CN112887292A - User access authentication system based on DCS - Google Patents

User access authentication system based on DCS

Info

Publication number: CN112887292A
Application number: CN202110079095.0A
Authority: CN (China)
Original language: Chinese (zh)
Inventor: 赵希青
Assignee (original and current): Individual
Priority date / filing date: 2021-01-21
Publication date: 2021-06-01
Legal status (as listed by Google Patents; not a legal conclusion): Pending at publication

Classifications

    • H04L 63/00: Network architectures or network communication protocols for network security
    • H04L 63/08: Network architectures or network communication protocols for network security, for authentication of entities
    • H04L 9/32: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L 9/3247: the above, involving digital signatures
    • H04L 9/3252: the above, involving digital signatures using DSA or related signature schemes, e.g. elliptic-curve based signatures, ElGamal or Schnorr schemes

Abstract

The invention relates to the technical field of user access authentication and discloses a DCS-based user access authentication system, comprising: a cloud computing server CCSuaas running the user access authentication system server-side software, and a master station server MSuaas or a computer terminal CPTuaas running the user access authentication system client-side software; the master station server MSuaas or the computer terminal CPTuaas communicates with the user access authentication system server on the cloud computing server CCSuaas through the user access authentication system client; when a user on the computer terminal CPTuaas requests access to the DCS, or the master station server MSuaas requests access to the DCS, the user access authentication system authenticates the identity of the master station server MSuaas or the computer terminal CPTuaas. The invention addresses the problem of how to improve the security of access users and of the master station server when they access the DCS.

Description

User access authentication system based on DCS
Technical Field
The invention relates to the technical field of user access authentication, in particular to a user access authentication system based on DCS.
Background
With the development of computer and network technologies, and especially the deep integration of informatization and industrialization, industrial control system products increasingly adopt general-purpose protocols, hardware and software and connect to public networks such as the Internet in various ways; threats such as viruses and trojans are spreading to industrial control systems, and the information security of industrial control systems has become an increasingly prominent problem. Distributed Control Systems (DCS), a typical kind of industrial process control system, have evolved from isolated distributed systems towards networked ones, bringing different kinds of Information and Communication Technology (ICT), including Internet and wireless technologies, into the network design. The introduction of these technologies poses new security challenges for the underlying industries, including electric power, water conservancy, transportation and large-scale manufacturing. Because of changes in demand and traffic patterns, absolute physical isolation is in theory no longer feasible. Given the network structure and security requirements of a distributed control system, how to improve its security at every stage and every level, and to guarantee the safe and stable operation of control systems in the energy and infrastructure industries, has become a focus.
User access authentication is the first gate of the whole DCS information security system and performs the gatekeeping function for the whole security system. A DCS is required to perform security authentication on all access objects, including devices such as the master station, slave stations and PLCs, as well as login users. However, the strength of the authentication a DCS applies to users logging in to a server is generally low: the DCS relies only on a user name and password to authenticate a login user, which are very easily stolen by an intruder, and it cannot authenticate the identity of the master station to the user.
Disclosure of Invention
(I) Technical problem to be solved
In view of the shortcomings of the prior art, the invention provides a DCS-based user access authentication system, which aims to solve the problem of how to improve the security of users and of a master station server accessing the DCS.
(II) Technical scheme
To achieve this purpose, the invention provides the following technical scheme:
a DCS-based user access authentication system comprising: a cloud computing server CCSuaas running the user access authentication system server-side software, and a master station server MSuaas or a computer terminal CPTuaas running the user access authentication system client-side software;
the master station server MSuaas or the computer terminal CPTuaas communicates with the user access authentication system server on the cloud computing server CCSuaas through the user access authentication system client;
the user access authentication system authenticates the identity of the master station server MSuaas or the computer terminal CPTuaas, and the authentication method comprises the following steps:
first, the user access authentication system carries out the following initialization:
over the prime field $F_p$, select an elliptic curve $E(F_p)$ and a base point $P$ on $E(F_p)$ of order $n$; the secure hash function $H$ is the SM3 algorithm, and the signature value $s$ is produced with the SM2 algorithm;
① the master station server MSuaas or the computer terminal CPTuaas selects a private key $d$, computes $R = dP$ as its public key, and publishes the public key $R$ and its identity $ID$ to the system;
② the master station server MSuaas or the computer terminal CPTuaas selects a random number $r \in [1, n-1]$, computes $h = H(R + ID) \bmod n$ and $s = (1+d)^{-1}(r-d) \bmod n$, and sends the computed $h$, the signature value $s$ and its own $ID$ to the system;
③ after receiving $h$, $s$ and $ID$ from the master station server MSuaas or the computer terminal CPTuaas, the system computes $T = sR\,\big((1+d)(r-d)^{-1}\big) \bmod n$;
④ the system checks whether $H(T + ID) \bmod n$ equals $h$; if so, the identity of the master station server MSuaas or the computer terminal CPTuaas is determined to be legitimate, and authentication is complete.
Further, the user access authentication system authenticates the identity of the user on the computer terminal CPTuaas, and the authentication method is as follows:
first, the user access authentication system carries out the following initialization:
over the prime field $F_p$, select an elliptic curve $E(F_p)$ and a base point $P$ on $E(F_p)$ of order $n$; the secure hash function $H$ is the SM3 algorithm, and the signature value $s$ is produced with the SM2 algorithm;
① the user on the computer terminal CPTuaas selects a private key $d_{cpt}$, computes $R_{cpt} = d_{cpt}P$ as the public key, and publishes the public key $R_{cpt}$ and the identity $ID_{cpt}$ to the system;
② the user on the computer terminal CPTuaas selects a random number $r_{cpt} \in [1, n-1]$, computes $h_{cpt} = H(R_{cpt} + ID_{cpt}) \bmod n$ and $s_{cpt} = (1+d_{cpt})^{-1}(r_{cpt}-d_{cpt}) \bmod n$, and sends the computed $h_{cpt}$, the signature value $s_{cpt}$ and its own $ID_{cpt}$ to the system;
③ after receiving $h_{cpt}$, $s_{cpt}$ and $ID_{cpt}$ from the user on the computer terminal CPTuaas, the system computes $T_{cpt} = s_{cpt}R_{cpt}\,\big((1+d_{cpt})(r_{cpt}-d_{cpt})^{-1}\big) \bmod n$;
④ the system checks whether $H(T_{cpt} + ID_{cpt}) \bmod n$ equals $h_{cpt}$; if so, the identity of the user on the computer terminal CPTuaas is determined to be legitimate, and authentication is complete.
Further, the user access authentication system authenticates the identity of the master station server MSuaas, and the authentication method comprises the following steps:
first, the user access authentication system carries out the following initialization:
over the prime field $F_p$, select an elliptic curve $E(F_p)$ and a base point $P$ on $E(F_p)$ of order $n$; the secure hash function $H$ is the SM3 algorithm, and the signature value $s$ is produced with the SM2 algorithm;
① the master station server MSuaas selects a private key $d_{ms}$, computes $R_{ms} = d_{ms}P$ as the public key, and publishes the public key $R_{ms}$ and the identity $ID_{ms}$ to the system;
② the master station server MSuaas selects a random number $r_{ms} \in [1, n-1]$ and performs the following calculations:
$h_{ms} = H(R_{ms} + ID_{ms}) \bmod n$;
$s_{ms} = (1+d_{ms})^{-1}(r_{ms}-d_{ms}) \bmod n$;
and sends the computed $h_{ms}$, the signature value $s_{ms}$ and its own $ID_{ms}$ to the system;
③ after receiving $h_{ms}$, $s_{ms}$ and $ID_{ms}$ from the master station server MSuaas, the system computes $T_{ms} = s_{ms}R_{ms}\,\big((1+d_{ms})(r_{ms}-d_{ms})^{-1}\big) \bmod n$;
④ the system checks whether $H(T_{ms} + ID_{ms}) \bmod n$ equals $h_{ms}$; if so, the identity of the master station server MSuaas is determined to be legitimate, and authentication is complete;
in the identity authentication stage for the user on the computer terminal CPTuaas, the user access authentication system uses the $h_{cpt}$, $s_{cpt}$ and $ID_{cpt}$ sent by the computer terminal CPTuaas to compute $T_{cpt}$ and, by checking whether the equation $h_{cpt} = H(T_{cpt} + ID_{cpt}) \bmod n$ holds, completes the system's authentication of the user identity on the computer terminal CPTuaas;
in the authentication stage for the master station server MSuaas, the user access authentication system uses the $h_{ms}$, $s_{ms}$ and $ID_{ms}$ sent by the master station server MSuaas to compute $T_{ms}$ and, by checking whether $h_{ms} = H(T_{ms} + ID_{ms}) \bmod n$ holds, completes the system's authentication of the master station server MSuaas.
(III) Advantageous technical effects
Compared with the prior art, the invention has the following beneficial technical effects:
when a user on the computer terminal CPTuaas requests access to data on the master station server MSuaas in the DCS, the user access authentication system running on the cloud computing server CCSuaas authenticates the identity of the user on the computer terminal CPTuaas; the authentication is zero-knowledge, so the identity-impersonation weakness of the single-factor mode that verifies a user only by password is overcome, and access requests for sensitive data from a malicious attacker can be effectively rejected;
when the master station server MSuaas requests access to the DCS, the user access authentication system running on the cloud computing server CCSuaas authenticates the identity of the master station server MSuaas; the authentication is zero-knowledge, so the weakness that an attacker could impersonate the master station server MSuaas to access the DCS and intercept the information transmitted and generated during communication is overcome.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
A DCS-based user access authentication system comprising: a cloud computing server CCSuaas deployed at a remote cloud end, on which the user access authentication system server-side software is installed and running; a master station server MSuaas deployed in the DCS, on which the user access authentication system client-side software is installed and running; and a computer terminal CPTuaas from which a login user requests access to the DCS, on which the user access authentication system client-side software is installed and running;
the master station server MSuaas is communicatively connected with the user access authentication system server on the cloud computing server CCSuaas through the user access authentication system client;
the computer terminal CPTuaas is communicatively connected with the user access authentication system server on the cloud computing server CCSuaas through the user access authentication system client;
the computer terminal CPTuaas is communicatively connected with the master station server MSuaas through network communication equipment;
in order to overcome the defect that a user on the computer terminal CPTuaas can access sensitive data on the master station server MSuaas in the DCS (distributed control system) after only a single-factor check of a user name and password, an identity that is easily impersonated, when the user on the computer terminal CPTuaas requests access to data on the master station server MSuaas in the DCS, the user access authentication system running on the cloud computing server CCSuaas authenticates the identity of the user on the computer terminal CPTuaas; the authentication method comprises the following steps:
first, the user access authentication system carries out the following initialization:
over the prime field $F_p$, select an elliptic curve $E(F_p)$ and a base point $P$ on $E(F_p)$ of order $n$; the secure hash function $H$ is the SM3 algorithm, and the signature value $s$ is produced with the SM2 algorithm;
① the user on the computer terminal CPTuaas selects a private key $d_{cpt}$, computes $R_{cpt} = d_{cpt}P$ as the public key, and publishes the public key $R_{cpt}$ and the identity $ID_{cpt}$ to the system;
② the user on the computer terminal CPTuaas selects a random number $r_{cpt} \in [1, n-1]$, computes $h_{cpt} = H(R_{cpt} + ID_{cpt}) \bmod n$ and $s_{cpt} = (1+d_{cpt})^{-1}(r_{cpt}-d_{cpt}) \bmod n$, and sends the computed $h_{cpt}$, the signature value $s_{cpt}$ and its own $ID_{cpt}$ to the system;
③ after receiving $h_{cpt}$, $s_{cpt}$ and $ID_{cpt}$ from the user on the computer terminal CPTuaas, the system computes $T_{cpt} = s_{cpt}R_{cpt}\,\big((1+d_{cpt})(r_{cpt}-d_{cpt})^{-1}\big) \bmod n$;
④ the system checks whether $H(T_{cpt} + ID_{cpt}) \bmod n$ equals $h_{cpt}$; if so, the identity of the user on the computer terminal CPTuaas is determined to be legitimate, and authentication is complete;
in order to overcome the problem that an attacker could impersonate the master station server MSuaas to access the DCS (distributed control system) and intercept the information transmitted and generated during communication, when the master station server MSuaas requests access to the DCS, the user access authentication system running on the cloud computing server CCSuaas authenticates the identity of the master station server MSuaas; the authentication method comprises the following steps:
first, the user access authentication system carries out the following initialization:
over the prime field $F_p$, select an elliptic curve $E(F_p)$ and a base point $P$ on $E(F_p)$ of order $n$; the secure hash function $H$ is the SM3 algorithm, and the signature value $s$ is produced with the SM2 algorithm;
① the master station server MSuaas selects a private key $d_{ms}$, computes $R_{ms} = d_{ms}P$ as the public key, and publishes the public key $R_{ms}$ and the identity $ID_{ms}$ to the system;
② the master station server MSuaas selects a random number $r_{ms} \in [1, n-1]$ and performs the following calculations:
$h_{ms} = H(R_{ms} + ID_{ms}) \bmod n$;
$s_{ms} = (1+d_{ms})^{-1}(r_{ms}-d_{ms}) \bmod n$;
and sends the computed $h_{ms}$, the signature value $s_{ms}$ and its own $ID_{ms}$ to the system;
③ after receiving $h_{ms}$, $s_{ms}$ and $ID_{ms}$ from the master station server MSuaas, the system computes $T_{ms} = s_{ms}R_{ms}\,\big((1+d_{ms})(r_{ms}-d_{ms})^{-1}\big) \bmod n$;
④ the system checks whether $H(T_{ms} + ID_{ms}) \bmod n$ equals $h_{ms}$; if so, the identity of the master station server MSuaas is determined to be legitimate, and authentication is complete;
in the identity authentication stage for the user on the computer terminal CPTuaas, the user access authentication system uses the $h_{cpt}$, $s_{cpt}$ and $ID_{cpt}$ sent by the computer terminal CPTuaas to compute $T_{cpt}$ and, by checking whether the equation $h_{cpt} = H(T_{cpt} + ID_{cpt}) \bmod n$ holds, completes the system's authentication of the user identity on the computer terminal CPTuaas;
in the authentication stage for the master station server MSuaas, the user access authentication system uses the $h_{ms}$, $s_{ms}$ and $ID_{ms}$ sent by the master station server MSuaas to compute $T_{ms}$ and, by checking whether $h_{ms} = H(T_{ms} + ID_{ms}) \bmod n$ holds, completes the system's authentication of the master station server MSuaas;
during execution of the whole authentication protocol an attacker may well obtain the exchanged values $h_{cpt}$, $h_{ms}$, $s_{cpt}$, $s_{ms}$, $ID_{cpt}$ and $ID_{ms}$; however, since the whole authentication protocol is based on the SM2 algorithm and the values are computed on the elliptic curve $E(F_p)$, it is practically infeasible for an attacker to recover the private key $d_{cpt}$ of the user on the computer terminal CPTuaas or the private key $d_{ms}$ of the master station server MSuaas from this information; in this sense the authentication is zero-knowledge.
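The following is an added example, not code from the patent or its inventor. It runs the authentication steps of section (II) and of the detailed description exactly as written, over the SM2 recommended curve sm2p256v1 (GB/T 32918.5 parameters), so that a practitioner can see what the verifier in steps ③ and ④ actually needs as input; beside it, as a contrast the page itself does not include, it runs a standard SM2 signature and verification (GB/T 32918.2) on the same curve, which is what "the signature value s is realized by SM2" would normally mean. Assumptions: the page's "R + ID" is read as byte concatenation of the encoded point and the identity string; SM3 is used when the local OpenSSL exposes it through hashlib and SHA-256 stands in otherwise; all function names, the identity strings and the message are constructed for the example.

```python
"""Added example, not the patent's code: the page's steps 1-4 run as written on the SM2
recommended curve, beside a standard SM2 signature (GB/T 32918.2) on the same curve.
Assumptions: "R + ID" = enc(R) || ID; SM3 via hashlib if available, else SHA-256."""
import hashlib
import secrets

# sm2p256v1 domain parameters (GB/T 32918.5): y^2 = x^3 + A*x + B over F_P, base point G of order N
P = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFF
A = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFC
B = 0x28E9FA9E9D9F5E344D5A9E4BCF6509A7F39789F515AB8F92DDBCBD414D940E93
N = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFF7203DF6B21C6052B53BBF40939D54123
G = (0x32C4AE2C1F1981195F9904466A39C9948FE30BBFF2660BE1715A4589334C74C7,
     0xBC3736A2F4F6779C59BDCEE36B692153D0A9877CC62A474002DF32E52139F0A0)
INF = None  # point at infinity

def on_curve(pt):
    x, y = pt
    return (y * y - (x * x * x + A * x + B)) % P == 0

def ec_add(p1, p2):
    """Affine group law on E(F_P); returns INF for p1 + (-p1)."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def ec_mul(k, pt):
    """Double-and-add scalar multiplication (not constant-time; demonstration only)."""
    acc = INF
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc

def H(data):
    try:
        return hashlib.new("sm3", data).digest()
    except ValueError:
        return hashlib.sha256(data).digest()  # assumption: same-length stand-in for SM3

def enc(pt):
    return pt[0].to_bytes(32, "big") + pt[1].to_bytes(32, "big")  # x || y

def patent_prover(d, r, ident):
    """Steps 1 and 2 of the page: R = dP; h = H(R || ID) mod n; s = (1+d)^-1 (r - d) mod n."""
    R = ec_mul(d, G)
    h = int.from_bytes(H(enc(R) + ident), "big") % N
    s = pow(1 + d, -1, N) * (r - d) % N
    return R, h, s

def patent_verifier(R, ident, h, s, d, r):
    """Steps 3 and 4 exactly as written: T = sR * ((1+d)(r-d)^-1 mod n), then check
    H(T || ID) mod n == h.  The scalar takes d and r, which only the prover holds,
    and it reduces to 1 mod n, so T is R itself; h never involved r."""
    scalar = s * (1 + d) * pow(r - d, -1, N) % N
    T = ec_mul(scalar, R)
    return scalar, T, int.from_bytes(H(enc(T) + ident), "big") % N == h

def sm2_z(ident, pub):
    """Z_A = H(ENTL_A || ID_A || a || b || xG || yG || xA || yA), as in GB/T 32918.2."""
    entl = (len(ident) * 8).to_bytes(2, "big")
    return H(entl + ident + A.to_bytes(32, "big") + B.to_bytes(32, "big") + enc(G) + enc(pub))

def sm2_sign(d, ident, msg):
    """Standard SM2 signing: e = H(Z_A || M); r = (e + x1) mod n; s = (1+d)^-1 (k - r*d) mod n."""
    e = int.from_bytes(H(sm2_z(ident, ec_mul(d, G)) + msg), "big")
    while True:
        k = secrets.randbelow(N - 1) + 1  # fresh nonce per signature
        r = (e + ec_mul(k, G)[0]) % N
        if r == 0 or r + k == N:
            continue
        s = pow(1 + d, -1, N) * (k - r * d) % N
        if s != 0:
            return r, s

def sm2_verify(pub, ident, msg, sig):
    """Standard SM2 verification from public data only: (e + x(sG + (r+s)*pub)) mod n == r."""
    r, s = sig
    if pub is INF or not on_curve(pub) or not (1 <= r < N and 1 <= s < N):
        return False
    e = int.from_bytes(H(sm2_z(ident, pub) + msg), "big")
    t = (r + s) % N
    if t == 0:
        return False
    pt = ec_add(ec_mul(s, G), ec_mul(t, pub))
    return pt is not INF and (e + pt[0]) % N == r

if __name__ == "__main__":
    d, r, ident = secrets.randbelow(N - 1) + 1, secrets.randbelow(N - 1) + 1, b"CPTuaas-01"
    R, h, s = patent_prover(d, r, ident)
    print("steps 3-4 as written: scalar =", patent_verifier(R, ident, h, s, d, r)[0])
    print("SM2 verify:", sm2_verify(R, ident, b"access request", sm2_sign(d, ident, b"access request")))
```

Running it makes two things visible that the prose does not. In `patent_verifier`, the factor $(1+d)(r-d)^{-1}$ that the system is said to compute in step ③ is a function of the prover's private key $d$ and nonce $r$, which the system does not hold, and since $s = (1+d)^{-1}(r-d)$ the product $s(1+d)(r-d)^{-1}$ is $1 \bmod n$, so $T$ is always $R$; likewise $h = H(R + ID) \bmod n$ depends only on the published values $R$ and $ID$, so step ④ passes for any $s$ and any $r$. In `sm2_verify`, by contrast, the check is computed from the public key, the identity (folded in through $Z_A$) and the message alone, and fails when any of them changes; a deployment of the claimed system would want the server-side check to have that shape, with the signed message carrying a server-chosen challenge so that a captured $(h, s, ID)$ cannot simply be replayed.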
Although embodiments of the present invention have been shown and described, it will be appreciated by those skilled in the art that changes, modifications, substitutions and alterations can be made in these embodiments without departing from the principles and spirit of the invention, the scope of which is defined in the appended claims and their equivalents.

Claims (3)

1. A DCS-based user access authentication system, comprising: a cloud computing server CCSuaas running the user access authentication system server-side software, and a master station server MSuaas or a computer terminal CPTuaas running the user access authentication system client-side software;
the master station server MSuaas or the computer terminal CPTuaas communicates with the user access authentication system server on the cloud computing server CCSuaas through the user access authentication system client;
the user access authentication system authenticates the identity of the master station server MSuaas or the computer terminal CPTuaas, and the authentication method comprises the following steps:
first, the user access authentication system carries out the following initialization:
over the prime field $F_p$, select an elliptic curve $E(F_p)$ and a base point $P$ on $E(F_p)$ of order $n$; the secure hash function $H$ is the SM3 algorithm, and the signature value $s$ is produced with the SM2 algorithm;
① the master station server MSuaas or the computer terminal CPTuaas selects a private key $d$, computes $R = dP$ as its public key, and publishes the public key $R$ and its identity $ID$ to the system;
② the master station server MSuaas or the computer terminal CPTuaas selects a random number $r \in [1, n-1]$, computes $h = H(R + ID) \bmod n$ and $s = (1+d)^{-1}(r-d) \bmod n$, and sends the computed $h$, the signature value $s$ and its own $ID$ to the system;
③ after receiving $h$, $s$ and $ID$ from the master station server MSuaas or the computer terminal CPTuaas, the system computes $T = sR\,\big((1+d)(r-d)^{-1}\big) \bmod n$;
④ the system checks whether $H(T + ID) \bmod n$ equals $h$; if so, the identity of the master station server MSuaas or the computer terminal CPTuaas is determined to be legitimate, and authentication is complete.
2. The DCS-based user access authentication system of claim 1, wherein the user access authentication system authenticates the identity of the user on the computer terminal CPTuaas, and the authentication method is as follows:
first, the user access authentication system carries out the following initialization:
over the prime field $F_p$, select an elliptic curve $E(F_p)$ and a base point $P$ on $E(F_p)$ of order $n$; the secure hash function $H$ is the SM3 algorithm, and the signature value $s$ is produced with the SM2 algorithm;
① the user on the computer terminal CPTuaas selects a private key $d_{cpt}$, computes $R_{cpt} = d_{cpt}P$ as the public key, and publishes the public key $R_{cpt}$ and the identity $ID_{cpt}$ to the system;
② the user on the computer terminal CPTuaas selects a random number $r_{cpt} \in [1, n-1]$, computes $h_{cpt} = H(R_{cpt} + ID_{cpt}) \bmod n$ and $s_{cpt} = (1+d_{cpt})^{-1}(r_{cpt}-d_{cpt}) \bmod n$, and sends the computed $h_{cpt}$, the signature value $s_{cpt}$ and its own $ID_{cpt}$ to the system;
③ after receiving $h_{cpt}$, $s_{cpt}$ and $ID_{cpt}$ from the user on the computer terminal CPTuaas, the system computes $T_{cpt} = s_{cpt}R_{cpt}\,\big((1+d_{cpt})(r_{cpt}-d_{cpt})^{-1}\big) \bmod n$;
④ the system checks whether $H(T_{cpt} + ID_{cpt}) \bmod n$ equals $h_{cpt}$; if so, the identity of the user on the computer terminal CPTuaas is determined to be legitimate, and authentication is complete.
3. The DCS-based user access authentication system of claim 2, wherein the user access authentication system authenticates the identity of the master station server MSuaas as follows:
first, the user access authentication system carries out the following initialization:
over the prime field $F_p$, select an elliptic curve $E(F_p)$ and a base point $P$ on $E(F_p)$ of order $n$; the secure hash function $H$ is the SM3 algorithm, and the signature value $s$ is produced with the SM2 algorithm;
① the master station server MSuaas selects a private key $d_{ms}$, computes $R_{ms} = d_{ms}P$ as the public key, and publishes the public key $R_{ms}$ and the identity $ID_{ms}$ to the system;
② the master station server MSuaas selects a random number $r_{ms} \in [1, n-1]$ and performs the following calculations:
$h_{ms} = H(R_{ms} + ID_{ms}) \bmod n$;
$s_{ms} = (1+d_{ms})^{-1}(r_{ms}-d_{ms}) \bmod n$;
and sends the computed $h_{ms}$, the signature value $s_{ms}$ and its own $ID_{ms}$ to the system;
③ after receiving $h_{ms}$, $s_{ms}$ and $ID_{ms}$ from the master station server MSuaas, the system computes $T_{ms} = s_{ms}R_{ms}\,\big((1+d_{ms})(r_{ms}-d_{ms})^{-1}\big) \bmod n$;
④ the system checks whether $H(T_{ms} + ID_{ms}) \bmod n$ equals $h_{ms}$; if so, the identity of the master station server MSuaas is determined to be legitimate, and authentication is complete;
in the identity authentication stage for the user on the computer terminal CPTuaas, the user access authentication system uses the $h_{cpt}$, $s_{cpt}$ and $ID_{cpt}$ sent by the computer terminal CPTuaas to compute $T_{cpt}$ and, by checking whether the equation $h_{cpt} = H(T_{cpt} + ID_{cpt}) \bmod n$ holds, completes the system's authentication of the user identity on the computer terminal CPTuaas;
in the authentication stage for the master station server MSuaas, the user access authentication system uses the $h_{ms}$, $s_{ms}$ and $ID_{ms}$ sent by the master station server MSuaas to compute $T_{ms}$ and, by checking whether $h_{ms} = H(T_{ms} + ID_{ms}) \bmod n$ holds, completes the system's authentication of the master station server MSuaas.
Priority and family

Application CN202110079095.0A, filed 2021-01-21 (priority date 2021-01-21), published as CN112887292A on 2021-06-01; family ID 76051287; country: CN; status at publication: pending.

Citations (3)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
CN106851635A * | 2016-12-15 | 2017-06-13 | 北京三未信安科技发展有限公司 | Identity-based distributed signature method and system
CN110336664A * | 2019-07-10 | 2019-10-15 | 西安电子科技大学 | Cross-domain authentication method for information service entities based on the SM2 cryptographic algorithm
CN111600713A * | 2020-04-10 | 2020-08-28 | 张谷应 | Security protection system based on cloud computing server

Legal Events

Code | Title
PB01 | Publication (application publication date: 2021-06-01)
SE01 | Entry into force of request for substantive examination
RJ01 | Rejection of invention patent application after publication