CN112291262B - Method and system for establishing account terminal guarantee derivative relationship in zero trust environment - Google Patents


Info

Publication number
CN112291262B
Authority
CN (China)
Prior art keywords
guarantee, account terminal, guaranteed, account, terminal
Legal status
Active
Application number
CN202011279440.7A
Other languages
Chinese (zh)
Other versions
CN112291262A (en)
Inventors
杨祎巍, 黄开天, 匡晓云, 许爱东, 陈霖, 张宇南, 李攀登, 洪超
Current Assignee
CSG Electric Power Research Institute
China Southern Power Grid Co Ltd
Original Assignee
CSG Electric Power Research Institute
China Southern Power Grid Co Ltd
Events
Application filed by CSG Electric Power Research Institute, China Southern Power Grid Co Ltd
Priority to CN202011279440.7A
Publication of CN112291262A
Application granted
Publication of CN112291262B
Status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0853 Network architectures or network communication protocols for network security for authentication of entities using an additional device, e.g. smartcard, SIM or a different communication terminal
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3234 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication involving additional secure or trusted devices, e.g. TPM, smartcard, USB or software token
    • H04L9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication involving digital signatures

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The invention discloses a method and a system for constructing an account-terminal vouching ("guarantee") derivation relationship in a zero-trust environment. As applied to the account terminal to be vouched for, the method comprises: in response to an authentication request, sending a vouching request to a fixed number of randomly chosen vouching account terminals; receiving the vouching confirmations returned by those terminals, each produced by a vouching terminal confirming the request, and uploading them to the security server; and receiving from the security server a credibility verdict on the account terminal to be vouched for, the verdict being determined by the number of confirmations. A social form of credibility authentication is thus established among account terminals, addressing the poor generality and poor objectivity of existing authentication methods.

Description

Method and system for establishing account terminal guarantee derivative relationship in zero trust environment
Technical Field
The invention relates to the field of internet security, and in particular to a method and a system for constructing an account-terminal vouching derivation relationship in a zero-trust environment.
Background
Existing methods for authenticating the identity of an account mostly follow a single-account approach: the account's own historical data is analysed to decide how credible the account is.
This works poorly for accounts registered only recently: such an account has too little history for the analysis to reach a conclusion, so authenticating it is difficult. In addition, a single-account method applies only one authentication criterion, so the credibility it yields is in most cases lacking in objectivity.
A more objective method of account identity authentication is therefore needed, to overcome the poor generality and poor objectivity of the existing methods.
Disclosure of Invention
The invention provides a method and a system for constructing an account-terminal vouching derivation relationship in a zero-trust environment, to address the poor generality and poor objectivity of existing authentication methods.
In a first aspect, the invention provides a method for constructing an account-terminal vouching derivation relationship in a zero-trust environment, applied to the account terminal to be vouched for, comprising:
the account terminal to be vouched for, in response to an authentication request, sends a vouching request to vouching account terminals, the vouching account terminals being a fixed number of randomly chosen account terminals;
the account terminal to be vouched for receives the vouching confirmations returned by the vouching account terminals and uploads them to the security server, each confirmation being produced by a vouching account terminal confirming the vouching request;
and the account terminal to be vouched for receives the credibility verdict on itself sent by the security server, the verdict being determined by the number of vouching confirmations.
Optionally, sending the vouching request to the vouching account terminals in response to the authentication request comprises:
the account terminal to be vouched for, in response to an authentication request sent by the security server or by a random terminal, concatenates its own identifier with that of each vouching account terminal to form a cascade identifier;
and the account terminal to be vouched for sends the vouching request to each vouching account terminal in turn, based on the cascade identifier.
Optionally, each vouching account terminal holds a corresponding public key and private key, and receiving the vouching confirmations and uploading them to the security server comprises:
the account terminal to be vouched for receives the vouching confirmations in turn, each confirmation being the vouching request signed by the vouching account terminal with its private key under an asymmetric (public-key) algorithm;
and the account terminal to be vouched for uploads the confirmations to the security server, which verifies each signature with the public key of the corresponding vouching account, that public key having been disclosed by the vouching account when it signed.
In a second aspect, the invention provides a method for constructing an account-terminal vouching derivation relationship in a zero-trust environment, applied to a vouching account terminal, comprising:
the vouching account terminal receives a vouching request, which the account terminal to be vouched for sent in response to an authentication request according to a cascade identifier, the cascade identifier being formed by concatenating the identifiers of the account terminal to be vouched for and the vouching account terminal;
the vouching account terminal decides whether to send a vouching confirmation to the account terminal to be vouched for;
if not, it simply ignores the vouching request;
if so, it sends a vouching confirmation to the account terminal to be vouched for; the account terminal to be vouched for uploads the confirmations to a security server, and the security server determines the credibility of the account terminal to be vouched for from the number of confirmations.
Optionally, each vouching account terminal holds a corresponding public key and private key, and sending the vouching confirmation to the account terminal to be vouched for comprises:
the vouching account terminal produces the confirmation by signing the vouching request with its private key under an asymmetric algorithm;
the vouching account terminal sends the confirmation to the account terminal to be vouched for and discloses the corresponding public key; the account terminal to be vouched for uploads the confirmation to the security server, and the public key allows the security server to verify the signature on the confirmation.
In a third aspect, the invention provides a method for constructing an account-terminal vouching derivation relationship in a zero-trust environment, applied to a security server, comprising:
the security server designates an account terminal in an abnormal state as the account terminal to be vouched for;
the security server sends an authentication request to the account terminal to be vouched for;
the security server receives the vouching confirmations uploaded by the account terminal to be vouched for, each confirmation being a vouching request signed by a vouching account terminal with its private key, the vouching request having been sent according to a cascade identifier formed by concatenating the identifiers of the account terminal to be vouched for and the vouching account terminal; each vouching account terminal holds a corresponding public key and private key;
the security server verifies each confirmation with the corresponding public key, which the vouching account disclosed when it signed, and determines the credibility of the account terminal to be vouched for from the total number of confirmations, credibility being the degree to which the vouching account terminals accept the account terminal to be vouched for;
and the security server decides from that credibility whether the account terminal to be vouched for is trusted.
Optionally, deciding from the credibility whether the account terminal to be vouched for is trusted comprises:
the security server checks whether the credibility of the account terminal to be vouched for exceeds a preset credibility threshold;
if so, the security server judges the account terminal to be vouched for to be a trusted account terminal;
if not, it judges the account terminal to be vouched for to be an untrusted account terminal.
In a fourth aspect, the invention provides a system for constructing an account-terminal vouching derivation relationship in a zero-trust environment, applied to the account terminal to be vouched for, comprising:
a request response module, for responding to the authentication request by sending a vouching request to vouching account terminals, the vouching account terminals being a fixed number of randomly chosen account terminals;
a confirmation receiving module, for receiving the vouching confirmations returned by the vouching account terminals and uploading them to the security server, each confirmation being produced by a vouching account terminal confirming the vouching request;
and a first credibility determining module, for receiving the credibility verdict on the account terminal to be vouched for sent by the security server, the verdict being determined by the number of vouching confirmations.
In a fifth aspect, the invention provides a system for constructing an account-terminal vouching derivation relationship in a zero-trust environment, applied to a vouching account terminal, comprising:
a vouching request receiving module, for receiving a vouching request from the account terminal to be vouched for, which sent it in response to an authentication request according to a cascade identifier formed by concatenating the identifiers of the account terminal to be vouched for and the vouching account terminal;
a decision module, for deciding whether the vouching account terminal should send a vouching confirmation to the account terminal to be vouched for;
if not, the vouching request is simply ignored;
if so, a vouching confirmation is sent to the account terminal to be vouched for; the account terminal to be vouched for uploads the confirmations to a security server, and the security server determines the credibility of the account terminal to be vouched for from the number of confirmations.
In a sixth aspect, the invention provides a system for constructing an account-terminal vouching derivation relationship in a zero-trust environment, applied to a security server, comprising:
a designation module, for designating an account terminal in an abnormal state as the account terminal to be vouched for;
an authentication request sending module, for sending an authentication request to the account terminal to be vouched for;
a confirmation receiving module, for receiving the vouching confirmations uploaded by the account terminal to be vouched for, each confirmation being a vouching request signed by a vouching account terminal with its private key, the vouching request having been sent according to a cascade identifier formed by concatenating the identifiers of the account terminal to be vouched for and the vouching account terminal; each vouching account terminal holds a corresponding public key and private key;
a credibility determining module, for verifying each confirmation with the corresponding public key, which the vouching account disclosed when it signed, and determining the credibility of the account terminal to be vouched for from the total number of confirmations, credibility being the degree to which the vouching account terminals accept the account terminal to be vouched for;
and a second credibility determining module, for deciding from that credibility whether the account terminal to be vouched for is trusted.
The technical scheme of the invention offers the following advantages:
in response to an authentication request, a vouching request is sent to a fixed number of randomly chosen vouching account terminals; the confirmations they return, each produced by a vouching account terminal confirming the request, are received and uploaded to the security server; and the security server's credibility verdict on the account terminal to be vouched for, determined by the number of confirmations, is received. A social form of credibility authentication is thus established among account terminals, addressing the poor generality and poor objectivity of existing authentication methods.
Drawings
To illustrate the embodiments of the invention or the prior art more clearly, the drawings used in describing them are briefly introduced below. The drawings cover only some embodiments of the invention; a person skilled in the art could derive other drawings from them without inventive effort.
Fig. 1 is a flowchart of the steps of a first embodiment of a method for constructing an account-terminal vouching derivation relationship in a zero-trust environment according to the invention;
Fig. 2 is a flowchart of the steps of a second embodiment of the method according to the invention;
Fig. 3 is a flowchart of the steps of a third embodiment of the method according to the invention;
Fig. 4 is a block diagram of a first embodiment of a system for constructing an account-terminal vouching derivation relationship in a zero-trust environment according to the invention;
Fig. 5 is a block diagram of a second embodiment of the system according to the invention;
Fig. 6 is a block diagram of a third embodiment of the system according to the invention.
Detailed Description
The embodiments of the invention provide a method and a system for constructing an account-terminal vouching derivation relationship in a zero-trust environment, establishing a social form of credibility authentication to address the poor generality and poor objectivity of existing authentication methods.
To make the objects, features and advantages of the invention clearer, the technical solutions of its embodiments are described fully below with reference to the accompanying drawings. The embodiments described are only some of the embodiments of the invention, not all of them; all other embodiments that a person skilled in the art could derive from them without creative effort fall within the scope of protection of the invention.
First embodiment. Fig. 1 is a flowchart of the steps of a first embodiment of a method for constructing an account-terminal vouching derivation relationship in a zero-trust environment; the method is applied to the account terminal to be vouched for and specifically comprises the following steps:
Step S101: in response to an authentication request, the account terminal to be vouched for sends a vouching request to vouching account terminals, the vouching account terminals being a fixed number of randomly chosen account terminals.
In this embodiment, when the security server detects an abnormality in an account terminal, or a random terminal suspects the current account terminal of being abnormal, the security server designates the abnormal account terminal as the account terminal to be vouched for, Ub, and sends the authentication request to Ub.
In a specific implementation, Ub sends the vouching request to a fixed number of random account terminals as directed by the security server's authentication request. A random account terminal may be one whose historical data overlaps with Ub's, or any account terminal with no connection to Ub at all. The number is set according to circumstances; for example, in a zero-trust environment, that is, where no social authentication has taken place before, it may be set to 50, so that a vouching relationship can be built quickly and Ub authenticated quickly.
In an optional embodiment, sending the vouching request to the vouching account terminals in response to the authentication request comprises:
the account terminal to be vouched for, in response to an authentication request sent by the security server or by a random terminal, concatenates its own identifier with that of each vouching account terminal to form a cascade identifier;
and the account terminal to be vouched for sends the vouching request to each vouching account terminal in turn, based on the cascade identifier.
Note that in computer science a cascade denotes a mapping relationship between several objects; establishing a cascade identifier between data items improves management efficiency.
In this embodiment, Ub concatenates its own identifier with that of the vouching account terminal Ua to form the cascade identifier Ub||Ua, where || denotes concatenation, and sends the vouching request to each vouching account terminal Ua one by one.
Step S102: the account terminal to be vouched for receives the vouching confirmations returned by the vouching account terminals and uploads them to the security server, each confirmation being produced by a vouching account terminal confirming the vouching request.
In an optional embodiment, receiving the vouching confirmations returned by the vouching account terminals and uploading them to the security server comprises:
the account terminal to be vouched for receives the vouching confirmations in turn, each confirmation being the vouching request signed by the vouching account terminal with its private key under an asymmetric algorithm;
and the account terminal to be vouched for uploads the confirmations to the security server, which verifies each signature with the public key of the corresponding vouching account, that public key having been disclosed by the vouching account when it signed.
In this embodiment, on receiving the vouching request, the vouching account terminal Ua signs it with its private key under an asymmetric algorithm, signature = sig(Ub||Ua, pa), where pa is Ua's private key, sends the resulting confirmation to Ub and at the same time discloses its public key. Ub receives and stores the signature and uploads the confirmation to the security server, which can then verify the signature against the public key.
Asymmetric encryption, also known as public-key encryption, refers to algorithms in which encryption and decryption use different keys; here the private key is used to sign and the public key to verify.
Step S103: the account terminal to be vouched for receives the credibility verdict on itself sent by the security server, the verdict being determined by the number of vouching confirmations.
In this embodiment, after verifying the confirmations against the public keys, the security server determines the credibility of Ub from the number of confirmations Ub uploaded, and sends the credibility verdict to Ub.
In this method for constructing an account-terminal vouching derivation relationship in a zero-trust environment, a vouching request is sent to a fixed number of randomly chosen vouching account terminals in response to an authentication request; the confirmations they return, each produced by a vouching account terminal confirming the request, are received and uploaded to the security server; and the security server's credibility verdict on the account terminal to be vouched for, determined by the number of confirmations, is received. A social form of credibility authentication is thus established among account terminals, addressing the poor generality and poor objectivity of existing authentication methods.
Second embodiment. Fig. 2 is a flowchart of the steps of a second embodiment of the method for constructing an account-terminal vouching derivation relationship in a zero-trust environment; the method is applied to a vouching account terminal and specifically comprises:
Step S201: the vouching account terminal receives a vouching request, which the account terminal to be vouched for sent, in response to an authentication request, according to a cascade identifier formed by concatenating the identifiers of the account terminal to be vouched for and the vouching account terminal.
In a specific implementation the vouching account terminals are a fixed number of random account terminals, so in most cases there is more than one of them.
In this embodiment, the account terminal to be vouched for sends the vouching request to the vouching account terminal as directed by the security server's authentication request. The request is formed as follows: the account terminal to be vouched for concatenates its identifier with that of the vouching account terminal, establishing a mapping between the two, and then sends the vouching request to the vouching account terminal.
Step S202: the vouching account terminal decides whether a vouching confirmation should be sent to the account terminal to be vouched for.
Step S203: if not, the vouching request is simply ignored.
Step S204: if so, a vouching confirmation is sent to the account terminal to be vouched for; the account terminal to be vouched for uploads the confirmations to a security server, and the security server determines the credibility of the account terminal to be vouched for from the number of confirmations.
In this embodiment, on receiving the vouching request, a vouching account terminal that has such a mapping with the account terminal to be vouched for evaluates the actual circumstances of that account objectively, and decides on that basis whether to send a vouching confirmation.
For example: if the vouching account terminal has had dealings with the account terminal to be vouched for, say the users of the two terminals are close friends in real life, it may send a vouching confirmation; if it has had no dealings with the account terminal to be vouched for and that terminal shows no trace of actual use, it may simply ignore the vouching request.
In an optional embodiment, each vouching account terminal holds a corresponding public key and private key, and sending the vouching confirmation to the account terminal to be vouched for comprises:
the vouching account terminal produces the confirmation by signing the vouching request with its private key under an asymmetric algorithm;
the vouching account terminal sends the confirmation to the account terminal to be vouched for and discloses the corresponding public key; the account terminal to be vouched for uploads the confirmation to the security server, and the public key allows the security server to verify the signature on the confirmation.
In this embodiment, if the vouching account terminal decides to send a confirmation, it signs the vouching request with its private key under an asymmetric algorithm and sends the confirmation to the account terminal to be vouched for; the account terminal to be vouched for uploads all the confirmations to the security server; the security server verifies each confirmation with the public key disclosed by the vouching account; and the security server then determines the credibility of the account terminal to be vouched for from the number of confirmations.
In the method for establishing the account terminal guarantee derivative relationship in the zero-based trust environment, the guarantee request is received, the guarantee request is sent to the account terminal to be guaranteed according to the cascade identification, and the cascade identification is formed by the association of the account terminal to be guaranteed and the guarantee account terminal; judging whether the confirmation guarantee information needs to be sent to the account terminal to be guaranteed or not; if not, automatically ignoring the guarantee request; if yes, sending guarantee confirming information to the account terminal to be guaranteed; the account terminal to be guaranteed is used for uploading the confirmed guarantee information to a security server; and the security server is used for determining the credibility of the account terminal to be guaranteed according to the quantity of the confirmed guarantee information. Therefore, a social form credibility authentication method is established among account terminals, and the problems of poor universality and poor objectivity existing in the conventional authentication mode are solved.
In a third embodiment, referring to fig. 3, which is a flowchart of the third step of a method for establishing an account terminal guarantee derivative relationship in a zero trust environment according to the third embodiment of the present invention, the method is applied to a security server and specifically comprises:
Step S301, the security server defines an account terminal with an abnormal state as an account terminal to be guaranteed;
In the embodiment of the present invention, the account terminal with an abnormal state may be one whose current network state is abnormal, or one whose device login location is abnormal; this is not limited here.
Step S302, the security server sends an authentication request to the account terminal to be guaranteed;
In the embodiment of the invention, an authentication request is sent to the account terminal defined as the account terminal to be guaranteed; the authentication request is used to judge, through authentication between account terminals, whether the current account terminal is abnormal.
Step S303, the security server receives the confirmation guarantee information uploaded by the account terminal to be guaranteed, where the confirmation guarantee information is obtained by a guarantee account terminal signing a guarantee request with its private key, the guarantee request is sent to the guarantee account terminal by the account terminal to be guaranteed according to a cascade identifier, and the cascade identifier is formed by associating the account terminal to be guaranteed with the guarantee account terminal; each guarantee account terminal has a corresponding public key and private key;
Step S304, the security server verifies the signature on the confirmation guarantee information using the public key, and determines the credibility of the account terminal to be guaranteed according to the total amount of confirmation guarantee information, where the credibility is the degree of acceptance of the account terminal to be guaranteed by the guarantee account terminals; the public key is the one disclosed by the guarantee account when signing;
Step S305, the security server determines whether the account terminal to be guaranteed is trustworthy according to its credibility.
In an optional embodiment, the security server determining whether the account terminal to be guaranteed is trustworthy according to its credibility comprises:
the security server judging whether the credibility of the account terminal to be guaranteed is greater than a preset credibility threshold;
if so, the security server judges that the account terminal to be guaranteed is a trusted account terminal;
if not, it judges that the account terminal to be guaranteed is an untrusted account terminal.
In the method for establishing an account terminal guarantee derivative relationship in a zero trust environment described above, the security server defines an account terminal with an abnormal state as an account terminal to be guaranteed; sends an authentication request to the account terminal to be guaranteed; receives the confirmation guarantee information uploaded by the account terminal to be guaranteed, where the confirmation guarantee information is obtained by a guarantee account terminal signing a guarantee request, the guarantee request is sent to the guarantee account terminal by the account terminal to be guaranteed according to a cascade identifier, and the cascade identifier is formed by associating the account terminal to be guaranteed with the guarantee account terminal; verifies the signature on the confirmation guarantee information using the public key and determines the credibility of the account terminal to be guaranteed according to the total amount of confirmation guarantee information, where the credibility is the degree of acceptance of the account terminal to be guaranteed by the guarantee account terminals and the public key is the one disclosed by the guarantee account when signing; and determines whether the account terminal to be guaranteed is trustworthy according to its credibility. In this way, a credibility authentication method in social form is established among account terminals, and the poor universality and poor objectivity of conventional authentication methods are overcome.
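The exchange in steps S201 to S204 (guarantee account terminal side) and S303 to S305 (security server side), as an added example in Go that is not part of the patent and not code from the applicant. It uses Ed25519 from the Go standard library as the asymmetric signature algorithm; the byte layout of the signed message, the "subject->voucher" format of the cascade identifier, the challenge nonce carried in the guarantee request, the rule that a confirmation is rejected when it answers a different challenge or names a different subject, and the rule that each vouching key is counted only once are all assumptions of this example, added because without them a confirmation could be replayed or counted twice. Credibility is modelled as the count of valid confirmations, compared against a preset threshold as in step S305.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"strings"
)

// VouchRequest is the page's "guarantee request": Cascade is the cascade identifier
// tying subject and voucher together, Challenge the security server's authentication
// request nonce. Both encodings are assumptions of this example, not the patent's.
type VouchRequest struct {
	Cascade   string
	Challenge []byte
}

// CascadeID forms the cascade identifier; the page fixes no format (assumed here).
func CascadeID(subject, voucher string) string { return subject + "->" + voucher }
func (r VouchRequest) bytes() []byte     { return append([]byte(r.Cascade+"|"), r.Challenge...) }

// Confirmation is the "confirmation guarantee information": the request signed
// with the voucher's private key, plus the public key the voucher discloses.
type Confirmation struct {
	Request VouchRequest
	Pub     ed25519.PublicKey
	Sig     []byte
}

// Voucher models a guarantee account terminal. Related plays the claims' "first
// account terminal" (shares history with the subject); an unrelated "second
// account terminal" ignores the request, as in step S203.
type Voucher struct {
	ID      string
	Related bool
	priv    ed25519.PrivateKey
	Pub     ed25519.PublicKey
}

func NewVoucher(id string, related bool) *Voucher {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Voucher{ID: id, Related: related, priv: priv, Pub: pub}
}

// Handle is steps S202 to S204: decide, then either ignore (nil) or sign.
func (v *Voucher) Handle(req VouchRequest) *Confirmation {
	if !v.Related {
		return nil
	}
	return &Confirmation{Request: req, Pub: v.Pub, Sig: ed25519.Sign(v.priv, req.bytes())}
}

// CountValid is the security server's part of steps S303 and S304: a confirmation
// counts only if it answers this challenge, names this subject in its cascade
// identifier and verifies under the disclosed key; each voucher key counts once.
func CountValid(subject string, challenge []byte, confs []*Confirmation) int {
	seen := make(map[string]bool)
	credibility := 0
	for _, c := range confs {
		if c == nil || !bytes.Equal(c.Request.Challenge, challenge) ||
			!strings.HasPrefix(c.Request.Cascade, subject+"->") {
			continue // ignored request, replay of an older challenge, or wrong subject
		}
		if len(c.Pub) != ed25519.PublicKeySize || !ed25519.Verify(c.Pub, c.Request.bytes(), c.Sig) {
			continue // malformed key or forged/tampered signature
		}
		k := hex.EncodeToString(c.Pub)
		if seen[k] {
			continue // the same voucher is not counted twice
		}
		seen[k] = true
		credibility++
	}
	return credibility
}

// Trusted is step S305: credibility above the preset threshold means trusted.
func Trusted(credibility, threshold int) bool { return credibility > threshold }

// RunScenario plays the exchange end to end and returns the credibility the server
// computes. Constructed input: three related and two unrelated vouchers, plus a
// replayed and a duplicated confirmation that must not be counted.
func RunScenario(subject string, challenge []byte) int {
	vouchers := []*Voucher{
		NewVoucher("v1", true), NewVoucher("v2", true), NewVoucher("v3", true),
		NewVoucher("v4", false), NewVoucher("v5", false),
	}
	var confs []*Confirmation
	for _, v := range vouchers { // requests go out to the vouchers in cascade order
		confs = append(confs, v.Handle(VouchRequest{Cascade: CascadeID(subject, v.ID), Challenge: challenge}))
	}
	stale := vouchers[0].Handle(VouchRequest{Cascade: CascadeID(subject, "v1"), Challenge: []byte("old-nonce")})
	confs = append(confs, stale, confs[1])
	return CountValid(subject, challenge, confs)
}
```

With this input, RunScenario returns 3: the two unrelated vouchers ignore the request, the replayed confirmation fails the challenge check, and v2's duplicated confirmation is counted once. One point the page leaves to deployment: because the public key is only disclosed when the voucher signs, verification proves that whoever holds that key signed this request, not that the key belongs to the account terminal named in the cascade identifier; binding disclosed keys to registered guarantee accounts is a separate step the security server would need.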
Referring to fig. 4, a block diagram of a first embodiment of a system for constructing an account terminal guarantee derivative relationship in a zero trust environment is shown; the system comprises the following modules:
a request response module 101, configured to send a guarantee request to guarantee account terminals in response to the authentication request, where the guarantee account terminals are a fixed number of randomly selected account terminals;
a guarantee information receiving module 102, configured to receive the confirmation guarantee information returned by the guarantee account terminal and upload it to the security server, where the confirmation guarantee information is obtained by the guarantee account terminal confirming the guarantee request;
a first credibility determination module 103, configured to receive, at the account terminal to be guaranteed, the trustworthiness determination result for the account terminal to be guaranteed sent by the security server, where the result is determined by the quantity of confirmation guarantee information.
In an optional embodiment, the request response module 101 comprises:
a cascade identifier forming sub-module, configured to, in response to the authentication request sent by the security server or by a random terminal, associate the account terminal to be guaranteed with the guarantee account terminal in a cascade manner to form a cascade identifier;
a sending sub-module, configured to send the guarantee request to the guarantee account terminals in sequence based on the cascade identifier.
In an alternative embodiment, the guarantee information receiving module 102 comprises:
a signature-check sub-module, configured to receive the confirmation guarantee information in sequence, where the confirmation guarantee information is obtained by the guarantee account terminal signing the guarantee request with its private key under an asymmetric cryptographic algorithm;
an uploading sub-module, configured to upload the confirmation guarantee information to the security server, where the security server verifies the signature on the confirmation guarantee information with the public key of each guarantee account, the public key being disclosed by the guarantee account when signing.
Referring to fig. 5, a block diagram of a second embodiment of a system for constructing an account terminal guarantee derivative relationship in a zero trust environment is shown; the system comprises the following modules:
a guarantee request receiving module 201, configured to receive a guarantee request, where the guarantee request is sent to the guarantee account terminal by the account terminal to be guaranteed, in response to an authentication request, according to a cascade identifier, and the cascade identifier is formed by associating the account terminal to be guaranteed with the guarantee account terminal;
a judging module 202, configured to judge whether confirmation guarantee information needs to be sent to the account terminal to be guaranteed;
if not, the guarantee request is automatically ignored;
if yes, confirmation guarantee information is sent to the account terminal to be guaranteed; the account terminal to be guaranteed uploads the confirmation guarantee information to a security server, and the security server determines the credibility of the account terminal to be guaranteed according to the quantity of confirmation guarantee information.
In an alternative embodiment, the judging module 202 comprises:
a signature sub-module, configured to sign the guarantee request with the private key under an asymmetric cryptographic algorithm to obtain the confirmation guarantee information;
a sending sub-module, configured to send the confirmation guarantee information to the account terminal to be guaranteed and to disclose the corresponding public key; the account terminal to be guaranteed uploads the confirmation guarantee information to the security server, and the public key allows the security server to verify the signature on the confirmation guarantee information.
Referring to fig. 6, a block diagram of a third embodiment of a system for constructing an account terminal guarantee derivative relationship in a zero trust environment is shown; the system comprises the following modules:
a defining module 301, configured to define an account terminal with an abnormal state as an account terminal to be guaranteed;
an authentication request sending module 302, configured to send an authentication request to the account terminal to be guaranteed;
a guarantee information module 303, configured to receive the confirmation guarantee information uploaded by the account terminal to be guaranteed, where the confirmation guarantee information is obtained by a guarantee account terminal signing a guarantee request with its private key, the guarantee request is sent to the guarantee account terminal by the account terminal to be guaranteed according to a cascade identifier, and the cascade identifier is formed by associating the account terminal to be guaranteed with the guarantee account terminal; each guarantee account terminal has a corresponding public key and private key;
a credibility determining module 304, configured to verify the signature on the confirmation guarantee information using the public key and to determine the credibility of the account terminal to be guaranteed according to the total amount of confirmation guarantee information, where the credibility is the degree of acceptance of the account terminal to be guaranteed by the guarantee account terminals; the public key is the one disclosed by the guarantee account when signing;
a second credibility determining module 305, configured to determine whether the account terminal to be guaranteed is trustworthy according to its credibility.
In an optional embodiment, the second credibility determining module 305 comprises:
a comparison sub-module, configured to judge whether the credibility of the account terminal to be guaranteed is greater than a preset credibility threshold;
if so, the security server judges that the account terminal to be guaranteed is a trusted account terminal;
if not, it judges that the account terminal to be guaranteed is an untrusted account terminal.
For the system embodiment, since it is substantially similar to the method embodiment, the description is simple, and reference may be made to the partial description of the method embodiment for relevant points.
It can be clearly understood by those skilled in the art that, for convenience and simplicity of description, the specific working processes of the system and the module described above may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again.
In the embodiments provided in the present invention, it should be understood that the disclosed system and method can be implemented in other ways. For example, the above-described system embodiments are merely illustrative, and for example, the division of the units is only one logical functional division, and other divisions may be realized in practice, for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, systems or units, and may be in an electrical, mechanical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware, and can also be realized in a form of a software functional unit.
The integrated unit, if implemented in the form of a software functional unit and sold or used as a stand-alone product, may be stored in a computer-readable storage medium. On this understanding, the technical solution of the present invention may be embodied in the form of a software product stored in a storage medium, which includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present invention. The aforementioned storage medium includes a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk or an optical disk, and other media capable of storing program code.
The above-mentioned embodiments are only used for illustrating the technical solutions of the present invention, and not for limiting the same; although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions of the embodiments of the present invention.

Claims (10)

1. A method for constructing an account terminal guarantee derivative relationship in a zero trust environment, applied to an account terminal to be guaranteed, the method comprising:
the account terminal to be guaranteed, in response to an authentication request, sending a guarantee request to guarantee account terminals, where the guarantee account terminals are a fixed number of randomly selected account terminals; the randomly selected account terminals comprise a first account terminal and a second account terminal having the same historical data as the account terminal to be guaranteed;
the account terminal to be guaranteed receiving the confirmation guarantee information returned by the guarantee account terminal and uploading it to a security server, where the confirmation guarantee information is obtained by the guarantee account terminal confirming the guarantee request;
the account terminal to be guaranteed receiving the trustworthiness determination result for the account terminal to be guaranteed sent by the security server, where the result is determined by the quantity of confirmation guarantee information.
2. The method for constructing an account terminal guarantee derivative relationship in a zero trust environment according to claim 1, wherein the account terminal to be guaranteed sending a guarantee request to the guarantee account terminals in response to the authentication request comprises:
the account terminal to be guaranteed, in response to the authentication request sent by the security server or by a random terminal, associating itself with the guarantee account terminal in a cascade manner to form a cascade identifier;
the account terminal to be guaranteed sending the guarantee request to the guarantee account terminals in sequence based on the cascade identifier.
3. The method for constructing an account terminal guarantee derivative relationship in a zero trust environment according to claim 2, wherein each guarantee account terminal has a corresponding public key and private key, and the account terminal to be guaranteed receiving the confirmation guarantee information returned by the guarantee account terminal and uploading it to the security server comprises:
the account terminal to be guaranteed receiving the confirmation guarantee information in sequence, where the confirmation guarantee information is obtained by the guarantee account terminal signing the guarantee request with its private key under an asymmetric cryptographic algorithm;
the account terminal to be guaranteed uploading the confirmation guarantee information to the security server, where the security server verifies the signature on the confirmation guarantee information with the public key of each guarantee account, the public key being disclosed by the guarantee account when signing.
4. A method for constructing an account terminal guarantee derivative relationship in a zero trust environment, applied to a guarantee account terminal, the method comprising:
the guarantee account terminal receiving a guarantee request, where the guarantee request is sent to the guarantee account terminal by an account terminal to be guaranteed, in response to an authentication request, according to a cascade identifier, and the cascade identifier is formed by associating the account terminal to be guaranteed with the guarantee account terminal; the guarantee account terminals comprise a first account terminal and a second account terminal, the first account terminal having the same historical data as the account terminal to be guaranteed, and the second account terminal being unrelated to the account terminal to be guaranteed;
the guarantee account terminal judging whether to send confirmation guarantee information to the account terminal to be guaranteed;
if not, automatically ignoring the guarantee request;
if yes, sending confirmation guarantee information to the account terminal to be guaranteed; the account terminal to be guaranteed uploads the confirmation guarantee information to a security server, and the security server determines the credibility of the account terminal to be guaranteed according to the quantity of confirmation guarantee information.
5. The method for constructing an account terminal guarantee derivative relationship in a zero trust environment according to claim 4, wherein each guarantee account terminal has a corresponding public key and private key, and sending confirmation guarantee information to the account terminal to be guaranteed comprises:
the guarantee account terminal signing the guarantee request with its private key under an asymmetric cryptographic algorithm to obtain the confirmation guarantee information;
the guarantee account terminal sending the confirmation guarantee information to the account terminal to be guaranteed and disclosing the corresponding public key; the account terminal to be guaranteed uploads the confirmation guarantee information to the security server, and the public key allows the security server to verify the signature on the confirmation guarantee information.
6. A method for constructing an account terminal guarantee derivative relationship in a zero trust environment, applied to a security server, the method comprising:
the security server defining an account terminal with an abnormal state as an account terminal to be guaranteed;
the security server sending an authentication request to the account terminal to be guaranteed;
the security server receiving confirmation guarantee information uploaded by the account terminal to be guaranteed, where the confirmation guarantee information is obtained by a guarantee account terminal signing a guarantee request with its private key, the guarantee request is sent to the guarantee account terminal by the account terminal to be guaranteed according to a cascade identifier, and the cascade identifier is formed by associating the account terminal to be guaranteed with the guarantee account terminal; each guarantee account terminal has a corresponding public key and private key; the guarantee account terminals comprise a first account terminal having the same historical data as the account terminal to be guaranteed;
the security server verifying the signature on the confirmation guarantee information using the public key and determining the credibility of the account terminal to be guaranteed according to the total amount of confirmation guarantee information, where the credibility is the degree of acceptance of the account terminal to be guaranteed by the guarantee account terminals, and the public key is the one disclosed by the guarantee account when signing;
the security server determining whether the account terminal to be guaranteed is trustworthy according to its credibility.
7. The method for constructing an account terminal guarantee derivative relationship in a zero trust environment according to claim 6, wherein the security server determining whether the account terminal to be guaranteed is trustworthy according to its credibility comprises:
the security server judging whether the credibility of the account terminal to be guaranteed is greater than a preset credibility threshold;
if so, the security server judging that the account terminal to be guaranteed is a trusted account terminal;
if not, judging that the account terminal to be guaranteed is an untrusted account terminal.
8. A system for constructing an account terminal guarantee derivative relationship in a zero trust environment, applied to an account terminal to be guaranteed, the system comprising:
a request response module, configured to send a guarantee request to guarantee account terminals in response to an authentication request, where the guarantee account terminals are a fixed number of randomly selected account terminals; the randomly selected account terminals comprise a first account terminal and a second account terminal, the first account terminal having the same historical data as the account terminal to be guaranteed, and the second account terminal being unrelated to the account terminal to be guaranteed;
a guarantee information receiving module, configured to receive the confirmation guarantee information returned by the guarantee account terminal and upload it to a security server, where the confirmation guarantee information is obtained by the guarantee account terminal confirming the guarantee request;
a first credibility determining module, configured to receive, at the account terminal to be guaranteed, the trustworthiness determination result for the account terminal to be guaranteed sent by the security server, where the result is determined by the quantity of confirmation guarantee information.
9. A system for constructing an account terminal guarantee derivative relationship in a zero trust environment, applied to a guarantee account terminal, the system comprising:
a guarantee request receiving module, configured to receive, at the guarantee account terminal, a guarantee request, where the guarantee request is sent to the guarantee account terminal by an account terminal to be guaranteed, in response to an authentication request, according to a cascade identifier, and the cascade identifier is formed by associating the account terminal to be guaranteed with the guarantee account terminal; the guarantee account terminals comprise a first account terminal and a second account terminal, the first account terminal having the same historical data as the account terminal to be guaranteed, and the second account terminal being unrelated to the account terminal to be guaranteed;
a judging module, configured to judge whether confirmation guarantee information needs to be sent to the account terminal to be guaranteed;
if not, the guarantee request is automatically ignored;
if yes, confirmation guarantee information is sent to the account terminal to be guaranteed; the account terminal to be guaranteed uploads the confirmation guarantee information to a security server, and the security server determines the credibility of the account terminal to be guaranteed according to the quantity of confirmation guarantee information.
10. A system for constructing an account terminal guarantee derivative relationship in a zero trust environment, applied to a security server, the system comprising:
a defining module, configured to define an account terminal with an abnormal state as an account terminal to be guaranteed;
an authentication request sending module, configured to send an authentication request to the account terminal to be guaranteed;
a guarantee information module, configured to receive the confirmation guarantee information uploaded by the account terminal to be guaranteed, where the confirmation guarantee information is obtained by a guarantee account terminal signing a guarantee request with its private key, the guarantee request is sent to the guarantee account terminal by the account terminal to be guaranteed according to a cascade identifier, and the cascade identifier is formed by associating the account terminal to be guaranteed with the guarantee account terminal; each guarantee account terminal has a corresponding public key and private key; the guarantee account terminals comprise a first account terminal having the same historical data as the account terminal to be guaranteed;
a credibility determining module, configured to verify the signature on the confirmation guarantee information using the public key and to determine the credibility of the account terminal to be guaranteed according to the total amount of confirmation guarantee information, where the credibility is the degree of acceptance of the account terminal to be guaranteed by the guarantee account terminals; the public key is the one disclosed by the guarantee account when signing;
a second credibility determining module, configured to determine whether the account terminal to be guaranteed is trustworthy according to its credibility.
CN202011279440.7A 2020-11-16 2020-11-16 Method and system for establishing account terminal guarantee derivative relationship in zero trust environment Active CN112291262B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011279440.7A CN112291262B (en) 2020-11-16 2020-11-16 Method and system for establishing account terminal guarantee derivative relationship in zero trust environment


Publications (2)

Publication Number Publication Date
CN112291262A CN112291262A (en) 2021-01-29
CN112291262B true CN112291262B (en) 2022-10-14

Family

ID=74398099

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202011279440.7A Active CN112291262B (en) 2020-11-16 2020-11-16 Method and system for establishing account terminal guarantee derivative relationship in zero trust environment

Country Status (1)

Country Link
CN (1) CN112291262B (en)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104966229A (en) * 2014-12-30 2015-10-07 腾讯科技(深圳)有限公司 Information processing method and credit platform
CN106778109A (en) * 2016-11-24 2017-05-31 江苏通付盾科技有限公司 A kind of certification authority evaluation method and device based on intelligent contract

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10367797B2 (en) * 2013-10-28 2019-07-30 The Trustees Of Columbia University In The City Of New York Methods, systems, and media for authenticating users using multiple services
CN110706059B (en) * 2019-09-06 2023-01-24 创新先进技术有限公司 Method, equipment and system for realizing online pre-sale based on credit guarantee

Also Published As

Publication number Publication date
CN112291262A (en) 2021-01-29

Similar Documents

Publication Publication Date Title
CN111163182B (en) Block chain-based device registration method and apparatus, electronic device, and storage medium
CN108805571B (en) Data protection method, platform, block chain node, system and storage medium
CN113055176B (en) Terminal authentication method and system, terminal device, P2P verification platform and medium
EP3598333B1 (en) Electronic device update management
CN111461720B (en) Identity verification method and device based on blockchain, storage medium and electronic equipment
CN112468465B (en) Guarantee derivation-based terminal account identity authentication method and system in zero trust environment
CN111614548A (en) Message pushing method and device, computer equipment and storage medium
CN112261003A (en) Safety authentication method and system for industrial internet edge computing node
CN112651044B (en) Business transaction method, system and storage medium based on block chain technology
US20200195682A1 (en) System and method for protection of computer networks against man-in-the-middle attacks
WO2022057106A1 (en) Credibility verification system for digital asset data packet
CN111245799B (en) Information monitoring method and device and readable storage medium
CN112291262B (en) Method and system for establishing account terminal guarantee derivative relationship in zero trust environment
CN112235290A (en) Block chain-based Internet of things equipment management method and first Internet of things equipment
CN110839037A (en) Attack scene mining method and system for SDN network
CN110855693A (en) Network authentication method and system based on CNN
CN114401091B (en) Device cross-domain authentication management method and device based on block chain
CN116112216A (en) Cloud data verification method and device, electronic equipment and nonvolatile storage medium
CN112465516B (en) Block chain network-based device management method, related device and storage medium
CN112637855B (en) Machine-card binding method based on block chain and server
CN105357185B (en) Shared account login verification method, device and system
CN114567678A (en) Resource calling method and device of cloud security service and electronic equipment
CN109948326B (en) Abnormal state backtracking method and terminal
CN114679284A (en) Trusted remote attestation system, storage method, verification method and storage medium thereof
CN113486375B (en) Storage method and device of equipment information, storage medium and electronic device

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant