CN113872986A - Power distribution terminal authentication method, system, device, computer equipment and storage medium - Google Patents

Info

Publication number
CN113872986A
Authority
CN
China
Prior art keywords
node
authenticated
attribute information
terminal attribute
terminal
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202111202008.2A
Other languages
Chinese (zh)
Other versions
CN113872986B (en)
Inventor
张伟
谢虎
谢型浪
徐长飞
杨占杰
何超林
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China Southern Power Grid Digital Grid Technology Guangdong Co ltd
Original Assignee
Southern Power Grid Digital Grid Research Institute Co Ltd
Application filed by Southern Power Grid Digital Grid Research Institute Co Ltd
Priority to CN202111202008.2A
Publication of CN113872986A
Application granted
Publication of CN113872986B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0442 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y04 INFORMATION OR COMMUNICATION TECHNOLOGIES HAVING AN IMPACT ON OTHER TECHNOLOGY AREAS
    • Y04S SYSTEMS INTEGRATING TECHNOLOGIES RELATED TO POWER NETWORK OPERATION, COMMUNICATION OR INFORMATION TECHNOLOGIES FOR IMPROVING THE ELECTRICAL POWER GENERATION, TRANSMISSION, DISTRIBUTION, MANAGEMENT OR USAGE, i.e. SMART GRIDS
    • Y04S40/00 Systems for electrical power generation, transmission, distribution or end-user application management characterised by the use of communication or information technologies, or communication or information technology specific aspects supporting them
    • Y04S40/20 Information technology specific aspects, e.g. CAD, simulation, modelling, system security

Abstract

The application relates to a power distribution terminal authentication method, system, device, computer device and storage medium. The method comprises: acquiring master node information sent by a to-be-authenticated node corresponding to a to-be-authenticated power distribution terminal; determining the master node corresponding to the master node information, and receiving a storage position sent by the master node; acquiring first terminal attribute information at the storage position, and acquiring second terminal attribute information sent by the node to be authenticated; and comparing the first terminal attribute information with the second terminal attribute information, and determining from the comparison result whether the node to be authenticated passes identity authentication. Because any authenticated node in the private chain network can perform identity authentication on the to-be-authenticated node, identity authentication of a large number of power distribution terminals no longer depends on a limited number of central trusted devices, the authentication speed is increased, and the authentication system is prevented from failing when a single central trusted device fails, so that the identity authentication efficiency of the power distribution terminals is effectively improved.

Description

Power distribution terminal authentication method, system, device, computer equipment and storage medium
Technical Field
The present application relates to the field of power grid technologies, and in particular, to a power distribution terminal authentication method, system, apparatus, computer device, and storage medium.
Background
With the development of power grid technology and the continued rollout of power distribution automation, the number of power distribution terminals in operation has grown explosively and their coverage has expanded rapidly. A large number of power distribution terminals need to be connected to the power distribution automation master station, which introduces risks to power grid information security. To ensure the safe operation of the distribution automation system, the power distribution terminals that access it can be authenticated.
In the related art, the authentication function corresponding to the certificate authority of the power distribution terminal can be centrally deployed in a central trusted device, and the central trusted device performs identity authentication on the accessed power distribution terminal.
However, in the above manner, only one central trusted device authenticates the power distribution terminal, and when there are many power distribution terminals requiring authentication, the time consumption of the authentication process is long, and the real-time requirement of the distribution automation system cannot be met, and once a single central trusted device fails, the entire authentication system is easily disabled. Therefore, the related art has the problem that the power distribution terminal identity authentication efficiency is low.
Disclosure of Invention
In view of the above, it is necessary to provide a power distribution terminal authentication method, system, apparatus, computer device, and storage medium for solving the above technical problems.
A power distribution terminal authentication method is applied to an authenticated node corresponding to an authenticated power distribution terminal in a private chain network, and comprises the following steps:
acquiring master node information sent by a to-be-authenticated node corresponding to a to-be-authenticated power distribution terminal;
determining a master node corresponding to the master node information, and receiving a storage position sent by the master node; the master node is a node in the private chain network corresponding to the power distribution master station or the power distribution substation, and the storage position is the position in the private chain network where first terminal attribute information corresponding to the power distribution terminal to be authenticated is stored when the master node registers the identity of the node to be authenticated;
acquiring the first terminal attribute information at the storage position, and acquiring second terminal attribute information sent by the node to be authenticated;
and comparing the first terminal attribute information with the second terminal attribute information, and determining whether the identity authentication of the node to be authenticated is passed or not according to a comparison result.
In one embodiment, the obtaining of the second terminal attribute information sent by the node to be authenticated includes:
sending a public key acquisition request for the node to be authenticated to the master node, and receiving the public key corresponding to the node to be authenticated sent by the master node; the public key is obtained when the master node registers the identity of the node to be authenticated;
acquiring encrypted second terminal attribute information sent by the node to be authenticated; the encrypted second terminal attribute information is encrypted through a private key corresponding to the node to be authenticated;
and decrypting the encrypted second terminal attribute information by adopting the public key corresponding to the node to be authenticated to obtain the second terminal attribute information.
In one embodiment, the sending, to the master node, a public key acquisition request for the node to be authenticated includes:
acquiring third terminal attribute information corresponding to the authenticated power distribution terminal, and generating a public key acquisition request containing the third terminal attribute information and aiming at the node to be authenticated;
and sending the public key acquisition request to the master node to trigger the master node to send the public key corresponding to the node to be authenticated to the authenticated node when the third terminal attribute information is matched with the authenticated terminal attribute information corresponding to the authenticated power distribution terminal in the private chain network after receiving the public key acquisition request.
In one embodiment, after determining according to the comparison result whether the node to be authenticated passes identity authentication, the method further includes:
and when the node to be authenticated is determined to pass identity authentication, taking the second terminal attribute information as authenticated terminal attribute information corresponding to the node to be authenticated, and storing the authenticated terminal attribute information into the private chain network, so that when the node to be authenticated acquires public keys of other nodes to be authenticated from the master node, the master node is triggered to verify the identity of the node to be authenticated based on the terminal attribute information corresponding to the node to be authenticated.
In one embodiment, the obtaining the first terminal attribute information in the storage location includes:
acquiring encrypted first terminal attribute information at the storage position; the encrypted first terminal attribute information is encrypted through a private key corresponding to the master node;
and acquiring a public key corresponding to the master node, and decrypting the encrypted first terminal attribute information by adopting the public key corresponding to the master node to obtain the first terminal attribute information.
In one embodiment, the first terminal attribute information in the storage location is a first hash value corresponding to the terminal attribute information of the power distribution terminal to be authenticated, and the comparing the first terminal attribute information with the second terminal attribute information includes:
and acquiring a second hash value corresponding to the second terminal attribute information, and comparing the first hash value with the second hash value.
A power distribution terminal authentication system comprises a node to be authenticated corresponding to a power distribution terminal to be authenticated in a private chain network, a master node corresponding to a power distribution master station or a power distribution substation, and an authenticated node corresponding to an authenticated power distribution terminal;
the node to be authenticated is used for sending a registration request to the master node, wherein the registration request carries first terminal attribute information corresponding to the power distribution terminal to be authenticated;
the master node is used for registering the identity of the node to be authenticated after receiving the registration request, and storing the first terminal attribute information to a storage position set in the private chain network when the registration is successful;
the node to be authenticated is further configured to send, to the authenticated node, master node information corresponding to the master node and currently acquired second terminal attribute information after the registration is successful;
the authenticated node is configured to determine a master node corresponding to the master node information, acquire the first terminal attribute information from the storage location sent by the master node, compare the first terminal attribute information with the second terminal attribute information, and determine whether the identity authentication of the node to be authenticated is passed according to a comparison result.
A power distribution terminal authentication device is applied to an authenticated node corresponding to an authenticated power distribution terminal in a private chain network, and comprises:
the master node information receiving module is used for acquiring master node information sent by a to-be-authenticated node corresponding to the to-be-authenticated power distribution terminal;
the storage position determining module is used for determining a master node corresponding to the master node information and receiving the storage position sent by the master node; the master node is a node in the private chain network corresponding to the power distribution master station or the power distribution substation, and the storage position is the position in the private chain network where first terminal attribute information corresponding to the power distribution terminal to be authenticated is stored when the master node registers the identity of the node to be authenticated;
a terminal attribute information obtaining module, configured to obtain the first terminal attribute information in the storage location, and obtain second terminal attribute information sent by the node to be authenticated;
and the authentication module is used for comparing the first terminal attribute information with the second terminal attribute information and determining whether the identity authentication of the node to be authenticated is passed or not according to a comparison result.
A computer device comprising a memory storing a computer program and a processor implementing the steps of the method as claimed in any one of the above when the computer program is executed.
A computer-readable storage medium, on which a computer program is stored which, when being executed by a processor, carries out the steps of the method according to any one of the preceding claims.
In the above power distribution terminal authentication method, device, computer equipment and storage medium, an authenticated node in the private chain network acquires the master node information sent by the to-be-authenticated node corresponding to the to-be-authenticated power distribution terminal, determines the master node corresponding to the master node information, and receives the storage position sent by the master node. The master node is a node in the private chain network corresponding to the power distribution master station or the power distribution substation, and the storage position is the position in the private chain network where the first terminal attribute information corresponding to the power distribution terminal to be authenticated is stored when the master node registers the identity of the node to be authenticated. The authenticated node can then acquire the first terminal attribute information at the storage position, acquire the second terminal attribute information sent by the node to be authenticated, compare the first terminal attribute information with the second terminal attribute information, and determine from the comparison result whether the node to be authenticated passes identity authentication. Because any authenticated node in the private chain network can perform identity authentication on the to-be-authenticated node, identity authentication of a large number of power distribution terminals no longer depends on a limited number of central trusted devices, the authentication speed is increased, and the authentication system is prevented from failing when a single central trusted device fails, so that the identity authentication efficiency of the power distribution terminals is effectively improved.
Drawings
FIG. 1 is a diagram of an exemplary application environment for a method for authenticating a power distribution terminal;
FIG. 2 is a schematic flow chart diagram illustrating a method for authenticating a power distribution terminal in one embodiment;
FIG. 3 is a flowchart illustrating an identity registration procedure of a node to be authenticated according to an embodiment;
FIG. 4 is a flowchart illustrating an identity authentication procedure of a node to be authenticated in another embodiment;
FIG. 5 is a block diagram of a power distribution terminal authentication system in one embodiment;
FIG. 6 is a block diagram of an exemplary power distribution terminal authentication device;
FIG. 7 is a diagram illustrating an internal structure of a computer device according to an embodiment.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more apparent, the present application is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the present application and are not intended to limit the present application.
With the development of power grid technology and the continued rollout of power distribution automation, the number of power distribution terminals in operation has grown explosively and their coverage has expanded rapidly. A large number of power distribution terminals need to be connected to the power distribution automation master station, which introduces risks to power grid information security.
Specifically, a power distribution terminal can access the power distribution automation master station over communication channels such as optical fiber or a wireless network. Where the security protections of the power distribution terminals are relatively weak or attackers' techniques have improved, and given that the terminals are numerous and widely distributed, an attacker can carry out malicious damage, attacks and other illegal operations against the power distribution automation master station through attack forms such as terminal identity counterfeiting and replay attacks. The master station therefore faces network attack risks from both public and private networks, which in turn affects the safe and reliable supply of power to users. To ensure the safe operation of the distribution automation system, the power distribution terminals that access it can be authenticated.
In the related art, the authentication function corresponding to the certificate authority of the power distribution terminal can be centrally deployed in a central trusted device, and the central trusted device performs identity authentication on the accessed power distribution terminal. Compared with the traditional public key certificate mechanism, whose deployment is overly complicated, this approach can be called a distributed public key certificate management method, and the central trusted device can authenticate the power distribution terminal while operating offline.
However, in the above method, only one central trusted device authenticates the power distribution terminal, and when there are many power distribution terminals requiring authentication, the authentication process takes a long time, and the real-time requirement of the power distribution automation system cannot be satisfied. If a plurality of power distribution terminals need to be authenticated in real time, the central trusted device is required to have higher computing capacity, and the application range of the method is limited to a certain extent. Moreover, once a single central trusted device fails, the whole authentication system is easy to fail.
Therefore, the related art has the problem that the power distribution terminal identity authentication efficiency is low.
Based on the above, the application provides a power distribution terminal authentication method, so as to at least solve the problem of low power distribution terminal identity authentication efficiency in the related art. The power distribution terminal authentication method provided by the application can be applied to the application environment shown in fig. 1, where the application environment may include a private chain network and a plurality of network nodes in the private chain network, and the plurality of network nodes may at least include an authenticated node corresponding to an authenticated power distribution terminal, a master node corresponding to a power distribution master station or a power distribution substation in a power distribution automation system, and a node to be authenticated corresponding to a power distribution terminal to be authenticated.
The private chain network may be a blockchain network that is open only to the interior of the power grid enterprise or to authorized devices. The authenticated node may be a node in the private chain network corresponding to a power distribution terminal that has passed identity authentication. The master node may be a node corresponding to a distribution automation master station and/or substation that directly sends or forwards regulation instructions in the distribution automation system. The node to be authenticated may be a node corresponding to a power distribution terminal that has not yet passed identity authentication. The authenticated node and the node to be authenticated may be collectively referred to as general nodes.
In one embodiment, as shown in fig. 2, a power distribution terminal authentication method is provided. The method is described as applied to an authenticated node, and may include the following steps:
Step 201, obtaining master node information sent by a to-be-authenticated node corresponding to a to-be-authenticated power distribution terminal.
As an example, the master node information may be information for identifying a designated master node in the private-chain network, and may be, for example, a node identifier corresponding to the master node or a network address of the master node in the private-chain network.
In practical application, a node to be authenticated corresponding to the power distribution terminal to be authenticated can send master node information to any authenticated node in the private chain network, so that the authenticated node can obtain the master node information.
Specifically, the node to be authenticated may send an identity authentication request to any authenticated node in the private chain network; for example, the request may be sent to the authenticated node closest to the node to be authenticated, or to an authenticated node that is idle and not currently performing identity authentication. On receiving the identity authentication request, the authenticated node may read the master node information from it.
Step 202, determining a master node corresponding to the master node information, and receiving a storage location sent by the master node.
In practical application, before identity registration and identity authentication are carried out on power distribution terminals, an authorized, trusted staff member can authenticate a plurality of power distribution automation master stations and/or substations in the power distribution automation system according to the requirements of power distribution automation information security protection, so that these master stations and/or substations are trusted and become the master nodes in the private chain network. Designating a plurality of distribution automation master stations or substations as master nodes forms the nodes of the initial chain in the private chain network and ensures the initial security of the private chain authentication system.
The storage position is the position in the private chain network where the first terminal attribute information corresponding to the power distribution terminal to be authenticated is stored when the master node registers the identity of the node to be authenticated. Specifically, before the node to be authenticated performs identity authentication through the authenticated node, it may register its identity with the master node in advance. During identity registration, the node to be authenticated can send the first terminal attribute information to the master node. After the master node decides to register the identity of the node to be authenticated, the first terminal attribute information can be stored in the private chain network, which can store it in encrypted form, for example by writing the first terminal attribute information to the chain. The storage position of the encrypted first terminal attribute information in the private chain network can then be returned to the master node.
In a specific implementation, after the authenticated node acquires the master node information, the master node corresponding to the master node information may be determined, and a terminal attribute information acquisition request for the node to be authenticated is sent to the master node, and after receiving the terminal attribute information acquisition request, the master node may send a storage location corresponding to the first terminal attribute information to the authenticated node.
Step 203, obtaining the first terminal attribute information in the storage location, and obtaining the second terminal attribute information sent by the node to be authenticated.
As an example, the first terminal attribute information may be terminal attribute information sent to the master node when the node to be authenticated performs identity registration at the master node. The second terminal attribute information may be terminal attribute information sent to the authenticated node by the node to be authenticated when the authenticated node performs identity authentication.
The first terminal attribute information and/or the second terminal attribute information may include at least one of the following items of information about the power distribution terminal to be authenticated: the power distribution terminal name, the power distribution terminal identifier, the geographical position of the power distribution terminal, and the monitored object (also called associated equipment) corresponding to the power distribution terminal.
Specifically, after receiving the storage location returned by the master node, the first terminal attribute information in the storage location may be acquired from the private chain network, and the second terminal attribute information currently sent by the node to be authenticated is acquired.
Step 204, comparing the first terminal attribute information with the second terminal attribute information, and determining whether the identity authentication of the node to be authenticated is passed according to the comparison result.
In practical application, after acquiring the first terminal attribute information that the node to be authenticated provided when registering its identity with the master node, and the second terminal attribute information currently sent by the node to be authenticated, the authenticated node can compare the two and obtain a comparison result indicating whether they match. Whether the node to be authenticated passes identity authentication is then determined according to the comparison result.
Specifically, if the first terminal attribute information and the second terminal attribute information match, for example because they are the same, it may be determined that the node to be authenticated, which currently sends the second terminal attribute information for identity authentication, has been successfully registered with the master node. If the authenticated node finds no other abnormal condition in the node to be authenticated, it may determine that the node to be authenticated passes identity authentication, and information that identity authentication succeeded may be returned to the node to be authenticated.
If the first terminal attribute information and the second terminal attribute information fail to match, for example because they differ, then the first terminal attribute information sent by the node to be authenticated when it registered its identity with the master node is different from the second terminal attribute information it currently sends. It can therefore be determined that the power distribution terminal corresponding to the node to be authenticated is not a power distribution terminal that registered its identity with the master node in advance and has not been verified by the master node, so the node to be authenticated is not trusted and fails identity authentication. Information that identity authentication failed can also be returned to the node to be authenticated.
In this embodiment, an authenticated node in the private chain network may obtain master node information sent by a to-be-authenticated node corresponding to a to-be-authenticated power distribution terminal, determine the master node corresponding to the master node information, and receive a storage location sent by the master node. The master node is a node in the private chain network corresponding to a power distribution master station or a power distribution substation, and the storage location is the location in the private chain network where first terminal attribute information corresponding to the to-be-authenticated power distribution terminal is stored when the master node registers the identity of the to-be-authenticated node. The authenticated node may then obtain the first terminal attribute information at the storage location, obtain second terminal attribute information sent by the to-be-authenticated node, compare the first terminal attribute information with the second terminal attribute information, and determine from the comparison result whether the to-be-authenticated node passes identity authentication. Because any authenticated node in the private chain network can perform identity authentication on the to-be-authenticated node, identity authentication of a large number of power distribution terminals no longer depends on a limited number of central trusted devices, the authentication speed is increased, and the authentication system is prevented from failing when a single central trusted device fails, so that the identity authentication efficiency of the power distribution terminals is effectively improved.
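Added example (not part of the patent text): a Go simulation of steps 201 to 204 together with the hash-comparison and public-key embodiments from the Disclosure. Assumptions: the patent's "encrypt with the private key, decrypt with the public key" is modelled as an Ed25519 signature over a SHA-256 attribute hash, and the in-memory maps, the `block-N` storage positions, all type and function names, and the sample terminals are constructed stand-ins for the private chain.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// Attrs carries the terminal attribute fields listed in the description.
type Attrs struct{ Name, ID, Location, Monitored string }

// Digest hashes a length-prefixed encoding so field boundaries are unambiguous.
func (a Attrs) Digest() []byte {
	h := sha256.New()
	for _, f := range []string{a.Name, a.ID, a.Location, a.Monitored} {
		fmt.Fprintf(h, "%d:%s;", len(f), f)
	}
	return h.Sum(nil)
}

// Record is the on-chain entry: first attribute hash plus the master node's signature.
type Record struct{ Hash, Sig []byte }

// Master stands in for a master node and the private-chain storage it writes to.
type Master struct {
	Pub      ed25519.PublicKey
	priv     ed25519.PrivateKey
	chain    map[string]Record            // storage position -> record
	position map[string]string            // terminal ID -> storage position
	keys     map[string]ed25519.PublicKey // terminal ID -> key captured at registration
	authed   map[string][]byte            // terminal ID -> authenticated attribute hash
}

func NewMaster() *Master {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand
	return &Master{pub, priv, map[string]Record{}, map[string]string{},
		map[string]ed25519.PublicKey{}, map[string][]byte{}}
}

// NewTerminalKey returns a node's public key and a signer for its attribute claims.
func NewTerminalKey() (ed25519.PublicKey, func(Attrs) []byte) {
	pub, priv, _ := ed25519.GenerateKey(nil)
	return pub, func(c Attrs) []byte { return ed25519.Sign(priv, c.Digest()) }
}

// Register stores the signed first attribute hash and returns its storage position.
func (m *Master) Register(a Attrs, pub ed25519.PublicKey) string {
	h := a.Digest()
	pos := fmt.Sprintf("block-%d", len(m.chain)+1) // constructed position format
	m.chain[pos] = Record{h, ed25519.Sign(m.priv, h)}
	m.position[a.ID], m.keys[a.ID] = pos, pub
	return pos
}

// KeyFor releases a key only if the requester's attributes match an authenticated record.
func (m *Master) KeyFor(requester Attrs, target string) (ed25519.PublicKey, error) {
	want, ok := m.authed[requester.ID]
	if !ok || subtle.ConstantTimeCompare(want, requester.Digest()) != 1 {
		return nil, errors.New("requester is not an authenticated node")
	}
	if pub, ok := m.keys[target]; ok {
		return pub, nil
	}
	return nil, errors.New("target is not registered")
}

// Authenticate runs steps 202-204 on the authenticated node `verifier`.
func Authenticate(m *Master, verifier, claim Attrs, sig []byte) error {
	rec, ok := m.chain[m.position[claim.ID]] // steps 202-203: position, then record
	if !ok || !ed25519.Verify(m.Pub, rec.Hash, rec.Sig) {
		return errors.New("no master-signed registration record")
	}
	pub, err := m.KeyFor(verifier, claim.ID)
	if err != nil {
		return err
	}
	h2 := claim.Digest() // second hash value
	if !ed25519.Verify(pub, h2, sig) {
		return errors.New("claim not signed by the registered key")
	}
	if subtle.ConstantTimeCompare(rec.Hash, h2) != 1 { // step 204
		return errors.New("attribute mismatch")
	}
	m.authed[claim.ID] = h2 // store as authenticated terminal attribute information
	return nil
}

func main() {
	m, v := NewMaster(), Attrs{"DTU-A", "T-001", "feeder-1", "breaker-11"} // constructed values
	m.authed[v.ID] = v.Digest() // assumption: the verifier was authenticated earlier
	n := Attrs{"DTU-B", "T-002", "feeder-2", "breaker-22"}
	pub, sign := NewTerminalKey()
	fmt.Println("stored at:", m.Register(n, pub))
	fmt.Println("genuine terminal:", Authenticate(m, v, n, sign(n)))
}
```

The signed claim in this sketch carries no nonce or timestamp, so a verifier that must resist the replay attacks mentioned in the description needs a freshness value added to the signed data.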
In another example, identity authentication may also be performed on a node to be authenticated based on a public link network in a block chain technology, that is, in a certificate application and issuing stage, multipoint distributed verification may be performed by using the public link network, instead of a process in which a conventional certificate authority issues a certificate by using a public and private key, so that a risk of failure of a single certificate authority is avoided.
Specifically, in the certificate use process, trusted identity authentication is performed by relying on a digital certificate stored in a block chain, and data in the block chain is subjected to consensus verification through a plurality of nodes on the chain, so that the reliability is higher than that of a document issuing organization.
When cross-domain authentication is carried out, a multi-certificate authority chain can be introduced into a block chain PKI system, and a certificate user is verified through a root certificate of the certificate authority to which the certificate user belongs. The method has the advantages that the method effectively audits the certificate issued by the certificate issuing organization based on the blockchain technology, reduces operation delay by designing an efficient query method and a forward tracking strategy, solves the vulnerability of the traditional certificate issuing organization, and effectively improves the robustness of the certificate due to the fact that nodes on any blockchain can verify the correctness of certificate operation.
While the embodiment of the application performs decentralized authentication by exerting the distributed characteristic of the block chain technology, compared with a mode of performing identity authentication based on a public chain network, the embodiment performs identity authentication by using internal nodes of a private chain network, can limit the identity authentication qualification of an untrusted node to a node to be authenticated, avoids that any node can read, send or confirm information inside the network, effectively improves the reliability of the identity authentication process and the authentication result of the power distribution terminal, provides safety compliance for power distribution automation, can trace, cannot be tampered, automatically executes the power distribution terminal authentication, and simultaneously prevents the safety attack to data from the inside or the outside.
In an embodiment, the obtaining of the second terminal attribute information sent by the node to be authenticated may include the following steps:
sending a public key acquisition request for the node to be authenticated to the master node, and receiving the public key corresponding to the node to be authenticated sent by the master node; acquiring encrypted second terminal attribute information sent by the node to be authenticated; and decrypting the encrypted second terminal attribute information using the public key corresponding to the node to be authenticated to obtain the second terminal attribute information.
As an example, the public key is obtained when the master node performs identity registration on the node to be authenticated; and the encrypted second terminal attribute information is encrypted through a private key corresponding to the node to be authenticated.
In a specific implementation, before the authenticated node is triggered to perform identity authentication on the node to be authenticated, the node to be authenticated may register its identity with the master node in advance.
Specifically, as shown in fig. 3, in step 301, the power distribution terminal to be authenticated may be factory-set before being used, and corresponding terminal attribute information is set.
In step 302, the power distribution terminal to be authenticated serves as a node to be authenticated in the private chain network, and sends a registration request to the master node.
In step 303, after receiving the registration request, the master node returns a registration requirement to the node to be authenticated. The registration requirement may be used to prompt the node to be authenticated to generate a corresponding key pair and to return specified terminal attribute information, such as a power distribution terminal name, a power distribution terminal identifier, a power distribution terminal geographic location, and a monitoring object corresponding to the power distribution terminal.
In step 304, after receiving the registration requirement, the node to be authenticated generates a key pair including a public key and a private key. The key pair may carry terminal identity information corresponding to the node to be authenticated, such as a power distribution terminal identifier, and is unique to the node to be authenticated, the master node, and the private chain network.
In step 305, the node to be authenticated replies to the registration requirement and sends the public key, the certification material, and the first terminal attribute information corresponding to the node to be authenticated to the master node.
In step 306, the master node verifies whether the identity of the node to be authenticated is legal based on the received certification material, and if so, determines that the identity of the node to be authenticated is verified, and stores the public key corresponding to the node to be authenticated in the master node.
In step 307, the master node performs signature encryption on the first terminal attribute information using the private key corresponding to the master node, and sends the signature-encrypted first terminal attribute information to the private chain network.
In step 308, the private chain network stores the signature-encrypted first terminal attribute information in encrypted form, for example by generating a corresponding block and writing it to the chain.
In step 309, the master node returns a registration result to the node to be authenticated, including a registration success or a registration failure.
After the node to be authenticated has successfully registered its identity with the master node, it may send an identity authentication request to the authenticated node. The authenticated node that receives the identity authentication request may send a public key acquisition request for the node to be authenticated to the master node, and receive the public key corresponding to the node to be authenticated that the master node returns in response to the public key acquisition request.
The authenticated node can also acquire the encrypted second terminal attribute information sent by the node to be authenticated, which can be carried in the identity authentication request. Alternatively, after the node to be authenticated sends the identity authentication request, the authenticated node may send an identity authentication requirement to the node to be authenticated. The identity authentication requirement may prompt the node to be authenticated to return specified terminal attribute information, which is the same as the terminal attribute information specified by the master node, and the node to be authenticated that receives the requirement may send the corresponding second terminal attribute information to the authenticated node. When sending the second terminal attribute information, the node to be authenticated can sign and encrypt it with its own private key.
After the encrypted second terminal attribute information sent by the node to be authenticated is obtained, the public key corresponding to the node to be authenticated can be adopted to decrypt the encrypted second terminal attribute information, so that the decrypted second terminal attribute information is obtained.
In this embodiment, by obtaining the public key corresponding to the node to be authenticated from the master node and decrypting the encrypted second terminal attribute information sent by the node to be authenticated by using the public key, it can be verified whether the node to be authenticated is a node performing identity registration in the master node, and when the public key can successfully decrypt the encrypted second terminal attribute information, it can be determined that the node to be authenticated is matched with the node sending the public key.
In one embodiment, the sending a public key obtaining request for the node to be authenticated to the master node includes:
acquiring third terminal attribute information corresponding to the authenticated power distribution terminal, and generating a public key acquisition request containing the third terminal attribute information and aiming at the node to be authenticated; and sending the public key acquisition request to the master node to trigger the master node to send the public key corresponding to the node to be authenticated to the authenticated node when the third terminal attribute information is matched with the authenticated terminal attribute information corresponding to the authenticated power distribution terminal in the private chain network after receiving the public key acquisition request.
As an example, the third terminal attribute information may be terminal attribute information currently sent by the authenticated node to the master node, and the third terminal attribute information may include at least one of the following: a power distribution terminal name, a power distribution terminal identifier, a power distribution terminal geographic location, and a monitoring object corresponding to the power distribution terminal.
In a specific implementation, the authenticated node may obtain third terminal attribute information corresponding to the authenticated power distribution terminal, and generate a public key obtaining request for the node to be authenticated, where the public key obtaining request includes the third terminal attribute information.
After the public key acquisition request is generated, the authenticated node can send it to the master node. On receiving the request, the master node can first verify the identity of the authenticated node based on the third terminal attribute information in the request, so as to prevent other nodes from impersonating the authenticated node to acquire the public key.
Specifically, after reading the third terminal attribute information in the public key acquisition request, the master node may acquire from the private chain network the previously stored authenticated terminal attribute information corresponding to the authenticated power distribution terminal. The authenticated terminal attribute information may be information that other nodes acquired and uploaded to the private chain network when the authenticated node underwent identity authentication, or terminal attribute information acquired when the master node registered the identity of the authenticated node.
If the third terminal attribute information matches with the terminal attribute information corresponding to the authenticated node currently stored in the private chain network, the master node may return a public key corresponding to the node to be authenticated to the authenticated node; if the two are not matched, the master node can determine that the identity of the authenticated node is not credible, and can refuse to send the public key corresponding to the node to be authenticated to the authenticated node.
In this embodiment, sending a public key acquisition request that includes the third terminal attribute information to the master node triggers the master node to verify the identity of the authenticated node after receiving the request, and to send the public key corresponding to the node to be authenticated only after the verification passes. This improves the identity credibility of the authenticated node, prevents the public key of the node to be authenticated from being stolen by other nodes, and improves the security of the power distribution automation system.
In an embodiment, after determining whether the identity authentication of the node to be authenticated is passed according to the comparison result, the method may further include the following steps:
and when the node to be authenticated is determined to pass identity authentication, taking the second terminal attribute information as authenticated terminal attribute information corresponding to the node to be authenticated, and storing the authenticated terminal attribute information into the private chain network, so that when the node to be authenticated acquires public keys of other nodes to be authenticated from the master node, the master node is triggered to verify the identity of the node to be authenticated based on the authenticated terminal attribute information corresponding to the node to be authenticated.
As an example, the authenticated terminal attribute information may be terminal attribute information that is uploaded to the private chain network for storage when an authenticated node in the private chain network performs identity authentication on a node to be authenticated.
After the identity authentication result is obtained, if it is determined that the node to be authenticated passes the identity authentication, the authenticated node may store the second terminal attribute information as authenticated terminal attribute information corresponding to the node to be authenticated in the private chain network.
Specifically, for example, the authenticated node may perform hash processing on the second terminal attribute information sent by the node to be authenticated and sign with a private key to obtain the second terminal attribute information after the hash processing and the signature processing, and the information may further have metadata such as a timestamp, and further may be stored in the private chain network as the authenticated terminal attribute information corresponding to the node to be authenticated.
After the authenticated terminal attribute information corresponding to the node to be authenticated has been stored in the private chain network, if the node to be authenticated subsequently attempts to obtain the public keys of other nodes to be authenticated from the master node, the master node may be triggered to verify the identity of the node to be authenticated based on that authenticated terminal attribute information. For example, after determining that node A to be authenticated passes identity authentication, authenticated node B may perform the above processing on the second terminal attribute information sent by node A, and store the result in the private chain network as authenticated terminal attribute information A corresponding to node A. When node A, now acting as an authenticated node, receives an identity authentication request from node C to be authenticated, node A can send a public key acquisition request to the master node. The master node can verify the identity of node A based on the authenticated terminal attribute information A stored in the private chain network, and return the public key of node C after the verification passes.
In this embodiment, when it is determined that the node to be authenticated passes identity authentication, the second terminal attribute information may be stored in the private chain network as authenticated terminal attribute information corresponding to the node to be authenticated, so as to provide identity certification material when the node to be authenticated subsequently obtains public keys of other nodes from the master node.
In one embodiment, the obtaining the first terminal attribute information in the storage location includes:
acquiring encrypted first terminal attribute information at the storage position; and acquiring a public key corresponding to the master node, and decrypting the encrypted first terminal attribute information by adopting the public key corresponding to the master node to obtain the first terminal attribute information.
The encrypted first terminal attribute information is encrypted with the private key corresponding to the master node.
In practical application, when the master node registers the identity of the node to be authenticated, the master node may receive the first terminal attribute information sent by the node to be authenticated and store it. Specifically, to avoid occupying local storage space, the master node may refrain from storing the first terminal attribute information locally. Instead, it performs signature processing with the private key corresponding to the master node to obtain the encrypted first terminal attribute information, sends the encrypted first terminal attribute information to the private chain, and stores it at the corresponding storage location.
On receiving the storage location sent by the master node, the authenticated node can acquire from the private chain network the first terminal attribute information at that storage location, which is encrypted with the master node's private key, and acquire the public key corresponding to the master node. It can then decrypt the encrypted first terminal attribute information using the public key corresponding to the master node to obtain the decrypted first terminal attribute information.
In this embodiment, the authenticated node may obtain the public key corresponding to the master node and use it to decrypt the encrypted first terminal attribute information, obtaining the first terminal attribute information and thereby providing a basis for data comparison in the subsequent identity authentication of the node to be authenticated.
In an embodiment, the first terminal attribute information in the storage location may be a hash value corresponding to the terminal attribute information of the power distribution terminal to be authenticated, that is, a first hash value. Specifically, after receiving the first terminal attribute information sent by the node to be authenticated, the master node may perform hash processing on the first terminal attribute information, and store the first terminal attribute information in the form of a first hash value.
The comparing the first terminal attribute information and the second terminal attribute information includes:
and acquiring a second hash value corresponding to the second terminal attribute information, and comparing the first hash value with the second hash value.
After receiving the second terminal attribute information, the authenticated node may perform hash processing on the second terminal attribute information to obtain a second hash value, and compare the first hash value with the second hash value to determine whether the first terminal attribute information and the second terminal attribute information are consistent. For example, when the first hash value is equal to the second hash value, it may be determined that the first terminal attribute information is identical to the second terminal attribute information.
In this embodiment, the authenticated node may quickly determine whether the first terminal attribute information is consistent with the second terminal attribute information by obtaining a second hash value corresponding to the second terminal attribute information and comparing the first hash value with the second hash value, and verify the validity of the second terminal attribute, thereby improving the authentication efficiency of the node to be authenticated.
In one embodiment, during identity registration and identity authentication of a node to be authenticated, the information exchanged among the node to be authenticated, the authenticated node and the master node can be secured in transmission by asymmetric encryption. That is, the data sender first encrypts and signs the information with its own private key, then encrypts the signed information with the public key of the data receiver, and sends the encrypted information to the data receiver. After receiving the information, the data receiver first verifies it with the public key of the data sender and then decrypts it with its own private key.
In order to enable those skilled in the art to better understand the above steps, the following is an example to illustrate the embodiments of the present application, but it should be understood that the embodiments of the present application are not limited thereto.
As shown in fig. 4, in step 401, the node to be authenticated may initiate an identity authentication request to a neighboring authenticated node.
In step 402, after receiving the identity authentication request, the authenticated node may send a challenge code and an authentication requirement to the node to be authenticated, where the authentication requirement may be used to indicate terminal attribute information that needs to be submitted by the node to be authenticated, and in an example, the terminal attribute information of the authentication requirement is the same as the terminal attribute information in the registration requirement in fig. 3.
In step 403, the node to be authenticated may obtain the second terminal attribute information corresponding to the authentication requirement.
In step 404, the node to be authenticated generates a dynamic password corresponding to the challenge code from the challenge code and a key seed agreed in advance with the authenticated node, and signs the dynamic password. It then returns to the authenticated node the signed response password corresponding to the challenge code, the master node information of the master node that registered the identity of the node to be authenticated, and the second terminal attribute information encrypted with the private key of the node to be authenticated.
In step 405, the authenticated node searches for a corresponding master node according to the master node information, and sends a public key acquisition request to the master node.
In step 406, the master node sends the public key of the node to be authenticated and the storage location of the first terminal attribute information in the private chain network to the authenticated node.
In step 407, the authenticated node looks up the first terminal attribute information in the private chain network according to the storage location.
In step 408, the obtained first terminal attribute information and the second terminal attribute information are compared, and whether the identity authentication of the node to be authenticated passes or not is determined.
In step 409, after determining that the identity authentication is passed, the authenticated node signs the second terminal attribute information with its private key and stores it in the private chain network.
In step 410, the authenticated node returns the result of successful identity authentication to the node to be authenticated.
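The Fig. 4 exchange (steps 402 to 408) together with the hash comparison described earlier, as an added example that is not code from the patent. It assumes HMAC-SHA256 for the dynamic password, SHA-256 over a canonical JSON encoding for the hash values, single-use challenge codes, and an in-memory list standing in for the private chain; the signing and encryption steps are left out, and all class, function and field names are hypothetical.

```python
import hashlib
import hmac
import json
import secrets

# Attribute names follow the page's list; the dictionary keys are assumed.
FIELDS = ("name", "identifier", "location", "monitored_object")


def attribute_hash(attrs):
    """SHA-256 over a canonical encoding, so key order cannot change the hash."""
    missing = [f for f in FIELDS if f not in attrs]
    if missing:
        raise ValueError("missing attributes: %s" % missing)
    canonical = json.dumps({f: attrs[f] for f in FIELDS}, sort_keys=True,
                           separators=(",", ":"), ensure_ascii=False)
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def dynamic_password(key_seed, challenge):
    """Step 404: response derived from the challenge code and the key seed."""
    return hmac.new(key_seed, challenge, hashlib.sha256).hexdigest()


class PrivateChain:
    """In-memory stand-in for the private chain: an append-only record list."""
    def __init__(self):
        self._records = []

    def store(self, record):
        self._records.append(dict(record))
        return len(self._records) - 1  # index serves as the storage location

    def load(self, location):
        return dict(self._records[location])


class MasterNode:
    def __init__(self, chain):
        self.chain = chain
        self.locations = {}

    def register(self, attrs):
        """Steps 305-308, reduced to storing the first hash value on the chain."""
        record = {"terminal": attrs["identifier"], "first_hash": attribute_hash(attrs)}
        self.locations[attrs["identifier"]] = self.chain.store(record)

    def storage_location(self, terminal_id):
        """Step 406: raises KeyError for a terminal that never registered."""
        return self.locations[terminal_id]


class AuthenticatedNode:
    def __init__(self, chain, masters, key_seeds):
        self.chain, self.masters, self.key_seeds = chain, masters, key_seeds
        self.pending = {}  # terminal id -> outstanding challenge code

    def issue_challenge(self, terminal_id):
        """Step 402: a fresh random challenge code for each request."""
        self.pending[terminal_id] = secrets.token_bytes(16)
        return self.pending[terminal_id]

    def authenticate(self, terminal_id, response, master_name, second_attrs):
        """Steps 405-408: True only if the response and the hashes both match."""
        challenge = self.pending.pop(terminal_id, None)  # single use (assumed)
        seed = self.key_seeds.get(terminal_id)
        if challenge is None or seed is None:
            return False
        if not hmac.compare_digest(dynamic_password(seed, challenge), response):
            return False
        try:
            location = self.masters[master_name].storage_location(terminal_id)
            second_hash = attribute_hash(second_attrs)
        except (KeyError, ValueError):
            return False
        first_hash = self.chain.load(location)["first_hash"]
        return hmac.compare_digest(first_hash, second_hash)


def run_demo():
    master = MasterNode(PrivateChain())
    seed = secrets.token_bytes(32)
    # Constructed sample terminal, not taken from the page.
    attrs = {"name": "DTU-example", "identifier": "T-0001",
             "location": "23.13N,113.26E", "monitored_object": "feeder-7"}
    master.register(attrs)
    node = AuthenticatedNode(master.chain, {"master-1": master}, {"T-0001": seed})
    c1 = node.issue_challenge("T-0001")
    r1 = dynamic_password(seed, c1)
    reordered = dict(reversed(list(attrs.items())))  # same data, other key order
    genuine = node.authenticate("T-0001", r1, "master-1", reordered)
    node.issue_challenge("T-0001")  # new challenge, old response
    replayed = node.authenticate("T-0001", r1, "master-1", attrs)
    c3 = node.issue_challenge("T-0001")
    moved = dict(attrs, location="22.54N,114.06E")  # differs from registration
    changed = node.authenticate("T-0001", dynamic_password(seed, c3), "master-1", moved)
    return {"genuine": genuine, "replayed": replayed, "changed": changed}
```

A response replayed against a new challenge code and attributes that differ from the registered ones are both rejected, while the same attributes in a different key order still match.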
It should be understood that although the steps in the flow charts of fig. 2-4 are shown in the order indicated by the arrows, they are not necessarily performed in that order. Unless explicitly stated otherwise, the steps are not restricted to the exact order shown and described, and may be performed in other orders. Moreover, at least some of the steps in fig. 2-4 may include multiple sub-steps or stages, which are not necessarily performed at the same time or in sequence, but may be performed at different times, in turn, or alternately with other steps or with at least some parts of other steps.
In one embodiment, as shown in fig. 5, a power distribution terminal authentication system is provided, where the system includes a to-be-authenticated node 501 corresponding to a power distribution terminal to be authenticated, a master node 502 corresponding to a power distribution master station or a power distribution substation, and an authenticated node 503 corresponding to an authenticated power distribution terminal in a private chain network.
The node 501 to be authenticated is configured to send a registration request to the master node, where the registration request carries first terminal attribute information corresponding to the power distribution terminal to be authenticated.
Specifically, the node to be authenticated may send a registration request to the master node, where the registration request carries first terminal attribute information corresponding to the power distribution terminal to be authenticated.
The master node 502 is configured to perform identity registration on the node to be authenticated after receiving the registration request, and store the first terminal attribute information to a storage location set in the private chain network when the registration is successful.
In practical application, after receiving the registration request, the master node may perform identity registration on the node to be authenticated in response to the registration request, and store the first terminal attribute information to a storage location set in the private chain network when the registration is successful.
The node 501 to be authenticated is further configured to send, after the registration is successful, the master node information corresponding to the master node and the currently acquired second terminal attribute information to the authenticated node.
In practical application, after the master node successfully registers the identity of the node to be authenticated, the master node may return a registration result to the node to be authenticated. The node to be authenticated may determine from the registration result whether the registration succeeded and, once it has, send the master node information corresponding to the master node and the currently acquired second terminal attribute information to the authenticated node.
The authenticated node 503 is configured to determine a master node corresponding to the master node information, acquire the first terminal attribute information from the storage location sent by the master node, compare the first terminal attribute information with the second terminal attribute information, and determine whether the identity authentication of the node to be authenticated is passed according to a comparison result.
In a specific implementation, after the authenticated node acquires the master node information, the master node corresponding to the master node information may be determined, and a terminal attribute information acquisition request for the node to be authenticated is sent to the master node, and after receiving the terminal attribute information acquisition request, the master node may send a storage location corresponding to the first terminal attribute information to the authenticated node.
After receiving the storage location returned by the master node, the authenticated node may obtain the first terminal attribute information at the storage location from the private chain network, compare the first terminal attribute information with the second terminal attribute information, obtain a comparison result of whether the first terminal attribute information and the second terminal attribute information are matched, and further determine whether the identity authentication of the node to be authenticated passes according to the comparison result.
In this embodiment, a node to be authenticated in a private chain network may send a registration request carrying first terminal attribute information corresponding to a power distribution terminal to be authenticated to a master node. After receiving the registration request, the master node performs identity registration on the node to be authenticated and, when the registration is successful, stores the first terminal attribute information at a storage location set in the private chain network. After the registration is successful, the node to be authenticated may send master node information corresponding to the master node and the currently obtained second terminal attribute information to the authenticated node. The authenticated node may determine the master node corresponding to the master node information, obtain the first terminal attribute information from the storage location sent by the master node, compare the first terminal attribute information with the second terminal attribute information, and determine from the comparison result whether the node to be authenticated passes identity authentication. Because any authenticated node in the private chain network can perform identity authentication on the to-be-authenticated node, identity authentication of a large number of power distribution terminals no longer depends on a limited number of central trusted devices; the authentication speed is increased, failure of the authentication system caused by the failure of a single central trusted device is prevented, and the identity authentication efficiency of the power distribution terminals is effectively improved.
In one embodiment, as shown in fig. 6, there is provided a power distribution terminal authentication apparatus, which can be applied to an authenticated node corresponding to an authenticated power distribution terminal in a private chain network, the apparatus including:
the master node information receiving module 601 is used for acquiring master node information sent by a to-be-authenticated node corresponding to the to-be-authenticated power distribution terminal;
a storage location determining module 602, configured to determine a master node corresponding to the master node information, and receive a storage location sent by the master node; the master node is a node in the private chain network corresponding to the power distribution master station or the power distribution substation, and the storage location is a location in the private chain network for storing first terminal attribute information corresponding to the power distribution terminal to be authenticated when the master node registers the identity of the node to be authenticated;
a terminal attribute information obtaining module 603, configured to obtain the first terminal attribute information in the storage location, and obtain second terminal attribute information sent by the node to be authenticated;
the authentication module 604 is configured to compare the first terminal attribute information with the second terminal attribute information, and determine whether the identity authentication of the node to be authenticated is passed according to a comparison result.
In one embodiment, the terminal attribute information obtaining module includes:
the public key acquisition submodule of the node to be authenticated is used for sending a public key acquisition request for the node to be authenticated to the master node and receiving the public key corresponding to the node to be authenticated sent by the master node; the public key is obtained when the master node registers the identity of the node to be authenticated;
the second encrypted information acquisition submodule is used for acquiring encrypted second terminal attribute information sent by the node to be authenticated; the encrypted second terminal attribute information is encrypted through a private key corresponding to the node to be authenticated;
and the second encrypted information decryption module is used for decrypting the encrypted second terminal attribute information by adopting the public key corresponding to the node to be authenticated to obtain the second terminal attribute information.
In one embodiment, the public key acquisition submodule of the node to be authenticated includes:
a public key acquisition request generating unit, configured to acquire third terminal attribute information corresponding to the authenticated power distribution terminal, and generate a public key acquisition request for the node to be authenticated that contains the third terminal attribute information;
a public key acquisition request sending unit, configured to send the public key acquisition request to the master node, so as to trigger the master node, after receiving the public key acquisition request, to send the public key corresponding to the node to be authenticated to the authenticated node when the third terminal attribute information matches the authenticated terminal attribute information corresponding to the authenticated power distribution terminal in the private chain network.
In one embodiment, the apparatus further comprises:
an authenticated terminal attribute information storage module, configured to, when the node to be authenticated is determined to pass identity authentication, take the second terminal attribute information as the authenticated terminal attribute information corresponding to the node to be authenticated and store it in the private chain network, so that when the node to be authenticated acquires the public keys of other nodes to be authenticated from the master node, the master node is triggered to verify the identity of the node to be authenticated based on the terminal attribute information corresponding to the node to be authenticated.
In one embodiment, the terminal attribute information obtaining module includes:
a first encrypted information acquisition submodule, configured to acquire the encrypted first terminal attribute information in the storage location; the encrypted first terminal attribute information is encrypted with the private key corresponding to the master node;
and a first encrypted information decryption module, configured to acquire the public key corresponding to the master node and decrypt the encrypted first terminal attribute information with the public key corresponding to the master node to obtain the first terminal attribute information.
In an embodiment, the first terminal attribute information in the storage location is a first hash value corresponding to the terminal attribute information of the power distribution terminal to be authenticated, and the authentication module is specifically configured to:
acquire a second hash value corresponding to the second terminal attribute information, and compare the first hash value with the second hash value.
For specific limitations of the power distribution terminal authentication device, reference may be made to the limitations of the power distribution terminal authentication method above, which are not repeated here. Each module in the power distribution terminal authentication device can be implemented wholly or partly in software, hardware, or a combination thereof. The modules can be embedded in, or independent of, a processor of the computer device in hardware form, or stored in a memory of the computer device in software form, so that the processor can call them and execute the operations corresponding to each module.
In one embodiment, a computer device is provided, which may be a terminal, and its internal structure may be as shown in FIG. 7. The computer device includes a processor, a memory, a communication interface, a display screen, and an input device connected by a system bus. The processor of the computer device is configured to provide computing and control capabilities. The memory of the computer device comprises a non-volatile storage medium and an internal memory. The non-volatile storage medium stores an operating system and a computer program. The internal memory provides an environment for running the operating system and the computer program in the non-volatile storage medium. The communication interface of the computer device is used for wired or wireless communication with an external terminal, and the wireless communication can be realized through Wi-Fi, an operator network, NFC (near field communication) or other technologies. The computer program is executed by the processor to implement a power distribution terminal authentication method. The display screen of the computer device can be a liquid crystal display screen or an electronic ink display screen, and the input device of the computer device can be a touch layer covering the display screen, a key, a track ball or a touch pad arranged on the housing of the computer device, or an external keyboard, touch pad or mouse.
Those skilled in the art will appreciate that the architecture shown in FIG. 7 is merely a block diagram of some of the structures associated with the disclosed aspects and does not limit the computer devices to which the disclosed aspects apply; a particular computer device may include more or fewer components than those shown, may combine certain components, or may have a different arrangement of components.
In one embodiment, a computer device is provided, comprising a memory and a processor, the memory having a computer program stored therein, the processor implementing the following steps when executing the computer program:
acquiring master node information sent by a node to be authenticated, which corresponds to a power distribution terminal to be authenticated;
determining the master node corresponding to the master node information, and receiving a storage location sent by the master node; the master node is a node in the private chain network corresponding to the power distribution master station or the power distribution substation, and the storage location is a location in the private chain network for storing first terminal attribute information corresponding to the power distribution terminal to be authenticated when the master node registers the identity of the node to be authenticated;
acquiring the first terminal attribute information at the storage location, and acquiring second terminal attribute information sent by the node to be authenticated;
and comparing the first terminal attribute information with the second terminal attribute information, and determining according to the comparison result whether the node to be authenticated passes identity authentication.
In one embodiment, the steps in the other embodiments described above are also implemented when the computer program is executed by a processor.
In one embodiment, a computer-readable storage medium is provided, having a computer program stored thereon, which when executed by a processor, performs the steps of:
acquiring master node information sent by a node to be authenticated, which corresponds to a power distribution terminal to be authenticated;
determining the master node corresponding to the master node information, and receiving a storage location sent by the master node; the master node is a node in the private chain network corresponding to the power distribution master station or the power distribution substation, and the storage location is a location in the private chain network for storing first terminal attribute information corresponding to the power distribution terminal to be authenticated when the master node registers the identity of the node to be authenticated;
acquiring the first terminal attribute information at the storage location, and acquiring second terminal attribute information sent by the node to be authenticated;
and comparing the first terminal attribute information with the second terminal attribute information, and determining according to the comparison result whether the node to be authenticated passes identity authentication.
In one embodiment, the computer program when executed by the processor also performs the steps in the other embodiments described above.
It will be understood by those skilled in the art that all or part of the processes of the methods of the embodiments described above can be implemented by a computer program instructing the relevant hardware. The computer program can be stored in a non-volatile computer-readable storage medium and, when executed, can include the processes of the method embodiments described above. Any reference to memory, storage, database or other medium used in the embodiments provided herein can include at least one of non-volatile and volatile memory. Non-volatile memory may include Read-Only Memory (ROM), magnetic tape, floppy disk, flash memory, optical storage, or the like. Volatile memory can include Random Access Memory (RAM) or external cache memory. By way of illustration and not limitation, RAM can take many forms, such as Static Random Access Memory (SRAM) or Dynamic Random Access Memory (DRAM), among others.
The technical features of the above embodiments can be combined arbitrarily. For brevity, not all possible combinations of these technical features are described, but any combination that involves no contradiction should be considered to fall within the scope of this specification.
The above embodiments express only several implementations of the present application. Their description is relatively specific and detailed, but should not be construed as limiting the scope of the invention. It should be noted that a person skilled in the art can make several variations and modifications without departing from the concept of the present application, and these fall within the scope of protection of the present application. Therefore, the protection scope of the present patent shall be subject to the appended claims.

Claims (10)

1. A power distribution terminal authentication method, applied to an authenticated node corresponding to an authenticated power distribution terminal in a private chain network, the method comprising:
acquiring master node information sent by a node to be authenticated, which corresponds to a power distribution terminal to be authenticated;
determining the master node corresponding to the master node information, and receiving a storage location sent by the master node; the master node is a node in the private chain network corresponding to the power distribution master station or the power distribution substation, and the storage location is a location in the private chain network for storing first terminal attribute information corresponding to the power distribution terminal to be authenticated when the master node registers the identity of the node to be authenticated;
acquiring the first terminal attribute information at the storage location, and acquiring second terminal attribute information sent by the node to be authenticated;
and comparing the first terminal attribute information with the second terminal attribute information, and determining according to the comparison result whether the node to be authenticated passes identity authentication.
2. The method according to claim 1, wherein the obtaining second terminal attribute information sent by the node to be authenticated comprises:
sending to the master node a public key acquisition request for the node to be authenticated, and receiving the public key corresponding to the node to be authenticated sent by the master node; the public key is obtained when the master node registers the identity of the node to be authenticated;
acquiring encrypted second terminal attribute information sent by the node to be authenticated; the encrypted second terminal attribute information is encrypted with the private key corresponding to the node to be authenticated;
and decrypting the encrypted second terminal attribute information with the public key corresponding to the node to be authenticated to obtain the second terminal attribute information.
3. The method of claim 2, wherein sending a public key acquisition request for the node to be authenticated to the master node comprises:
acquiring third terminal attribute information corresponding to the authenticated power distribution terminal, and generating a public key acquisition request for the node to be authenticated that contains the third terminal attribute information;
and sending the public key acquisition request to the master node, so as to trigger the master node, after receiving the public key acquisition request, to send the public key corresponding to the node to be authenticated to the authenticated node when the third terminal attribute information matches the authenticated terminal attribute information corresponding to the authenticated power distribution terminal in the private chain network.
4. The method according to claim 3, wherein after determining whether the identity authentication of the node to be authenticated is passed according to the comparison result, the method further comprises:
when the node to be authenticated is determined to pass identity authentication, taking the second terminal attribute information as the authenticated terminal attribute information corresponding to the node to be authenticated, and storing the authenticated terminal attribute information in the private chain network, so that when the node to be authenticated acquires the public keys of other nodes to be authenticated from the master node, the master node is triggered to verify the identity of the node to be authenticated based on the terminal attribute information corresponding to the node to be authenticated.
5. The method according to claim 1, wherein the obtaining the first terminal attribute information in the storage location comprises:
acquiring the encrypted first terminal attribute information at the storage location; the encrypted first terminal attribute information is encrypted with the private key corresponding to the master node;
and acquiring the public key corresponding to the master node, and decrypting the encrypted first terminal attribute information with the public key corresponding to the master node to obtain the first terminal attribute information.
6. The method according to claim 1, wherein the first terminal attribute information in the storage location is a first hash value corresponding to the terminal attribute information of the power distribution terminal to be authenticated, and the comparing the first terminal attribute information with the second terminal attribute information comprises:
acquiring a second hash value corresponding to the second terminal attribute information, and comparing the first hash value with the second hash value.
7. A power distribution terminal authentication system is characterized by comprising a node to be authenticated corresponding to a power distribution terminal to be authenticated, a master node corresponding to a power distribution master station or a power distribution substation and an authenticated node corresponding to an authenticated power distribution terminal in a private chain network;
the node to be authenticated is used for sending a registration request to the master node, wherein the registration request carries first terminal attribute information corresponding to the power distribution terminal to be authenticated;
the master node is used for registering the identity of the node to be authenticated after receiving the registration request, and storing the first terminal attribute information to a storage position set in the private chain network when the registration is successful;
the node to be authenticated is further configured to send, to the authenticated node, master node information corresponding to the master node and currently acquired second terminal attribute information after the registration is successful;
the authenticated node is configured to determine a master node corresponding to the master node information, acquire the first terminal attribute information from the storage location sent by the master node, compare the first terminal attribute information with the second terminal attribute information, and determine whether the identity authentication of the node to be authenticated is passed according to a comparison result.
8. An authentication device for a power distribution terminal, which is applied to an authenticated node corresponding to an authenticated power distribution terminal in a private chain network, the device comprising:
the master node information receiving module is used for acquiring master node information sent by a to-be-authenticated node corresponding to the to-be-authenticated power distribution terminal;
the storage location determining module is used for determining the master node corresponding to the master node information and receiving the storage location sent by the master node; the master node is a node in the private chain network corresponding to the power distribution master station or the power distribution substation, and the storage location is a location in the private chain network for storing first terminal attribute information corresponding to the power distribution terminal to be authenticated when the master node registers the identity of the node to be authenticated;
a terminal attribute information obtaining module, configured to obtain the first terminal attribute information in the storage location, and obtain second terminal attribute information sent by the node to be authenticated;
and the authentication module is used for comparing the first terminal attribute information with the second terminal attribute information and determining whether the identity authentication of the node to be authenticated is passed or not according to a comparison result.
9. A computer device comprising a memory and a processor, the memory storing a computer program, wherein the processor implements the steps of the method of any one of claims 1 to 6 when executing the computer program.
10. A computer-readable storage medium, on which a computer program is stored, which, when being executed by a processor, carries out the steps of the method of any one of claims 1 to 6.
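The verification flow of claims 1, 2, 5 and 6, seen from the authenticated node, as an added Python example that is not part of the patent text. It models the patent's private-key "encryption" as a signature over the SHA-256 hash of the attributes, using toy textbook RSA over fixed Mersenne primes (a stand-in chosen only so the code runs on the standard library); the attribute fields, node names and storage-location format are assumptions.

```python
import hashlib
import hmac
import json
from typing import Optional

E = 65537  # public exponent for the toy textbook-RSA stand-in (not for production)

def toy_keypair(p: int, q: int):
    """Return (public, private) from two known primes; a stand-in, not real keygen."""
    n = p * q
    return (n, E), (n, pow(E, -1, (p - 1) * (q - 1)))

def attr_digest(attrs: dict) -> bytes:
    """Claim 6: hash a canonical encoding so key order cannot change the value."""
    canonical = json.dumps(attrs, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).digest()

def private_op(private, digest: bytes) -> int:
    """The page's 'encrypt with the private key', i.e. sign the digest."""
    n, d = private
    return pow(int.from_bytes(digest, "big"), d, n)

def public_op(public, blob: int) -> Optional[bytes]:
    """The page's 'decrypt with the public key'; None if no 32-byte digest results."""
    n, e = public
    value = pow(blob, e, n)
    return value.to_bytes(32, "big") if value < (1 << 256) else None

class MasterNode:
    """Master station/substation node: registers terminals and writes the ledger."""
    def __init__(self, name: str, p: int, q: int):
        self.name = name
        self.public, self._private = toy_keypair(p, q)
        self.ledger = {}     # storage location -> master-signed first hash
        self._registry = {}  # node id -> (storage location, node public key)

    def register(self, node_id: str, attrs: dict, node_public) -> str:
        location = f"{self.name}/{node_id}"  # hypothetical location format
        self.ledger[location] = private_op(self._private, attr_digest(attrs))
        self._registry[node_id] = (location, node_public)
        return location

    def lookup(self, node_id: str):
        return self._registry.get(node_id)

def authenticate(masters, master_name, node_id, second_attrs, second_blob) -> str:
    """Run on the authenticated node; returns 'authenticated' or the failure reason."""
    master = masters.get(master_name)
    if master is None:
        return "unknown master node"
    entry = master.lookup(node_id)
    if entry is None:
        return "node not registered"
    location, node_public = entry
    first_hash = public_op(master.public, master.ledger[location])  # claim 5
    if first_hash is None:
        return "ledger entry not produced by master key"
    second_hash = attr_digest(second_attrs)
    claimed = public_op(node_public, second_blob)  # claim 2
    if claimed is None or not hmac.compare_digest(claimed, second_hash):
        return "attributes not bound to registered node key"
    if not hmac.compare_digest(first_hash, second_hash):  # claims 1 and 6
        return "attribute mismatch"
    return "authenticated"

def demo() -> dict:
    """Constructed sample data: fixed Mersenne primes and made-up terminal attributes."""
    master = MasterNode("substation-7", 2**521 - 1, 2**607 - 1)
    node_pub, node_priv = toy_keypair(2**607 - 1, 2**1279 - 1)
    _, rogue_priv = toy_keypair(2**521 - 1, 2**1279 - 1)
    registered = {"serial": "DTU-0001", "firmware": "1.4.2", "mac": "00:00:5e:00:53:01"}
    master.register("dtu-0001", registered, node_pub)
    masters = {master.name: master}
    reordered = dict(reversed(list(registered.items())))
    modified = dict(registered, firmware="1.4.3")

    def attempt(master_name, attrs, key):
        blob = private_op(key, attr_digest(attrs))
        return authenticate(masters, master_name, "dtu-0001", attrs, blob)

    return {
        "genuine": attempt("substation-7", reordered, node_priv),
        "changed_firmware": attempt("substation-7", modified, node_priv),
        "wrong_key": attempt("substation-7", registered, rogue_priv),
        "unknown_master": attempt("substation-9", registered, node_priv),
    }

if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

The four cases separate the three checks: the ledger entry must verify under the master node's key, the submitted attributes must verify under the key registered for the node, and only then are the two hashes compared.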
CN202111202008.2A 2021-10-15 2021-10-15 Power distribution terminal authentication method and device and computer equipment Active CN113872986B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111202008.2A CN113872986B (en) 2021-10-15 2021-10-15 Power distribution terminal authentication method and device and computer equipment

Publications (2)

Publication Number Publication Date
CN113872986A (en) 2021-12-31
CN113872986B CN113872986B (en) 2023-10-24

Family

ID=78999743

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111202008.2A Active CN113872986B (en) 2021-10-15 2021-10-15 Power distribution terminal authentication method and device and computer equipment

Country Status (1)

Country Link
CN (1) CN113872986B (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
TA01 Transfer of patent application right

Effective date of registration: 20230417

Address after: Full Floor 14, Unit 3, Building 2, No. 11, Middle Spectra Road, Huangpu District, Guangzhou, Guangdong 510700

Applicant after: China Southern Power Grid Digital Grid Technology (Guangdong) Co.,Ltd.

Address before: Room 86, room 406, No.1, Yichuang street, Zhongxin Guangzhou Knowledge City, Huangpu District, Guangzhou City, Guangdong Province

Applicant before: Southern Power Grid Digital Grid Research Institute Co.,Ltd.

GR01 Patent grant