and maintenance personnel according to preset operation and maintenance authentication matters and the scores corresponding to those matters, and generating a zero trust score set, wherein the zero trust score set comprises the related operation and maintenance authentication matters and the total score; and if the total score is smaller than or equal to a preset threshold value, canceling the access right of the third-party operation and maintenance personnel to the operation and maintenance operating system.
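An added Go example, not from the patent, of the two preceding paragraphs: the periodic identity verification with a random number per preset period, and the zero trust score set that cancels access once the total falls to the preset threshold. The matters, scores and threshold in ScoreTable and RevokeThreshold are constructed values, and the technician's response is SHA-256 over the credential, the session random number and the challenge, an assumption since the page does not specify the computation; Session, Challenge, Respond, Verify and Observe are this example's own names.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
)

// ScoreTable gives each preset O&M authentication matter its score and RevokeThreshold is the preset
// threshold. Both are constructed values, not taken from the patent; a total at or below the
// threshold cancels the technician's access to the O&M operating system.
var ScoreTable = map[string]int{
	"periodic_verification_ok":     0,
	"periodic_verification_failed": -20,
	"outside_work_area":            -30,
	"outside_permission":           -30,
}

const RevokeThreshold = -40

// ScoreSet is the zero trust score set: the matters recorded for one session and their total score.
type ScoreSet struct {
	Matters []string
	Total   int
}

// Record adds a preset matter and its score to the set.
func (s *ScoreSet) Record(matter string) error {
	score, ok := ScoreTable[matter]
	if !ok {
		return errors.New("unknown O&M authentication matter: " + matter)
	}
	s.Matters = append(s.Matters, matter)
	s.Total += score
	return nil
}

func (s ScoreSet) Revoked() bool { return s.Total <= RevokeThreshold }

// Session is what the management center keeps per authenticated technician: the credential checked
// at login, the session random number from the session credential, the outstanding challenge, the
// score set and whether access has been cancelled.
type Session struct {
	credential, sessionNonce, lastChallenge []byte
	Scores                                  ScoreSet
	Revoked                                 bool
}

func NewSession(credential, sessionNonce []byte) *Session {
	return &Session{credential: credential, sessionNonce: sessionNonce}
}

// Challenge is the random number the center sends at the start of each preset period.
func (s *Session) Challenge() ([]byte, error) {
	c := make([]byte, 16)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	s.lastChallenge = c
	return c, nil
}

// Respond is the technician's side: SHA-256 over the credential, the session random number and the
// challenge. Binding the session nonce means an answer captured from another session is useless here.
func Respond(credential, sessionNonce, challenge []byte) []byte {
	h := sha256.New()
	h.Write(credential)
	h.Write(sessionNonce)
	h.Write(challenge)
	return h.Sum(nil)
}

// Verify is the center's periodic identity verification. Each challenge is answered at most once,
// the outcome is scored, and the result is false as soon as the session has been revoked.
func (s *Session) Verify(response []byte) bool {
	ok := s.lastChallenge != nil &&
		subtle.ConstantTimeCompare(Respond(s.credential, s.sessionNonce, s.lastChallenge), response) == 1
	s.lastChallenge = nil
	matter := "periodic_verification_failed"
	if ok {
		matter = "periodic_verification_ok"
	}
	_ = s.Observe(matter) // both matters are in ScoreTable
	return ok && !s.Revoked
}

// Observe records any preset matter (for example an action outside the work ticket's area) and
// applies the revocation rule.
func (s *Session) Observe(matter string) error {
	if err := s.Scores.Record(matter); err != nil {
		return err
	}
	if s.Scores.Revoked() {
		s.Revoked = true
	}
	return nil
}
```

Revocation is sticky: once the total reaches the threshold, a later correct response still returns false, so the technician has to go through the access request again rather than talk the score back up inside the same session.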
According to a second aspect of the embodiment of the present invention, there is also provided a zero-trust authentication apparatus suitable for power operation and maintenance, the apparatus comprising: a receiving module, configured to receive an electric power operation and maintenance access request of a third-party operation and maintenance person, wherein the electric power operation and maintenance access request comprises an operation and maintenance request number, digital identity information of the third-party operation and maintenance person and a digital identity credential, the digital identity information is generated according to registration information of the third-party operation and maintenance person, and the digital identity credential is obtained according to the registration result of the third-party operation and maintenance person by utilizing asymmetric encryption; an authentication module, configured to authenticate the power operation and maintenance access request according to the operation and maintenance request number and the authentication credential determined by the digital identity information; and a first generation module, configured to generate an electric operation and maintenance credential if the authentication is passed, wherein the electric operation and maintenance credential comprises a session credential and a work credential.
Optionally, the authentication module includes: an acquisition unit, configured to acquire the corresponding digital identity credential according to the digital identity information; an obtaining unit, configured to perform an exclusive OR operation on the hash value of the acquired digital identity credential and the operation and maintenance request number to obtain an authentication credential; a comparison unit, configured to compare the exclusive OR result of the digital identity credential hash and the operation and maintenance request number in the authentication credential with the corresponding value in the power operation and maintenance access request; and a judging unit, configured to judge that the authentication passes if the comparison results are consistent, and otherwise that it does not pass.
Optionally, the first generating module includes: the first generation unit is used for generating an authentication passing identifier and a session random number if the authentication passes; the second generation unit is used for generating a session credential according to the authentication passing identifier, the session random number, the private key for security management authentication, the operation and maintenance request number and the digital identity credential of the third party operation and maintenance personnel by utilizing asymmetric encryption; the third generation unit is used for generating a work ticket according to the operation and maintenance area and the authority information; the encoding unit is used for encoding the work ticket; and a fourth generation unit for generating a work certificate according to the encoded work ticket, the third timestamp and the private key for security management authentication by using asymmetric encryption.
Optionally, the apparatus further comprises: the second generation module is used for generating digital identity information of the third-party operation and maintenance personnel according to registration information of the third-party operation and maintenance personnel by utilizing a hash algorithm, wherein the registration information comprises the identity information of the third-party operation and maintenance personnel and a first timestamp; the third generation module is used for generating a public key and a private key of the third party operation and maintenance personnel according to the digital identity information of the third party operation and maintenance personnel; and the fourth generation module is used for generating a registration result based on the public key of the third party operation and maintenance personnel, the digital identity information and the digital identity certificate of the third party operation and maintenance personnel, the second time stamp and the private key for digital identity information registration, wherein the registration result is decrypted by the third party operation and maintenance personnel by adopting the private key of the third party operation and maintenance personnel to obtain the digital identity certificate of the third party operation and maintenance personnel.
Optionally, the apparatus further comprises: and the verification module is used for carrying out identity verification on the third party operation and maintenance personnel according to the preset period and the random number in the preset period.
Optionally, the apparatus further comprises: the access right determining module is used for determining the access right of the third party operation and maintenance personnel to the operation and maintenance operating system based on the power operation and maintenance credentials; the scoring module is used for scoring the operation and maintenance authentication behaviors of the third-party operation and maintenance personnel according to preset operation and maintenance authentication matters and scores corresponding to the operation and maintenance authentication matters, and generating a zero trust scoring set, wherein the zero trust scoring set comprises the related operation and maintenance authentication matters and total scores; and the access permission cancellation module is used for canceling the access permission of the third party operation and maintenance personnel to the operation and maintenance operation system if the total score is smaller than or equal to a preset threshold value.
According to a third aspect of embodiments of the present invention, there is also provided a zero trust authentication system suitable for power operation and maintenance, the system comprising: the system comprises a digital identity registration module, an authentication proxy gateway and a zero trust security management center; the authentication proxy gateway receives an electric power operation and maintenance access request of a third party operation and maintenance person and sends the electric power operation and maintenance access request to the zero trust security management center, wherein the electric power operation and maintenance access request comprises an operation and maintenance request number, digital identity information of the third party operation and maintenance person and digital identity credentials, the digital identity information is generated by the digital identity registration module according to registration information of the third party operation and maintenance person, and the digital identity credentials are obtained by the third party operation and maintenance person by utilizing asymmetric encryption according to registration results of the third party operation and maintenance person sent by the digital identity registration module; the zero trust security management center authenticates the power operation and maintenance access request according to the operation and maintenance request number and the authentication credentials determined by the digital identity information; and if the authentication is passed, the zero-trust security management center generates an electric operation and maintenance credential and sends the electric operation and maintenance credential to the third party operation and maintenance personnel through the authentication proxy gateway, wherein the electric operation and maintenance credential comprises a session credential and a working credential.
According to a fourth aspect of embodiments of the present invention, there is also provided an electronic device including a processor, a communication interface, a memory, and a communication bus, wherein the processor, the communication interface, and the memory complete communication with each other through the communication bus; wherein the memory is used for storing a computer program; a processor for performing the method steps of any of the embodiments described above by running the computer program stored on the memory.
According to a fifth aspect of embodiments of the present invention, there is also provided a computer-readable storage medium having stored therein a computer program, wherein the computer program is arranged to perform the method steps of any of the embodiments described above when run.
In the embodiment of the invention, verification is performed on the received power operation and maintenance access request. Because the access request carries an operation and maintenance request number, and a different request number is used for each operation and maintenance task, the real-time performance of the verification is improved. The access request also carries the digital identity information and digital identity credential of the third-party operation and maintenance personnel, and the digital identity credential is obtained from the registration result of the third-party operation and maintenance personnel by asymmetric encryption, which improves the security of the verification. This solves the problem in the related technology that the real-time performance and security of an identity verification system suitable for power operation and maintenance are not high.
According to the embodiment of the invention, the digital identity credential corresponding to the digital identity information in the received power operation and maintenance access request is obtained, the exclusive OR of its hash value with the operation and maintenance request number is computed, and the result is compared with the power operation and maintenance access request to judge whether the authentication is passed. Because the digital identity credential is obtained from the registration result of the third-party operation and maintenance personnel by asymmetric encryption, the identity of the third-party operation and maintenance personnel is protected from being forged by others.
In the embodiment of the invention, after the identity authentication of the third-party operation and maintenance personnel is passed, the session credential and the work credential used for the operation and maintenance are generated. Because the session credential and the work credential are generated with the private key for security management authentication, their reliability is ensured; and because the session credential includes the session random number and the authentication passing identifier, and the work credential includes the operation and maintenance area and authority information of the third-party operation and maintenance personnel, real-time performance and security are improved.
In the embodiment of the invention, because the registration information of the third party operation and maintenance personnel and the time stamp of the registration are used when the third party operation and maintenance personnel perform identity registration, and asymmetric encryption is used when the registration result is transmitted, the digital identity certificate of the third party operation and maintenance personnel is prevented from being stolen by other people, and the security of the registration is improved.
In the embodiment of the invention, after the authentication is passed, the identity of the third party operation and maintenance personnel is verified at regular intervals with a certain frequency, so that the operation and maintenance safety is improved.
In the embodiment of the invention, the operation and maintenance authentication behavior of the third party operation and maintenance personnel is scored according to the preset operation and maintenance authentication matters and the corresponding scores, and when the score is smaller than or equal to the preset threshold value, the access authority of the third party operation and maintenance personnel is cancelled, so that the operation and maintenance safety is further improved.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the invention and together with the description, serve to explain the principles of the invention.
In order to more clearly illustrate the embodiments of the invention or the technical solutions of the prior art, the drawings which are used in the description of the embodiments or the prior art will be briefly described, and it will be obvious to a person skilled in the art that other drawings can be obtained from these drawings without inventive effort.
FIG. 1 is a schematic diagram of an alternative hardware environment for a zero trust authentication method for power operation and maintenance in accordance with an embodiment of the present invention;
FIG. 2 is a flow diagram of an alternative zero trust authentication method suitable for power operation and maintenance according to an embodiment of the present invention;
FIG. 3 is a block diagram of an alternative zero trust authentication means suitable for power operation and maintenance in accordance with an embodiment of the present invention;
FIG. 4 is a schematic diagram of an alternative zero trust operation and maintenance management system in accordance with an embodiment of the present invention;
FIG. 5 is a schematic diagram of an alternative zero trust operation and maintenance management system operational flow in accordance with an embodiment of the present invention;
FIG. 6 is a block diagram of an alternative electronic device in accordance with an embodiment of the present invention.
Detailed Description
In order that those skilled in the art will better understand the present invention, a technical solution in the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in which it is apparent that the described embodiments are only some embodiments of the present invention, not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the present invention without making any inventive effort, shall fall within the scope of the present invention.
It should be noted that in the description of the present invention, the terms "first," "second," and the like are used for distinguishing between similar objects and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used may be interchanged where appropriate such that the embodiments of the invention described herein may be implemented in sequences other than those illustrated or otherwise described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
According to one aspect of the embodiment of the invention, a zero-trust authentication method suitable for power operation and maintenance is provided. Alternatively, in the present embodiment, the above-described zero-trust authentication method applicable to power operation and maintenance may be applied to a hardware environment as shown in fig. 1. As shown in fig. 1, the terminal 102 may include a memory 104, a processor 106, and a display 108 (optional components). The terminal 102 may be communicatively coupled to a server 112 via a network 110, the server 112 being operable to provide services (e.g., application services, etc.) to the terminal or to clients installed on the terminal, and a database 114 may be provided on the server 112 or independent of the server 112 for providing data storage services to the server 112. In addition, a processing engine 116 may be run in the server 112, which processing engine 116 may be used to perform the steps performed by the server 112.
Alternatively, the terminal 102 may be, but is not limited to, a terminal capable of computing data, such as a mobile terminal (e.g., a mobile phone or a tablet computer), a notebook computer or a PC (Personal Computer), and the network may include, but is not limited to, a wireless network or a wired network. The wireless network comprises Bluetooth, WIFI (Wireless Fidelity) and other networks that enable wireless communication; the wired network may include, but is not limited to, a wide area network, a metropolitan area network or a local area network. The server 112 may include, but is not limited to, any hardware device that can perform calculations.
In addition, in this embodiment, the above-mentioned zero-trust authentication method applicable to power operation and maintenance may be applied to, but not limited to, an independent processing device with a relatively high processing capability, without performing data interaction. For example, the processing device may be, but is not limited to, a more powerful terminal device, i.e., the operations described above for the zero trust authentication method for power operation and maintenance may be integrated into a single processing device. The above is merely an example, and is not limited in any way in the present embodiment.
Alternatively, in this embodiment, the above-mentioned zero-trust authentication method applicable to power operation and maintenance may be performed by the server 112, by the terminal 102, or by both the server 112 and the terminal 102. The zero-trust authentication method applied to the power operation and maintenance performed by the terminal 102 according to the embodiment of the present invention may also be performed by a client installed thereon.
Taking an example that the zero-trust authentication method suitable for power operation and maintenance is applied to a central processing unit, fig. 2 is a schematic flow diagram of an alternative zero-trust authentication method suitable for power operation and maintenance according to an embodiment of the present invention, as shown in fig. 2, the flow of the method may include the following steps:
Step S201, receiving an electric power operation and maintenance access request of a third-party operation and maintenance person, wherein the electric power operation and maintenance access request comprises an operation and maintenance request number, digital identity information of the third-party operation and maintenance person and a digital identity credential, the digital identity information is generated according to registration information of the third-party operation and maintenance person, and the digital identity credential is obtained according to the registration result of the third-party operation and maintenance person by means of asymmetric encryption. Optionally, the zero trust authentication method suitable for power operation and maintenance is used in a zero trust authentication system suitable for power operation and maintenance. The system first receives the power operation and maintenance access request of the third-party operation and maintenance person. The access request comprises an operation and maintenance request number that can only be used for the current operation and maintenance task (the next task uses a new operation and maintenance request number), together with the digital identity information and the digital identity credential of the third-party operation and maintenance person, where the digital identity information is generated from the registration information of the third-party operation and maintenance person, such as the name, job number, unit, operation and maintenance level, registration time and other attributes, and the digital identity credential is obtained from the registration result of the third-party operation and maintenance person by means of asymmetric encryption.
Step S202, the power operation and maintenance access request is authenticated according to the operation and maintenance request number and the authentication credentials determined by the digital identity information. Optionally, the authentication credentials are determined by computing the operation and maintenance request number and the digital identity information, so as to perform comparative authentication with the received power operation and maintenance access request.
Step S203, if the authentication is passed, a power operation and maintenance certificate is generated, wherein the power operation and maintenance certificate comprises a session certificate and a work certificate. Optionally, if the authentication credential is consistent with the comparison result of the received power operation and maintenance access request, determining that the authentication is passed, and generating a power operation and maintenance credential, namely a session credential and a work credential, for use by a third party operation and maintenance personnel in operation and maintenance.
In this embodiment, verification is performed on the received power operation and maintenance access request. Because the access request contains an operation and maintenance request number and a different request number is used for each operation and maintenance session, the timeliness of verification is improved. Because the access request also contains the digital identity information and digital identity credential of the third-party person, and the credential is obtained from the registration result by asymmetric encryption, the security of verification is improved. This addresses the low timeliness and security of identity verification systems for power operation and maintenance in the related art.
As an alternative embodiment, authenticating the power operation and maintenance access request according to the authentication credentials determined by the operation and maintenance request number and the digital identity information includes: acquiring a corresponding digital identity certificate according to the digital identity information; performing exclusive OR operation on the obtained hash value of the digital identity certificate and the operation and maintenance request number to obtain an authentication certificate; comparing the hash value of the digital identity credential in the authentication credential with the exclusive or result of the operation and maintenance request number in the power operation and maintenance access request; if the comparison results are consistent, judging that the authentication is passed, otherwise, judging that the authentication is not passed.
Optionally, the received power operation and maintenance access request is S = N1 || ID || (Hash(D_ID) ⊕ N1), wherein N1 is the operation and maintenance request number, valid only for this operation and maintenance session; ID is the digital identity information of the third-party person; D_ID is the digital identity credential of the third-party person; ⊕ is the exclusive-or operator; and || is the string concatenation operator. First, the digital identity credential D_ID stored at registration is looked up using the digital identity information ID in the access request, and Hash(D_ID) is computed. The hash value Hash(D_ID) is then XORed with the operation and maintenance request number N1 to obtain the authentication credential, and the authentication credential is compared with the corresponding field of the access request S. If the computed authentication credential matches the value contained in S, authentication passes; otherwise it fails.
In this embodiment, the digital identity credential corresponding to the digital identity information in the received access request is looked up, the hash of that credential is XORed with the operation and maintenance request number, and the result is compared with the access request to decide whether authentication passes. Because the digital identity credential is obtained from the registration result of the third-party person using asymmetric encryption, the identity of the third-party person cannot easily be impersonated by others.
As an alternative embodiment, if the authentication is passed, generating a power operation and maintenance credential, wherein the power operation and maintenance credential includes a session credential and a work credential includes: if the authentication is passed, generating an authentication passing identifier and a session random number; generating a session credential according to the authentication passing identifier, the session random number, the private key for security management authentication, the operation and maintenance request number and the digital identity credential of the third party operation and maintenance personnel by utilizing asymmetric encryption; generating a work ticket according to the operation and maintenance area and the authority information; encoding the work ticket; and generating a work certificate according to the encoded work ticket, the third timestamp and the private key for security management authentication by using asymmetric encryption.
Optionally, if authentication passes, an authentication-pass identifier V and a session random number N2 are generated, and the session credential is produced by asymmetric encryption from V, N2, the private key Kzs for security management authentication, the operation and maintenance request number N1 and the digital identity credential D_ID of the third-party person: Hash(D_ID) ⊕ N1 || N2 || E(Kzs, N2 || V). Here E() denotes encryption with an asymmetric algorithm; an existing algorithm such as RSA, ElGamal, a knapsack scheme or Rabin may be used. In addition, a work ticket <T> is generated according to the operation and maintenance area and authority of the third-party person, the work ticket is encoded to obtain the encoded work ticket <P>, and the work credential C = E(Kzs, <P> || t3) is generated by asymmetric encryption from <P>, the third timestamp t3 (the timestamp of the current time) and the private key Kzs for security management authentication. The operation and maintenance area and authority may include: work ticket number, person responsible for the work, work team members, work place, work content, planned work time, work end time, construction scope, safety measures, work licensor, work ticket issuer, work ticket approver, user evaluation, operation and maintenance conclusion, and so on.
In this embodiment, after the identity authentication of the third-party person passes, the session credential and the work credential used for this operation and maintenance session are generated. Because both credentials are generated with the private key for security management authentication, their authenticity can be verified. The session credential carries the session random number and the authentication-pass identifier, and the work credential carries the operation and maintenance area and authority information of the third-party person, which improves timeliness and security.
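The exchange described in steps S201 to S203 above (the request S = N1 || ID || (Hash(D_ID) ⊕ N1), its authentication against the stored credential, and issuance of the session and work credentials), together with the registration hash ID = Hash(name/no/company/level/t1), as an added, self-contained example that is not code from the patent. Assumptions not stated in the patent: Hash() is SHA-256; N1 is a 32-byte nonce so it is as wide as the hash it is XORed with; N2 is 16 bytes; the private-key operation E(Kzs, ·) is replaced by HMAC-SHA256 under a key shared by the security management center and the verifier (a deployment would use a signature such as RSA or SM2 so the gateway verifies with a public key only); the work ticket <T> is encoded to <P> as canonical JSON. All names, the ticket fields and the sample values are constructed for this example.

```python
"""Added example (not the patent's code): access request, authentication and
credential issuance for the zero-trust O&M scheme, standard library only."""
import hashlib
import hmac
import json
import secrets

HASH_LEN = 32     # SHA-256 output; N1 is assumed to be this wide as well
NONCE_LEN = 16    # width assumed for the session random number N2
TAG_LEN = 32      # HMAC-SHA256 output, the stand-in for E(Kzs, .)
V_PASS = b"\x01"  # authentication-pass identifier V (value assumed)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("xor operands must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def hash_bytes(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def make_digital_id(name: str, no: str, company: str, level: int, t1: int) -> bytes:
    """Registration step: ID = Hash(name/no/company/level/t1)."""
    return hash_bytes(f"{name}/{no}/{company}/{level}/{t1}".encode())


def build_access_request(n1: bytes, digital_id: bytes, d_id: bytes) -> bytes:
    """Operator side: S = N1 || ID || (Hash(D_ID) XOR N1)."""
    return n1 + digital_id + xor_bytes(hash_bytes(d_id), n1)


def parse_access_request(s: bytes):
    if len(s) != 3 * HASH_LEN:
        raise ValueError("malformed access request")
    return s[:HASH_LEN], s[HASH_LEN:2 * HASH_LEN], s[2 * HASH_LEN:]


def exposed_hash_of_credential(s: bytes) -> bytes:
    """N1 travels in clear next to Hash(D_ID) XOR N1, so anyone who sees S can
    read Hash(D_ID) back; the one-time N1 check below is what blocks replay."""
    n1, _, token = parse_access_request(s)
    return xor_bytes(token, n1)


class SecurityManagementCenter:
    def __init__(self, kzs: bytes):
        self.kzs = kzs
        self.registered = {}  # ID -> D_ID retained from registration
        self.used_n1 = set()  # a request number is valid for one session only

    def register(self, name, no, company, level, t1):
        digital_id = make_digital_id(name, no, company, level, t1)
        d_id = secrets.token_bytes(HASH_LEN)  # D_ID handed out at registration
        self.registered[digital_id] = d_id
        return digital_id, d_id

    def authenticate(self, s: bytes) -> bool:
        """Step S202: recompute Hash(D_ID) XOR N1 from the stored D_ID."""
        n1, digital_id, token = parse_access_request(s)
        d_id = self.registered.get(digital_id)
        if d_id is None or n1 in self.used_n1:
            return False
        if not hmac.compare_digest(xor_bytes(hash_bytes(d_id), n1), token):
            return False
        self.used_n1.add(n1)
        return True

    def _e_kzs(self, data: bytes) -> bytes:
        # Stand-in for E(Kzs, data); a real deployment signs here instead.
        return hmac.new(self.kzs, data, hashlib.sha256).digest()

    def issue_session_credential(self, s: bytes) -> bytes:
        """Hash(D_ID) XOR N1 || N2 || E(Kzs, N2 || V)."""
        n1, digital_id, _ = parse_access_request(s)
        n2 = secrets.token_bytes(NONCE_LEN)
        head = xor_bytes(hash_bytes(self.registered[digital_id]), n1)
        return head + n2 + self._e_kzs(n2 + V_PASS)

    def issue_work_credential(self, ticket: dict, t3: int) -> bytes:
        """C = E(Kzs, <P> || t3); <P> || t3 is carried in clear, tag appended."""
        p = json.dumps(ticket, sort_keys=True, separators=(",", ":")).encode()
        body = p + b"|" + str(t3).encode()
        return body + self._e_kzs(body)


def verify_session_credential(kzs: bytes, cred: bytes, s: bytes, d_id: bytes) -> bool:
    """Operator side: first field must match its own request, tag must bind N2 to V."""
    n1, _, _ = parse_access_request(s)
    head = cred[:HASH_LEN]
    n2 = cred[HASH_LEN:HASH_LEN + NONCE_LEN]
    tag = cred[HASH_LEN + NONCE_LEN:]
    if not hmac.compare_digest(head, xor_bytes(hash_bytes(d_id), n1)):
        return False
    return hmac.compare_digest(tag, hmac.new(kzs, n2 + V_PASS, hashlib.sha256).digest())


def verify_work_credential(kzs: bytes, c: bytes, now: int, max_age: int):
    """Returns the decoded work ticket, or None if the tag or t3 check fails."""
    body, tag = c[:-TAG_LEN], c[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(kzs, body, hashlib.sha256).digest()):
        return None
    p, t3 = body.rsplit(b"|", 1)
    if now - int(t3) > max_age:
        return None
    return json.loads(p)
```

Two points the code makes concrete: the center must keep the set of used request numbers, because N1 is the only freshness element in S and is chosen by the operator; and, since N1 is sent in the clear beside Hash(D_ID) ⊕ N1, the hash of the credential is readable by anyone who observes S, so the request should travel over a protected channel in addition to the one-time check on N1.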
As an alternative embodiment, before receiving the power operation and maintenance access request of the third party operation and maintenance personnel, the method further comprises: generating digital identity information of the third party operation and maintenance personnel according to registration information of the third party operation and maintenance personnel by utilizing a hash algorithm, wherein the registration information comprises the identity information and a first timestamp of the third party operation and maintenance personnel; generating a public key and a private key of the third party operation and maintenance personnel according to the digital identity information of the third party operation and maintenance personnel; and generating a registration result based on the public key of the third-party operation and maintenance personnel, the digital identity information and the digital identity certificate of the third-party operation and maintenance personnel, the second timestamp and the private key for digital identity information registration, wherein the registration result is decrypted by the third-party operation and maintenance personnel by adopting the private key of the third-party operation and maintenance personnel to obtain the digital identity certificate of the third-party operation and maintenance personnel.
Optionally, a hash algorithm is used to generate the digital identity information ID = Hash(name/no/company/level/t1) of the third-party person from the registration information, where the registration information may include the name (name), job number (no), unit (company), operation and maintenance level (level) and registration time of the third-party person, and t1 is the first timestamp, i.e. the timestamp of the registration time. The public key Kp and private key Ks of the third-party person are then generated according to the digital identity information ID, and the registration result E = E(Krs, E(Kp, ID || D_ID || t2)) is generated from the public key Kp of the third-party person, the digital identity information ID and digital identity credential D_ID, the second timestamp t2 and the private key Krs for digital identity information registration. The third-party person decrypts the registration result with their own private key Ks to obtain the digital identity credential D_ID.
In the embodiment of the invention, because the registration information of the third party operation and maintenance personnel and the time stamp of the registration are used when the third party operation and maintenance personnel perform identity registration, and asymmetric encryption is used when the registration result is transmitted, the digital identity certificate of the third party operation and maintenance personnel is prevented from being stolen by other people, and the security of the registration is improved.
As an alternative embodiment, the method further comprises: verifying the identity of the third-party person according to a preset period and a random number for that period. Optionally, after authentication passes, the identity of the third-party person is re-verified at every period T, using a fresh random number Nt in each period. In this embodiment, re-verifying the identity of the third-party person at a fixed frequency after authentication passes improves the security of operation and maintenance.
As an alternative embodiment, the method further comprises: determining the access right of a third party operation and maintenance personnel to an operation and maintenance operating system based on the power operation and maintenance credentials; scoring the operation and maintenance authentication behaviors of third-party operation and maintenance personnel according to preset operation and maintenance authentication matters and scores corresponding to the operation and maintenance authentication matters, and generating a zero trust score set, wherein the zero trust score set comprises the operation and maintenance authentication matters and total scores; and if the total score is smaller than or equal to a preset threshold value, canceling the access authority of the third party operation and maintenance personnel to the operation and maintenance operation system.
Optionally, the access right of the third-party person to the operation and maintenance operating system is determined from the power operation and maintenance credential, the operating system being the system the third-party person uses to perform operation and maintenance work. The operation and maintenance authentication behaviour of the third-party person is then scored according to preset authentication events and the score corresponding to each event, producing a zero-trust score set {e1, e2, …, en; score}, which contains the authentication events e1, e2, …, en involved and the total score. Taking a preset threshold of 0 as an example, when the total score is less than or equal to 0 the access right of the third-party person to the operating system is cancelled. To restore access, the third-party person must go through manual auditing, after which the scoring information is reset and access to the operating system can continue. The authentication events e1, e2, …, en and their corresponding scores may be as shown in Table 1.
TABLE 1
Operation and maintenance authentication event      Score
Authentication success                              +100
Authentication failure                              -100
Number of retries of a command exceeds 3             -60
Password error                                       -90
Request exception                                    -50
IP address error                                     -80
Identity impersonation                              -100
Information tampering                               -100
Unauthorized access                                  -90
Taking the preset threshold of 0 as an example, the initial score is 0 and 100 points are added when authentication succeeds. If a password error then occurs during operation and maintenance, 90 points are deducted (total 10), and if an unauthorized access follows, a further 90 points are deducted (total -80); the total is now below the threshold of 0, and the access right of the third-party person to the operation and maintenance operating system is cancelled. In this embodiment, the authentication behaviour of the third-party person is scored according to the preset events and their scores, and access is cancelled when the score is less than or equal to the preset threshold, which further improves the security of operation and maintenance.
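The scoring described above with the events and scores of Table 1 and the threshold of 0, as an added example that is not code from the patent. It keeps one score set {e1, …, en; score} per operator, counts command retries so that only the fourth retry of the same command triggers the "exceeds 3" deduction, revokes access at or below the threshold, ignores further events until a manual reset, and replays the worked example above from constructed audit lines. The event names, the log-line layout and the operator numbers are assumptions made for this example.

```python
"""Added example (not the patent's code): zero-trust scoring of O&M
authentication events per Table 1, with revocation and manual reset."""
import re

EVENT_SCORES = {  # Table 1, with event names assumed for this example
    "auth_success": 100,
    "auth_failure": -100,
    "command_retries_exceeded": -60,  # more than 3 retries of one command
    "password_error": -90,
    "request_exception": -50,
    "ip_address_error": -80,
    "identity_impersonation": -100,
    "information_tampering": -100,
    "unauthorized_access": -90,
}
THRESHOLD = 0
MAX_COMMAND_RETRIES = 3


class ZeroTrustScore:
    """Score set {e1, ..., en; score} for one third-party operator."""

    def __init__(self):
        self.manual_reset()

    def manual_reset(self):
        """Manual audit clears the scoring information and restores access."""
        self.events = []
        self.score = 0
        self.access_granted = True
        self._retries = {}

    def score_set(self) -> dict:
        return {"events": list(self.events), "score": self.score}

    def record(self, event: str) -> bool:
        """Applies one event; returns whether access is still granted."""
        if event not in EVENT_SCORES:
            raise ValueError(f"unknown authentication event: {event}")
        if not self.access_granted:
            return False  # revoked: nothing counts until a manual reset
        self.events.append(event)
        self.score += EVENT_SCORES[event]
        if self.score <= THRESHOLD:
            self.access_granted = False
        return self.access_granted

    def record_command_retry(self, command: str) -> bool:
        """Per-command retry counter; the 4th retry triggers the -60 entry once."""
        n = self._retries.get(command, 0) + 1
        self._retries[command] = n
        if n == MAX_COMMAND_RETRIES + 1:
            return self.record("command_retries_exceeded")
        return self.access_granted


# Audit-line layout assumed for this example.
LOG_LINE = re.compile(
    r"operator=(?P<op>\S+)\s+event=(?P<event>\S+)(?:\s+command=(?P<cmd>\S+))?")


def apply_log(lines):
    """Feeds audit lines to one ZeroTrustScore per operator; returns the map."""
    scores = {}
    for line in lines:
        m = LOG_LINE.search(line)
        if not m:
            continue
        zt = scores.setdefault(m["op"], ZeroTrustScore())
        if m["event"] == "command_retry":
            zt.record_command_retry(m["cmd"] or "")
        else:
            zt.record(m["event"])
    return scores


SAMPLE_LOG = [  # constructed for this example
    "2024-03-01T09:00:01 operator=A1001 event=auth_success",
    "2024-03-01T09:05:12 operator=A1001 event=password_error",
    "2024-03-01T09:06:40 operator=A1001 event=unauthorized_access",
    "2024-03-01T09:07:00 operator=A1001 event=auth_success",
    "2024-03-01T09:10:00 operator=B2002 event=auth_success",
    "2024-03-01T09:11:00 operator=B2002 event=command_retry command=show_relay",
    "2024-03-01T09:11:05 operator=B2002 event=command_retry command=show_relay",
    "2024-03-01T09:11:09 operator=B2002 event=command_retry command=show_relay",
    "2024-03-01T09:11:15 operator=B2002 event=command_retry command=show_relay",
]
```

Running apply_log(SAMPLE_LOG) reproduces the worked example: operator A1001 goes 0, +100, -90, -90 to a total of -80 and is revoked, so the later successful authentication is not counted; operator B2002 loses 60 points only on the fourth retry of the same command and keeps access at 40.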
According to another aspect of the embodiment of the invention, a zero-trust authentication device suitable for power operation and maintenance is also provided. Fig. 3 is a block diagram of an alternative zero trust authentication apparatus suitable for power operation and maintenance according to an embodiment of the present invention, as shown in fig. 3, the apparatus may include: the receiving module 301 is configured to receive an electric power operation and maintenance access request of a third party operation and maintenance person, where the electric power operation and maintenance access request includes an operation and maintenance request number, digital identity information of the third party operation and maintenance person, and digital identity credentials, the digital identity information is generated according to registration information of the third party operation and maintenance person, and the digital identity credentials are obtained according to a registration result of the third party operation and maintenance person by using asymmetric encryption; the authentication module 302 is configured to authenticate the power operation and maintenance access request according to an authentication credential determined by the operation and maintenance request number and the digital identity information; the first generation module 303 is configured to generate a power operation and maintenance credential if the authentication is passed, where the power operation and maintenance credential includes a session credential and a work credential.
It should be noted that, the receiving module 301 in this embodiment may be used to perform the above-mentioned step S201, the authenticating module 302 in this embodiment may be used to perform the above-mentioned step S202, and the first generating module 303 in this embodiment may be used to perform the above-mentioned step S203.
With these modules, the power operation and maintenance access request is received for verification. Because the access request contains an operation and maintenance request number and a different request number is used for each operation and maintenance session, the timeliness of verification is improved. Because the access request also contains the digital identity information and digital identity credential of the third-party person, and the credential is obtained from the registration result by asymmetric encryption, the security of verification is improved. This addresses the low timeliness and security of identity verification systems for power operation and maintenance in the related art.
As an alternative embodiment, the authentication module comprises: an acquisition unit for acquiring the corresponding digital identity credential according to the digital identity information; an obtaining unit for XORing the hash value of the acquired digital identity credential with the operation and maintenance request number to obtain the authentication credential; a comparison unit for comparing the authentication credential with the XOR of the hash value of the digital identity credential and the operation and maintenance request number carried in the access request; and a judging unit for judging that authentication passes if the comparison results are consistent, and that it fails otherwise.
As an alternative embodiment, the first generating module includes: the first generation unit is used for generating an authentication passing identifier and a session random number if the authentication passes; the second generation unit is used for generating a session credential according to the authentication passing identifier, the session random number, the private key for security management authentication, the operation and maintenance request number and the digital identity credential of the third party operation and maintenance personnel by utilizing asymmetric encryption; the third generation unit is used for generating a work ticket according to the operation and maintenance area and the authority information; the encoding unit is used for encoding the work ticket; and a fourth generation unit for generating a work certificate according to the encoded work ticket, the third timestamp and the private key for security management authentication by using asymmetric encryption.
As an alternative embodiment, the apparatus further comprises: the second generation module is used for generating digital identity information of the third-party operation and maintenance personnel according to registration information of the third-party operation and maintenance personnel by utilizing a hash algorithm, wherein the registration information comprises the identity information of the third-party operation and maintenance personnel and a first timestamp; the third generation module is used for generating a public key and a private key of the third party operation and maintenance personnel according to the digital identity information of the third party operation and maintenance personnel; and the fourth generation module is used for generating a registration result based on the public key of the third party operation and maintenance personnel, the digital identity information and the digital identity certificate of the third party operation and maintenance personnel, the second time stamp and the private key for digital identity information registration, wherein the registration result is decrypted by the third party operation and maintenance personnel by adopting the private key of the third party operation and maintenance personnel to obtain the digital identity certificate of the third party operation and maintenance personnel.
As an alternative embodiment, the apparatus further comprises: and the verification module is used for carrying out identity verification on the third party operation and maintenance personnel according to the preset period and the random number in the preset period.
As an alternative embodiment, the apparatus further comprises: the access right determining module is used for determining the access right of the third party operation and maintenance personnel to the operation and maintenance operating system based on the power operation and maintenance credentials; the scoring module is used for scoring the operation and maintenance authentication behaviors of the third party operation and maintenance personnel according to the preset operation and maintenance authentication matters and scores corresponding to the operation and maintenance authentication matters, and generating a zero trust scoring set, wherein the zero trust scoring set comprises the related operation and maintenance authentication matters and total scores; and the access permission cancellation module is used for canceling the access permission of the third-party operation and maintenance personnel to the operation and maintenance operating system if the total score is smaller than or equal to a preset threshold value.
It should be noted that the above modules correspond to the examples and application scenarios of the corresponding method steps, but are not limited to what is disclosed in those embodiments. The above modules may be implemented in software or in hardware as part of the apparatus shown in fig. 1, whose hardware environment includes a network environment.
According to yet another aspect of the embodiment of the present invention, there is further provided a zero-trust authentication system applicable to power operation and maintenance, the system including a digital identity registration module, an authentication proxy gateway, and a zero-trust security management center; the authentication proxy gateway receives an electric power operation and maintenance access request of a third party operation and maintenance person and sends the electric power operation and maintenance access request to a zero trust security management center, wherein the electric power operation and maintenance access request comprises an operation and maintenance request number, digital identity information of the third party operation and maintenance person and digital identity credentials, the digital identity information is generated by a digital identity registration module according to registration information of the third party operation and maintenance person, and the digital identity credentials are obtained by the third party operation and maintenance person by utilizing asymmetric encryption according to registration results of the third party operation and maintenance person sent by the digital identity registration module; the zero trust security management center authenticates the power operation and maintenance access request according to the operation and maintenance request number and the authentication credentials determined by the digital identity information; if the authentication is passed, the zero-trust security management center generates an electric operation and maintenance credential and sends the electric operation and maintenance credential to a third party operation and maintenance personnel through the authentication proxy gateway, wherein the electric operation and maintenance credential comprises a session credential and a working credential.
Optionally, as shown in fig. 4, the system includes a digital identity registration module, an authentication proxy gateway and a zero-trust security management center. The digital identity registration module is used for identity registration of third-party operation and maintenance personnel. The zero-trust security management center authenticates the power operation and maintenance access request submitted by a third-party person and performs authorization and monitoring according to the authentication result; it can be further divided by function into an identity authentication engine, an authorization engine and a monitoring engine, used respectively for identity authentication, operation and maintenance authorization and operation and maintenance monitoring. The authentication proxy gateway forwards information among the system, the third-party person and the power equipment. Specifically, FIG. 5 is a schematic diagram of the operational flow of an alternative zero-trust operation and maintenance management system. As shown in FIG. 5, the third-party person sends the power operation and maintenance access request S = N1 || ID || (Hash(D_ID) ⊕ N1) to the authentication proxy gateway, where the digital identity information ID is generated by the digital identity registration module from the registration information of the third-party person, i.e. ID = Hash(name/no/company/level/t1), and the digital identity credential D_ID is obtained by the third-party person, using asymmetric encryption, from the registration result sent by the digital identity registration module.
The authentication proxy gateway intercepts the access request S and reports it to the zero-trust security management center, which authenticates the request against the authentication credential Hash(D_ID) ⊕ N1 determined by the operation and maintenance request number N1 and the digital identity information ID. If authentication passes, the access interface of the power equipment is released and the third-party person is allowed to perform operation and maintenance; the zero-trust security management center generates the power operation and maintenance credential, namely the session credential Hash(D_ID) ⊕ N1 || N2 || E(Kzs, N2 || V) and the work credential C = E(Kzs, <P> || t3), and sends it to the third-party person through the authentication proxy gateway. Otherwise, the request is rejected and an authentication failure is returned.
With this system, the power operation and maintenance access request is received for verification. Because the access request contains an operation and maintenance request number and a different request number is used for each operation and maintenance session, the timeliness of verification is improved. Because the access request also contains the digital identity information and digital identity credential of the third-party person, and the credential is obtained from the registration result by asymmetric encryption, the security of verification is improved. This addresses the low timeliness and security of identity verification systems for power operation and maintenance in the related art.
According to yet another aspect of the embodiments of the present invention, there is also provided an electronic device for implementing the above-mentioned zero-trust authentication method applicable to power operation and maintenance, where the electronic device may be a server, a terminal, or a combination thereof.
Fig. 6 is a block diagram of an alternative electronic device according to an embodiment of the invention, as shown in fig. 6, comprising a processor 601, a communication interface 602, a memory 603 and a communication bus 604, wherein the processor 601, the communication interface 602 and the memory 603 perform communication with each other via the communication bus 604, wherein the memory 603 is for storing a computer program; the processor 601 is configured to execute the computer program stored in the memory 603, and implement the following steps:
Receiving an electric power operation and maintenance access request of a third-party operation and maintenance person, wherein the electric power operation and maintenance access request comprises an operation and maintenance request number, digital identity information and digital identity credentials of the third-party operation and maintenance person, the digital identity information is generated according to registration information of the third-party operation and maintenance person, and the digital identity credentials are obtained according to registration results of the third-party operation and maintenance person by means of asymmetric encryption; authenticating the power operation and maintenance access request according to the operation and maintenance request number and the authentication credentials determined by the digital identity information; if the authentication is passed, generating a power operation and maintenance certificate, wherein the power operation and maintenance certificate comprises a session certificate and a work certificate.
Alternatively, in the present embodiment, the above communication bus may be a PCI (Peripheral Component Interconnect) bus, an EISA (Extended Industry Standard Architecture) bus, or the like. The communication bus may be divided into an address bus, a data bus, a control bus, and so on. For ease of illustration only one thick line is shown in fig. 6, but this does not mean there is only one bus or only one type of bus.
The communication interface is used for communication between the electronic device and other devices.
The memory may include RAM or non-volatile memory, such as at least one disk storage device. Optionally, the memory may also be at least one storage device located remotely from the aforementioned processor.
As an example, as shown in fig. 6, the memory 603 may include, but is not limited to, the receiving module 301, the authentication module 302, and the first generating module 303 of the zero-trust authentication device suitable for power operation and maintenance. The zero-trust authentication device may also include other module units, which are not described in detail in this example.
The processor may be a general purpose processor, including but not limited to a CPU (Central Processing Unit) or an NP (Network Processor); it may also be a DSP (Digital Signal Processor), an ASIC (Application Specific Integrated Circuit), an FPGA (Field-Programmable Gate Array) or another programmable logic device, a discrete gate or transistor logic device, or discrete hardware components.
In addition, the electronic device further includes a display for displaying the result of the zero-trust authentication suitable for power operation and maintenance.
Alternatively, specific examples in this embodiment may refer to examples described in the foregoing embodiments, and this embodiment is not described herein.
It will be appreciated by those skilled in the art that the structure shown in fig. 6 is only schematic, and the device implementing the above-mentioned zero-trust authentication method suitable for power operation and maintenance may be a terminal device, where the terminal device may be a smart phone (such as an Android mobile phone, an iOS mobile phone, etc.), a tablet computer, a palm computer, a Mobile Internet Device (MID), a PAD, etc. Fig. 6 does not limit the structure of the electronic device. For example, the terminal device may also include more or fewer components (e.g., network interfaces, display devices, etc.) than shown in fig. 6, or have a different configuration than shown in fig. 6.
Those of ordinary skill in the art will appreciate that all or part of the steps in the various methods of the above embodiments may be implemented by a program instructing the relevant hardware of a terminal device; the program may be stored in a computer readable storage medium, and the storage medium may include a flash disk, ROM, RAM, a magnetic disk or an optical disk, etc.
According to yet another aspect of an embodiment of the present invention, there is also provided a storage medium. Alternatively, in the present embodiment, the above-described storage medium may be used to store program code for executing the zero-trust authentication method suitable for power operation and maintenance.
Alternatively, in this embodiment, the storage medium may be located on at least one network device of the plurality of network devices in the network shown in the above embodiment.
Alternatively, in the present embodiment, the storage medium is configured to store program code for performing the steps of:
Receiving an electric power operation and maintenance access request of a third-party operation and maintenance person, wherein the electric power operation and maintenance access request comprises an operation and maintenance request number, digital identity information and digital identity credentials of the third-party operation and maintenance person, the digital identity information is generated according to registration information of the third-party operation and maintenance person, and the digital identity credentials are obtained according to registration results of the third-party operation and maintenance person by means of asymmetric encryption; authenticating the power operation and maintenance access request according to the operation and maintenance request number and the authentication credentials determined by the digital identity information; if the authentication is passed, generating a power operation and maintenance certificate, wherein the power operation and maintenance certificate comprises a session certificate and a work certificate.
Alternatively, specific examples in the present embodiment may refer to examples described in the above embodiments, which are not described in detail in the present embodiment.
Alternatively, in the present embodiment, the storage medium may include, but is not limited to, various media capable of storing program code, such as a USB flash drive, ROM, RAM, a removable hard disk, a magnetic disk or an optical disk.
According to yet another aspect of embodiments of the present invention, there is also provided a computer program product or computer program comprising computer instructions stored in a computer-readable storage medium; the computer instructions are read from the computer-readable storage medium by a processor of a computer device and, when executed by the processor, cause the computer device to perform the steps of the zero-trust authentication method suitable for power operation and maintenance described in any one of the embodiments above.
The foregoing embodiment numbers of the present invention are merely for the purpose of description, and do not represent the advantages or disadvantages of the embodiments.
The integrated units in the above embodiments may be stored in the above-described computer-readable storage medium if implemented in the form of software functional units and sold or used as separate products. Based on such understanding, the technical solution of the present invention, or the part of it that contributes over the prior art, may be embodied in the form of a software product stored in a storage medium, which includes several instructions causing one or more computer devices (which may be personal computers, servers, network devices, etc.) to perform all or part of the steps of the zero-trust authentication method suitable for power operation and maintenance of the present invention.
In the foregoing embodiments of the present invention, the descriptions of the embodiments are emphasized, and for a portion of this disclosure that is not described in detail in this embodiment, reference is made to the related descriptions of other embodiments.
In the several embodiments provided by the present invention, it should be understood that the disclosed client may be implemented in other manners. The above-described embodiments of the apparatus are merely exemplary; the division into units is merely a logical functional division, and there may be other manners of division in actual implementation: for example, multiple units or components may be combined or integrated into another system, or some features may be omitted or not performed. Alternatively, the coupling, direct coupling or communication connection shown or discussed may be realized through some interfaces, units or modules, and may be electrical or in other forms.
The units described as separate units may or may not be physically separate, and units shown as units may or may not be physical units, may be located in one place, or may be distributed over a plurality of network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution provided in the present embodiment.
In addition, each functional unit in the embodiments of the present invention may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit. The integrated units may be implemented in hardware or in software functional units.
The foregoing is merely a preferred embodiment of the present invention, and it should be noted that those skilled in the art may make various modifications and adaptations without departing from the principles of the present invention, which are intended to fall within the scope of the present invention.

Claims (10)

1. A zero-trust authentication method suitable for power operation and maintenance, the method comprising:
Receiving an electric power operation and maintenance access request of a third-party operation and maintenance person, wherein the electric power operation and maintenance access request comprises an operation and maintenance request number, digital identity information of the third-party operation and maintenance person and digital identity credentials, the digital identity information is generated according to registration information of the third-party operation and maintenance person, and the digital identity credentials are obtained according to registration results of the third-party operation and maintenance person by means of asymmetric encryption;
authenticating the power operation and maintenance access request according to the operation and maintenance request number and the authentication credentials determined by the digital identity information;
If the authentication is passed, generating a power operation and maintenance certificate, wherein the power operation and maintenance certificate comprises a session certificate and a work certificate.
2. The zero-trust authentication method for power operation and maintenance of claim 1, wherein the authenticating the power operation and maintenance access request according to the operation and maintenance request number and the authentication credentials determined by the digital identity information comprises:
acquiring a corresponding digital identity certificate according to the digital identity information;
performing an exclusive OR operation on the hash value of the obtained digital identity credential and the operation and maintenance request number to obtain an authentication credential;
comparing the authentication credential with the exclusive OR result of the hash value of the digital identity credential in the power operation and maintenance access request and the operation and maintenance request number in the power operation and maintenance access request;
if the comparison results are consistent, judging that the authentication is passed, otherwise, judging that the authentication is not passed.
3. The zero-trust authentication method for power operation and maintenance of claim 1, wherein generating the power operation and maintenance credentials if the authentication is passed, the power operation and maintenance credentials comprising session credentials and work credentials, comprises:
if the authentication is passed, generating an authentication passing identifier and a session random number;
Generating the session credential according to the authentication passing identifier, the session random number, the private key for security management authentication, the operation and maintenance request number and the digital identity credential of the third party operation and maintenance personnel by using asymmetric encryption;
Generating a work ticket according to the operation and maintenance area and the authority information;
Encoding the work ticket;
and generating a work certificate according to the encoded work ticket, the third timestamp and the private key for security management authentication by using asymmetric encryption.
4. The method of claim 1, further comprising, prior to said receiving a power operation and maintenance access request from a third party operation and maintenance person:
generating digital identity information of the third party operation and maintenance personnel according to registration information of the third party operation and maintenance personnel by utilizing a hash algorithm, wherein the registration information comprises the identity information of the third party operation and maintenance personnel and a first timestamp;
generating a public key and a private key of the third party operation and maintenance personnel according to the digital identity information of the third party operation and maintenance personnel;
generating a registration result based on the public key of the third party operation and maintenance personnel, the digital identity information and the digital identity credential of the third party operation and maintenance personnel, the second timestamp and the private key for digital identity information registration, wherein the registration result is decrypted by the third party operation and maintenance personnel with their own private key to obtain the digital identity credential of the third party operation and maintenance personnel.
5. The zero-trust authentication method for power operation and maintenance according to claim 1, further comprising:
And carrying out identity verification on the third party operation and maintenance personnel according to the preset period and the random number in the preset period.
6. The zero-trust authentication method for power operation and maintenance according to claim 1, further comprising:
determining the access right of the third party operation and maintenance personnel to the operation and maintenance operating system based on the power operation and maintenance credentials;
Scoring the operation and maintenance authentication behaviors of the third-party operation and maintenance personnel according to preset operation and maintenance authentication matters and scores corresponding to the operation and maintenance authentication matters, and generating a zero trust score set, wherein the zero trust score set comprises related operation and maintenance authentication matters and total scores;
and if the total score is smaller than or equal to a preset threshold value, cancelling the access right of the third party operation and maintenance personnel to the operation and maintenance operating system.
7. A zero-trust authentication apparatus adapted for power operation and maintenance, the apparatus comprising:
a receiving module, configured to receive a power operation and maintenance access request of a third party operation and maintenance person, wherein the power operation and maintenance access request comprises an operation and maintenance request number, digital identity information of the third party operation and maintenance person and digital identity credentials, the digital identity information is generated according to registration information of the third party operation and maintenance person, and the digital identity credentials are obtained according to registration results of the third party operation and maintenance person by means of asymmetric encryption;
an authentication module, configured to authenticate the power operation and maintenance access request according to the operation and maintenance request number and the authentication credentials determined by the digital identity information;
a first generation module, configured to generate a power operation and maintenance credential if the authentication is passed, wherein the power operation and maintenance credential comprises a session credential and a work credential.
8. A zero-trust authentication system suitable for power operation and maintenance, characterized by comprising a digital identity registration module, an authentication proxy gateway and a zero-trust security management center, wherein:
The authentication proxy gateway receives an electric power operation and maintenance access request of a third party operation and maintenance person and sends the electric power operation and maintenance access request to the zero trust security management center, wherein the electric power operation and maintenance access request comprises an operation and maintenance request number, digital identity information of the third party operation and maintenance person and digital identity credentials, the digital identity information is generated by the digital identity registration module according to registration information of the third party operation and maintenance person, and the digital identity credentials are obtained by the third party operation and maintenance person by utilizing asymmetric encryption according to registration results of the third party operation and maintenance person sent by the digital identity registration module;
the zero trust security management center authenticates the power operation and maintenance access request according to the operation and maintenance request number and the authentication credentials determined by the digital identity information;
and if the authentication is passed, the zero-trust security management center generates a power operation and maintenance credential and sends it to the third party operation and maintenance personnel through the authentication proxy gateway, wherein the power operation and maintenance credential comprises a session credential and a work credential.
9. An electronic device comprising a processor, a communication interface, a memory and a communication bus, wherein the processor, the communication interface and the memory communicate with each other via the communication bus, characterized in that,
The memory is used for storing a computer program;
the processor is configured to perform the method steps of any of claims 1 to 6 by running the computer program stored on the memory.
10. A computer-readable storage medium, characterized in that the storage medium has stored therein a computer program, wherein the computer program, when executed by a processor, implements the method steps of any of claims 1 to 6.
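The following is an added worked illustration of the checks in claims 2, 4 and 6, not code from the patent: it derives the digital identity as a hash over the registration information, forms the authentication credential as H(digital identity credential) XOR request number, compares it in constant time, and applies the zero-trust score threshold. The patent names no hash function, byte encoding or score table; SHA-256, a big-endian request number padded to the digest width, and the sample scores are assumptions.

```python
import hashlib
import hmac

# Assumption: the patent does not name a hash algorithm; SHA-256 is used here.
HASH = hashlib.sha256


def digital_identity(identity_info: str, first_timestamp: int) -> bytes:
    """Claim 4: digital identity information = hash of the registration information,
    i.e. the person's identity information plus a first timestamp (separator assumed)."""
    return HASH(f"{identity_info}|{first_timestamp}".encode()).digest()


def authentication_credential(identity_credential: bytes, request_no: int) -> bytes:
    """Claim 2: H(digital identity credential) XOR operation and maintenance request number.
    The request number is encoded big-endian to the digest width (assumption)."""
    digest = HASH(identity_credential).digest()
    number = request_no.to_bytes(len(digest), "big")
    return bytes(a ^ b for a, b in zip(digest, number))


def authenticate(request: dict, registry: dict) -> bool:
    """Claim 2 as run by the zero-trust security management center.

    `registry` maps digital identity information to the digital identity credential
    issued at registration. The center looks up the credential for the presented
    identity, recomputes the authentication credential with the request number, and
    compares it (constant-time) with the value derived from the credential presented
    in the request. Unknown identities fail closed."""
    stored = registry.get(request["digital_identity"])
    if stored is None:
        return False
    expected = authentication_credential(stored, request["request_no"])
    presented = authentication_credential(request["identity_credential"], request["request_no"])
    return hmac.compare_digest(expected, presented)


def zero_trust_score(matters: list, score_table: dict, threshold: int) -> tuple:
    """Claim 6: total the scores of the observed authentication matters and return
    (total, keep_access). Access is cancelled when total <= threshold."""
    total = sum(score_table[m] for m in matters)
    return total, total > threshold


# Constructed sample score table (not from the patent): negative values penalise failures.
SCORE_TABLE = {
    "credential_valid": 40,
    "periodic_check_passed": 30,
    "periodic_check_failed": -30,
    "request_outside_area": -50,
}


def demo() -> tuple:
    """Constructed registration and three access requests: genuine, forged credential,
    unknown identity. Returns the three authentication outcomes."""
    did = digital_identity("third-party-engineer-0001", 1667433600)
    cred = b"constructed digital identity credential"
    registry = {did: cred}
    genuine = authenticate({"digital_identity": did, "request_no": 7, "identity_credential": cred}, registry)
    forged = authenticate({"digital_identity": did, "request_no": 7, "identity_credential": b"forged"}, registry)
    unknown = authenticate({"digital_identity": b"\x00" * 32, "request_no": 7, "identity_credential": cred}, registry)
    return genuine, forged, unknown
```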
CN202211371169.9A, priority date 2022-11-03, filing date 2022-11-03: Zero trust authentication method, device and system suitable for power operation and maintenance. Status: Pending. Publication: CN117997540A (en).


Publications (1)

Publication Number Publication Date
CN117997540A true CN117997540A (en) 2024-05-07

Family

ID=90897977



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination