CN113612771B - Protection method and device based on Internet of Things authentication

Info

Publication number: CN113612771B
Authority: CN (China)
Prior art keywords: authentication, equipment, risk, information, identity
Legal status: Active
Application number: CN202110883275.4A
Other languages: Chinese (zh)
Other versions: CN113612771A
Inventors: 贺思阳, 饶旭, 余昌乐
Current assignee: Fiberhome Telecommunication Technologies Co Ltd
Original assignee: Fiberhome Telecommunication Technologies Co Ltd
Application filed by Fiberhome Telecommunication Technologies Co Ltd
Priority to CN202110883275.4A
Publication of CN113612771A
Application granted
Publication of CN113612771B

Classifications

    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • G16Y30/10 IoT infrastructure, security thereof
    • H04L67/10 Protocols in which an application is distributed across nodes in the network
    • H04L67/12 Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks


Abstract

The invention relates to a protection method and device based on Internet of Things authentication. The method mainly comprises the following steps: the equipment uploads its identity authentication information so that it is recorded in an equipment identity credential table, completing dynamic registration of the equipment identity authentication information; when an authentication service is triggered, the equipment acquires the authentication mode issued according to the trigger type; the equipment collects the required identity authentication information according to the authentication mode and reports it for authentication; and an authentication policy is designated through the authentication mode, the identity authentication information of the equipment is authenticated, a risk coefficient is calculated, a security control policy is generated according to the risk coefficient, and security control is applied to the equipment. The method and device can ensure the data security of the key devices of multi-device equipment and, while ensuring data security, improve the operating efficiency of the equipment at the same time.

Description

Protection method and device based on Internet of Things authentication
[ technical field ]
The invention relates to the field of industrial Internet of Things terminal equipment, in particular to a protection method and device based on Internet of Things authentication.
[ background ]
With the gradual maturity of cloud technology and Internet of Things (IoT) technology, IoT technology is developing toward diversification as society progresses, and using a cloud platform to unify the serial resources of the Internet of Things such as hardware, software and network, so as to realize hosted computing, storage, processing and sharing of data, has become a hotspot and trend in the field. The application of IoT systems based on a cloud platform has become an important direction in the application development of IoT technology.
The Internet of Things gateway is a multi-device business scenario with characteristics such as many devices, much data and frequent interaction; with the rapid development of IoT gateways, the required data interaction becomes ever more frequent, so the data security of the devices is very important. For existing IoT gateways, not only must the data security of the equipment's many key devices be improved, but the operating efficiency of the equipment must also be ensured; the IoT gateway therefore needs to introduce a suitable strategy for monitoring the replacement and tampering of devices, so as to ensure both the data security and the operating efficiency of the IoT gateway.
With the development of industrial IoT gateways, an existing industrial IoT terminal can be connected to the current industrial IoT network through various interface forms for data acquisition and remote control; at the same time, the types of peripheral communication devices keep increasing, and existing IoT terminal equipment carries various detachable devices such as Wifi5/6, RF (Radio Frequency), 5G, HPLC (High Power Line Communication, high-speed broadband power line carrier), Zigbee (a wireless internet protocol module for fast short-distance transmission), LORA (Low Power Wide Area network), AC (AC sampling and collection), TF card (TransFlash, storage file system), GNSS (Global Navigation Satellite System) and the like.
In view of this, how to overcome the defects of the prior art and solve the above technical problems is a difficult problem to be solved in this technical field.
[ summary of the invention ]
Aiming at the defects or improvement needs of the prior art, the invention provides a protection method and device based on Internet of Things authentication, in which the method for authenticating and managing devices and device data within the security protection function is customized based on the cloud platform and the Internet of Things, so that the security of key device data of multi-device equipment is ensured and the operating efficiency of the equipment is improved at the same time as data security is ensured.
The embodiment of the invention adopts the following technical scheme:
In a first aspect, the present invention provides a protection method based on Internet of Things authentication, comprising:
the equipment uploads its identity authentication information so that it is recorded in an equipment identity credential table, completing dynamic registration of the equipment identity authentication information;
when the authentication service is triggered, the equipment acquires the authentication mode issued according to the trigger type;
the equipment collects the required identity authentication information according to the authentication mode and reports it for authentication;
and an authentication policy is designated through the authentication mode, the identity authentication information of the equipment is authenticated, the risk coefficient is calculated, a security control policy is generated according to the risk coefficient, and security control is applied to the equipment.
Further, the equipment identity credential table is a sub-table derived from a platform summary table, where the platform summary table includes a summary device list, the service list supported by each device, a data plan, and the associated service management and control policy.
Further, the authentication service comprises a manual authentication service and an automatic authentication service; when the manual authentication service is triggered, the equipment acquires the correspondingly issued manual authentication mode, and when the automatic authentication service is triggered, the equipment acquires the correspondingly issued automatic authentication mode.
Further, the manual authentication mode comprises a single-device authentication mode, a group authentication mode and a custom authentication mode; the automatic authentication mode comprises a timed reporting mode and a timed acquisition mode.
Further, the equipment collecting the required identity authentication information according to the authentication mode and reporting it for authentication specifically includes:
the equipment opens the authentication service, and the authentication service creates the list of devices needing authentication with reference to the authentication mode;
and the identity authentication information is obtained via the device list and reported for authentication.
Further, designating an authentication policy through the authentication mode, authenticating the identity authentication information of the equipment and calculating a risk coefficient, generating a security management and control policy according to the risk coefficient, and performing security management and control of the equipment specifically includes:
an authentication policy is designated through the authentication mode, and the identity authentication information of the equipment is authenticated through that authentication policy;
after authentication is finished, the authentication result is counted to obtain a risk classification coefficient, and the risk classification grade of the equipment is determined from the risk classification coefficient;
and a security control policy corresponding to the risk classification grade is issued for each of the different risk classification grades, and security control of the equipment is carried out.
Further, the authentication policy includes a device authentication policy, a feature device authentication policy and a full device authentication policy, where:
the device authentication policy specifically includes: extracting the information of the devices to be authenticated to form an authentication list, retrieving the name of each device currently being authenticated from the equipment identity credential table, and extracting the retrieved information to generate the authentication credential list;
the feature device authentication policy specifically includes: extracting the features of the devices to be authenticated, filtering the device list by those device features through the equipment identity credential table, and generating the authentication credential list;
and the full device authentication policy specifically includes: extracting the information of the equipment identity credential table to generate the cloud platform device authentication credential list.
Further, the risk classification grades comprise a low risk classification grade, a medium risk classification grade and a high risk classification grade, where:
the security management and control policy issued for the low risk classification grade specifically includes: performing low-risk treatment on the risk-involved device, marking the treated device as risk-involved in the equipment identity credential table, and marking the equipment as low risk;
the security management and control policy issued for the medium risk classification grade specifically includes: performing risk treatment on the risk-involved device, marking the treated device as risk-involved in the equipment identity credential table, and performing risk marking on the equipment;
and the security management and control policy issued for the high risk classification grade specifically includes: issuing a high-risk control instruction to the risk-involved device, marking the risk-involved device as risk-involved in the equipment identity credential table, and marking the equipment as high risk.
In a second aspect, the present invention further provides a protection method based on Internet of Things authentication, comprising:
the cloud platform acquires the equipment identity authentication information, enters it into an equipment identity credential table, and completes dynamic registration of the equipment identity authentication information;
the cloud platform triggers the authentication service, selects an authentication mode according to the trigger type and issues the authentication mode to the equipment;
the equipment collects the required identity authentication information according to the authentication mode and reports it to the cloud platform for authentication;
and the cloud platform designates an authentication policy through the authentication mode, authenticates the identity authentication information of the equipment, calculates the risk coefficient, generates a security control policy according to the risk coefficient and performs security control of the equipment.
In a third aspect, the present invention further provides a protection device based on Internet of Things authentication, specifically: the protection device comprises at least one processor and a memory, the at least one processor and the memory being connected through a data bus; the memory stores instructions executable by the at least one processor, and the instructions, when executed by the processor, complete the protection method based on Internet of Things authentication of the first aspect and the second aspect.
Compared with the prior art, the embodiment of the invention has the following beneficial effects: the cloud platform performs access authentication at equipment security opening, applies service protection to the authentication of all detachable device modules of the industrial Internet of Things equipment (5G, Wifi5/6, GPS, HPLC, Zigbee, AC, RF, TF card, SIM card, Bluetooth and the like), and eliminates the potential security hazard that external industrial interface devices or modules may be replaced or tampered with as Internet of Things equipment grows in number and variety; in addition, the cloud platform applies personalized identity authentication access policies for key device information of different risk levels and control policies of different levels such as low, medium and high to different security authentication comparison results, issues the management platform's control policy under abnormal conditions to the Internet of Things service module associated with the designated device of the equipment, and can handle the abnormality of different suspicious devices with different policies.
[ description of the drawings ]
In order to illustrate the technical solutions of the embodiments of the present invention more clearly, the drawings required by the embodiments are briefly described below. Obviously, the drawings described below show only some embodiments of the invention, and a person skilled in the art can derive other drawings from them without inventive effort.
Fig. 1 is a flowchart of a protection method based on Internet of Things authentication according to embodiment 1 of the present invention;
Fig. 2 is a flowchart of a protection method based on Internet of Things authentication according to embodiment 2 of the present invention;
Fig. 3 is a flowchart illustrating step 100 provided in embodiment 2 of the present invention;
Fig. 4 is a flowchart specifically illustrating step 200 provided in embodiment 2 of the present invention;
Fig. 5 is a flowchart illustrating step 300 according to embodiment 2 of the present invention;
Fig. 6 is a flowchart specifically illustrating step 400 provided in embodiment 2 of the present invention;
Fig. 7 is a flowchart of acquiring device identity authentication information according to embodiment 2 of the present invention;
Fig. 8 is a block diagram of a protection system based on Internet of Things authentication according to embodiment 3 of the present invention;
Fig. 9 is a schematic structural diagram of a protection device based on Internet of Things authentication according to embodiment 4 of the present invention.
[ detailed description ]
In order to make the objects, technical solutions and advantages of the present invention clearer, the present invention is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described here are merely illustrative of the invention and are not intended to limit it.
Since the present invention is the system structure of a specific functional system, the specific embodiments mainly explain the functional logic relationships among the structural modules, and the specific software and hardware implementation is not limited.
In addition, the technical features involved in the respective embodiments of the present invention described below may be combined with each other as long as they do not conflict. The invention is now described in detail with reference to the figures and examples.
Example 1:
As shown in Fig. 1, an embodiment of the present invention provides a protection method based on Internet of Things authentication, which includes the following specific steps.
Step 1: the equipment uploads its identity authentication information so that it is recorded in the equipment identity credential table, completing dynamic registration of the equipment identity authentication information;
Step 2: when the authentication service is triggered, the equipment acquires the authentication mode issued according to the trigger type;
Step 3: the equipment collects the required identity authentication information according to the authentication mode and reports it for authentication;
Step 4: an authentication policy is designated through the authentication mode, the identity authentication information of the equipment is authenticated, the risk coefficient is calculated, a security control policy is generated according to the risk coefficient, and security control of the equipment is carried out.
The above steps are described from the equipment side and describe a method of performing Internet of Things authentication and protection on the equipment.
In step 1, the equipment identity credential table is a sub-table derived from a platform summary table, where the platform summary table includes a summary device list, the service list supported by each device, a data plan, and the associated service management and control policy.
In step 2, the authentication service includes a manual authentication service and an automatic authentication service; when the manual authentication service is triggered, the equipment acquires the correspondingly issued manual authentication mode, and when the automatic authentication service is triggered, the equipment acquires the correspondingly issued automatic authentication mode. In addition, the manual authentication mode comprises a single-device authentication mode, a group authentication mode and a custom authentication mode; the automatic authentication mode comprises a timed reporting mode and a timed acquisition mode.
Step 3 can be expanded as follows: the equipment opens the authentication service, and the authentication service creates the list of devices needing authentication with reference to the authentication mode; the identity authentication information is then obtained via the device list and reported for authentication.
Step 4 can be expanded as follows: an authentication policy is designated through the authentication mode, and the identity authentication information of the equipment is authenticated through that policy; after authentication is finished, the authentication result is counted to obtain a risk classification coefficient, and the risk classification grade of the equipment is determined from the risk classification coefficient; a security control policy corresponding to that risk classification grade is then issued for each of the different grades, and security control of the equipment is carried out.
In step 4, the authentication policy includes a device authentication policy, a feature device authentication policy and a full device authentication policy, where: the device authentication policy specifically includes extracting the information of the devices to be authenticated to form an authentication list, retrieving the name of each device currently being authenticated from the equipment identity credential table, and extracting the retrieved information to generate the authentication credential list; the feature device authentication policy specifically includes extracting the features of the devices to be authenticated, filtering the device list by those device features through the equipment identity credential table, and generating the authentication credential list; and the full device authentication policy specifically includes extracting the information of the equipment identity credential table to generate the cloud platform device authentication credential list.
In step 4, the risk classification grades include a low, a medium and a high risk classification grade, where the security management and control policy issued for the low risk classification grade specifically includes: performing low-risk treatment on the risk-involved device, marking the treated device as risk-involved in the equipment identity credential table, and marking the equipment as low risk; the security management and control policy issued for the medium risk classification grade specifically includes: performing risk treatment on the risk-involved device, marking the treated device as risk-involved in the equipment identity credential table, and performing risk marking on the equipment; and the security management and control policy issued for the high risk classification grade specifically includes: issuing a high-risk control instruction to the risk-involved device, marking the risk-involved device as risk-involved in the equipment identity credential table, and marking the equipment as high risk.
The equipment in this embodiment is industrial Internet of Things equipment comprising detachable device modules, for example: 5G, Wifi5/6, GPS, HPLC, Zigbee, AC, RF, TF card, SIM card, Bluetooth and the like. Through this embodiment, service protection can be applied to the authentication of the equipment, eliminating the potential security hazard that external industrial interface devices or modules may be replaced or tampered with as Internet of Things equipment grows in number and variety; in addition, the method can apply personalized identity authentication access policies for key device information of different risk levels and control policies of different levels such as low, medium and high to the security authentication comparison results of different devices, issue the management platform's control policy under abnormal conditions to the Internet of Things service module associated with the designated device of the equipment, and handle the abnormality of different suspicious devices with different policies.
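As an added worked example (not the patent's or the assignee's code), the following Python sketches steps 3 and 4 of this embodiment: the three authentication policies select an authentication credential list from a constructed equipment identity credential table, the reported identity information is compared against it, a risk coefficient is calculated and graded, and the per-grade limit services or lock instruction recorded in the table become the control strategy. The credential table contents, the access-level weighting, the coefficient formula and the grade thresholds are assumptions that the patent text leaves open.

```python
"""Authentication policy, risk grading and control strategy (patent steps 3-4).
Added example, not the patent's code. The credential table is constructed; the
access-level weights, coefficient formula and grade thresholds are assumptions.
"""

# Constructed equipment identity credential table: one entry per pluggable
# device module, using the fields the description lists.
CREDENTIAL_TABLE = {
    "5G": {
        "features": {"category": "comm", "access_level": "medium"},
        "identity": {"firmware": "fw-5g-1.2", "sim": "SIM-0001"},
        "limits": {"low": ["104"], "medium": ["104", "698"], "high": "lock"},
    },
    "AC": {
        "features": {"category": "sampling", "access_level": "high"},
        "identity": {"firmware": "fw-ac-3.0", "baseboard": "BB-77"},
        "limits": {"low": ["collection"], "medium": ["collection"], "high": "lock"},
    },
    "HPLC": {
        "features": {"category": "comm", "access_level": "low"},
        "identity": {"firmware": "fw-hplc-0.9", "device_id": "HPLC-42"},
        "limits": {"low": ["645"], "medium": ["645", "698"], "high": "lock"},
    },
}

ACCESS_WEIGHT = {"low": 1.0, "medium": 1.5, "high": 2.0}  # assumption: failed high-access field weighs more

SAMPLE_REPORT = {  # constructed report: the 5G module's SIM differs from the registered one
    "5G": {"firmware": "fw-5g-1.2", "sim": "SIM-9999"},
    "AC": {"firmware": "fw-ac-3.0", "baseboard": "BB-77"},
    "HPLC": {"firmware": "fw-hplc-0.9", "device_id": "HPLC-42"},
}


def authentication_credential_list(policy, table, names=(), features=None):
    """Build the authentication credential list under one of the three policies."""
    if policy == "device":      # retrieve the named devices from the table
        return {n: table[n] for n in names if n in table}
    if policy == "feature":     # filter the table by device feature values
        wanted = features or {}
        return {n: e for n, e in table.items()
                if all(e["features"].get(k) == v for k, v in wanted.items())}
    if policy == "full":        # the whole table (cloud platform device list)
        return dict(table)
    raise ValueError(f"unknown authentication policy: {policy}")


def authenticate(credentials, reported):
    """Per module, the credential fields that did not match; an unreported module fails all fields."""
    failures = {}
    for name, entry in credentials.items():
        got = reported.get(name)
        if got is None:                         # module removed or replaced
            failures[name] = sorted(entry["identity"])
            continue
        bad = [k for k, v in entry["identity"].items() if got.get(k) != v]
        if bad:
            failures[name] = bad
    return failures


def risk_coefficient(credentials, failures):
    """Assumed formula: weighted failed fields / weighted total fields, in [0, 1]."""
    total = failed = 0.0
    for name, entry in credentials.items():
        w = ACCESS_WEIGHT[entry["features"]["access_level"]]
        total += w * len(entry["identity"])
        failed += w * len(failures.get(name, []))
    return failed / total if total else 0.0


def risk_grade(coefficient):
    """Assumed thresholds; fully authenticated equipment is not marked."""
    if coefficient == 0.0:
        return "pass"
    return "low" if coefficient < 0.25 else "medium" if coefficient < 0.6 else "high"


def control_strategy(grade, credentials, failures):
    """Mark each risk-involved device, then restrict its limit services or issue the lock instruction."""
    if grade == "pass":
        return {"equipment_mark": None, "actions": []}
    actions = []
    for name in failures:
        limits = credentials[name]["limits"][grade]
        action = {"device": name, "mark": "risk-involved"}
        if limits == "lock":
            action["instruction"] = "lock"        # high-risk control instruction
        else:
            action["restrict_services"] = list(limits)
        actions.append(action)
    return {"equipment_mark": grade, "actions": actions}


def run_authentication(policy, reported, names=(), features=None):
    """Steps 3-4 end to end: returns (risk coefficient, risk grade, control strategy)."""
    creds = authentication_credential_list(policy, CREDENTIAL_TABLE, names, features)
    failures = authenticate(creds, reported)
    coeff = risk_coefficient(creds, failures)
    grade = risk_grade(coeff)
    return coeff, grade, control_strategy(grade, creds, failures)
```

With the constructed report, the full-device policy grades the swapped SIM as low risk and restricts only the 5G module's low-risk limit service; removing the high-access AC module from the report pushes the same equipment to high risk and both involved modules receive the lock instruction.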
Example 2:
As shown in Fig. 2, building on embodiment 1, the present invention provides a protection method based on Internet of Things authentication by introducing a cloud platform that manages the equipment and by means of interaction between the cloud platform and the equipment; the specific steps are as follows.
Step 100: the cloud platform acquires the equipment identity authentication information, enters it into an equipment identity credential table and completes dynamic registration of the equipment identity authentication information.
Step 200: the cloud platform triggers the authentication service, selects an authentication mode according to the trigger type and issues the authentication mode to the equipment.
Step 300: the equipment collects the required identity authentication information according to the authentication mode and reports it to the cloud platform for authentication.
Step 400: the cloud platform designates an authentication policy through the authentication mode, authenticates the identity authentication information of the equipment, calculates the risk coefficient, generates a security control policy according to the risk coefficient and performs security control of the equipment.
Through the above steps, the embodiment of the invention detects the security authentication of the devices of industrial Internet of Things equipment in a cloud-platform environment on the basis of the industrial Internet of Things terminal (IIoT), uses a multi-level risk strategy, and under abnormal conditions restricts and authenticates the cloud platform's use of the devices with the help of platform control instructions. In the following, several typical types of industrial devices and interfaces are used as examples (for example, the access devices include pluggable devices such as 5G, Wifi5/6, HPLC, Zigbee, AC, TF card, LORA, RF, GNSS and the like; it should be noted that the present invention is limited neither to these device examples nor to these device types when applied).
As shown in Fig. 3, in the preferred embodiment, step 100 specifically includes the following steps:
Step 101: the cloud platform constructs the equipment identity credential table from the platform summary table and issues a bidirectional synchronization request to the equipment.
Step 102: the equipment collects its identity authentication information according to the bidirectional synchronization request and reports it to the cloud platform.
Step 103: the cloud platform enters the equipment identity authentication information into the equipment identity credential table, completing dynamic registration of the equipment identity authentication information.
In step 101, the platform summary table is the cloud platform's configuration list for the supported equipment and devices, including the total device list, the service list supported by each device, the associated service management and control policy, and the data plan; in addition, the platform summary table groups the equipment identity credential resources into templates according to feature information and records their APP authentication certificates. For example: device list [5G (device support services: 104 service, 698 service; low risk limit service: 104 service; medium risk limit services: 104 service, 698 service; high risk limit service: lock), AC (device support services: statistics service, collection service; low risk limit service: collection service; medium risk limit service: collection service; high risk limit service: lock), HPLC (device support services: 645 service, 698 service; low risk limit service: 645 service; medium risk limit services: 645 service, 698 service; high risk limit service: lock), etc.], data and range plan [accurate spatial information: (latitude and longitude: xxx, xxx; height: xxx; range: maximum, minimum), etc.], grouping template information [templates instantiated by an equipment identity credential table, etc.], APP authentication certificates.
The equipment identity credential table is derived from the platform summary table and is specific to one piece of equipment: when the equipment reports its construction information, the cloud platform extracts the list of constructed devices from the construction information, inherits from the platform summary table the relevant fields of the summary device list, the information reliability, the associated services, the associated service control policies under low, medium and high risk, the blacklist (device name: xxx, service: xxx), the whitelist (device name: xxx, service: xxx), the APP authentication certificate, the data plan and so on, and thus forms the equipment identity credential table for the reporting equipment. For example: 5G (relevant field information: firmware information: xxx, SIM card information: xxx; device support services: 104 service, 698 service; access level: medium; information reliability: medium; low risk limit service: 104 service; medium risk limit services: 104 service, 698 service; high risk limit service: lock); AC (relevant field information: firmware information: xxx, baseboard acquisition information: xxx; device support services: statistics service, collection service; access level: high; information reliability: high; low risk limit service: collection service; medium risk limit service: collection service; high risk limit service: lock); HPLC (relevant field information: firmware information: xxx, device identifier: xxx; device support services: 645 service, 698 service; access level: low; information reliability: low; low risk limit service: 645 service; medium risk limit services: 645 service, 698 service; high risk limit service: lock), etc.; whitelist (HPLC module); blacklist (AC module); data and range plan [accurate spatial information: (longitude and latitude: xxx, xxx; height: xxx; range: max, min)]; APP authentication certificates.
Once the platform summary table and the equipment identity voucher table have been established, the equipment connects to the cloud platform through the MQTT protocol; after the cloud platform and the equipment complete bidirectional authentication, equipment authentication is carried out with the APP authentication certificate, and if that authentication passes, a bidirectional synchronization request of authentication information between the cloud platform and the equipment is carried out.
In the preferred embodiment, the triggering action of the bidirectional synchronization request is divided into automatic requests and manual requests. A manual request is raised by manually applying to replace a device, manually entering the known information of the device and adding authentication; an automatic request is triggered and reported automatically by the equipment through a series of preset automatic triggering actions such as events and conditions, thereby applying for the identity authentication synchronization request of the device.
For example: the equipment accesses the cloud platform for the first time, and the equipment identity certificate table is managed and constructed. The first access event of the equipment triggers an automatic request: retrieve whether an equipment identity voucher table template exists for the current access information; if it does, the template information can be inherited directly; if it does not, match the access information against the platform summary table on the cloud platform to generate an equipment identity voucher table, register the basic information of the devices (device list related fields, associated services, associated service control strategies under low, medium and high risk, blacklists and whitelists), group them according to information such as category and function (for example, by equipment model (Internet of Things equipment A, Internet of Things equipment B, etc.), by equipment function (Internet of Things equipment, electric power equipment, etc.), or by user-defined grouping) for grouping authentication, and map the equipment identity voucher table to the grouping template information field of the summary table. After grouping and template storage are finished, a construction request (for example, request type: all-interval request) is created for the equipment information.
When the management and construction of the equipment identity certificate table is triggered by a manual request: the cloud initiates a single device replacement request or a device abnormal state recovery request and groups the replacement devices. After the replacement is completed, the devices before and after replacement need to be marked as old and new; these marks are used for the subsequent authentication of the replaced device. In addition, partial device management requests need to be made (for example, request device: 5G; request type: single device request; request mode: replacement). After the request has been constructed or managed, the current request type is recorded in the module, and the cloud platform initiates a device detailed information acquisition request to the equipment in order to complete the detailed information of the equipment identity voucher table.
Step 102 in this embodiment is expanded as follows: the equipment senses the data request of the cloud platform, extracts the APP authentication certificate from the data request information and authenticates it, and performs legality authentication on the device data. If the authentication fails, high-risk management and control is applied to the equipment; if it passes, the required authentication devices in the request data are extracted to form a list, the list and the equipment configuration word (which contains the device configuration information of the equipment) are traversed, and the identity authentication information is obtained using the equipment configuration word and the equipment configuration file. The identity authentication information is then used to respond to the device detailed information acquisition request initiated by the cloud platform.
The equipment configuration word comprises: the device related field information, the device information acquisition mode, the device access mode information and the device risk-related marks stored in the equipment. For example: 5G (device related field information: unique identifier: xxx, SIM card information: xxx, etc.; information acquisition mode: read nonvolatile memory interface; risk-involved mark: 0 (the value "0" represents no risk); access mode information: 2 (the value "2" represents reading configuration information)); AC (device related field information: xxx, firmware information: xxx, etc.; information acquisition mode: proprietary protocol encapsulation interface; risk-involved mark: 0 (the value "0" represents no risk); access mode information: 1 (the value "1" represents proprietary protocol transmission)); HPLC (device related field information: unique identifier: xxx, firmware information: xxx, etc.; information acquisition mode: read register interface; risk-involved mark: 0 (the value "0" represents no risk); access mode information: 3 (the value "3" represents reading register information)).
The equipment configuration file belongs to the security access module and records the current equipment risk coefficient, the equipment state, the equipment model and the equipment number. For example: equipment model: xxxx; equipment number: xxxx; equipment state: 1 (where the value "1" represents normal access); current equipment risk coefficient: 1 (where the value "1" represents the low risk classification).
Step 103 in this embodiment is expanded as follows: when the cloud platform receives the equipment's response to the device detailed information acquisition request, it extracts the equipment information to generate an equipment information identity certificate synchronization list, performs data authentication on the APP authentication certificate and the device data (for example, judging whether the GNSS spatial information lies within the legal access range), checks the request type recorded in the module, and judges whether the identity certificate synchronization action type is the first access of the equipment or a device update.
If the synchronization action type is the first access of the equipment: the cloud platform completes the entry of the detailed information of the equipment identity voucher table from the response information (device information, device safety protection level, equipment state and device access mode) and performs security authentication management. After the whole identity certificate table has been entered, an authentication service and a security policy processing service are created, a timed authentication service is started for periodic reporting, and the equipment automatically reports its authentication information periodically. The device safety protection level can be divided into three risk levels, low, medium and high, according to the importance of the device's data and information: for example, a GNSS module is used only for positioning the equipment in space and can be classified as a low-risk device; the 5G module carries the main communication function of the equipment and can be classified as a medium-risk device; the TF card contains the system's file system and, given its importance, is classified as a high-risk device.
If the synchronization action type is a device update (device replacement or recovery): the cloud platform analyses the request information of the equipment to judge whether it is a replacement or a recovery. If it is a replacement, the equipment information in the request is extracted, the equipment identity voucher table of the current equipment is retrieved by that information, the device currently being replaced is looked up in the table, and the manually entered device information is authenticated to judge whether it is the device the cloud platform expects to be replaced; if not, the device is not entered; if so, the device information is added to the device information list and marked as the new device, the original device information is marked as the old device, and a time limit within which the old device can still be authenticated is attached to it through the time information. If it is a recovery, a device control instruction for recovery is issued and the abnormal flag bit of the device is reset. After authentication management is finished, the cloud platform reads the grouping information of the grouping equipment template and updates the replacement device in it. Once the equipment identity certificate table has been updated with the latest information of the equipment, the platform waits for the authentication service to trigger authentication.
As shown in fig. 4, in the preferred embodiment, step 200 comprises the following, according to the trigger type (manual authentication or automatic authentication):
step 201: the cloud platform triggers the manual authentication service, selects a manual authentication mode and sends the required identity authentication information to the equipment;
step 202: the cloud platform triggers the automatic authentication service, selects the automatic authentication mode and sends the required identity authentication information to the equipment.
The manual authentication modes include: a single device authentication mode (for authenticating an individual device), a group authentication mode (for group authentication of equipment or devices with uniform characteristics), a custom authentication mode (for customized authentication by a user), and a series of other manually triggered authentication modes. The automatic authentication modes include a series of automatically triggered modes such as timed reporting (by the equipment) and timed acquisition (by the cloud platform). Each authentication request mode sends different identity authentication request information: the authentication component information required by the respective authentication service is extracted, an authentication request consisting of that component information and the authentication mode is sent to the equipment by the cloud platform, and the request information is published to a designated Topic (the information transmission intermediary between the equipment and the cloud platform) to obtain the detailed identity authentication information for authentication.
As shown in fig. 5, in the preferred embodiment, step 300 specifically includes:
step 301: the equipment opens an authentication service, and the authentication service creates a device list needing authentication by referring to an authentication mode;
step 302: obtaining the identity authentication information through the device list and reporting it to the cloud platform for authentication.
Steps 301 and 302 are expanded as follows: the equipment senses the equipment authentication request information on the designated Topic through the MQTT protocol and opens an authentication service; the authentication service creates the list of devices needing authentication by referring to the authentication mode, obtains the device information acquisition method, the device access mode, the authentication device list, the risk-related marks and the related fields from the equipment configuration word, obtains the equipment state, equipment model and equipment number from the equipment configuration file, and obtains the identity authentication information using the device list. After the identity authentication information has been acquired, it is reported to the cloud platform for authentication. (For example: security authentication information: equipment information: [equipment model: a; equipment number: 1; equipment state: 0 (where the value "0" represents not managed); time and date: 20210601.
As shown in fig. 6, in the preferred embodiment, step 400 specifically includes:
step 401: the cloud platform designates an authentication strategy through the authentication mode and authenticates the identity authentication information of the equipment with that strategy;
step 402: after the authentication is finished, the authentication result is counted to obtain a risk grading coefficient, and the risk grading level of the equipment is judged from that coefficient;
step 403: a safety control strategy corresponding to the risk classification grade is issued according to that grade, and safety control is carried out on the equipment.
Step 401 may be expanded as follows: the cloud platform receives the authentication information field through the Topic, parses the devices to be authenticated, the authentication fields and the certificate of the security access module, extracts the security access certificate (APP authentication certificate) of the security access module from the authentication information field, and authenticates the reporting module. After that authentication passes, the devices needing authentication are extracted to form an authentication list, the authentication mode of the cloud platform is read, and the authentication mode is used to designate an authentication strategy, which is one of: the device authentication strategy, the characteristic device authentication strategy and the full-quantity device authentication strategy. Specifically, the device authentication strategy: extract the information of the authentication devices to form an authentication list, retrieve the name of the current authentication device in the equipment identity certificate table, and extract the retrieved information to generate the authentication certificate list; the characteristic device authentication strategy: extract the features of the authentication devices, filter the device list by those features through the equipment identity voucher table, and generate the authentication voucher list; the full-quantity device authentication strategy: extract the information of the equipment identity certificate table to generate the cloud platform device authentication certificate list.
After the authentication strategy is determined, traversal matching authentication of the device association information, the device association fields, the equipment information and the like is carried out between the authentication list and the fields of the device authentication voucher list. When a replaced device that has not yet timed out has two pieces of authentication information, the field carrying the old device mark must be identified and its effective time checked: if it has timed out, the field is not judged and is deleted; if it has not timed out, both fields are authenticated at the same time, and the device passes if either one matches.
Step 402 may be expanded as follows: the results are counted after the authentication is finished, and matches and mismatches are processed separately. A device with a mismatched field is added to the risk-involved device table together with its device information grade (low, medium or high), and abnormal field table statistics are made. The risk coefficient of the current equipment is then obtained by accumulating the mismatched items by grade (low-risk device information/data, medium-risk device information/data and high-risk device information/data), each grade contributing its own weight (low-risk weight, medium-risk weight and so on) to the risk coefficient. The risk level is judged from the equipment risk coefficient: when the coefficient is greater than 0 and smaller than the medium risk coefficient threshold, the current risk level is set to low; when it is greater than or equal to the medium risk coefficient threshold and smaller than the high risk coefficient threshold, the level is set to medium; and when it is greater than or equal to the high risk coefficient threshold, the level is set to high, and a security management and control strategy is generated in the multi-risk strategy mode.
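The traversal matching of step 401 and the risk grading of step 402 can be illustrated by a small model of the cloud-side logic. The following is an added example and not code from the patent or its applicant; the device names and field values are constructed from the page's own examples, and the numeric weights and thresholds (the page names them but gives no values) are assumptions. It covers the edge case the text singles out: a replaced device whose old entry still carries a valid time limit matches either entry, while an expired old entry is deleted before matching.

```python
"""Added example: matching the reported authentication list against the device
authentication voucher list, honouring old/new device marks and their time
limit, then accumulating the risk coefficient and grading it. Weights,
thresholds, names and field values are constructed for illustration."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed weights and thresholds: the page names low/medium/high weights
# and medium/high coefficient thresholds but gives no numeric values.
RISK_WEIGHT = {"low": 1, "medium": 3, "high": 9}
MEDIUM_RISK_THRESHOLD = 3
HIGH_RISK_THRESHOLD = 9


@dataclass
class VoucherEntry:
    """One row of the equipment identity voucher table for a single device."""
    device: str                             # device name, e.g. "5G", "HPLC", "TF"
    fields: dict                            # device association fields used for matching
    grade: str                              # device safety protection level: low/medium/high
    old_mark: bool = False                  # set on the original device after a replacement
    valid_until: Optional[datetime] = None  # authenticable time limit of an old entry


def authenticate(reported, voucher_table, now):
    """Match each reported device against its voucher entries.

    reported: {device_name: fields} taken from the identity authentication info.
    Returns (matched_devices, risk_table, surviving_voucher_table); risk_table
    lists (device, grade) for every device whose fields matched no valid entry,
    and expired old entries are dropped from the surviving table.
    """
    surviving = []
    for entry in voucher_table:
        # An old device mark is only honoured until its time limit; once it has
        # timed out the field is not judged and is deleted from the table.
        if entry.old_mark and entry.valid_until is not None and entry.valid_until < now:
            continue
        surviving.append(entry)

    matched, risk_table = [], []
    for device, fields in reported.items():
        candidates = [e for e in surviving if e.device == device]
        # Both the new entry and a not-yet-expired old entry are authenticated;
        # the device passes if either one matches.
        if any(e.fields == fields for e in candidates):
            matched.append(device)
        else:
            # Grade comes from the voucher table; a device the table does not
            # know at all is treated as high risk (assumption, not on the page).
            grade = candidates[0].grade if candidates else "high"
            risk_table.append((device, grade))
    return matched, risk_table, surviving


def risk_coefficient(risk_table):
    """Accumulate the weight of every mismatched item by its risk grade."""
    return sum(RISK_WEIGHT[grade] for _, grade in risk_table)


def risk_level(coefficient):
    """Map the coefficient to the risk classification grade of step 402."""
    if coefficient >= HIGH_RISK_THRESHOLD:
        return "high"
    if coefficient >= MEDIUM_RISK_THRESHOLD:
        return "medium"
    if coefficient > 0:
        return "low"
    return "none"  # no mismatch; the page defines no grade for 0 (assumption)


# Constructed sample: the 5G module was replaced; the old record is still
# valid for one more day and the new record has already been entered.
T0 = datetime(2021, 6, 1, 12, 0)
SAMPLE_TABLE = [
    VoucherEntry("5G", {"firmware": "fw-2.0", "sim": "sim-B"}, "medium"),
    VoucherEntry("5G", {"firmware": "fw-1.0", "sim": "sim-A"}, "medium",
                 old_mark=True, valid_until=T0 + timedelta(days=1)),
    VoucherEntry("HPLC", {"firmware": "hplc-3", "uid": "0x0042"}, "low"),
    VoucherEntry("TF", {"fs_hash": "constructed-hash-1"}, "high"),
]
SAMPLE_REPORT = {
    "5G": {"firmware": "fw-1.0", "sim": "sim-A"},     # still the old module
    "HPLC": {"firmware": "hplc-3", "uid": "0x0099"},  # identifier does not match
    "TF": {"fs_hash": "constructed-hash-1"},
}


def run_sample(days_later=0):
    """Run the matching at T0 plus the given number of days."""
    now = T0 + timedelta(days=days_later)
    matched, risk, table = authenticate(SAMPLE_REPORT, SAMPLE_TABLE, now)
    coef = risk_coefficient(risk)
    return matched, risk, coef, risk_level(coef), len(table)


if __name__ == "__main__":
    print(run_sample())   # old 5G mark still valid: only HPLC mismatches
    print(run_sample(2))  # old 5G mark expired: 5G now mismatches as well
```

Running the sample at T0 yields a single low-grade mismatch (HPLC) and a low risk level; two days later the old 5G entry has been deleted, the stale 5G report no longer matches, and the accumulated coefficient crosses the medium threshold.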
The matched fields are processed as follows: the credibility of the equipment information in the current authentication information is counted according to the hardware information extraction method (information read from a register by direct access: low credibility level; information obtained from the nonvolatile storage configuration: medium credibility level; information obtained through a private protocol: high credibility level), and the credibility is added to the identity authentication equipment information credibility field of the equipment identity certificate table.
Step 403 may be expanded as follows:
Low risk grade processing: extract the white list, the black list and their related devices and services from the equipment identity certificate table. Traverse and extract the acquisition services of the devices in the risk-involved device list from the equipment identity certificate table, execute low-risk processing on the risk-involved device table and generate the processing information, which comprises the processed services and their service processing states: add the devices of the risk-involved device list and all their related acquisition services to the processing information, add the devices in the white list and the related services under them, delete the related services under the devices in the black list, and set all service states to the control state. In addition, the disposed devices are risk-marked in the equipment identity certificate table, and the equipment is marked as low risk. For example: disposal information: (device information: HPLC; list of controlled services: 645, 698; service disposal state: 0 (where the value "0" represents closing the service)). The abnormal HPLC acquisition-related function of the single device is marked and its characteristic service is limited or closed under low strategy management and control, without affecting other Internet of Things services such as WIFI, AC and RF.
Medium risk grade processing: extract the acquisition services under the devices that are not in the white list from the device list of the equipment certificate table, dispose of the acquisition service list and generate the disposal information, which comprises the disposed services and their service disposal states: traverse the service list, add it to the disposed services and set the states to the control state; risk-mark the disposed devices in the equipment certificate table and risk-mark the equipment. For example: disposal information: (device information: HPLC; list of controlled services: 645, 698; service disposal state: 0 (where the value "0" represents closing the service); device information: 5G; list of controlled services: 104, 698; service disposal state: 0 (where the value "0" represents closing the service)). When multiple devices are abnormal, for example when the GPS/BD configuration information, the 5G configuration information and the WIFI5/6 configuration information are all abnormal (multiple pieces of low-risk information), all devices of the equipment are marked for their related functions and their acquisition services are limited or closed, while the operation of core components such as the equipment network and the kernel is not affected.
High risk grade processing: extract the device information of the risk-involved device list, risk-mark the risk-involved devices in the equipment identity certificate table, and issue a high-risk control instruction, for example by directly sending a lock-machine control instruction. When the TF card file system or an extended memory card has been replaced, or when GNSS three-dimensional spatial (horizontal and vertical) detection of the equipment finds a serious security abnormality such as the risk of short-distance illegal relocation, the high-risk control instruction issues control measures such as: locking the machine, cancelling the equipment authentication login, and closing the core services.
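The three dispositions of step 403 differ in how much of the equipment they touch, which is what a defender wants to see side by side. The block below is an added example, not code from the patent; the device names, services, white list and black list are taken from the page's own examples, and the shape of the disposal record is an assumption. It keeps the page's state value 0 for a closed service and follows the page's description of the white and black list handling literally.

```python
"""Added example: generating the disposal information of step 403 for each
risk classification grade. Names and lists are constructed from the page's
examples; the record layout is an assumption."""

CLOSED = 0   # service disposal state: the value "0" represents closing the service

# Constructed fragment of the equipment identity voucher table: the acquisition
# services of each pluggable device. Core components such as the network stack
# or the kernel are not listed here, so they are never disposed of.
VOUCHER_SERVICES = {
    "5G":   ["104", "698"],
    "AC":   ["statistics", "collection"],
    "HPLC": ["645", "698"],
    "RF":   ["rf_collect"],          # constructed, to show an untouched service
}
WHITE_LIST = {"HPLC": ["645", "698"]}  # page example: white list (HPLC module)
BLACK_LIST = {"AC": ["statistics"]}    # page example: black list (AC module)


def _record(disposal, mark):
    """Shape per-device service lists into the disposal record."""
    return {"devices": {d: {"services": s, "state": CLOSED} for d, s in disposal.items()},
            "mark": mark}


def low_risk_disposal(risk_devices, services, white, black):
    """Single abnormal device: only its own acquisition services are controlled."""
    disposal = {dev: list(services.get(dev, [])) for dev in risk_devices}
    # As the page states: white-listed devices and their services are added to
    # the processing information, services under black-listed devices deleted.
    for dev, svcs in white.items():
        disposal[dev] = sorted(set(disposal.get(dev, [])) | set(svcs))
    for dev, svcs in black.items():
        if dev in disposal:
            disposal[dev] = [s for s in disposal[dev] if s not in svcs]
            if not disposal[dev]:
                del disposal[dev]
    return _record(disposal, "low")


def medium_risk_disposal(services, white):
    """Several abnormal devices: the acquisition services of every device that
    is not white-listed are controlled; nothing outside the table is touched."""
    disposal = {dev: list(svcs) for dev, svcs in services.items() if dev not in white}
    return _record(disposal, "risk-involved")


def high_risk_disposal(risk_devices):
    """Serious abnormality (e.g. replaced TF card file system): a high-risk
    control instruction is issued instead of a per-service list."""
    return {"devices": sorted(risk_devices), "instruction": "lock",
            "mark": "risk-involved"}


def build_disposal(level, risk_devices, services=VOUCHER_SERVICES,
                   white=WHITE_LIST, black=BLACK_LIST):
    """Dispatch on the risk classification grade produced in step 402."""
    if level == "low":
        return low_risk_disposal(risk_devices, services, white, black)
    if level == "medium":
        return medium_risk_disposal(services, white)
    if level == "high":
        return high_risk_disposal(risk_devices)
    raise ValueError(f"unknown risk level: {level!r}")


if __name__ == "__main__":
    for level, devices in (("low", ["HPLC"]), ("medium", ["HPLC", "5G"]), ("high", ["TF"])):
        print(level, build_disposal(level, devices))
```

With the constructed table, a low-grade abnormality on HPLC produces exactly the page's example record (645 and 698 closed, nothing else touched), the medium grade closes the acquisition services of every non-white-listed device, and the high grade reduces to a lock instruction naming the risk-involved device.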
On the basis of step 403, the cloud platform responds to the risk control command issued in the multi-risk strategy mode, the risk-involved service interfaces are closed and the equipment data is protected. The policy-processing Topic receives the subscribed information; the security policy processing service parses and reads the risk-involved device mark of the device and the management and control (off/on) state of the associated services that the device needs to control, identifies the device to which the controlled service belongs by the device mark, manages the current service state through the mark, the service, the state and the service interface, marks the controlled and risk-involved device, and records the marked device in the equipment configuration word.
As shown in fig. 7, in the preferred embodiment, obtaining the identity authentication information of the devices in each of the above processes comprises the following steps:
step 501: establish an identity authentication model with multiple devices and multiple access modes from the data request information and the equipment configuration word. Specifically, when the equipment is requested to acquire identity authentication information, the required authentication device list is extracted from the data request, the equipment configuration word is traversed with that list, and the data/device information of each device in the list, its data/device information acquisition mode and the access modes the device supports are extracted to generate the authentication service, identity authentication and other information. The device access modes are classified into: supporting private communication, reading the nonvolatile storage configuration, and reading registers.
step 502: check whether the device access mode of the current device supports private communication; if the protocol supports private communication, jump to step 504 (for example, the AC acquisition backplane).
step 503: check whether the device access mode of the current device supports reading the nonvolatile memory configuration; if so, enter step 505 (for example, the 5G module); if not, the authentication reads the device by direct access, and step 506 is entered (for example, the GNSS module).
After the device access mode has been confirmed, the device information is acquired according to that access mode.
step 504: read the device information through private communication. Specifically, the identity authentication information is extracted, the data/device information acquisition mode is extracted as supporting an encrypted communication protocol, and the encrypted communication protocol acquires fields such as (for example) device name: AC acquisition backplane, device version: 20210601, device model: A, device identification: 0x1234, information reliability: 3; the high-level information reliability is authenticated and marked by this method and stored in the related fields of the identity authentication information.
step 505: read the device information from the nonvolatile memory. Specifically, the identity authentication information is extracted, the data/device information acquisition mode is extracted as supporting the device storage configuration in the nonvolatile memory, and that storage configuration acquires fields such as (for example) device name: 5G module, device version: 20210602, device model: B, information reliability: 2; the medium-level information reliability is authenticated and marked by this method and stored in the related fields of the identity authentication information.
step 506: read the registers to obtain the device information. Specifically, the identity authentication information is extracted, the data/device information acquisition mode reads the register fields directly, and the current register information is read directly to acquire fields such as (for example) device name: 5G module, device version: 20210603, device model: A, information reliability: 1; the primary (low-level) information reliability is authenticated and marked by this method and stored in the related fields of the identity authentication information.
step 507: combine the data information, the device information, the equipment information, the authentication information and the configuration information to generate the identity authentication information. (For example: device information [device model: A; device number: 1; device state: 0 (where the value "0" represents not regulated)], [time and date: 20210601.
After the device information and its data information have been acquired by the above acquisition method, the equipment information is extracted through the security access module configuration file or obtained through the APP interface, and the APP data information, time and date, current equipment risk coefficient, equipment state, equipment model and equipment number fields of the identity authentication information are filled in; the security access APP certificate in the security access module is read, and the information credibility is counted to complete the identity authentication field. Finally, the issuing type of the authentication request information is extracted and used to fill in the report type field, which completes the extraction of the identity authentication information and ends the procedure.
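Steps 501 to 507 are one procedure on the equipment side, so a single worked example is given here for the whole flow; it also applies the credibility grading by acquisition method that the matched-field processing of step 402 relies on. This is an added example and not code from the patent or its applicant. The equipment configuration word entries, the stand-in driver back-ends and the field values are constructed (the values mirror the page's examples), the reliability scale 3/2/1 follows steps 504 to 506, and the handling of a requested device that is absent from the configuration word is an assumption.

```python
"""Added example: selecting the information acquisition method for each
required device from the equipment configuration word (steps 502-506),
marking the information reliability that method yields, and assembling the
identity authentication record (step 507). Configuration word, back-ends and
values are constructed for illustration."""

# Access mode values as used in the page's equipment configuration word examples.
ACCESS_PRIVATE_PROTOCOL = 1   # "1": proprietary protocol transmission
ACCESS_READ_CONFIG = 2        # "2": read the nonvolatile storage configuration
ACCESS_READ_REGISTER = 3      # "3": read register information

# Information reliability marked by the acquisition method (steps 504-506).
RELIABILITY = {ACCESS_PRIVATE_PROTOCOL: 3, ACCESS_READ_CONFIG: 2, ACCESS_READ_REGISTER: 1}

# Constructed equipment configuration word: device -> access mode and risk mark.
CONFIG_WORD = {
    "AC":   {"access_mode": ACCESS_PRIVATE_PROTOCOL, "risk_mark": 0},
    "5G":   {"access_mode": ACCESS_READ_CONFIG, "risk_mark": 0},
    "GNSS": {"access_mode": ACCESS_READ_REGISTER, "risk_mark": 0},
}

# Constructed stand-ins for the kernel/driver interfaces; a real security
# access module would speak the backplane protocol, read the NVM or registers.
_PRIVATE_PROTOCOL = {"AC": {"name": "AC acquisition backplane", "version": "20210601",
                            "model": "A", "id": "0x1234"}}
_NVM_CONFIG = {"5G": {"name": "5G module", "version": "20210602", "model": "B"}}
_REGISTERS = {"GNSS": {"name": "GNSS module", "version": "20210603", "model": "A"}}


def acquire_device_info(device, config_word=CONFIG_WORD):
    """Steps 502-506: choose the access mode in the order the page checks it
    (private protocol, then NVM configuration, otherwise direct register read),
    read the fields through it and mark the reliability that mode yields."""
    entry = config_word.get(device)
    if entry is None:
        # Not in the configuration word: nothing can be read, so report it with
        # reliability 0 and an error so the cloud side sees the gap (assumption).
        return {"name": device, "reliability": 0, "error": "not in configuration word"}
    mode = entry["access_mode"]
    if mode == ACCESS_PRIVATE_PROTOCOL:        # step 502 -> step 504
        fields = _PRIVATE_PROTOCOL.get(device)
    elif mode == ACCESS_READ_CONFIG:           # step 503 -> step 505
        fields = _NVM_CONFIG.get(device)
    else:                                      # step 503 -> step 506
        mode = ACCESS_READ_REGISTER
        fields = _REGISTERS.get(device)
    if fields is None:
        return {"name": device, "reliability": 0, "error": "read failed"}
    return {**fields, "access_mode": mode, "risk_mark": entry["risk_mark"],
            "reliability": RELIABILITY[mode]}


def build_identity_auth_info(required_devices, config_file, app_cert, report_type,
                             date="20210601", config_word=CONFIG_WORD):
    """Step 507 and the completion after it: combine device, equipment,
    certificate and request-type fields into one identity authentication record."""
    devices = [acquire_device_info(d, config_word) for d in required_devices]
    counts = {}
    for d in devices:                 # credibility statistics for the identity field
        counts[d["reliability"]] = counts.get(d["reliability"], 0) + 1
    return {"app_cert": app_cert,
            "equipment": {**config_file, "date": date},
            "devices": devices,
            "reliability_counts": counts,
            "report_type": report_type}


# Constructed security access module configuration file (fields named on the page).
CONFIG_FILE = {"model": "A", "number": 1, "state": 0, "risk_coefficient": 1}


def run_sample():
    # "LORA" is requested but absent from the configuration word, to show the gap case.
    return build_identity_auth_info(["AC", "5G", "GNSS", "LORA"], CONFIG_FILE,
                                    "constructed-app-cert", "timed_report")


if __name__ == "__main__":
    import json
    print(json.dumps(run_sample(), indent=2))
```

The reliability counts in the returned record are what the cloud side would add to the identity authentication equipment information credibility field; a device that could only be read through registers is reported with reliability 1, so a later field match on it carries less weight than one obtained over the private protocol.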
Through this embodiment, the cloud platform performs security access authentication for the equipment and protects the services by authenticating all detachable device modules of the industrial Internet of Things equipment (5G, wifi5/6, GPS, HPLC, zigbee, AC, RF, TF card, SIM card, bluetooth and the like), eliminating the potential safety hazards, such as the replacement or tampering of external industrial interface devices or modules, that arise from the growing number and variety of Internet of Things equipment. In addition, in the invention the legal data is mainly monitored from the cloud platform and the legal module authentication information mainly comes from the acquisition of each module; the secure access legal data range of the equipment and devices is planned, the key information of the modules and devices is authenticated after the equipment connects to the cloud platform, the equipment reports the device modules and the additional software and hardware authentication information to the cloud platform, the cloud platform applies personalized identity authentication access policies for key device information of different risk levels and control policies of different levels such as low, medium and high to the different security authentication comparison results, the management platform's control policies for abnormal conditions are issued to the related Internet of Things service modules of the specified devices of the equipment, and different policy dispositions can be applied according to the abnormality of different suspicious devices.
The invention can mark an abnormal device, for example the AC strong-current alternating-current data acquisition function, and limit or close its characteristic service under low strategy management and control without affecting other Internet of Things services such as Wifi5/6, HPLC and RF; or authenticate several types of devices such as 5G, Wifi5/6, HPLC and zigbee together and take medium-risk (for example, the platform limits all acquisition control instructions) or high-risk (for example, locking the machine) management and control measures; or, for the replacement of the TF card file system or the extended memory card, limit all acquisition control instructions, and for serious security authentication abnormalities such as illegal close-range movement in GNSS three-dimensional space, take high-risk management and control measures such as locking the machine, so that the service functions can keep running as safely and efficiently as possible when different device-level security abnormalities occur. In summary, the present invention is a protection method for a service security authentication mechanism that optimizes device management and access management, and improves the security capability of Internet of Things services.
Example 3:
based on the protection method based on the internet of things authentication provided in embodiment 2, embodiment 3 provides a protection system based on the internet of things authentication corresponding to embodiment 2, and as shown in fig. 8, the system is a typical application scenario of an internet of things device with a kernel, a protocol, and a cloud platform. This edge thing of industry allies oneself with terminal as edge thing allies oneself with equipment, mounts multiple thing on the hardware and allies oneself with key device, for example in the figure: 5G, wifi5/6, HPLC, zigbee, AC, TF cards, LORA, RF, GNSS and the like, software depends on core services such as a kernel driving system, an MQTT (message queue telemetry transport) protocol, a cloud platform and the like, and various industrial protocols, data interaction modules and application APPs need to be operated and deployed on business.
In this embodiment, the security between the cloud platform and the internet of things is ensured through a security access module, where the security access module includes three modules, namely a multi-key-device authentication information extraction module, an identity authentication module, and a security policy processing module. Each module extracts information of each peripheral by using the kernel/driver, various types of information are reported to the cloud platform according to different function composition fields, and the cloud platform issues different strategies.
The functions of the modules are introduced as follows:
the multi-key device authentication information extraction module: and acquiring device information aiming at a device and equipment access method. And the information credibility of the authentication information of the current device is generated by using the difference of the safety of the current method, and statistics is made.
The identity authentication module comprises an identity credential management and construction module and an authentication module. The identity credential management and construction module manages and constructs replacement and recovery of the designated device and synchronizes the cloud platform's device list. The authentication module designates the authentication type (single authentication, group authentication or full authentication), acquires the device information, generates the identity authentication information and reports it.
The identity authentication information is generated as follows: 1. Equipment authentication is performed according to the equipment information, the equipment state and the fields of the security access certificate (APP authentication certificate). 2. The device status group consists of the status and data of the devices provided by each module and is used for device-related authentication, for example GNSS three-dimensional spatial information (for detecting close-range illegal relocation of the equipment). 3. The device information group consists of the key information of the module provided by each device, that is, the key information of peripherals such as 5G, WiFi5/6, HPLC, Zigbee, AC, TF card, LoRa, RF, GNSS and SIM card.
Interpretation of each field of the identity authentication information:
1. Security access certificate (APP authentication certificate): information solidified inside the security access module, used for matching with the cloud platform.
2. Equipment information: the main security authentication information of the equipment, consisting of fields 2.1 to 2.9 below.
2.1 Time and date: accurate time acquired from GPS/BD (BeiDou).
2.2 Equipment number: the equipment number solidified in the equipment, obtainable from the configuration file.
2.3 Equipment model: the equipment model solidified in the equipment, obtainable from the configuration file.
2.4 Device information: the core authentication data used for device authentication, consisting of four fields: device information, data information, device type and information credibility. Three acquisition modes can be used, and the credibility of the information depends on the mode: reading the device information through the device's acquisition interface gives low credibility; a device configuration stored in the equipment's non-volatile memory gives medium credibility; device information obtained over a private communication channel gives high credibility. Information whose authentication does not pass is treated as untrusted.
2.5 Device firmware information: device version, device model, device identification, information credibility, and so on; provided by the device and not exemplified here.
2.6 Device data information: information that is unique at the device and device-data level; for example, the spatial information in GPS/BD differs from device to device; not exemplified here.
2.7 Device state: records the current management and control state of the device.
2.8 Device access mode: a classification according to the way the device information is obtained; the category data segment can be obtained through the device configuration file.
2.9 Software data information: authentication information generated by an APP inside the equipment; obtainable through the equipment APP.
3. Equipment state: records the current risk management and control level.
The security policy processing module executes the disposal policy issued by the cloud platform and closes the corresponding service interface. The comprehensive authentication information from the security authentication of each Internet of Things device is divided into low, medium and high policy levels; the authentication result of the equipment is analysed, and when an abnormality occurs the corresponding low-, medium- or high-level risk policy is applied to the equipment.
In this embodiment the modules cooperate to implement device authentication, device management, and risk management and control, thereby improving the security capability of the Internet of Things service. The flow and steps of the cooperation among the modules are detailed in embodiment 2 and are not repeated here.
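The cloud-side authentication and risk grading described above (the risk-involved device table, the abnormal-field count, the weighted risk coefficient and the low/medium/high policy) as an added worked example in Python. This is not the patent's or the applicant's code: the weights, grading thresholds, policy names, GNSS relocation tolerance and the credential-table layout are assumptions, and the credential table and reports are constructed samples. The GNSS comparison uses a distance tolerance so that receiver jitter is not scored as a relocation, which the description implies but does not specify.

```python
import math
from dataclasses import dataclass, field

# Assumed weight per device-information grade: claims 1 and 8 only state that
# each mismatching low/medium/high-grade item adds a low/medium/high weight.
RISK_WEIGHTS = {"low": 1, "medium": 3, "high": 9}
MEDIUM_THRESHOLD = 3          # assumed grading thresholds on the coefficient
HIGH_THRESHOLD = 9
RELOCATION_TOLERANCE_M = 50.0  # assumed tolerance for the GNSS relocation check

# Hypothetical policy per level, following the examples in the description.
POLICIES = {
    "none":   "no action",
    "low":    "limit feature service of risk-involved device",
    "medium": "limit all acquisition control instructions",
    "high":   "lock the machine",
}

# Constructed equipment identity credential table as recorded at dynamic
# registration: per device, its information grade and registered field values.
CREDENTIAL_TABLE = {
    "5G":   {"grade": "medium", "fields": {"imei": "356938035643809", "firmware": "v2.1.0"}},
    "TF":   {"grade": "medium", "fields": {"fs_uuid": "3f1e-9b2a"}},
    "AC":   {"grade": "low",    "fields": {"sampler_id": "AC-17"}},
    "GNSS": {"grade": "high",   "fields": {"position": (30.5728, 114.3055, 28.0)}},
}


@dataclass
class AuthResult:
    risk_coefficient: int
    level: str
    policy: str
    risk_devices: dict = field(default_factory=dict)  # risk-involved device table


def _haversine_m(a, b):
    """Great-circle distance in metres between two (lat, lon, alt) tuples."""
    lat1, lon1, lat2, lon2 = map(math.radians, (a[0], a[1], b[0], b[1]))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371000.0 * math.asin(math.sqrt(h))


def field_matches(name, registered, reported):
    """Exact comparison for ordinary fields; the GNSS position is compared with
    a distance tolerance so receiver jitter is not counted as relocation."""
    if reported is None:
        return False
    if name == "position":
        horizontal = _haversine_m(registered, reported)
        vertical = abs(registered[2] - reported[2])
        return horizontal <= RELOCATION_TOLERANCE_M and vertical <= RELOCATION_TOLERANCE_M
    return registered == reported


def grade_level(coefficient):
    """Map the accumulated risk coefficient to a risk classification level."""
    if coefficient <= 0:
        return "none"
    if coefficient >= HIGH_THRESHOLD:
        return "high"
    if coefficient >= MEDIUM_THRESHOLD:
        return "medium"
    return "low"


def authenticate(credential_table, report):
    """Authenticate a reported payload (device -> field values) against the
    credential table, count abnormal fields and compute the risk coefficient."""
    coefficient = 0
    risk_devices = {}
    for device, entry in credential_table.items():
        reported = report.get(device, {})  # a missing device mismatches every field
        mismatched = [name for name, value in entry["fields"].items()
                      if not field_matches(name, value, reported.get(name))]
        if mismatched:
            # abnormal-field count times the weight of the device's grade
            risk_devices[device] = {"grade": entry["grade"], "fields": mismatched}
            coefficient += len(mismatched) * RISK_WEIGHTS[entry["grade"]]
    level = grade_level(coefficient)
    return AuthResult(coefficient, level, POLICIES[level], risk_devices)


def mark_risk(credential_table, result):
    """Apply the marks of the issued policy: risk-involved devices are marked in
    a copy of the credential table and the equipment state carries the level."""
    table = {d: dict(e, risk_mark=(result.level if d in result.risk_devices else None))
             for d, e in credential_table.items()}
    return {"risk_level": result.level, "risk_coefficient": result.risk_coefficient,
            "credential_table": table}


# Constructed reports: intact equipment, a swapped TF card file system, and a
# GNSS position roughly 330 m from the registered one.
REPORT_OK = {d: dict(e["fields"]) for d, e in CREDENTIAL_TABLE.items()}
REPORT_TF_SWAPPED = {**REPORT_OK, "TF": {"fs_uuid": "77aa-0c41"}}
REPORT_RELOCATED = {**REPORT_OK, "GNSS": {"position": (30.5758, 114.3055, 28.0)}}

if __name__ == "__main__":
    for label, rep in (("ok", REPORT_OK), ("tf swapped", REPORT_TF_SWAPPED),
                       ("relocated", REPORT_RELOCATED)):
        r = authenticate(CREDENTIAL_TABLE, rep)
        print(f"{label:11s} coefficient={r.risk_coefficient} level={r.level} policy={r.policy}")
```

With these assumed weights a single swapped TF card scores medium and a GNSS relocation alone scores high, matching the two examples given for the grading; a practitioner tuning real weights should check that a low-grade device cannot reach the high level through many small mismatches unless that is intended.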
Example 4:
On the basis of the protection method and system based on Internet of Things authentication provided in embodiments 1 to 3, the present invention further provides a protection device based on Internet of Things authentication which can be used to implement the method and system. Fig. 9 is a schematic diagram of the device architecture in an embodiment of the present invention. The protection device of this embodiment comprises one or more processors 21 and a memory 22; in fig. 9 one processor 21 is taken as an example.
The processor 21 and the memory 22 may be connected by a bus or by other means; fig. 9 illustrates connection by a bus.
The memory 22, as a non-volatile computer-readable storage medium, may be used to store non-volatile software programs, non-volatile computer-executable programs and modules, such as the protection method and system based on Internet of Things authentication in embodiments 1 to 3. The processor 21 executes the various functional applications and data processing of the protection device by running the non-volatile software programs, instructions and modules stored in the memory 22, that is, it implements the protection method and system based on Internet of Things authentication in embodiments 1 to 3.
The memory 22 may include high speed random access memory and may also include non-volatile memory, such as at least one magnetic disk storage device, flash memory device, or other non-volatile solid state storage device. In some embodiments, the memory 22 may optionally include memory located remotely from the processor 21, and these remote memories may be connected to the processor 21 via a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The program instructions/modules are stored in the memory 22 and, when executed by the one or more processors 21, perform the protection method and system based on Internet of Things authentication of embodiments 1 to 3 above, for example the steps shown in fig. 1 and fig. 7.
Those of ordinary skill in the art will appreciate that all or part of the steps of the various methods of the embodiments may be implemented by associated hardware as instructed by a program, which may be stored on a computer-readable storage medium, which may include: a Read Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and the like.
The above description is only for the purpose of illustrating the preferred embodiments of the present invention and is not to be construed as limiting the invention, and any modifications, equivalents and improvements made within the spirit and principle of the present invention are intended to be included within the scope of the present invention.

Claims (9)

1. A protection method based on Internet of Things authentication, characterized by comprising the following steps:
the equipment uploads its identity authentication information so that it is recorded in an equipment identity credential table, completing the dynamic registration of the equipment identity authentication information; the equipment identity credential table is a sub-table, specific to the equipment, derived from a platform general table, and the platform general table comprises a general device list, the service list supported by each device, a data plan and the associated service management and control policy; the acquisition of the identity authentication information comprises: acquiring the identity authentication information using an equipment configuration word and an equipment configuration file, wherein the equipment configuration word comprises, in the storage of the equipment, the device-related field information, the device information acquisition mode, the device access mode information and the device risk mark, and the equipment configuration file comprises the current equipment risk coefficient, equipment state, equipment model and equipment number;
the equipment obtains the authentication mode issued according to the trigger type when the cloud platform triggers an authentication service;
the equipment collects the identity authentication information required by the authentication mode and reports it for authentication;
an authentication policy is specified through the authentication mode; the cloud platform authenticates the identity authentication information of the equipment, computes a risk coefficient, generates a security management and control policy according to the risk coefficient and applies security management and control to the equipment; wherein computing the risk coefficient comprises: after authentication is finished, the results are counted and matching and mismatching fields are handled separately; a device with a mismatching field is added to a risk-involved device table together with its device information grade, and the abnormal fields are counted in an abnormal field table; the risk coefficient of the current equipment is then obtained by the rule that each item of low-risk device information/data that appears adds a low-risk weight value to the risk coefficient, each item of medium-risk device information/data adds a medium-risk weight value, and each item of high-risk device information/data adds a high-risk weight value.
2. The protection method based on Internet of Things authentication according to claim 1, wherein the authentication service comprises a manual authentication service and an automatic authentication service; when the manual authentication service is triggered, the equipment obtains the correspondingly issued manual authentication mode, and when the automatic authentication service is triggered, the equipment obtains the correspondingly issued automatic authentication mode.
3. The protection method based on Internet of Things authentication according to claim 2, wherein the manual authentication modes comprise a single device authentication mode, a group authentication mode and a custom authentication mode, and the automatic authentication modes comprise a timed reporting mode and a timed collection mode.
4. The protection method based on Internet of Things authentication according to claim 1, wherein the step of the equipment collecting the identity authentication information required by the authentication mode and reporting it for authentication specifically comprises:
the equipment starts the authentication service, and the authentication service creates the list of devices to be authenticated with reference to the authentication mode;
the identity authentication information is obtained according to the device list and reported for authentication.
5. The protection method based on Internet of Things authentication according to claim 1, wherein specifying an authentication policy through the authentication mode, authenticating the identity authentication information of the equipment and computing the risk coefficient, and generating a security management and control policy according to the risk coefficient and applying security management and control to the equipment specifically comprises:
an authentication policy is specified through the authentication mode, and the identity authentication information of the equipment is authenticated according to that policy;
after authentication is finished, the authentication results are counted to obtain a risk classification coefficient, and the risk classification level of the equipment is determined from that coefficient;
a security management and control policy corresponding to the risk classification level is issued to apply security management and control to the equipment.
6. The protection method based on Internet of Things authentication according to claim 5, wherein the authentication policies comprise a device authentication policy, a feature device authentication policy and a full-scale device authentication policy, wherein:
the device authentication policy specifically comprises: extracting the information of the devices to be authenticated to form an authentication list, retrieving the current device names from the equipment identity credential table, and extracting the retrieved information to generate the authentication credential list;
the feature device authentication policy specifically comprises: extracting the features of the devices to be authenticated, filtering the device list by those features through the equipment identity credential table, and generating the authentication credential list;
the full-scale device authentication policy specifically comprises: extracting the information of the equipment identity credential table to generate the cloud platform device authentication credential list.
7. The protection method based on Internet of Things authentication according to claim 5, wherein the risk classification levels comprise a low risk level, a medium risk level and a high risk level, wherein:
the security management and control policy issued for the low risk level specifically comprises: executing low-risk disposal on the risk-involved device, marking the disposed device as risk-involved in the equipment identity credential table, and marking the equipment as low risk;
the security management and control policy issued for the medium risk level specifically comprises: executing medium-risk disposal on the risk-involved device, marking the disposed device as risk-involved in the equipment identity credential table, and marking the equipment as medium risk;
the security management and control policy issued for the high risk level specifically comprises: issuing a high-risk control instruction to the risk-involved device, marking the risk-involved device as risk-involved in the equipment identity credential table, and marking the equipment as high risk.
8. A protection method based on Internet of Things authentication, characterized by comprising the following steps:
the cloud platform acquires the equipment identity authentication information and records it in an equipment identity credential table, completing the dynamic registration of the equipment identity authentication information; the equipment identity credential table is a sub-table, specific to the equipment, derived from a platform general table, and the platform general table comprises a general device list, the service list supported by each device, a data plan and the associated service management and control policy; the acquisition of the identity authentication information comprises: acquiring the identity authentication information using an equipment configuration word and an equipment configuration file, wherein the equipment configuration word comprises, in the storage of the equipment, the device-related field information, the device information acquisition mode, the device access mode information and the device risk mark, and the equipment configuration file comprises the current equipment risk coefficient, equipment state, equipment model and equipment number;
the cloud platform triggers the authentication service, selects an authentication mode according to the trigger type and issues it to the equipment;
the equipment collects the identity authentication information required by the authentication mode and reports it to the cloud platform for authentication;
the cloud platform specifies an authentication policy through the authentication mode, authenticates the identity authentication information of the equipment, computes a risk coefficient, generates a security management and control policy according to the risk coefficient and applies security management and control to the equipment; wherein computing the risk coefficient comprises: after authentication is finished, the results are counted and matching and mismatching fields are handled separately; a device with a mismatching field is added to a risk-involved device table together with its device information grade, and the abnormal fields are counted in an abnormal field table; the risk coefficient of the current equipment is then obtained by the rule that each item of low-risk device information/data that appears adds a low-risk weight value to the risk coefficient, each item of medium-risk device information/data adds a medium-risk weight value, and each item of high-risk device information/data adds a high-risk weight value.
9. A protection device based on Internet of Things authentication, characterized in that:
it comprises at least one processor and a memory connected through a data bus, the memory storing instructions executable by the at least one processor, and the instructions, when executed by the processor, complete the protection method based on Internet of Things authentication according to any one of claims 1 to 8.
CN202110883275.4A 2021-08-03 2021-08-03 Protection method and device based on Internet of things authentication Active CN113612771B (en)

Publications (2)

Publication Number Publication Date
CN113612771A CN113612771A (en) 2021-11-05
CN113612771B true CN113612771B (en) 2023-04-18


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant