CN112887292A - User access authentication system based on DCS - Google Patents
Publication number: CN112887292A (application CN202110079095.0A)
Authority: CN (China)
Prior art keywords: cpt, msuaas, cptuaas, user access, computer terminal
Legal status: Pending
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3247—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
- H04L9/3252—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures using DSA or related signature schemes, e.g. elliptic based signatures, ElGamal or Schnorr schemes
Abstract
The invention relates to the technical field of user access authentication, and discloses a user access authentication system based on DCS, which comprises: a cloud computing server CCSuaas running the server-side software of the user access authentication system, and a master station server MSuaas or a computer terminal CPTuaas running the user-side software of the user access authentication system; the master station server MSuaas or the computer terminal CPTuaas communicates with the user access authentication system server on the cloud computing server CCSuaas through the user access authentication system client; when a user on the computer terminal CPTuaas requests access to the DCS, or the master station server MSuaas requests access to the DCS, the user access authentication system authenticates the identity of the master station server MSuaas or of the computer terminal CPTuaas. The invention addresses the problem of improving the security with which access users and the master station server are admitted into the DCS.
Description
Technical Field
The invention relates to the technical field of user access authentication, in particular to a user access authentication system based on DCS.
Background
With the development of computer and network technologies, especially the deep integration of informatization and industrialization, industrial control system products increasingly adopt general protocols, general hardware and general software to connect with public networks such as the internet in various ways, threats such as viruses and trojans are spreading to industrial control systems, and the problem of information security of the industrial control systems is increasingly prominent. Distributed Control Systems (DCS), a typical industrial process control system, have evolved from stand-alone distributed toward networked, introducing different types of Information and Communication Technology (ICT), including Internet and wireless technologies, into the network design process. The introduction of these new technologies presents new challenges to the safety of the underlying industries, including the electrical, hydraulic, transportation, and large scale manufacturing industries. Theoretically absolute physical isolation is no longer feasible due to changes in demand and traffic patterns. In the face of the network structure and the safety requirements of a decentralized control system, how to improve the safety of the decentralized control system at each stage and each level and ensure the safe and stable operation of the control system in the energy and infrastructure industry becomes a focus.
The user access authentication is the first gate of the whole DCS information security system and bears the entrance guard function of the whole security system. For the DCS system, it is required to perform security authentication on all access objects, including devices such as a master station, a slave station, a PLC, and a login user. However, the authentication strength of the DCS system to the user login server is generally low, and the DCS system only relies on the user name and password to authenticate the identity of the login user, which is very easy to be stolen by an intruder, and cannot realize the authentication of the user to the master station identity.
Disclosure of Invention
(I) Technical problem to be solved
Aiming at the defects of the prior art, the invention provides a user access authentication system based on DCS, which aims to solve the problem of how to improve the security of accessing users and a master station server into the DCS.
(II) Technical scheme
In order to achieve the purpose, the invention provides the following technical scheme:
a DCS-based user access authentication system comprising: the system comprises a cloud computing server CCSuaas running user access authentication system server side software, and a master station server MSuaas or a computer terminal CPTuaas running user access authentication system user side software;
the master station server MSuaas or the computer terminal CPTuaas communicates with a user access authentication system server of the cloud computing server CCSuaas through a user access authentication system client;
the user access authentication system authenticates the identity of the master station server MSuaas or the computer terminal CPTuaas, and the authentication method comprises the following steps:
firstly, the user access authentication system carries out the following initialization operation:
in the prime field $F_p$, an elliptic curve $E(F_p)$ is selected, and a base point $P$ on $E(F_p)$ of order $n$ is selected; the secure hash function denoted by $H$ is the SM3 algorithm, and the signature value denoted by $s$ is produced with the SM2 algorithm;
the master station server MSuaas or the computer terminal CPTuaas selects a private key $d$, calculates $R = dP$ as the public key, and discloses the public key $R$ and the identity $ID$ to the system;
secondly, the master station server MSuaas or the computer terminal CPTuaas selects a random number $r \in [1, n-1]$ and calculates $h = H(R + ID) \bmod n$ and $s = ((1+d)^{-1}(r-d)) \bmod n$, then sends the calculated $h$, the signature value $s$ and its own $ID$ to the system;
thirdly, after the system receives $h$, $s$ and $ID$ sent by the master station server MSuaas or the computer terminal CPTuaas, the system calculates $T = sR\,((1+d)(r-d)^{-1}) \bmod n$;
fourthly, the system judges whether $H(T + ID) \bmod n$ equals $h$; if so, the identity of the master station server MSuaas or the computer terminal CPTuaas is determined to be legal, and the authentication is finished.
Further, the user access authentication system authenticates the identity of the user on the computer terminal CPTuaas, and the authentication method is as follows:
firstly, the user access authentication system carries out the following initialization operation:
in the prime field $F_p$, an elliptic curve $E(F_p)$ is selected, and a base point $P$ on $E(F_p)$ of order $n$ is selected; the secure hash function denoted by $H$ is the SM3 algorithm, and the signature value denoted by $s$ is produced with the SM2 algorithm;
the user on the computer terminal CPTuaas selects a private key $d_{cpt}$, calculates $R_{cpt} = d_{cpt}P$ as the public key, and discloses the public key $R_{cpt}$ and the identity $ID_{cpt}$ to the system;
secondly, the user on the computer terminal CPTuaas selects a random number $r_{cpt} \in [1, n-1]$ and calculates $h_{cpt} = H(R_{cpt} + ID_{cpt}) \bmod n$ and $s_{cpt} = ((1+d_{cpt})^{-1}(r_{cpt}-d_{cpt})) \bmod n$, then sends the calculated $h_{cpt}$, the signature value $s_{cpt}$ and its own $ID_{cpt}$ to the system;
thirdly, after the system receives $h_{cpt}$, $s_{cpt}$ and $ID_{cpt}$ sent by the user on the computer terminal CPTuaas, it calculates $T_{cpt} = s_{cpt}R_{cpt}\,((1+d_{cpt})(r_{cpt}-d_{cpt})^{-1}) \bmod n$;
fourthly, the system judges whether $H(T_{cpt} + ID_{cpt}) \bmod n$ equals $h_{cpt}$; if so, the identity of the user on the computer terminal CPTuaas is determined to be legal, and the authentication is finished.
Further, the user access authentication system authenticates the identity of the master station server MSuaas, and the authentication method comprises the following steps:
firstly, the user access authentication system carries out the following initialization operation:
in the prime field $F_p$, an elliptic curve $E(F_p)$ is selected, and a base point $P$ on $E(F_p)$ of order $n$ is selected; the secure hash function denoted by $H$ is the SM3 algorithm, and the signature value denoted by $s$ is produced with the SM2 algorithm;
the master station server MSuaas selects a private key $d_{ms}$, calculates $R_{ms} = d_{ms}P$ as the public key, and discloses the public key $R_{ms}$ and the identity $ID_{ms}$ to the system;
secondly, the master station server MSuaas selects a random number $r_{ms} \in [1, n-1]$ and performs the following calculations:
$h_{ms} = H(R_{ms} + ID_{ms}) \bmod n$;
$s_{ms} = ((1+d_{ms})^{-1}(r_{ms}-d_{ms})) \bmod n$;
then it sends the calculated $h_{ms}$, the signature value $s_{ms}$ and its own $ID_{ms}$ to the system;
thirdly, after the system receives $h_{ms}$, $s_{ms}$ and $ID_{ms}$ sent by the master station server MSuaas, it performs the calculation $T_{ms} = s_{ms}R_{ms}\,((1+d_{ms})(r_{ms}-d_{ms})^{-1}) \bmod n$;
fourthly, the system judges whether $H(T_{ms} + ID_{ms}) \bmod n$ equals $h_{ms}$; if so, the identity of the master station server MSuaas is determined to be legal, and the authentication is finished;
in the identity authentication stage for the user on the computer terminal CPTuaas, the user access authentication system uses $h_{cpt}$, $s_{cpt}$ and $ID_{cpt}$ sent by the computer terminal CPTuaas to calculate $T_{cpt}$, and by judging whether the equation $h_{cpt} = H(T_{cpt} + ID_{cpt}) \bmod n$ holds, completes the authentication of the identity of the user on the computer terminal CPTuaas;
in the authentication stage for the master station server MSuaas, the user access authentication system uses $h_{ms}$, $s_{ms}$ and $ID_{ms}$ sent by the master station server MSuaas to calculate $T_{ms}$, and by judging whether $h_{ms} = H(T_{ms} + ID_{ms}) \bmod n$ holds, completes the authentication of the master station server MSuaas.
(III) advantageous technical effects
Compared with the prior art, the invention has the following beneficial technical effects:
when a user on a computer terminal CPTuaas requests to access data on a master station server MSuaas in a DCS system, a user access authentication system running on a cloud computing server CCSuaas authenticates the identity of the user on the computer terminal CPTuaas, and the authentication is zero-knowledge, so that the identity impersonation defect existing in a single-factor authentication mode for verifying the user only through a user password is overcome, and the access request of a malicious attacker on sensitive data can be effectively rejected;
when the master station server MSuaas requests access into the DCS, the user access authentication system running on the cloud computing server CCSuaas authenticates the identity of the master station server MSuaas, and the authentication is zero-knowledge, so that the defect that an attacker could access the DCS by falsely using the identity of the master station server MSuaas and intercept the information transmitted and generated during communication is overcome.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
A DCS-based user access authentication system comprises: a cloud computing server CCSuaas deployed at a remote cloud end, on which the server-side software of the user access authentication system is installed and run; a master station server MSuaas deployed in the DCS, on which the user-side software of the user access authentication system is installed and run; and a computer terminal CPTuaas used by a login user requesting access to the DCS, on which the user-side software of the user access authentication system is installed and run;
the master station server MSuaas is in communication connection with a user access authentication system server of the cloud computing server CCSuaas through a user access authentication system client;
the computer terminal CPTuaas is in communication connection with a user access authentication system server side of the cloud computing server CCSuaas through a user access authentication system user side;
the computer terminal CPTuaas is in communication connection with the master station server MSuaas through the network communication equipment;
in order to overcome the defect that a user on a computer terminal CPTuaas could access sensitive data on the master station server MSuaas in the DCS (distributed control system) after only a single-factor authentication by user name and password, whose identity can be falsely used, when the user on the computer terminal CPTuaas requests access to the data on the master station server MSuaas in the DCS, the user access authentication system running on the cloud computing server CCSuaas authenticates the identity of the user on the computer terminal CPTuaas, and the authentication method comprises the following steps:
firstly, the user access authentication system carries out the following initialization operation:
in the prime field $F_p$, an elliptic curve $E(F_p)$ is selected, and a base point $P$ on $E(F_p)$ of order $n$ is selected; the secure hash function denoted by $H$ is the SM3 algorithm, and the signature value denoted by $s$ is produced with the SM2 algorithm;
the user on the computer terminal CPTuaas selects a private key $d_{cpt}$, calculates $R_{cpt} = d_{cpt}P$ as the public key, and discloses the public key $R_{cpt}$ and the identity $ID_{cpt}$ to the system;
secondly, the user on the computer terminal CPTuaas selects a random number $r_{cpt} \in [1, n-1]$ and calculates $h_{cpt} = H(R_{cpt} + ID_{cpt}) \bmod n$ and $s_{cpt} = ((1+d_{cpt})^{-1}(r_{cpt}-d_{cpt})) \bmod n$, then sends the calculated $h_{cpt}$, the signature value $s_{cpt}$ and its own $ID_{cpt}$ to the system;
thirdly, after the system receives $h_{cpt}$, $s_{cpt}$ and $ID_{cpt}$ sent by the user on the computer terminal CPTuaas, it calculates $T_{cpt} = s_{cpt}R_{cpt}\,((1+d_{cpt})(r_{cpt}-d_{cpt})^{-1}) \bmod n$;
fourthly, the system judges whether $H(T_{cpt} + ID_{cpt}) \bmod n$ equals $h_{cpt}$; if so, the identity of the user on the computer terminal CPTuaas is determined to be legal, and the authentication is finished;
in order to overcome the problem that an attacker could access the DCS (distributed control system) by falsely using the identity of the master station server MSuaas and intercept the information transmitted and generated during communication, when the master station server MSuaas requests access to the DCS, the user access authentication system running on the cloud computing server CCSuaas authenticates the identity of the master station server MSuaas, and the authentication method comprises the following steps:
firstly, the user access authentication system carries out the following initialization operation:
in the prime field $F_p$, an elliptic curve $E(F_p)$ is selected, and a base point $P$ on $E(F_p)$ of order $n$ is selected; the secure hash function denoted by $H$ is the SM3 algorithm, and the signature value denoted by $s$ is produced with the SM2 algorithm;
the master station server MSuaas selects a private key $d_{ms}$, calculates $R_{ms} = d_{ms}P$ as the public key, and discloses the public key $R_{ms}$ and the identity $ID_{ms}$ to the system;
secondly, the master station server MSuaas selects a random number $r_{ms} \in [1, n-1]$ and performs the following calculations:
$h_{ms} = H(R_{ms} + ID_{ms}) \bmod n$;
$s_{ms} = ((1+d_{ms})^{-1}(r_{ms}-d_{ms})) \bmod n$;
then it sends the calculated $h_{ms}$, the signature value $s_{ms}$ and its own $ID_{ms}$ to the system;
thirdly, after the system receives $h_{ms}$, $s_{ms}$ and $ID_{ms}$ sent by the master station server MSuaas, it performs the calculation $T_{ms} = s_{ms}R_{ms}\,((1+d_{ms})(r_{ms}-d_{ms})^{-1}) \bmod n$;
fourthly, the system judges whether $H(T_{ms} + ID_{ms}) \bmod n$ equals $h_{ms}$; if so, the identity of the master station server MSuaas is determined to be legal, and the authentication is finished;
in the identity authentication stage for the user on the computer terminal CPTuaas, the user access authentication system uses $h_{cpt}$, $s_{cpt}$ and $ID_{cpt}$ sent by the computer terminal CPTuaas to calculate $T_{cpt}$, and by judging whether the equation $h_{cpt} = H(T_{cpt} + ID_{cpt}) \bmod n$ holds, completes the authentication of the identity of the user on the computer terminal CPTuaas;
in the authentication stage for the master station server MSuaas, the user access authentication system uses $h_{ms}$, $s_{ms}$ and $ID_{ms}$ sent by the master station server MSuaas to calculate $T_{ms}$, and by judging whether $h_{ms} = H(T_{ms} + ID_{ms}) \bmod n$ holds, completes the authentication of the master station server MSuaas;
during the execution of the whole authentication protocol, an attacker may obtain the exchanged information $h_{cpt}$, $h_{ms}$, $s_{cpt}$, $s_{ms}$, $ID_{cpt}$ and $ID_{ms}$. However, since the whole authentication protocol is based on the SM2 algorithm and the values are computed on the elliptic curve $E(F_p)$, it is almost impossible for an attacker to derive the private key $d_{cpt}$ of the user on the computer terminal CPTuaas or the private key $d_{ms}$ of the master station server MSuaas from this information; thus the authentication is zero-knowledge.
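The terminal-user steps and the master-station steps above are the same computation with different subscripts, so one worked example covers both. The Python below is an added illustration, not code from the patent: it runs the four steps literally on a toy curve and shows that the verifier's scalar $s(1+d)(r-d)^{-1} \bmod n$ reduces to $1$, so $T$ equals $R$ and the final check compares $h$ against $H(R + ID)$. Assumptions not taken from the page: the curve $y^2 = x^3 + 2x + 2$ over $F_{17}$ with base point $(5,1)$ of order $19$, SHA-256 standing in for SM3, and "$R + ID$" interpreted as hashing the encoding of $R$ concatenated with the ID bytes.

```python
# Added example (not from the patent): the page's four-step check on a toy curve.
# Assumptions: curve y^2 = x^3 + 2x + 2 over F_17, base point P = (5, 1) of
# order n = 19; SHA-256 stands in for SM3; "R + ID" is taken to mean hashing the
# encoding of the point R concatenated with the ID bytes.
import hashlib
import secrets

p, a, b = 17, 2, 2          # toy field and curve coefficients (assumption)
P = (5, 1)                  # base point of order n (assumption)
n = 19
O = None                    # point at infinity


def inv(x, m):
    """Modular inverse; raises ValueError when x is 0 mod m."""
    return pow(x % m, -1, m)


def ec_add(A, B):
    """Affine point addition on y^2 = x^3 + a x + b over F_p."""
    if A is O:
        return B
    if B is O:
        return A
    (x1, y1), (x2, y2) = A, B
    if x1 == x2 and (y1 + y2) % p == 0:
        return O                         # A == -B
    if A == B:
        lam = (3 * x1 * x1 + a) * inv(2 * y1, p) % p
    else:
        lam = (y2 - y1) * inv(x2 - x1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    y3 = (lam * (x1 - x3) - y1) % p
    return (x3, y3)


def ec_mul(k, A):
    """Double-and-add scalar multiplication; k is reduced mod the order n."""
    k %= n
    R = O
    while k:
        if k & 1:
            R = ec_add(R, A)
        A = ec_add(A, A)
        k >>= 1
    return R


def H(R, ident):
    """h = H(R + ID) mod n, with SHA-256 standing in for SM3 (assumption)."""
    enc = b"O" if R is O else f"{R[0]},{R[1]}".encode()
    return int.from_bytes(hashlib.sha256(enc + ident).digest(), "big") % n


def keygen(d=None):
    """Step 1: private key d with 1 + d != 0 mod n, public key R = dP."""
    if d is None:
        d = secrets.randbelow(n - 2) + 1     # d in [1, n-2]
    return d, ec_mul(d, P)


def prove(d, R, ident, r=None):
    """Step 2: pick r in [1, n-1] with r != d (otherwise (r-d)^-1 in step 3
    is undefined), then send (h, s, ID). r is also returned only because the
    page's verifier formula needs it."""
    if r is None:
        r = secrets.randbelow(n - 1) + 1
        while r == d % n:
            r = secrets.randbelow(n - 1) + 1
    h = H(R, ident)
    s = inv(1 + d, n) * (r - d) % n
    return h, s, r


def verify(h, s, ident, R, d, r):
    """Steps 3 and 4 exactly as written on the page:
    T = s * R * ((1+d)(r-d)^-1) mod n, then check H(T + ID) mod n == h.
    The scalar s*(1+d)*(r-d)^-1 is 1 mod n, so T == R for a well-formed s."""
    k = s * (1 + d) * inv(r - d, n) % n
    T = ec_mul(k, R)
    return H(T, ident) == h, T


if __name__ == "__main__":
    d_cpt, R_cpt = keygen()                                   # constructed keys
    h, s, r = prove(d_cpt, R_cpt, b"cpt-user-01")             # constructed ID
    ok, T = verify(h, s, b"cpt-user-01", R_cpt, d_cpt, r)
    print("T == R:", T == R_cpt, "authenticated:", ok)
```

As the page writes step 3, the verifier's computation of $T$ takes the prover's $d$ and $r$, which is why `verify` receives them as parameters; a deployment has to specify how the system obtains these values, since the page does not.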
Although embodiments of the present invention have been shown and described, it will be appreciated by those skilled in the art that changes, modifications, substitutions and alterations can be made in these embodiments without departing from the principles and spirit of the invention, the scope of which is defined in the appended claims and their equivalents.
Claims (3)
1. A user access authentication system based on DCS, comprising: the system comprises a cloud computing server CCSuaas running user access authentication system server side software, and a master station server MSuaas or a computer terminal CPTuaas running user access authentication system user side software;
the master station server MSuaas or the computer terminal CPTuaas communicates with a user access authentication system server of the cloud computing server CCSuaas through a user access authentication system client;
the user access authentication system authenticates the identity of the master station server MSuaas or the computer terminal CPTuaas, and the authentication method comprises the following steps:
firstly, the user access authentication system carries out the following initialization operation:
in the prime field $F_p$, an elliptic curve $E(F_p)$ is selected, and a base point $P$ on $E(F_p)$ of order $n$ is selected; the secure hash function denoted by $H$ is the SM3 algorithm, and the signature value denoted by $s$ is produced with the SM2 algorithm;
the master station server MSuaas or the computer terminal CPTuaas selects a private key $d$, calculates $R = dP$ as the public key, and discloses the public key $R$ and the identity $ID$ to the system;
secondly, the master station server MSuaas or the computer terminal CPTuaas selects a random number $r \in [1, n-1]$ and calculates $h = H(R + ID) \bmod n$ and $s = ((1+d)^{-1}(r-d)) \bmod n$, then sends the calculated $h$, the signature value $s$ and its own $ID$ to the system;
thirdly, after the system receives $h$, $s$ and $ID$ sent by the master station server MSuaas or the computer terminal CPTuaas, the system calculates $T = sR\,((1+d)(r-d)^{-1}) \bmod n$;
fourthly, the system judges whether $H(T + ID) \bmod n$ equals $h$; if so, the identity of the master station server MSuaas or the computer terminal CPTuaas is determined to be legal, and the authentication is finished.
2. The DCS-based user access authentication system of claim 1, wherein the user access authentication system authenticates the identity of the user at the computer terminal CPTuaas, and the authentication method is as follows:
firstly, the user access authentication system carries out the following initialization operation:
in the prime field $F_p$, an elliptic curve $E(F_p)$ is selected, and a base point $P$ on $E(F_p)$ of order $n$ is selected; the secure hash function denoted by $H$ is the SM3 algorithm, and the signature value denoted by $s$ is produced with the SM2 algorithm;
the user on the computer terminal CPTuaas selects a private key $d_{cpt}$, calculates $R_{cpt} = d_{cpt}P$ as the public key, and discloses the public key $R_{cpt}$ and the identity $ID_{cpt}$ to the system;
secondly, the user on the computer terminal CPTuaas selects a random number $r_{cpt} \in [1, n-1]$ and calculates $h_{cpt} = H(R_{cpt} + ID_{cpt}) \bmod n$ and $s_{cpt} = ((1+d_{cpt})^{-1}(r_{cpt}-d_{cpt})) \bmod n$, then sends the calculated $h_{cpt}$, the signature value $s_{cpt}$ and its own $ID_{cpt}$ to the system;
thirdly, after the system receives $h_{cpt}$, $s_{cpt}$ and $ID_{cpt}$ sent by the user on the computer terminal CPTuaas, it calculates $T_{cpt} = s_{cpt}R_{cpt}\,((1+d_{cpt})(r_{cpt}-d_{cpt})^{-1}) \bmod n$;
fourthly, the system judges whether $H(T_{cpt} + ID_{cpt}) \bmod n$ equals $h_{cpt}$; if so, the identity of the user on the computer terminal CPTuaas is determined to be legal, and the authentication is finished.
3. The DCS-based user access authentication system of claim 2, wherein the user access authentication system authenticates the identity of the primary station server MSuaas by:
firstly, the user access authentication system carries out the following initialization operation:
in the prime field $F_p$, an elliptic curve $E(F_p)$ is selected, and a base point $P$ on $E(F_p)$ of order $n$ is selected; the secure hash function denoted by $H$ is the SM3 algorithm, and the signature value denoted by $s$ is produced with the SM2 algorithm;
the master station server MSuaas selects a private key $d_{ms}$, calculates $R_{ms} = d_{ms}P$ as the public key, and discloses the public key $R_{ms}$ and the identity $ID_{ms}$ to the system;
secondly, the master station server MSuaas selects a random number $r_{ms} \in [1, n-1]$ and performs the following calculations:
$h_{ms} = H(R_{ms} + ID_{ms}) \bmod n$;
$s_{ms} = ((1+d_{ms})^{-1}(r_{ms}-d_{ms})) \bmod n$;
then it sends the calculated $h_{ms}$, the signature value $s_{ms}$ and its own $ID_{ms}$ to the system;
thirdly, after the system receives $h_{ms}$, $s_{ms}$ and $ID_{ms}$ sent by the master station server MSuaas, it performs the calculation $T_{ms} = s_{ms}R_{ms}\,((1+d_{ms})(r_{ms}-d_{ms})^{-1}) \bmod n$;
fourthly, the system judges whether $H(T_{ms} + ID_{ms}) \bmod n$ equals $h_{ms}$; if so, the identity of the master station server MSuaas is determined to be legal, and the authentication is finished;
in the identity authentication stage for the user on the computer terminal CPTuaas, the user access authentication system uses $h_{cpt}$, $s_{cpt}$ and $ID_{cpt}$ sent by the computer terminal CPTuaas to calculate $T_{cpt}$, and by judging whether the equation $h_{cpt} = H(T_{cpt} + ID_{cpt}) \bmod n$ holds, completes the authentication of the identity of the user on the computer terminal CPTuaas;
in the authentication stage for the master station server MSuaas, the user access authentication system uses $h_{ms}$, $s_{ms}$ and $ID_{ms}$ sent by the master station server MSuaas to calculate $T_{ms}$, and by judging whether $h_{ms} = H(T_{ms} + ID_{ms}) \bmod n$ holds, completes the authentication of the master station server MSuaas.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202110079095.0A CN112887292A (en) | 2021-01-21 | 2021-01-21 | User access authentication system based on DCS |
Publications (1)
Publication Number | Publication Date |
---|---|
CN112887292A true CN112887292A (en) | 2021-06-01 |
Family
ID=76051287
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202110079095.0A Pending CN112887292A (en) | 2021-01-21 | 2021-01-21 | User access authentication system based on DCS |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN112887292A (en) |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN106851635A (en) * | 2016-12-15 | 2017-06-13 | 北京三未信安科技发展有限公司 | A kind of distributed signature method and system of identity-based |
CN110336664A (en) * | 2019-07-10 | 2019-10-15 | 西安电子科技大学 | Information service entities cross-domain authentication method based on SM2 cryptographic algorithm |
CN111600713A (en) * | 2020-04-10 | 2020-08-28 | 张谷应 | Security protection system based on cloud computing server |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
 | PB01 | Publication | Application publication date: 20210601 |
 | SE01 | Entry into force of request for substantive examination | |
 | RJ01 | Rejection of invention patent application after publication | |