CN111262834B - Authentication and credibility analysis method, device and system for physical entity - Google Patents


Info

Publication number: CN111262834B
Application number: CN202010020929.6A
Authority: CN (China)
Other versions: CN111262834A
Original language: Chinese (zh)
Prior art keywords: node, signature, user, analysis, type
Legal status: Active (the legal status and priority date shown by Google are assumptions, not legal conclusions)
Inventors: 谢家贵, 张波, 李志平, 马旭锋, 朱斯语
Original and current assignee: China Academy of Information and Communications Technology (CAICT)
Events: application filed by CAICT; priority to CN202010020929.6A; publication of CN111262834A; application granted; publication of CN111262834B

Classifications

    • H04L 63/0807: Network architectures or network communication protocols for network security, for authentication of entities using tickets, e.g. Kerberos
    • G06Q 30/0185: Commerce; certifying business or products; product, service or business identity fraud
    • H04L 63/0823: Network architectures or network communication protocols for network security, for authentication of entities using certificates
    • H04L 9/3247: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols including means for verifying the identity or authority of a user of the system or for message authentication (authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials), involving digital signatures
    • H04L 9/3263: the same, involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; public key infrastructure [PKI] arrangements


Abstract

The invention provides a method, an apparatus and a system for authentication and trusted resolution of a physical entity. The authentication method comprises: an authoritative enterprise node determines the current user to be authenticated; if the current user is a first-type user, the authoritative enterprise node receives the enterprise authentication result sent by the secondary node and sends it to the first-type user; if the current user is a second-type user, the authoritative enterprise node authenticates the second-type user to generate a common user identifier, determines the signature information corresponding to the second-type user, constructs a user authentication result from the common user identifier and the signature information, and sends the user authentication result to the second-type user. The user authentication result comprises the signature information and a signature produced by performing a signature operation on the common user identifier with the signature information. The invention protects the physical entity identifier of an object during authentication and trusted resolution and prevents it from being tampered with or stolen.

Description

Authentication and credibility analysis method, device and system for physical entity
Technical Field
The present application relates to the field of the industrial internet, and in particular to a method, an apparatus and a system for authentication and trusted resolution of a physical entity.
Background
The "Industrial Internet" emphasizes processing industrial big data with advanced internet technologies such as artificial intelligence and cloud computing in order to raise industrial value; "Industry 4.0", proposed in Germany, emphasizes using technologies such as the Internet of Things (IoT), the Internet of Services (IoS) and Cyber-Physical Systems (CPS) to create intelligent products and intelligent factories, improving production efficiency and creating added value.
The industrial internet is based on "connection", that is, connecting the physical entities of an industry, such as machines, products and parts, into a virtual network space over a network; its core is "data", that is, exchanging and sharing the industrial data of the physical entity (description, process, algorithms, design drawings, manufacturing process, condition monitoring and so on) over the network infrastructure.
Every physical entity in the industrial internet has a unique physical entity identifier. The industrial internet provides two functions for physical entities: authentication and trusted resolution. The authentication process encodes the physical entity to generate a physical entity identifier, the "identity card" of the entity, so that the industrial data generated by the entity can be stored in correspondence with that identifier.
The trusted resolution process uses the physical entity identifier for locating and information query: relying on trusted resolution, the industrial internet accesses the servers that store the industrial data of the entity's raw materials, parts, products and so on, so that data of different subjects, different places and different kinds can be intelligently associated according to the queried data, which provides important support for data exchange and sharing. Because the physical entity identifier plays such an important role in the industrial internet, a scheme for protecting it is required to prevent it from being tampered with or stolen.
Disclosure of Invention
In view of this, the present application provides a method, an apparatus and a system for authentication and trusted resolution of a physical entity, which protect the physical entity identifier of an object during authentication and trusted resolution and prevent it from being tampered with or stolen.
To achieve the above object, the present invention provides the following technical features:
A method of authenticating a physical entity, comprising:
an authoritative enterprise node determines the current user to be authenticated;
if the current user is a first-type user, the authoritative enterprise node receives an enterprise authentication result sent by the secondary node and sends it to the first-type user; the enterprise authentication result comprises a signature generated by the secondary node performing a signature operation on the enterprise prefix identifier with its private key after generating that identifier;
if the current user is a second-type user, the authoritative enterprise node authenticates the second-type user to generate a common user identifier, determines the signature information corresponding to the second-type user, constructs a user authentication result from the common user identifier and the signature information, and sends the user authentication result to the second-type user; the user authentication result comprises the signature information and a signature generated by performing a signature operation on the common user identifier with the signature information.
Optionally, before the authoritative enterprise node receives the enterprise authentication result sent by the secondary node, the method further includes:
the authoritative enterprise node sends an authentication request to the secondary node, the authentication request comprising the first-type user information of the first-type user;
the secondary node receives the authentication request, generates an enterprise prefix identifier from the first-type user information in the request, performs a signature operation on the enterprise prefix identifier with the secondary node's private key to generate a signature, and constructs and stores an enterprise authentication result;
the secondary node sends the enterprise authentication result to the authoritative enterprise node, and sends the correspondence between the first-type user identifier of the first-type user and the secondary node identifier to the national top-level node;
the national top-level node stores the correspondence between the first-type user identifier and the secondary node identifier.
Optionally, if the authoritative enterprise node is integrated with an identity cryptosystem, determining the signature information corresponding to the second-type user includes:
obtaining the user identity identifier corresponding to the second-type user;
taking the user identity identifier as a secret key based on the identity cryptosystem, and taking that secret key as the signature information;
and the signature generated by performing a signature operation on the common user identifier with the signature information is obtained by performing the signature operation on the common user identifier with that secret key.
Optionally, if the authoritative enterprise node is connected to a third-party certification authority, determining the signature information corresponding to the second-type user includes:
the authoritative enterprise node sends a certification request to the third-party certification authority, the request comprising the second-type user information of the second-type user;
the authoritative enterprise node receives the digital certificate that the third-party certification authority generates and sends for the second-type user, and takes the digital certificate as the signature information;
and the signature generated by performing a signature operation on the common user identifier with the signature information is obtained by performing the signature operation on the common user identifier with the digital certificate.
Optionally, if the authoritative enterprise node is both integrated with an identity cryptosystem and connected to a third-party certification authority, determining the signature information corresponding to the second-type user includes:
the authoritative enterprise node judges whether the second-type user has designated the signature mode of the third-party certification authority;
if the second-type user has not designated the signature mode of the third-party certification authority, the authoritative enterprise node obtains the user identity identifier corresponding to the second-type user, takes it as a secret key based on the identity cryptosystem, takes that secret key as the signature information, and obtains the signature by performing the signature operation on the common user identifier with the secret key;
if the second-type user has designated the signature mode of the third-party certification authority, the authoritative enterprise node sends a certification request comprising the second-type user information to the third-party certification authority, receives the digital certificate that the authority generates and sends for the second-type user, takes the digital certificate as the signature information, and obtains the signature by performing the signature operation on the common user identifier with the digital certificate.
Optionally, the user authentication result further includes a signature type, which is either a first type or a second type:
the first type denotes the signature mode in which the common user identifier is signed with a secret key generated by the identity cryptosystem;
the second type denotes the signature mode in which the common user identifier is signed with a digital certificate generated by a third-party certification authority.
The data structure of the user authentication result includes:
a signature type field, storing the signature type;
a digital certificate field, storing the digital certificate generated by the third-party certification authority, which is empty when no digital certificate was generated by a third-party certification authority;
a signature field, storing the signature.
A trusted resolution method of a physical entity, comprising:
a public recursive resolution node receives a trusted resolution request sent by the current user;
if the current user is a first-type user, the public recursive resolution node performs the trusted resolution operation recursively on the signature in the enterprise authentication result carried in the trusted resolution request to obtain a trusted resolution result;
if the current user is a second-type user, the public recursive resolution node performs the trusted resolution operation on the signature information and the signature in the user authentication result carried in the trusted resolution request to obtain a trusted resolution result.
Optionally, before the public recursive resolution node performs the recursive trusted resolution operation on the signature in the enterprise authentication result, the method further includes:
the public recursive resolution node judges whether its local cipher machine stores a historical trusted resolution result corresponding to the first-type user identifier in the trusted resolution request;
if such a historical trusted resolution result is stored and still valid, it is used as the trusted resolution result;
if no such historical result is stored, the recursive trusted resolution operation on the signature in the enterprise authentication result is executed to obtain the trusted resolution result, and the result is stored in the local cipher machine in correspondence with the first-type user identifier.
Optionally, the public recursive resolution node performing the trusted resolution operation recursively on the signature in the enterprise authentication result includes:
the public recursive resolution node queries the national top-level node for the first-type user identifier of the first-type user;
if the national top-level node finds the first-type user identifier, it returns the network address and the digital certificate of the secondary node associated with that identifier;
the public recursive resolution node queries the secondary node at that network address for the first-type user identifier;
if the secondary node finds the first-type user identifier, it returns the network address and the signature corresponding to that identifier;
the public recursive resolution node checks whether the signature in the enterprise authentication result is consistent with the signature returned by the secondary node;
if they are not consistent, trusted resolution fails;
if they are consistent, the node queries the national top-level node for its root certificate and verifies the secondary node's digital certificate with that root certificate;
if that verification fails, trusted resolution fails;
if it passes, the node verifies the signature in the enterprise authentication result with the secondary node's digital certificate; if this verification passes, trusted resolution succeeds, otherwise it fails;
if trusted resolution succeeds, the network address of the secondary node, the network address of the first-type user and the trusted resolution result are stored in the local cipher machine in correspondence with the first-type user identifier.
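The enterprise authentication step (the secondary node signs the enterprise prefix identifier with its private key and registers the identifier at the national top-level node) together with the recursive trusted resolution just described, as an added example that is not part of the patent or of any CAICT implementation. It uses Go's standard library only: the national top-level node holds a self-signed Ed25519 root certificate, the secondary node holds a certificate issued by that root, and the resolver runs the page's checks in order (compare the request's signature with the one the secondary node stored, verify the secondary node's certificate against the national root, verify the signature with the certificate's key). The type names, the `86.100.` prefix format, and the in-memory maps that stand in for the network queries and for the local cipher machine are assumptions. One deliberate deviation from the page's wording: the cached historical result is reused only when the new request carries the same signature that was verified, so a cache hit keyed by identifier alone cannot vouch for a different signature.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// EnterpriseAuthResult: enterprise prefix identifier plus the secondary node's signature over it.
type EnterpriseAuthResult struct {
	PrefixID  string
	Signature []byte
}

// SecondaryNode: its key pair, the certificate issued to it by the national top node, results issued.
type SecondaryNode struct {
	Cert   *x509.Certificate
	priv   ed25519.PrivateKey
	issued map[string]EnterpriseAuthResult
}

// TopNode: national root certificate and the first-type user identifier -> secondary node map.
type TopNode struct {
	Root  *x509.Certificate
	owner map[string]*SecondaryNode
}

// Resolver is the public recursive resolution node; cache stands in for the local cipher machine
// and is keyed by identifier, remembering which signature was verified (an assumption, see lead-in).
type Resolver struct{ cache map[string][]byte }

func template(serial int64, cn string, ca bool) *x509.Certificate {
	return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, BasicConstraintsValid: true, IsCA: ca}
}

// issueCert signs a certificate for pub with parentKey (self-signed when parent == tmpl).
func issueCert(tmpl, parent *x509.Certificate, pub ed25519.PublicKey, parentKey ed25519.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	c, _ := x509.ParseCertificate(der) // DER produced above always parses
	return c
}

// Authenticate: the secondary node generates the enterprise prefix identifier, signs it with its
// private key, stores the result and registers the identifier at the national top node.
func (sn *SecondaryNode) Authenticate(top *TopNode, enterpriseInfo string) EnterpriseAuthResult {
	prefix := "86.100." + enterpriseInfo // constructed identifier format (assumption)
	res := EnterpriseAuthResult{PrefixID: prefix, Signature: ed25519.Sign(sn.priv, []byte(prefix))}
	sn.issued[prefix], top.owner[prefix] = res, sn
	return res
}

// ResolveEnterprise runs the recursive trusted resolution for a first-type user.
func (r *Resolver) ResolveEnterprise(top *TopNode, req EnterpriseAuthResult) bool {
	if sig, ok := r.cache[req.PrefixID]; ok && bytes.Equal(sig, req.Signature) {
		return true // valid historical result for this identifier and the same signature
	}
	sn, ok := top.owner[req.PrefixID] // top node returns the secondary node's address and certificate
	if !ok {
		return false
	}
	stored, ok := sn.issued[req.PrefixID] // secondary node returns the signature it stored
	if !ok || !bytes.Equal(stored.Signature, req.Signature) {
		return false // unknown identifier, or request signature differs from the registered one
	}
	roots := x509.NewCertPool()
	roots.AddCert(top.Root) // root certificate queried from the national top node
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := sn.Cert.Verify(opts); err != nil {
		return false // secondary node certificate does not chain to the national root
	}
	pub, ok := sn.Cert.PublicKey.(ed25519.PublicKey)
	if !ok || !ed25519.Verify(pub, []byte(req.PrefixID), req.Signature) {
		return false // signature does not verify under the secondary node's certificate
	}
	r.cache[req.PrefixID] = req.Signature // a real record also keeps both network addresses
	return true
}

// BuildSystem wires a national root, one secondary node and a resolver with constructed data.
func BuildSystem() (*TopNode, *SecondaryNode, *Resolver) {
	rootPub, rootPriv, _ := ed25519.GenerateKey(rand.Reader)
	rootTmpl := template(1, "national-top-node", true)
	rootTmpl.KeyUsage |= x509.KeyUsageCertSign
	root := issueCert(rootTmpl, rootTmpl, rootPub, rootPriv)
	snPub, snPriv, _ := ed25519.GenerateKey(rand.Reader)
	sn := &SecondaryNode{priv: snPriv, issued: map[string]EnterpriseAuthResult{}}
	sn.Cert = issueCert(template(2, "secondary-node-100", false), root, snPub, rootPriv)
	return &TopNode{Root: root, owner: map[string]*SecondaryNode{}}, sn, &Resolver{cache: map[string][]byte{}}
}

func main() {
	top, sn, r := BuildSystem()
	println("trusted:", r.ResolveEnterprise(top, sn.Authenticate(top, "1001")))
}
```

The order of checks matters for a defender: the cheap comparison against the secondary node's stored signature rejects a tampered request before any certificate work, and the chain verification against the national root is what stops a secondary node certificate that the root never issued from vouching for anything.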
Optionally, if the user authentication result uses the signature mode of the identity cryptosystem, the public recursive resolution node performing the trusted resolution operation on the signature information and the signature in the user authentication result includes:
the public recursive resolution node takes the user identity identifier in the trusted resolution request as the public key;
decrypts the signature with that public key;
and if decryption succeeds, trusted resolution succeeds, otherwise it fails.
Optionally, if the user authentication result uses the signature mode of a third-party certification authority, the public recursive resolution node performing the trusted resolution operation on the signature information and the signature in the user authentication result includes:
the public recursive resolution node takes the digital certificate in the user authentication result as the public key;
decrypts the signature with that public key;
if decryption succeeds, it obtains the root certificate of the third-party certification authority, and if decryption fails, trusted resolution fails;
it verifies the digital certificate with the root certificate of the third-party certification authority;
and if that verification succeeds, trusted resolution succeeds, otherwise it fails.
Optionally, when the user authentication result includes a signature type field, a digital certificate field and a signature field, the public recursive resolution node performing the trusted resolution operation on the signature information and the signature in the user authentication result includes:
if the signature type field indicates the first type: extract the signature from the signature field, take the user identity identifier in the trusted resolution request as the public key, decrypt the signature with it, and if decryption succeeds trusted resolution succeeds, otherwise it fails;
if the signature type field indicates the second type: extract the signature from the signature field and the digital certificate from the digital certificate field, take the digital certificate as the public key and decrypt the signature with it; if decryption fails, trusted resolution fails; if it succeeds, obtain the root certificate of the third-party certification authority, verify the digital certificate with it, and if that verification succeeds trusted resolution succeeds, otherwise it fails.
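The two signature modes for a second-type user and the three-field user authentication result (signature type, digital certificate, signature) described above, built on the signing side and dispatched on the signature type field on the resolving side, as an added example that is not from the patent or from CAICT. It is Go with Ed25519 signatures: the identity cryptosystem is modelled by letting the user identity string be the hex-encoded public key (a real identity-based scheme derives keys from an arbitrary identity string, which Go's standard library does not provide), and the third-party CA's digital certificate is a minimal subject-plus-key record signed by the CA's root key rather than real X.509. Verifying the signature with the public key is the operation the page calls "decrypting the signature with the public key". The type names, the `86.100.1001.` identifier format and the `useCA` flag are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
)

// Values of the signature type field in the user authentication result.
const (
	SigTypeIdentity    byte = 1 // secret key generated by the identity cryptosystem
	SigTypeCertificate byte = 2 // digital certificate from a third-party certification authority
)

// Certificate is a deliberately minimal stand-in for an X.509 certificate: the CA signs
// subject||public key with its root key. Constructed for this example.
type Certificate struct {
	Subject string
	PubKey  ed25519.PublicKey
	CASig   []byte
}

func (c *Certificate) body() []byte { return append([]byte(c.Subject+"|"), c.PubKey...) }

// UserAuthResult mirrors the page's data structure: signature type, digital certificate
// (nil, i.e. the field is empty, when no CA certificate was generated) and signature.
type UserAuthResult struct {
	CommonUserID  string
	SignatureType byte
	DigitalCert   *Certificate
	Signature     []byte
}

// ThirdPartyCA issues certificates; its public key plays the CA's root certificate.
type ThirdPartyCA struct{ priv ed25519.PrivateKey }

func NewThirdPartyCA() *ThirdPartyCA {
	_, priv, _ := ed25519.GenerateKey(rand.Reader)
	return &ThirdPartyCA{priv: priv}
}

func (ca *ThirdPartyCA) Root() ed25519.PublicKey { return ca.priv.Public().(ed25519.PublicKey) }

func (ca *ThirdPartyCA) Issue(subject string, pub ed25519.PublicKey) *Certificate {
	c := &Certificate{Subject: subject, PubKey: pub}
	c.CASig = ed25519.Sign(ca.priv, c.body())
	return c
}

// AuthoritativeNode integrates an identity cryptosystem (modelled: the user identity string is
// the hex public key, an assumption) and is connected to a third-party CA.
type AuthoritativeNode struct {
	CA   *ThirdPartyCA
	keys map[string]ed25519.PrivateKey // identity -> secret key held by the identity cryptosystem
}

func NewAuthoritativeNode() *AuthoritativeNode {
	return &AuthoritativeNode{CA: NewThirdPartyCA(), keys: map[string]ed25519.PrivateKey{}}
}

// Authenticate builds the user authentication result for a second-type user; useCA mirrors
// "the user designates the signature mode of the third-party CA". It returns the result and,
// for the identity path, the user identity that the resolver will use as the public key.
func (n *AuthoritativeNode) Authenticate(userInfo string, useCA bool) (UserAuthResult, string) {
	commonID := "86.100.1001." + userInfo // constructed common user identifier format
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	sig := ed25519.Sign(priv, []byte(commonID))
	if useCA {
		return UserAuthResult{commonID, SigTypeCertificate, n.CA.Issue(userInfo, pub), sig}, ""
	}
	identity := hex.EncodeToString(pub)
	n.keys[identity] = priv
	return UserAuthResult{commonID, SigTypeIdentity, nil, sig}, identity
}

// Resolve is the public recursive resolution node's trusted resolution, dispatched on the
// signature type field, following the page's order of checks for each type.
func Resolve(res UserAuthResult, userIdentity string, caRoot ed25519.PublicKey) (bool, error) {
	msg := []byte(res.CommonUserID)
	switch res.SignatureType {
	case SigTypeIdentity:
		pub, err := hex.DecodeString(userIdentity)
		if err != nil || len(pub) != ed25519.PublicKeySize {
			return false, errors.New("user identity is not a usable public key")
		}
		return ed25519.Verify(ed25519.PublicKey(pub), msg, res.Signature), nil
	case SigTypeCertificate:
		if res.DigitalCert == nil {
			return false, errors.New("certificate field is empty for signature type 2")
		}
		if !ed25519.Verify(res.DigitalCert.PubKey, msg, res.Signature) {
			return false, nil // signature does not verify under the certificate's key
		}
		// Then verify the certificate itself against the third-party CA's root.
		return ed25519.Verify(caRoot, res.DigitalCert.body(), res.DigitalCert.CASig), nil
	}
	return false, errors.New("unknown signature type")
}

func main() {
	node := NewAuthoritativeNode()
	res, identity := node.Authenticate("device-42", false)
	ok, _ := Resolve(res, identity, node.CA.Root())
	println("identity path trusted:", ok)
}
```

Two points a reviewer would check on such a resolver are exercised here: a type-2 result with an empty certificate field is rejected rather than treated as type 1, and a certificate that verifies the signature but was not issued by the trusted CA root still fails, because the root check is the step that binds the certificate to the authority.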
An authentication apparatus for a physical entity, comprising:
a node confirmer, used by the authoritative enterprise node to determine the current user to be authenticated;
a receiver, used by the authoritative enterprise node to receive the enterprise authentication result sent by the secondary node and send it to the first-type user when the current user is a first-type user; the enterprise authentication result comprises a signature generated by the secondary node performing a signature operation on the enterprise prefix identifier with its private key after generating that identifier;
a node authenticator, used by the authoritative enterprise node, when the current user is a second-type user, to authenticate the second-type user to generate a common user identifier and to determine the signature information corresponding to the second-type user;
an authentication result builder, used to construct a user authentication result from the common user identifier and the signature information and send it to the second-type user; the user authentication result comprises the signature information and a signature generated by performing a signature operation on the common user identifier with the signature information.
An industrial internet system, comprising:
a physical entity identifier application system and a physical entity identifier service system;
wherein the physical entity identifier service system comprises an international root node, a national root node connected to the international root node, a secondary node connected to the national root node, an authoritative enterprise node connected to the secondary node, and a public recursive resolution node connected to the national root node, the secondary node and the authoritative enterprise node;
the authoritative enterprise node is used to determine the current user to be authenticated; when the current user is a first-type user, to receive the enterprise authentication result sent by the secondary node, the enterprise authentication result comprising a signature generated by the secondary node performing a signature operation on the enterprise prefix identifier with its private key after generating that identifier; and when the current user is a second-type user, to authenticate the second-type user to generate a common user identifier, determine the signature information corresponding to the second-type user, and construct and send a user authentication result based on the common user identifier and the signature information, the user authentication result comprising the signature information and a signature generated by performing a signature operation on the common user identifier with the signature information.
A trusted resolution apparatus for a physical entity, comprising:
a receiver, used by the public recursive resolution node to receive a trusted resolution request sent by the current user;
a recursive resolver, used by the public recursive resolution node, when the current user is a first-type user, to perform the trusted resolution operation recursively on the signature in the enterprise authentication result carried in the trusted resolution request and obtain a trusted resolution result;
a trusted resolver, used by the public recursive resolution node, when the current user is a second-type user, to perform the trusted resolution operation on the signature information and the signature in the user authentication result carried in the trusted resolution request and obtain a trusted resolution result.
An industrial internet system, comprising:
a physical entity identifier application system and a physical entity identifier service system;
wherein the physical entity identifier service system comprises an international root node, a national root node connected to the international root node, a secondary node connected to the national root node, an authoritative enterprise node connected to the secondary node, and a public recursive resolution node connected to the national root node, the secondary node and the authoritative enterprise node;
the public recursive resolution node is used to receive a trusted resolution request sent by the current user; when the current user is a first-type user, to perform the trusted resolution operation recursively on the signature in the enterprise authentication result carried in the trusted resolution request and obtain a trusted resolution result; and when the current user is a second-type user, to perform the trusted resolution operation on the signature information and the signature in the user authentication result carried in the trusted resolution request and obtain a trusted resolution result.
Through the above technical means, the following beneficial effects can be achieved:
Because the authoritative enterprise node processes first-type users and second-type users differently, the method divides current users into first-type users and second-type users and adopts a different protection strategy for each.
For a first-type user: the node above the authoritative enterprise node, the secondary node, authenticates the first-type user and generates an enterprise prefix identifier; to protect that identifier, the secondary node signs it with its own private key to obtain a signature. The enterprise prefix identifier can therefore be transmitted between the secondary node and the authoritative enterprise node in encrypted (signed) form, so that it is protected against tampering and theft.
For a second-type user: the authoritative enterprise node receives the authentication request of the second-type user and authenticates it to generate a common user identifier; the first-type user can also determine the signature information corresponding to the second-type user and sign the common user identifier with that signature information to obtain a signature. The common user identifier can therefore be transmitted between the first-type user and the second-type user in encrypted (signed) form, so that it is protected against tampering and theft.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only some embodiments of the present application, and for those skilled in the art, other drawings can be obtained according to the drawings without creative efforts.
fig. 1a-1c are schematic diagrams of the architecture of an industrial internet system disclosed in an embodiment of the present application;
fig. 2 is a flowchart of a first embodiment of a method for authenticating a physical entity disclosed in an embodiment of the present application;
fig. 3a-3b are flowcharts of a second embodiment of a method for authenticating a physical entity disclosed in an embodiment of the present application;
fig. 4a-4b are flowcharts of a third embodiment of a method for authenticating a physical entity disclosed in an embodiment of the present application;
fig. 5a-5b are flowcharts of a fourth embodiment of a method for authenticating a physical entity disclosed in an embodiment of the present application;
fig. 6 is a flowchart of a fifth embodiment of a method for authenticating a physical entity disclosed in an embodiment of the present application;
fig. 7 is a flowchart of a first embodiment of a method for trusted resolution of a physical entity disclosed in an embodiment of the present application;
fig. 8a-8b are flowcharts of a second embodiment of a method for trusted resolution of a physical entity disclosed in an embodiment of the present application;
fig. 9 is a flowchart of a third embodiment of a method for trusted resolution of a physical entity disclosed in an embodiment of the present application;
fig. 10 is a flowchart of a fourth embodiment of a method for trusted resolution of a physical entity disclosed in an embodiment of the present application;
fig. 11a is a flowchart of a fifth embodiment of a method for trusted resolution of a physical entity disclosed in an embodiment of the present application;
fig. 11b is a flowchart of a sixth embodiment of a method for trusted resolution of a physical entity disclosed in an embodiment of the present application;
fig. 12 is a schematic structural diagram of an authentication apparatus for a physical entity according to an embodiment of the present application;
fig. 13 is a schematic structural diagram of a trusted resolution apparatus for an industrial internet according to an embodiment of the present application.
Detailed Description
Interpretation of terms:
International root node: the highest-level service node of a given identifier system; it is not bound to a specific country or region and provides public root-zone data management and root resolution services worldwide.
National top-level node: the core of the industrial internet's trusted resolution system, serving as the international gateway for external interconnection and the central hub for internal planning. It provides nationwide top-level authentication registration and trusted resolution services, together with management capabilities such as identifier recording and identifier authentication. The national top-level node interconnects with the international root nodes of the various identifier systems and with the domestic secondary and lower-level trusted resolution service nodes.
Secondary node: a public trusted resolution service node for an industry or region; it provides authentication registration and trusted resolution services for that industry or region and handles related identifier service management, identifier application docking and so on.
Enterprise node: a trusted resolution service node inside an enterprise, providing identifier registration and trusted resolution services for that enterprise. It can be deployed independently or as a component of the enterprise information system.
Third-party certification authority (Certificate Authority, CA): the authority that issues digital certificates.
Identity cryptosystem IBC (Identity-Based Cryptography and Signature Schemes): developed on the basis of the CA authentication system and essentially a form of public key infrastructure. The main idea of the scheme, proposed by the cryptographer Shamir, is to use the user identity as the public key and to have a Key Generation Center (KGC) generate the user's private key from that identity, which technically simplifies the public key management of the CA center.
The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
In order to facilitate those skilled in the art to understand the technical architecture of the present application, the present application provides a first embodiment of an industrial internet system, and referring to fig. 1, the industrial internet system includes: a physical entity identification application system 100 and a physical entity identification service system 200.
The physical entity identification service system 200 includes:
an international root node 201, a national root node 202 connected to the international root node 201, a secondary node 203 connected to the national root node 202, an authoritative enterprise node 204 connected to the secondary node 203, and a common recursive resolution node 205 connected to the national root node 202, the secondary node 203 and the authoritative enterprise node 204.
Optionally, the authoritative enterprise node may be integrated with an identity cryptosystem IBC, so as to perform a signing operation on the user to be authenticated, and a specific process will be described in detail in the subsequent embodiments, which is not described in detail here.
The present application provides a second embodiment of an industrial internet system; referring to fig. 1b, the system includes: the physical entity identification application system 100, the physical entity identification service system 200, and the third party certification authority 300.
The physical entity identification service system 200 includes: an international root node 201, a national root node 202 connected to the international root node 201, a secondary node 203 connected to the national root node 202, an authoritative enterprise node 204 connected to the secondary node 203, and a common recursive resolution node 205 connected to the national root node 202, the secondary node 203 and the authoritative enterprise node 204.
Optionally, the authoritative enterprise node is connected to the third-party certification authority 300, so as to perform a signing operation on the user to be certified, and a specific process will be described in detail in the following embodiments, which will not be described in detail here.
The present application provides a third embodiment of an industrial internet system; referring to fig. 1c, the embodiment includes: the physical entity identification application system 100, the physical entity identification service system 200, and the third party certification authority 300.
The physical entity identification service system 200 includes: an international root node 201, a national root node 202 connected to the international root node 201, a secondary node 203 connected to the national root node 202, an authoritative enterprise node 204 connected to the secondary node 203, and a common recursive resolution node 205 connected to the national root node 202, the secondary node 203 and the authoritative enterprise node 204.
Optionally, the authoritative enterprise node may be integrated with an identity cryptosystem IBC, and the authoritative enterprise node is connected to the third-party certificate authority 300, so as to perform a signing operation on the user to be authenticated, and a specific process will be described in detail in the following embodiments, which will not be described in detail here.
In fig. 1a-1c above, the number of national root nodes 202, secondary nodes 203 and authoritative enterprise nodes 204 depends on the actual application scenario; the figures are illustrative only and do not reflect the real number of national root nodes 202, secondary nodes 203 or authoritative enterprise nodes 204.
The physical entity identification application system 100 includes: industrial internet APP, industrial internet platform, enterprise information system, etc., which are not described herein again.
An enterprise node that has been authenticated and registered in the industrial internet system is referred to as an authoritative enterprise node. To protect the security of the authoritative enterprise node and of the industrial internet, an authentication operation and a trusted resolution operation are performed on any temporary user who wants to access the authoritative enterprise node.
The temporary user is assigned an identifier during authentication; the authenticated user then carries the assigned identifier when accessing the authoritative enterprise node, the authoritative enterprise node performs trusted resolution by means of the common recursive resolution node, and access to the authoritative enterprise node's data is allowed only after trusted resolution succeeds.
The present application provides a first embodiment of an authentication method for a physical entity, applied to an authoritative enterprise node. Referring to fig. 2, it may include the following steps:
step S201: the authoritative enterprise node determines the current user to be authenticated.
The authoritative enterprise node can acquire the authentication request sent by the second type user and can also receive the authentication request sent by the first type user; therefore, after obtaining an authentication request, the authoritative enterprise node first determines the type of the temporary user sending the authentication request, that is, whether the current user to be authenticated is a first type user or a second type user.
In the invention, users who want to access the authoritative enterprise node are called temporary users, and the temporary users can be divided into two types: the first type of users are other enterprise terminals which want to access the authoritative enterprise node, and the second type of users are ordinary user terminals which want to access the authoritative enterprise node.
Step S202: under the condition that the current user is a first type user, the authoritative enterprise node receives an enterprise authentication result sent by the secondary node and sends the enterprise authentication result to the first type user; and the enterprise authentication result comprises a signature generated by a secondary node performing signature operation on the enterprise prefix identification by using a private key after the enterprise prefix identification is generated.
Step S203: under the condition that the current user is a second type user, an authoritative enterprise node authenticates the second type user to generate a common user identifier, determines signature information corresponding to the second type user, constructs a user authentication result based on the common user identifier and the signature information, and sends the user authentication result to the second type user; the user authentication result comprises the signature information and a signature generated by performing signature operation on the common user identifier by using the signature information.
The authentication process for authoritative enterprise nodes is described in detail below.
The present application provides a second embodiment of a method for authenticating a physical entity, which is applied to an authoritative enterprise node in an industrial internet system described in any one of fig. 1a to 1c. Referring to fig. 3a and 3b, the following steps may be included:
Steps S301 to S305 are performed in advance by the national top-level node and the secondary node. After the secondary node has authenticated to the national top-level node, an enterprise node can authenticate to the secondary node and becomes an authoritative enterprise node once that authentication succeeds. That authentication process is similar to steps S306 and S309.
Step S301: the national top-level node obtains a root certificate by self-signing.
The national top-level node generates a public key and a private key according to a chosen key algorithm, then uses the private key to perform an encryption operation on the public key; the result is used as the root certificate of the national top-level node.
Step S302: the secondary node sends an authentication request to the national top-level node; the authentication request includes the secondary node's node information and the secondary node's public key.
The secondary node generates a public key and a private key according to a chosen key algorithm and sends an authentication request that includes its public key and its node information.
Step S303: the national top-level node receives the authentication request sent by the secondary node, generates a digital certificate for the secondary node and a secondary node prefix identifier, and performs a signature operation on the secondary node prefix identifier to obtain a signature.
The national top-level node generates the secondary node prefix identifier according to a chosen rule and signs it with its own private key to produce the signature. The national top-level node also encrypts the public key sent by the secondary node with its own private key, and the result is used as the secondary node's digital certificate.
Step S304: the national top-level node stores the secondary node's digital certificate and network address, and sends the digital certificate and the signature to the secondary node.
The national top-level node stores the secondary node's digital certificate and network address for use in subsequent trusted resolution operations.
Step S305: the secondary node receives and stores the digital certificate and the signature sent by the national top-level node.
The above is the processing procedure between the national top-level node and the secondary node; it is also the preparatory procedure for encoding and identifying first-type users.
The authentication process of the authoritative enterprise node for the first type of user is described below.
Step S306: the authoritative enterprise node sends an authentication request to the secondary node; the authentication request includes the first-type user's information.
After receiving an authentication request from a first-type user, the authoritative enterprise node forwards the request to the secondary node, and the secondary node processes the first-type user's authentication request.
Step S307: the secondary node generates an enterprise prefix identifier, performs a signature operation on it with the secondary node's private key to produce a signature, constructs an enterprise authentication result and sends it to the authoritative enterprise node, and the authoritative enterprise node sends the enterprise authentication result to the first-type user.
The secondary node generates the enterprise prefix identifier according to a chosen rule, signs it with its own private key to produce the signature, and constructs and sends the enterprise authentication result to the authoritative enterprise node. The enterprise authentication result contains the signature generated by signing the enterprise prefix identifier with the secondary node's private key.
Step S308: the secondary node sends the correspondence between the first-type user identifier and the secondary node identifier to the national top-level node.
Step S309: the national top-level node stores the correspondence between the first-type user identifier and the secondary node identifier.
The national top-level node stores the correspondence between the secondary node identifier and the first-type user identifier for subsequent trusted resolution.
For the authentication procedure of the second type of user, the present invention provides three implementations.
First implementation: signing is performed only by means of the identity cryptosystem IBC.
If the authoritative enterprise node is integrated with an identity cryptosystem IBC, the authoritative enterprise node determines the signature information corresponding to the second type of user, and the method comprises the following steps: acquiring a user identity corresponding to the second type user; based on an identity cryptosystem IBC, taking the user identity as a secret key, and taking the secret key as the signature information;
the signature generated by performing a signature operation on the common user identifier by using the signature information includes: and executing a signature operation on the common user identifier by using the secret key to obtain a signature.
The present application provides a third embodiment of an authentication method for a physical entity to introduce a first implementation manner. The embodiment is applied to the authoritative enterprise node in the industrial internet system shown in fig. 1. Referring to fig. 4a or 4b, the following steps may be included:
step S401: and the authoritative enterprise node acquires the user identity corresponding to the second type user.
The authoritative enterprise node integrates the identification cryptosystem IBC in advance, and can receive an authentication request sent by a second type of user; wherein the authentication request comprises a user identity.
Step S402: the authoritative enterprise node takes the user identity as a secret key based on the identity cryptosystem IBC. That is, the key is used as the signature information in this embodiment.
Step S403: the authoritative enterprise node authenticates the second type user to generate a common user identifier, and executes a signature operation on the common user identifier using the secret key to obtain a signature.
And the authoritative enterprise node authenticates the second type user to generate a common user identifier, and the specific authentication process is a mature technology and is not described herein any more.
Step S404: and the authoritative enterprise node constructs and sends the user authentication result to the second type user.
The user authentication result comprises the signature information and a signature generated by performing signature operation on the common user identifier by using the signature information.
To secure the common user identifier, the invention applies the technical idea of the identity cryptosystem IBC and takes the user identity as the private key, so that the common user identifier can be signed with that private key. In IBC, the private key and the user identity are strongly correlated, so the user identity itself can serve as the private key and no additional private key needs to be generated, which is simple and convenient.
Because the user identity serves as the private key, this simplicity comes with a security level that is not high, so the first implementation is better suited to second-type users whose security requirements are not very high.
Second implementation: signing is performed only with a digital certificate issued by a third party.
If the authoritative enterprise node is connected with the third-party certification authority, the determining the signature information corresponding to the second type of user includes: receiving a digital certificate generated and sent by a third-party certification authority aiming at the second type of user, and taking the digital certificate as the signature information;
the signature generated by performing a signature operation on the common user identifier by using the signature information includes: and executing signature operation on the common user identification by using the digital certificate to obtain a signature.
The present application provides a fourth embodiment of an authentication method for a physical entity, to introduce a second implementation manner: a way of signing with only a digital certificate issued by a third party. The present embodiment is applied to authoritative enterprise nodes in the industrial internet system shown in fig. 1 b.
Referring to fig. 5a or 5b, the following steps may be included:
step S501: and the authoritative enterprise node receives the authentication request sent by the user node.
Step S502: and the authoritative enterprise node forwards the authentication request to a third-party authentication authority.
Step S503: and the authoritative enterprise node receives the digital certificate generated and sent by the third-party certification authority to the second type of user. In this embodiment, a digital certificate is used as the signature information.
Step S504: and the authoritative enterprise node authenticates the second type user to generate a common user identifier, and executes a signature operation on the common user identifier by using the digital certificate to obtain a signature.
And the authoritative enterprise node authenticates the second type user to generate a common user identifier, and the specific authentication process is a mature technology and is not described herein any more.
Step S505: the authoritative enterprise node constructs and sends a user authentication result to the second type user; the user authentication result comprises the signature information and a signature generated by performing a signature operation on the common user identifier using the signature information.
To secure the common user identifier, the invention has a third-party certification authority generate a digital certificate and uses that digital certificate as the private key, so that the common user identifier can be signed with it. A digital certificate generated by a third-party certification authority has high security, so this method is highly secure.
Because a third-party certification authority is needed to generate the digital certificate, and the signing, updating and storage of digital certificates are complex, the high security comes with a complex processing procedure; the second implementation is therefore suited to second-type users with high security requirements, but can also be applied to nodes with lower security requirements.
Third implementation: signing is performed either with the identity cryptosystem IBC or with a digital certificate issued by a third party.
If the authoritative enterprise node is integrated with an identity cryptosystem IBC and is connected with a third-party certification authority, the determining of the signature information corresponding to the second type of user comprises the following steps:
the authoritative enterprise node judges whether the second type user designates a signature mode of a third-party certification authority;
if the second type user does not designate the signature mode of a third-party certification authority, acquiring a user identity corresponding to the second type user; based on an identity cryptosystem IBC, taking the user identity as a secret key, and taking the secret key as the signature information; the signature generated by performing a signature operation on the common user identifier by using the signature information includes: executing signature operation on the common user identifier by using the secret key to obtain a signature;
if the second type user designates the signature mode of a third party certification authority, receiving a digital certificate generated and sent by the third party certification authority aiming at the second type user, and taking the digital certificate as the signature information; the signature generated by performing a signature operation on the common user identifier by using the signature information includes: and executing signature operation on the common user identification by using the digital certificate to obtain a signature.
That is, in order to be compatible with the first implementation manner and the second implementation manner, the present application provides a fifth embodiment of an authentication method for a physical entity, so as to introduce a third implementation manner that a signature is performed by using an identity cryptosystem IBC or a digital certificate issued by a third party. The present embodiment is applied to authoritative enterprise nodes in the industrial internet system shown in fig. 1 c.
Referring to fig. 6, the following steps may be included:
step S601: and judging whether the second type user designates the signature mode of a third-party certification authority.
Step S602: if the second type of user does not specify the signing mode of the third party certificate authority, the embodiment shown in fig. 4a is performed.
Step S603: if the second type of user specifies a signature scheme of a third party certificate authority, the embodiment shown in FIG. 5a is performed.
Step S602 may be detailed in the embodiment shown in fig. 4, and step S603 may be detailed in the embodiment shown in fig. 5a, which is not described herein again.
Because this embodiment supports two different signature modes, and the subsequent resolution differs depending on which mode was used, the user authentication result records the signature mode so that the two modes can be conveniently distinguished during subsequent resolution.
The data structure of the user authentication result may include the following fields:
a signature type field (which may be denoted HS_TI) for storing the signature type;
a digital certificate field (which may be denoted HS_C authoritative enterprise node CERT) for storing a digital certificate generated by a third-party certificate authority; the field is empty when no such certificate exists;
a signature field (which may be denoted HS_C authoritative enterprise node SIG) for storing the signature.
The detailed structure of the user authentication result is as follows:
[drawing: structure of the user authentication result]
wherein the data value of the signature type field is either a first type or a second type:
the first type represents the signature mode in which the common user identifier is signed with a secret key generated by IBC; the first type may be denoted HS_SI.
the second type represents the signature mode in which the common user identifier is signed with a digital certificate generated by a third-party certification authority; the second type may be denoted HS_SIG.
The user authentication result generated by the authoritative enterprise node in step S602, using the embodiment shown in fig. 4, may be represented as:
[drawing: user authentication result in the IBC signature mode]
wherein the signature type field (HS_TI field) stores the first type, i.e. HS_SI;
the digital certificate field (HS_C authoritative enterprise node CERT field) is null, since there is no digital certificate;
the signature field (HS_C authoritative enterprise node SIG field) stores the signature data (generated by performing the signature operation in the identity cryptosystem IBC mode).
The user authentication result generated by the authoritative enterprise node in step S603, using the embodiment shown in fig. 5, may be represented as:
[drawing: user authentication result in the third-party certificate signature mode]
wherein the signature type field (HS_TI field) stores the second type, i.e. HS_SIG;
the digital certificate field (HS_C authoritative enterprise node CERT field) stores the digital certificate data;
the signature field (HS_C authoritative enterprise node SIG field) stores the signature data (generated by performing the signature operation with the digital certificate issued by the third-party certification authority).
Because the industrial internet system contains second-type users who need higher security as well as second-type users who do not, a solution is provided that is compatible with both the first implementation and the second implementation.
In the third implementation, second-type users needing higher security can be signed in the third-party certification authority mode, while second-type users with low security requirements can be signed with the identity cryptosystem IBC.
This scheme uses the technical idea of the identity cryptosystem IBC: the user identity serves as the private key, that is, the user identity and the private key are strongly correlated, so no digital certificate is needed to establish the relationship between them; this saves the storage space a digital certificate would take, simplifies the processing flow and improves authentication efficiency.
For second-type users with higher security requirements, the third-party certification authority signature mode remains compatible on top of the IBC approach, so different security levels can be set for different second-type users.
Next, a first embodiment of the trusted resolution method for physical entities is described, as performed by the public recursive resolution node 205 of the internet system of this embodiment. Referring to fig. 7, it may include the following steps:
Step S701: the public recursive resolution node receives a trusted resolution request sent by the current user.
When a current user accesses an authoritative enterprise node through the industrial internet system, the public recursive resolution node normally performs trusted resolution first, and the current user is allowed to access the data of the authoritative enterprise node only after trusted resolution succeeds.
The public recursive resolution node may receive trusted resolution requests from first-type users as well as from second-type users. A trusted resolution request may therefore be an enterprise trusted resolution request (carrying an enterprise authentication result), resolved on behalf of a first-type user, or a user trusted resolution request (carrying a user authentication result), resolved on behalf of a second-type user.
Step S702: if the current user is a first-type user, the public recursive resolution node performs the trusted resolution operation on the signature in the enterprise authentication result of the trusted resolution request in a recursive manner, obtaining the trusted resolution result.
Step S703: if the current user is a second-type user, the public recursive resolution node performs the trusted resolution operation on the signature information and the signature in the user authentication result of the trusted resolution request, obtaining the trusted resolution result.
The resolution process for the case where the current user is a first-type user and the trusted resolution request carries an enterprise authentication result is now explained in detail. The application provides a second embodiment of the trusted resolution method for a physical entity. Referring to fig. 8a or 8b, the method comprises the following steps:
Step S800: the public recursive resolution node checks whether its local cryptographic engine stores a historical trusted resolution result corresponding to the first-type user identifier in the trusted resolution request. If so, the process proceeds to step S801; otherwise it proceeds to step S802.
If a historical trusted resolution result for that identifier is stored and still valid, it is used as the trusted resolution result. If none is stored (or the stored result has ceased to be valid), the process proceeds to step S802.
Step S801: the public recursive resolution node uses the historical trusted resolution result as the trusted resolution result.
Step S802: the public recursive resolution node queries the national top-level node for the first-type user identifier, and the national top-level node returns the network address and the digital certificate of the secondary node associated with that identifier.
The trusted resolution request carries the first-type user identifier and the enterprise authentication result, which contains the signature. By querying the national top-level node for the first-type user identifier, the public recursive resolution node learns under which secondary node the identifier is registered.
Step S803: the public recursive resolution node locates the secondary node by its network address and queries it for the first-type user identifier; the secondary node returns the network address of the first-type user and the signature corresponding to the first-type user identifier.
The network address returned by the secondary node allows the first-type user to be reached, so that its related information can be queried from the first-type user itself to realize data exchange and sharing.
Step S804: the public recursive resolution node checks whether the signature in the enterprise authentication result is identical to the signature corresponding to the first-type user identifier returned by the secondary node. If so, the process proceeds to step S805; if not, resolution is determined to have failed. This comparison only establishes that the user presents the signature on record; the cryptographic checks follow in steps S805 and S806.
Step S805: the public recursive resolution node queries the national top-level node for its root certificate and uses the root certificate to verify the digital certificate of the secondary node. If the certificate verifies, the process proceeds to step S806; otherwise resolution is determined to have failed.
Step S806: the public recursive resolution node uses the now verified digital certificate of the secondary node to verify the signature in the enterprise authentication result; if the signature verifies, resolution succeeds, otherwise it fails.
Step S807: the network address of the secondary node, the network address of the first-type user and the trusted resolution result are stored in the local cryptographic engine, keyed by the first-type user identifier.
The public recursive resolution node stores the network address of the secondary node, the network address of the first-type user and the trusted resolution result in the local cryptographic engine together with the first-type user identifier, so that the next time the first-type user requests trusted resolution, the trusted resolution result and both network addresses can be found in the local cryptographic engine without executing the full resolution process, which greatly improves resolution efficiency. A cached result must be tied to the signature that was actually verified and must not outlive the certificates it rests on; otherwise a cache hit for the identifier alone would let an unverified signature pass.
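The recursive resolution of steps S800 to S807, as an added example; this is not code from the patent or from any CAICT implementation. It assumes Ed25519 X.509 certificates (the national top-level node as self-signed root, the secondary node certified by it), models the two network queries as in-memory directories, and omits the network addresses the page has the nodes return. The names Resolver, newCert, newScenario and runScenarios and the identifier 88.123.45/ENT001 are the example's own. Two points the page leaves implicit are made explicit: a cached result is bound to the signature that was verified and expires with the secondary node certificate, and the certificate is chained to the root (S805) before its key is used (S806).

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

const enterpriseID = "88.123.45/ENT001" // constructed first-type user identifier (an assumption)

// Resolver models the public recursive resolution node; the two directories stand in for
// the network queries to the national top-level node and to the secondary node.
type Resolver struct {
	RootCert  *x509.Certificate            // root certificate of the national top-level node
	TopNode   map[string]*x509.Certificate // S802: identifier -> certificate of its secondary node
	Secondary map[string][]byte            // S803: identifier -> signature held by the secondary node
	cache     map[string]cacheEntry        // S807: local cryptographic engine store
}

// A cached success is bound to the verified signature and to the certificate's lifetime.
type cacheEntry struct {
	sig     []byte
	expires time.Time
}

// Resolve runs steps S800..S807 on an enterprise authentication result (identifier plus signature).
func (r *Resolver) Resolve(id string, sig []byte, now time.Time) error {
	if e, ok := r.cache[id]; ok && now.Before(e.expires) && bytes.Equal(e.sig, sig) {
		return nil // S800/S801: valid cached result for this exact signature
	}
	secCert, ok := r.TopNode[id] // S802
	if !ok {
		return errors.New("S802: identifier unknown to the national top-level node")
	}
	if !bytes.Equal(sig, r.Secondary[id]) { // S803/S804: equality with the record, not yet a crypto check
		return errors.New("S804: presented signature differs from the secondary node record")
	}
	roots := x509.NewCertPool() // S805: the certificate must chain to the national root before its key is used
	roots.AddCert(r.RootCert)
	if _, err := secCert.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil {
		return fmt.Errorf("S805: secondary node certificate rejected: %w", err)
	}
	if err := secCert.CheckSignature(x509.PureEd25519, []byte(id), sig); err != nil { // S806
		return fmt.Errorf("S806: enterprise signature invalid: %w", err)
	}
	r.cache[id] = cacheEntry{sig, secCert.NotAfter} // S807
	return nil
}

// newCert issues an Ed25519 certificate; a nil parent yields a self-signed CA (the root).
func newCert(cn string, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	tmpl := &x509.Certificate{SerialNumber: serial, Subject: pkix.Name{CommonName: cn}, BasicConstraintsValid: true,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), KeyUsage: x509.KeyUsageDigitalSignature}
	if parent == nil {
		tmpl.IsCA, tmpl.KeyUsage = true, tmpl.KeyUsage|x509.KeyUsageCertSign
		parent, parentKey = tmpl, priv
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, priv
}

// newScenario constructs the national root, a secondary node it certified, and that node's signature on the prefix.
func newScenario() (*Resolver, []byte) {
	rootCert, rootKey := newCert("national-top-level-node", nil, nil)
	secCert, secKey := newCert("secondary-node-88.123", rootCert, rootKey)
	sig := ed25519.Sign(secKey, []byte(enterpriseID))
	return &Resolver{rootCert, map[string]*x509.Certificate{enterpriseID: secCert},
		map[string][]byte{enterpriseID: sig}, map[string]cacheEntry{}}, sig
}

// runScenarios reports whether each constructed case resolves as trusted.
func runScenarios() (valid, tampered, cached, stale, rogue bool) {
	now := time.Now()
	r, sig := newScenario()
	valid = r.Resolve(enterpriseID, sig, now) == nil
	bad := append([]byte(nil), sig...)
	bad[0] ^= 1
	tampered = r.Resolve(enterpriseID, bad, now) == nil // other signature: no cache hit, stops at S804
	r.TopNode = nil                                     // top-level node unreachable from here on
	cached = r.Resolve(enterpriseID, sig, now) == nil   // still answered from the cache
	stale = r.Resolve(enterpriseID, sig, now.Add(48*time.Hour)) == nil // entry expired: fresh lookup, which fails
	r2, _ := newScenario() // a self-signed certificate outside the national root's chain is rejected at S805
	rogueCert, rogueKey := newCert("rogue-node", nil, nil)
	r2.TopNode[enterpriseID], r2.Secondary[enterpriseID] = rogueCert, ed25519.Sign(rogueKey, []byte(enterpriseID))
	rogue = r2.Resolve(enterpriseID, r2.Secondary[enterpriseID], now) == nil
	return
}

func main() { fmt.Println(runScenarios()) }
```

Only the valid request and its repeat served from the cache resolve as trusted; the tampered signature stops at S804, the expired cache entry forces a fresh lookup that fails because the top-level node is unreachable, and the rogue node's self-signed certificate is rejected at S805 even though the signature it vouches for is internally consistent.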
Corresponding to the embodiment of the authentication method for a physical entity shown in fig. 4 for the authoritative enterprise node, the present invention provides a third embodiment of the trusted resolution method for a physical entity. Described with reference to fig. 9, the method comprises the following steps:
Step S901: receive a trusted resolution request sent by the current user. In this embodiment the current user is a second-type user.
Step S902: if the trusted resolution request carries a user authentication result, take the user identity in the trusted resolution request as the public key.
In the embodiment of fig. 4 the authoritative enterprise node signs under the user identity, so during trusted resolution the user identity serves as the public key with which the signature is verified.
Step S903: verify the signature with the public key.
Step S904: if verification succeeds, trusted resolution is determined to have succeeded; if it fails, trusted resolution is determined to have failed.
Corresponding to the fourth embodiment of the authentication method for a physical entity shown in fig. 5 for the authoritative enterprise node, the present invention provides a fourth embodiment of the trusted resolution method for a physical entity. Described with reference to fig. 10, the method comprises the following steps:
Step S1001: receive a trusted resolution request sent by the current user.
Step S1002: if the trusted resolution request carries a user authentication result, take the digital certificate (the public key it carries) as the public key.
Step S1003: verify the signature with the public key.
Step S1004: if verification fails, trusted resolution is determined to have failed.
Step S1005: if verification succeeds, obtain the root certificate of the third-party certification authority.
Step S1006: verify the digital certificate with the root certificate of the third-party certification authority.
Step S1007: if that verification succeeds, trusted resolution is determined to have succeeded; otherwise it is determined to have failed. Both checks are required: a signature that verifies under the key in a certificate proves nothing until the certificate itself has been verified against the root.
Corresponding to the fifth embodiment of the authentication method for a physical entity shown in fig. 6, the present invention provides a fifth embodiment of the trusted resolution method for a physical entity. Referring to fig. 11a, the method comprises the following steps:
Step S1101: receive a trusted resolution request sent by the current user.
Step S1102: if the trusted resolution request carries a user authentication result, judge whether the trusted resolution operation is to be executed in digital certificate mode; if not, proceed to step S1103, and if so, proceed to step S1107.
The user authentication result comprises a signature type field, a digital certificate field and a signature field, where the value of the signature type field is either the first type or the second type.
The first type denotes the signature mode in which the common user identifier is signed with a key generated under the identity-based cryptosystem (IBC); it may be represented as HS_SI.
The second type denotes the signature mode in which the common user identifier is signed with a digital certificate issued by a third-party certification authority; it may be represented as HS_SIG.
Therefore, if the signature type in the user authentication result is the first type, the process proceeds to step S1103; if it is the second type, the process proceeds to step S1107.
Step S1103: extract the signature from the signature field.
Step S1104: take the user identity in the trusted resolution request as the public key.
Step S1105: verify the signature with the public key.
Step S1106: if verification succeeds, trusted resolution is determined to have succeeded; otherwise it is determined to have failed.
Step S1107: extract the signature from the signature field and the digital certificate from the digital certificate field.
Step S1108: take the digital certificate as the public key and verify the signature with it; if verification fails, trusted resolution is determined to have failed.
Step S1109: if verification succeeds, obtain the root certificate of the third-party certification authority.
Step S1110: verify the digital certificate with the root certificate of the third-party certification authority.
Step S1111: if that verification succeeds, trusted resolution is determined to have succeeded; otherwise it is determined to have failed.
It will be appreciated that authentication and trusted resolution are a pair of corresponding processes.
If the signature in the authentication process was produced under the user identity (with the identity-bound key), the user identity is correspondingly used as the public key during resolution.
If the signature in the authentication process was produced with the digital certificate issued by the designated third-party certification authority (with its private key), the digital certificate is likewise used as the public key during resolution. Since the signature covers only the common user identifier, the signature type field is not itself authenticated; the resolver must therefore treat it as untrusted routing information and reject a record whose type does not match the fields it actually carries (for example HS_SIG without a certificate), rather than verifying it under the other mode.
Corresponding to the fifth embodiment of the authentication method for a physical entity shown in fig. 6, the present invention provides a sixth embodiment of the trusted resolution method for a physical entity. Referring to fig. 11b, the method comprises the following steps:
Step S0: receive a trusted resolution request sent by a second-type user.
Step S1: judge whether the HS_TI field of the trusted resolution request indicates the first type (HS_SI). If so, proceed to step S2; otherwise proceed to step S4.
Step S2: take the user identity in the trusted resolution request as the public key and verify the signature in the HS_C authoritative enterprise node SIG field.
Step S3: judge whether verification succeeded. If so, trusted resolution is determined to have succeeded; if not, it is determined to have failed.
Step S4: judge whether the trusted resolution request carries an HS_TI field indicating the second type (HS_SIG) together with HS_C authoritative enterprise node CERT data; if not, trusted resolution is determined to have failed, and if so, proceed to step S5.
Step S5: verify the signature in the HS_C authoritative enterprise node SIG field using the public key carried in the HS_C authoritative enterprise node CERT data.
Step S6: judge whether verification succeeded; if so, proceed to step S7, and if not, trusted resolution is determined to have failed.
Step S7: obtain the root certificate of the third-party certification authority and verify the HS_C authoritative enterprise node CERT data against it.
Step S8: judge whether that verification passed; if so, trusted resolution is determined to have succeeded, otherwise it is determined to have failed.
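The dispatch of steps S1 to S8 (and its fig. 11a equivalent, steps S1102 to S1111), as an added example; it is not code from the patent or from any CAICT implementation. Assumptions: the HS_SIG branch uses Ed25519 with a compact certificate format in place of X.509 (the public key followed by the CA's signature over the identifier and the key); the HS_SI branch calls an injected identity-based verification function, because the Go standard library has no identity-based signature scheme (such as SM9, whose verification needs the key generation centre's public parameters as well as the identity), and with none configured the resolver fails closed. The names Record, Verifier, issueCert, buildRecords and resolveAll and the identifiers under 88.123.45/ENT001 are the example's own.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Values of the signature type field HS_TI as named on the page.
const typeIBC, typeCA = "HS_SI", "HS_SIG"

// Record is the user authentication result as received in a trusted resolution request:
// the common user identifier (the signed message) plus the HS_TI, HS_C CERT and HS_C SIG fields.
type Record struct {
	UserID string
	Type   string // HS_TI value, empty when the field is absent
	Cert   []byte // HS_C CERT value, empty when the field is absent
	Sig    []byte // HS_C SIG value
}

// Compact certificate standing in for X.509 (an assumption of this example): the 32-byte
// Ed25519 public key followed by the CA's 64-byte signature over "cert|<user id>|<key>".
// Binding the identifier into the signed body stops a certificate issued for one user
// from being replayed for another.
func certBody(userID string, pub []byte) []byte { return []byte("cert|" + userID + "|" + string(pub)) }

func issueCert(caKey ed25519.PrivateKey, userID string, pub ed25519.PublicKey) []byte {
	return append(append([]byte{}, pub...), ed25519.Sign(caKey, certBody(userID, pub))...)
}

// Verifier holds what the public recursive resolution node needs for second-type users:
// the third-party CA's root key (its root certificate, simplified) and the identity-based
// verification routine, which is nil when no such scheme is deployed.
type Verifier struct {
	CARoot    ed25519.PublicKey
	IBCVerify func(identity string, msg, sig []byte) bool
}

// Resolve implements steps S1..S8 of the sixth embodiment for one record.
func (v Verifier) Resolve(rec Record) error {
	msg := []byte(rec.UserID)
	switch rec.Type {
	case typeIBC: // S1 -> S2/S3: the identity itself is the public key; with no scheme deployed, fail closed
		if v.IBCVerify == nil || !v.IBCVerify(rec.UserID, msg, rec.Sig) {
			return errors.New("S3: identity-based signature not verified")
		}
		return nil
	case typeCA: // S4 -> S5..S8: both the signature and the certificate must check out
		if len(rec.Cert) != ed25519.PublicKeySize+ed25519.SignatureSize {
			return errors.New("S4: HS_SIG record without a well-formed HS_C CERT field")
		}
		pub, caSig := ed25519.PublicKey(rec.Cert[:ed25519.PublicKeySize]), rec.Cert[ed25519.PublicKeySize:]
		if !ed25519.Verify(pub, msg, rec.Sig) { // S5/S6
			return errors.New("S6: signature does not verify under the certificate key")
		}
		if !ed25519.Verify(v.CARoot, certBody(rec.UserID, pub), caSig) { // S7/S8
			return errors.New("S8: certificate was not issued by the CA for this identifier")
		}
		return nil
	}
	return fmt.Errorf("S4: unknown or missing signature type %q", rec.Type)
}

// buildRecords constructs a CA, the key pair behind one user's certificate and five
// records as a resolver might receive them. All of it is constructed test data.
func buildRecords() (Verifier, map[string]Record) {
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	pub, key, _ := ed25519.GenerateKey(rand.Reader) // key pair the authoritative enterprise node signs with
	const id, otherID = "88.123.45/ENT001/user007", "88.123.45/ENT001/user008"
	cert := issueCert(caKey, id, pub)
	sig := ed25519.Sign(key, []byte(id))
	return Verifier{CARoot: caPub}, map[string]Record{
		"good":        {id, typeCA, cert, sig},
		"no_cert":     {id, typeCA, nil, sig},                                       // stops at S4
		"relabelled":  {id, typeIBC, cert, sig},                                     // type field flipped: fails closed at S2/S3
		"stolen_cert": {otherID, typeCA, cert, ed25519.Sign(key, []byte(otherID))}, // passes S6, fails S8
		"no_type":     {id, "", cert, sig},                                          // S4: nothing to dispatch on
	}
}

// resolveAll returns, per constructed record, whether trusted resolution succeeded.
func resolveAll() map[string]bool {
	v, recs := buildRecords()
	out := map[string]bool{}
	for name, rec := range recs {
		out[name] = v.Resolve(rec) == nil
	}
	return out
}

func main() { fmt.Println(resolveAll()) }
```

Only the well-formed HS_SIG record resolves as trusted. The "stolen_cert" case is the one worth studying: the attacker holds a genuine certificate and its private key and signs a different user's identifier, so step S6 passes, and it is only the identifier bound inside the certificate (step S8) that rejects it.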
Referring to fig. 12, an authentication apparatus for a physical entity comprises:
a node determiner 121, configured for the authoritative enterprise node to determine the current user to be authenticated;
a receiver 122, configured for the authoritative enterprise node, when the current user is a first-type user, to receive the enterprise authentication result sent by the secondary node and forward it to the first-type user; the enterprise authentication result comprises the signature the secondary node generated over the enterprise prefix identifier with its private key after generating that identifier;
a node authenticator 123, configured for the authoritative enterprise node, when the current user is a second-type user, to authenticate the second-type user, generate a common user identifier and determine the signature information corresponding to the second-type user;
and an authentication result builder 124, configured to construct the user authentication result from the common user identifier and the signature information and send it to the second-type user; the user authentication result comprises the signature information and the signature generated over the common user identifier with the signature information.
Referring to fig. 13, the present application provides a trusted resolution apparatus for a physical entity, comprising:
a receiver 131, configured for the public recursive resolution node to receive a trusted resolution request sent by the current user;
a recursive resolver 132, configured, when the current user is a first-type user, to have the public recursive resolution node perform the trusted resolution operation on the signature in the enterprise authentication result of the trusted resolution request in a recursive manner, obtaining the trusted resolution result;
and a trusted resolver 133, configured, when the current user is a second-type user, to have the public recursive resolution node perform the trusted resolution operation on the signature information and the signature in the user authentication result of the trusted resolution request, obtaining the trusted resolution result.
Referring to fig. 1a, the present application provides an industrial internet system comprising:
a physical entity identifier application system and a physical entity identifier service system;
wherein the physical entity identifier service system comprises an international root node, a national root node connected to the international root node, a secondary node connected to the national root node, an authoritative enterprise node connected to the secondary node, and a public recursive resolution node connected to the national root node, the secondary node and the authoritative enterprise node;
the authoritative enterprise node is configured to determine the current user to be authenticated; when the current user is a first-type user, to receive the enterprise authentication result sent by the secondary node, which comprises the signature the secondary node generated over the enterprise prefix identifier with its private key after generating that identifier; and when the current user is a second-type user, to authenticate the second-type user, generate a common user identifier, determine the signature information corresponding to the second-type user, and construct and send a user authentication result based on the common user identifier and the signature information, the user authentication result comprising the signature information and the signature generated over the common user identifier with the signature information.
Referring to fig. 1a, if the authoritative enterprise node integrates an identity-based cryptosystem (IBC), determining the signature information corresponding to the second-type user comprises:
acquiring the user identity corresponding to the second-type user;
based on the identity-based cryptosystem IBC, taking the user identity as the key (the identity-bound signing key) and taking that key as the signature information; the signature generated over the common user identifier with the signature information is then the signature obtained by signing the common user identifier with that key.
Referring to fig. 1b, if the system further comprises a third-party certification authority connected to the authoritative enterprise node, determining the signature information corresponding to the second-type user comprises:
receiving the digital certificate generated and sent by the third-party certification authority for the second-type user, and taking the digital certificate as the signature information;
the signature generated over the common user identifier with the signature information is then the signature obtained by signing the common user identifier with the digital certificate (its private key).
The physical entity identifier application system comprises:
an enterprise application APP connected to the authoritative enterprise node;
and a plurality of second-type users connected to the authoritative enterprise node.
Referring to fig. 1c, if the authoritative enterprise node integrates an identity-based cryptosystem (IBC) and the system further comprises a third-party certification authority connected to the authoritative enterprise node, determining the signature information corresponding to the second-type user comprises:
judging whether the second-type user has designated the signature mode of a third-party certification authority;
if the second-type user has not designated the signature mode of a third-party certification authority, acquiring the user identity corresponding to the second-type user and, based on the identity-based cryptosystem IBC, taking the user identity as the key and that key as the signature information; the signature over the common user identifier is then produced with that key;
if the second-type user has designated the signature mode of a third-party certification authority, receiving the digital certificate generated and sent by the third-party certification authority for the second-type user and taking the digital certificate as the signature information; the signature over the common user identifier is then produced with the digital certificate (its private key).
Referring to fig. 1a, the present application provides an industrial internet system comprising:
a physical entity identifier application system 100 and a physical entity identifier service system 200;
wherein the physical entity identifier service system comprises an international root node, a national root node connected to the international root node, a secondary node connected to the national root node, an authoritative enterprise node connected to the secondary node, and a public recursive resolution node connected to the national root node, the secondary node and the authoritative enterprise node.
The public recursive resolution node is configured to receive a trusted resolution request sent by the current user;
when the current user is a first-type user, to perform the trusted resolution operation on the signature in the enterprise authentication result of the trusted resolution request in a recursive manner, obtaining the trusted resolution result;
and when the current user is a second-type user, to perform the trusted resolution operation on the signature information and the signature in the user authentication result of the trusted resolution request, obtaining the trusted resolution result.
Referring to fig. 1a, the public recursive resolution node integrates a cryptographic engine, configured to store first-type user identifiers together with their historical trusted resolution results;
before performing the trusted resolution operation on the signature in the enterprise authentication result in a recursive manner and obtaining the trusted resolution result, the public recursive resolution node is further configured to:
judge whether the local cryptographic engine stores a historical trusted resolution result corresponding to the first-type user identifier in the trusted resolution request;
if such a result is stored and still valid, use it as the trusted resolution result;
if none is stored, execute the step of performing the trusted resolution operation on the signature in the enterprise authentication result in a recursive manner to obtain the trusted resolution result, and store that result in the local cryptographic engine together with the first-type user identifier.
Referring to fig. 1a, where the authoritative enterprise node integrates an identity-based cryptosystem (IBC) and the user authentication result uses the IBC signature mode, the public recursive resolution node performs the trusted resolution operation on the signature information and the signature in the user authentication result as follows:
taking the user identity in the trusted resolution request as the public key;
verifying the signature with the public key;
and if verification succeeds, determining that trusted resolution has succeeded, otherwise that it has failed.
Referring to fig. 1b, where the authoritative enterprise node is connected to a third-party certification authority and the user authentication result uses the signature mode of the third-party certification authority, the public recursive resolution node performs the trusted resolution operation on the signature information and the signature in the user authentication result as follows:
taking the digital certificate as the public key;
verifying the signature with the public key;
if verification succeeds, obtaining the root certificate of the third-party certification authority, and if it fails, determining that trusted resolution has failed;
verifying the digital certificate with the root certificate of the third-party certification authority;
and if that verification succeeds, determining that trusted resolution has succeeded, otherwise that it has failed.
Referring to fig. 1c, where the authoritative enterprise node integrates an identity-based cryptosystem (IBC) and is connected to a third-party certification authority, and the user authentication result received by the public recursive resolution node comprises a signature type field, a digital certificate field and a signature field, the trusted resolution operation on the signature information and the signature in the user authentication result is performed as follows:
if the signature type field indicates the first type, extracting the signature from the signature field, taking the user identity in the trusted resolution request as the public key and verifying the signature with it; if verification succeeds, determining that trusted resolution has succeeded, otherwise that it has failed;
if the signature type field indicates the second type, extracting the signature from the signature field and the digital certificate from the digital certificate field, taking the digital certificate as the public key and verifying the signature with it; if verification fails, determining that trusted resolution has failed; if it succeeds, obtaining the root certificate of the third-party certification authority and verifying the digital certificate with it; if that verification succeeds, determining that trusted resolution has succeeded, otherwise that it has failed.
The functions described in the methods of these embodiments, if implemented as software functional units and sold or used as independent products, may be stored in a storage medium readable by a computing device. On this understanding, the part of the technical solution of the embodiments of the present application that contributes over the prior art, or part of that solution, may be embodied as a software product stored in a storage medium and comprising instructions that cause a computing device (a personal computer, a server, a mobile computing device or a network device) to execute all or part of the steps of the methods described in the embodiments. Such storage media include USB flash drives, removable hard disks, read-only memory (ROM), random access memory (RAM), magnetic disks, optical disks and other media capable of storing program code.
The embodiments are described progressively; each focuses on its differences from the others, and for the parts they share reference may be made between them.
The preceding description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the present application. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the application. Thus, the present application is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (15)

1. A method of authenticating a physical entity, comprising:
determining a current user to be authenticated by an authoritative enterprise node;
under the condition that the current user is a first type user, the authoritative enterprise node receives an enterprise authentication result sent by the secondary node and sends the enterprise authentication result to the first type user; the enterprise authentication result comprises a signature generated by a secondary node performing signature operation on an enterprise prefix identification by using a private key after the enterprise prefix identification is generated;
under the condition that the current user is a second type user, an authoritative enterprise node authenticates the second type user to generate a common user identifier, determines signature information corresponding to the second type user, constructs a user authentication result based on the common user identifier and the signature information, and sends the user authentication result to the second type user; the user authentication result comprises the signature information and a signature generated by performing signature operation on the common user identifier by using the signature information.
2. The method of claim 1, prior to the authoritative enterprise node receiving the enterprise authentication results sent by the secondary node, further comprising:
an authoritative enterprise node sends an authentication request to a secondary node, wherein the authentication request comprises first type user information of the first type user;
the secondary node receives the authentication request, generates an enterprise prefix identification based on the first type user information in the authentication request, performs signature operation on the enterprise prefix identification by using a private key of the secondary node to generate a signature, and constructs and stores an enterprise authentication result;
the second-level node sends the enterprise authentication result to the authoritative enterprise node, and sends the corresponding relation between the first-type user identification of the first-type user and the second-level node identification to the top-level node of the country;
and the country top level node stores the corresponding relation between the first type user identification of the first type user and the second level node identification.
3. The method of claim 1, wherein the authoritative enterprise node incorporates an identity password system, and wherein said determining subscription information corresponding to the second type of user comprises:
acquiring a user identity corresponding to the second type user;
based on an identification cryptosystem, taking the user identity identification as a secret key, and taking the secret key as the signature information;
the signature generated by performing a signature operation on the common user identifier by using the signature information includes: and executing a signature operation on the common user identifier by using the secret key to obtain a signature.
4. The method of claim 1, wherein said authoritative enterprise node is connected to a third party certification authority, said determining subscription information corresponding to said second type of user comprising:
the authoritative enterprise node sends an authentication request to a third-party authentication authority, wherein the authentication request comprises second type user information of the second type user;
the authoritative enterprise node receives a digital certificate which is generated and sent by a third-party certification authority aiming at the second type of users, and takes the digital certificate as the signature information;
the signature generated by performing a signature operation on the common user identifier by using the signature information includes: and executing signature operation on the common user identification by using the digital certificate to obtain a signature.
5. The method of claim 1, wherein the authoritative enterprise node incorporates an identity-based cryptosystem and is connected to a third-party certification authority, and wherein said determining the signature information corresponding to the second-type user comprises:
the authoritative enterprise node determines whether the second-type user has designated the signature mode of the third-party certification authority;
if the second-type user has not designated the signature mode of the third-party certification authority, the authoritative enterprise node acquires the user identity identifier corresponding to the second-type user and, based on the identity-based cryptosystem, takes the user identity identifier as a key and takes the key as the signature information;
in that case the signature generated by performing a signature operation on the common user identifier using the signature information comprises: performing a signature operation on the common user identifier using the key to obtain the signature;
if the second-type user has designated the signature mode of the third-party certification authority, the authoritative enterprise node sends a certification request comprising second-type user information of the second-type user to the third-party certification authority, receives the digital certificate generated and sent by the third-party certification authority for the second-type user, and takes the digital certificate as the signature information;
and in that case the signature generated by performing a signature operation on the common user identifier using the signature information comprises: performing a signature operation on the common user identifier using the digital certificate to obtain the signature.
6. The method of claim 5, wherein the user authentication result further comprises a signature type, the signature type being a first type or a second type;
the first type represents a signature mode in which the signature operation on the common user identifier is performed with a key generated by the identity-based cryptosystem;
the second type represents a signature mode in which the signature operation on the common user identifier is performed with a digital certificate generated by the third-party certification authority;
and the data structure of the user authentication result comprises:
a signature type field for storing the signature type;
a digital certificate field for storing the digital certificate generated by the third-party certification authority, the field being empty when no digital certificate was generated by the third-party certification authority;
and a signature field for storing the signature.
7. A trusted resolution method for a physical entity, comprising:
a public recursive resolution node receives a trusted resolution request sent by a current user;
when the current user is a first-type user, the public recursive resolution node performs a trusted resolution operation, in a recursive manner, on the signature in the enterprise authentication result carried in the trusted resolution request to obtain a trusted resolution result, which comprises:
the public recursive resolution node queries the national top-level node for the first-type user identifier of the first-type user;
if the national top-level node finds the first-type user identifier, it returns the network address of the secondary node and the digital certificate of the secondary node associated with the first-type user identifier;
the public recursive resolution node queries the secondary node at that network address for the first-type user identifier;
if the secondary node finds the first-type user identifier, it returns the network address corresponding to the first-type user identifier and the signature corresponding to the first-type user identifier;
the public recursive resolution node checks whether the signature in the enterprise authentication result is consistent with the signature corresponding to the first-type user identifier returned by the secondary node; if not, the trusted resolution is determined to have failed;
if they are consistent, the root certificate of the national top-level node is queried from the national top-level node and the digital certificate of the secondary node is verified with the root certificate; if this verification fails, the trusted resolution is determined to have failed;
if it passes, the signature in the enterprise authentication result is verified with the digital certificate of the secondary node; if this verification passes, the trusted resolution is successful, otherwise it has failed;
if the trusted resolution is successful, the network address of the secondary node, the network address of the first-type user and the trusted resolution result are stored in the local cipher machine in correspondence with the first-type user identifier;
and when the current user is a second-type user, the public recursive resolution node performs a trusted resolution operation on the signature information and the signature in the user authentication result carried in the trusted resolution request to obtain a trusted resolution result.
8. The method of claim 7, wherein before the public recursive resolution node performs the trusted resolution operation on the signature in the enterprise authentication result in a recursive manner to obtain the trusted resolution result, the method further comprises:
the public recursive resolution node checks whether the local cipher machine stores a historical trusted resolution result corresponding to the first-type user identifier in the trusted resolution request;
if a historical trusted resolution result corresponding to that identifier is stored and is still valid, the historical trusted resolution result is used as the trusted resolution result;
if no historical trusted resolution result corresponding to that identifier is stored, the step of performing the trusted resolution operation on the signature in the enterprise authentication result in a recursive manner to obtain the trusted resolution result is executed, and the trusted resolution result is stored in the local cipher machine in correspondence with the first-type user identifier.
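The recursive trusted resolution of claims 7 and 8 (repeated in the recursive resolver of claim 14 and the system of claim 15), written out as an added Go example; it is not part of the patent or of any implementation by the applicant. It assumes in-memory stand-ins for the national top-level node, the secondary node and the local cipher machine, ECDSA P-256 keys with X.509 certificates for the node certificates, and the identifier "88.100.1" and addresses "sec.example" and "10.0.0.5", all constructed for the example. Where the claims say the signature is verified with the secondary node's digital certificate, the example verifies it under the certificate's public key with ECDSA.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// TopEntry is the top node's answer for a known first-type user identifier (enterprise prefix).
type TopEntry struct {
	SecondaryAddr string
	SecondaryCert *x509.Certificate
}
// SecEntry is the secondary node's answer: the user's address and its signature over the prefix.
type SecEntry struct {
	UserAddr  string
	Signature []byte
}
// Resolver is the public recursive resolution node with in-memory stand-ins for the other nodes.
type Resolver struct {
	Root        *x509.Certificate              // root certificate of the national top node
	Top         map[string]TopEntry            // top node table: identifier -> secondary node
	Secondaries map[string]map[string]SecEntry // secondary node address -> its table
	Cache       map[string]bool                // local cipher machine: stored results (claim 8)
}

// Resolve runs the recursive trusted resolution of claim 7: cache, top node, secondary node, checks.
func (r *Resolver) Resolve(userID string, sigInRequest []byte) bool {
	if cached, hit := r.Cache[userID]; hit {
		return cached
	}
	te, found := r.Top[userID]
	if !found {
		return false // the top node does not know the identifier
	}
	se, found := r.Secondaries[te.SecondaryAddr][userID]
	if !found || string(se.Signature) != string(sigInRequest) {
		return false // unknown at the secondary node, or the request carries a different signature
	}
	roots := x509.NewCertPool()
	roots.AddCert(r.Root)
	if _, err := te.SecondaryCert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil {
		return false // the secondary node's certificate does not chain to the root
	}
	pub, ok := te.SecondaryCert.PublicKey.(*ecdsa.PublicKey)
	digest := sha256.Sum256([]byte(userID))
	if !ok || !ecdsa.VerifyASN1(pub, digest[:], sigInRequest) {
		return false // signature does not verify under the now-trusted secondary node key
	}
	r.Cache[userID] = true // store the successful result together with the identifier
	return true
}

// newCert issues a certificate from a minimal template; a CA template is self-signed.
func newCert(cn string, ca bool, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: ca, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if ca {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert
}

// BuildFixture constructs a root, a secondary node certified by it and one enrolled prefix (constructed values).
func BuildFixture(prefix string) (*Resolver, []byte) {
	rootKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	secKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	root := newCert("national-top-node", true, nil, &rootKey.PublicKey, rootKey)
	secCert := newCert("secondary-node", false, root, &secKey.PublicKey, rootKey)
	digest := sha256.Sum256([]byte(prefix))
	sig, _ := ecdsa.SignASN1(rand.Reader, secKey, digest[:]) // signature in the enterprise authentication result
	top := map[string]TopEntry{prefix: {"sec.example", secCert}}
	secs := map[string]map[string]SecEntry{"sec.example": {prefix: {"10.0.0.5", sig}}}
	return &Resolver{Root: root, Top: top, Secondaries: secs, Cache: map[string]bool{}}, sig
}
```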
9. The method of claim 7, wherein, if the user authentication result uses the signature mode of the identity-based cryptosystem, the public recursive resolution node performing the trusted resolution operation on the signature information and the signature in the user authentication result carried in the trusted resolution request to obtain the trusted resolution result comprises:
the public recursive resolution node takes the user identity identifier in the trusted resolution request as the public key;
decrypts the signature with the public key;
and if the decryption succeeds, determines that the trusted resolution is successful, otherwise determines that it has failed.
10. The method of claim 7, wherein, if the user authentication result uses the signature mode of the third-party certification authority, the public recursive resolution node performing the trusted resolution operation on the signature information and the signature in the user authentication result carried in the trusted resolution request to obtain the trusted resolution result comprises:
the public recursive resolution node takes the digital certificate in the user authentication result as the public key;
decrypts the signature with the public key;
if the decryption succeeds, acquires the root certificate of the third-party certification authority, and if the decryption fails, determines that the trusted resolution has failed;
verifies the digital certificate with the root certificate of the third-party certification authority;
and if that verification succeeds, determines that the trusted resolution is successful, otherwise determines that it has failed.
11. The method of claim 7, wherein, if the user authentication result comprises a signature type field, a digital certificate field and a signature field, the public recursive resolution node performing the trusted resolution operation on the signature information and the signature in the user authentication result carried in the trusted resolution request to obtain the trusted resolution result comprises:
if the signature type field indicates the first type: extracting the signature from the signature field and taking the user identity identifier in the trusted resolution request as the public key; decrypting the signature with the public key; and if the decryption succeeds, determining that the trusted resolution is successful, otherwise determining that it has failed;
if the signature type field indicates the second type: extracting the signature from the signature field and the digital certificate from the digital certificate field; taking the digital certificate as the public key; decrypting the signature with the public key; if the decryption succeeds, acquiring the root certificate of the third-party certification authority, and if it fails, determining that the trusted resolution has failed; verifying the digital certificate with the root certificate of the third-party certification authority; and if that verification succeeds, determining that the trusted resolution is successful, otherwise determining that it has failed.
12. An apparatus for authenticating a physical entity, comprising:
a node confirmer, used by the authoritative enterprise node to determine the current user to be authenticated;
a receiver, used by the authoritative enterprise node, when the current user is a first-type user, to receive the enterprise authentication result sent by the secondary node and to send it to the first-type user, the enterprise authentication result comprising the signature generated by the secondary node performing a signature operation with its private key on the enterprise prefix identifier after generating that identifier;
a node authenticator, used by the authoritative enterprise node, when the current user is a second-type user, to authenticate the second-type user to generate a common user identifier and to determine the signature information corresponding to the second-type user;
and an authentication result builder, used to build a user authentication result based on the common user identifier and the signature information and to send it to the second-type user, the user authentication result comprising the signature information and the signature generated by performing a signature operation on the common user identifier using the signature information.
13. An industrial internet system, comprising:
a physical entity identifier application system and a physical entity identifier service system;
wherein the physical entity identifier service system comprises an international root node, a national root node connected to the international root node, a secondary node connected to the national root node, an authoritative enterprise node connected to the secondary node, and a public recursive resolution node connected to the national root node, the secondary node and the authoritative enterprise node;
and the authoritative enterprise node is used to determine the current user to be authenticated; when the current user is a first-type user, to receive the enterprise authentication result sent by the secondary node, the enterprise authentication result comprising the signature generated by the secondary node performing a signature operation with its private key on the enterprise prefix identifier after generating that identifier; and when the current user is a second-type user, to authenticate the second-type user to generate a common user identifier, determine the signature information corresponding to the second-type user, and build and send a user authentication result based on the common user identifier and the signature information, the user authentication result comprising the signature information and the signature generated by performing a signature operation on the common user identifier using the signature information.
14. An apparatus for trusted resolution of a physical entity, comprising:
a receiver, used by the public recursive resolution node to receive a trusted resolution request sent by a current user;
a recursive resolver, used by the public recursive resolution node, when the current user is a first-type user, to perform a trusted resolution operation in a recursive manner on the signature in the enterprise authentication result carried in the trusted resolution request to obtain a trusted resolution result;
a trusted resolver, used by the public recursive resolution node, when the current user is a second-type user, to perform a trusted resolution operation on the signature information and the signature in the user authentication result carried in the trusted resolution request to obtain a trusted resolution result;
wherein the recursive resolver is specifically used for the following: the public recursive resolution node queries the national top-level node for the first-type user identifier of the first-type user; if the national top-level node finds the first-type user identifier, it returns the network address of the secondary node and the digital certificate of the secondary node associated with the first-type user identifier; the public recursive resolution node queries the secondary node at that network address for the first-type user identifier; if the secondary node finds the first-type user identifier, it returns the network address corresponding to the first-type user identifier and the signature corresponding to the first-type user identifier; the public recursive resolution node checks whether the signature in the enterprise authentication result is consistent with the signature corresponding to the first-type user identifier returned by the secondary node; if not, the trusted resolution is determined to have failed; if they are consistent, the root certificate of the national top-level node is queried from the national top-level node and the digital certificate of the secondary node is verified with the root certificate; if this verification fails, the trusted resolution is determined to have failed; if it passes, the signature in the enterprise authentication result is verified with the digital certificate of the secondary node, and if this verification passes the trusted resolution is successful, otherwise it has failed; and if the trusted resolution is successful, the network address of the secondary node, the network address of the first-type user and the trusted resolution result are stored in the local cipher machine in correspondence with the first-type user identifier.
15. An industrial internet system, comprising:
a physical entity identifier application system and a physical entity identifier service system;
wherein the physical entity identifier service system comprises an international root node, a national root node connected to the international root node, a secondary node connected to the national root node, an authoritative enterprise node connected to the secondary node, and a public recursive resolution node connected to the national root node, the secondary node and the authoritative enterprise node;
the public recursive resolution node is used to receive a trusted resolution request sent by a current user; when the current user is a first-type user, the public recursive resolution node performs a trusted resolution operation in a recursive manner on the signature in the enterprise authentication result carried in the trusted resolution request to obtain a trusted resolution result; and when the current user is a second-type user, the public recursive resolution node performs a trusted resolution operation on the signature information and the signature in the user authentication result carried in the trusted resolution request to obtain a trusted resolution result;
wherein, when the current user is a first-type user, the public recursive resolution node performing the trusted resolution operation in a recursive manner on the signature in the enterprise authentication result carried in the trusted resolution request to obtain the trusted resolution result comprises the following: the public recursive resolution node queries the national top-level node for the first-type user identifier of the first-type user; if the national top-level node finds the first-type user identifier, it returns the network address of the secondary node and the digital certificate of the secondary node associated with the first-type user identifier; the public recursive resolution node queries the secondary node at that network address for the first-type user identifier; if the secondary node finds the first-type user identifier, it returns the network address corresponding to the first-type user identifier and the signature corresponding to the first-type user identifier; the public recursive resolution node checks whether the signature in the enterprise authentication result is consistent with the signature corresponding to the first-type user identifier returned by the secondary node; if not, the trusted resolution is determined to have failed; if they are consistent, the root certificate of the national top-level node is queried from the national top-level node and the digital certificate of the secondary node is verified with the root certificate; if this verification fails, the trusted resolution is determined to have failed; if it passes, the signature in the enterprise authentication result is verified with the digital certificate of the secondary node, and if this verification passes the trusted resolution is successful, otherwise it has failed; and if the trusted resolution is successful, the network address of the secondary node, the network address of the first-type user and the trusted resolution result are stored in the local cipher machine in correspondence with the first-type user identifier.
CN202010020929.6A 2020-01-09 2020-01-09 Authentication and credibility analysis method, device and system for physical entity Active CN111262834B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010020929.6A CN111262834B (en) 2020-01-09 2020-01-09 Authentication and credibility analysis method, device and system for physical entity

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202010020929.6A CN111262834B (en) 2020-01-09 2020-01-09 Authentication and credibility analysis method, device and system for physical entity

Publications (2)

Publication Number Publication Date
CN111262834A CN111262834A (en) 2020-06-09
CN111262834B true CN111262834B (en) 2022-03-29

Family

ID=70948598

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010020929.6A Active CN111262834B (en) 2020-01-09 2020-01-09 Authentication and credibility analysis method, device and system for physical entity

Country Status (1)

Country Link
CN (1) CN111262834B (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114448729B (en) * 2022-04-07 2022-06-07 中国信息通信研究院 Identity authentication method and device for client in industrial internet
CN115208580B (en) * 2022-07-14 2024-05-24 北京泰尔英福科技有限公司 Trusted service positioning method and system based on industrial Internet identification analysis
CN116319070B (en) * 2023-05-11 2023-08-11 中国电子信息产业集团有限公司第六研究所 Industrial Internet identification analysis system, method, electronic equipment and storage medium

Citations (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1545243A (en) * 2003-11-24 2004-11-10 华中科技大学 Method and system for certification
KR101294805B1 (en) * 2012-12-21 2013-08-08 (주)씽크에이티 2-channel authentication method and system based on authentication application
CN104135365A (en) * 2013-05-03 2014-11-05 阿里巴巴集团控股有限公司 A method, a server, and a client for verifying an access request
CN106686152A (en) * 2016-04-01 2017-05-17 北京泰尔英福网络科技有限责任公司 Identity authentication information distribution method
CN107633402A (en) * 2017-09-14 2018-01-26 深圳市华付信息技术有限公司 Method and system for aggregated authentication
CN107995197A (en) * 2017-12-04 2018-05-04 中国电子科技集团公司第三十研究所 Method for sharing identity and permission information across management domains
CN108566272A (en) * 2018-01-02 2018-09-21 甘肃万维信息技术有限责任公司 Push method for public key infrastructure mutual trust and mutual recognition based on e-government
CN109617698A (en) * 2019-01-09 2019-04-12 腾讯科技(深圳)有限公司 Method for providing a digital certificate, digital certificate issuing center and medium
CN109726571A (en) * 2018-12-25 2019-05-07 航天信息股份有限公司 Electronic signature method and device for documents, storage medium and electronic equipment
EP3481004A4 (en) * 2016-06-29 2019-05-08 Prosper Creative Co., Ltd. Communications system, communications device used in same, management device, and information terminal
CN109861975A (en) * 2018-12-26 2019-06-07 中国科学院计算机网络信息中心 Identifier registration information query method and system for the industrial internet
CN109918878A (en) * 2019-04-24 2019-06-21 中国科学院信息工程研究所 Blockchain-based industrial internet-of-things device authentication and secure interaction method
CN109922039A (en) * 2019-01-14 2019-06-21 湘潭大学 Semi-centralized identity management method based on blockchain technology
CN110298610A (en) * 2019-05-05 2019-10-01 江苏一乙生态农业科技有限公司 Express logistics blockchain system and operation method thereof

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CA2902093C (en) * 2014-08-28 2023-03-07 Kevin Alan Tussy Facial recognition authentication system including path parameters
WO2016115633A1 (en) * 2015-01-21 2016-07-28 FusionPipe Software Solutions Inc. Enhanced security authentication methods, systems and media


Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
"Development trends of the industrial internet identifier resolution system"; 张钰雯 et al.; 《信息通信技术与政策》 (Information and Communications Technology and Policy); 2019-08-22 (No. 8); full text *
Xinwen Zhang et al.; "Towards name-based trust and security for content-centric network"; 《2011 19th IEEE International Conference on Network Protocols》; 2011 *



Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant