CN114050899A - Full life cycle monitoring method and system based on certificate distribution - Google Patents

Full life cycle monitoring method and system based on certificate distribution Download PDF

Info

Publication number
CN114050899A
CN114050899A CN202210025218.7A CN202210025218A CN114050899A CN 114050899 A CN114050899 A CN 114050899A CN 202210025218 A CN202210025218 A CN 202210025218A CN 114050899 A CN114050899 A CN 114050899A
Authority
CN
China
Prior art keywords
certificate distribution
certificate
life cycle
distributed
full
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202210025218.7A
Other languages
Chinese (zh)
Other versions
CN114050899B (en
Inventor
戚建淮
周杰
宋晶
杜玲禧
刘建辉
张莉
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Shenzhen Y&D Electronics Information Co Ltd
Original Assignee
Shenzhen Y&D Electronics Information Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Shenzhen Y&D Electronics Information Co Ltd filed Critical Shenzhen Y&D Electronics Information Co Ltd
Priority to CN202210025218.7A priority Critical patent/CN114050899B/en
Publication of CN114050899A publication Critical patent/CN114050899A/en
Application granted granted Critical
Publication of CN114050899B publication Critical patent/CN114050899B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L9/0825Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) using asymmetric-key encryption or public key infrastructure [PKI], e.g. key signature or public key certificates
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3263Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
    • YGENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y04INFORMATION OR COMMUNICATION TECHNOLOGIES HAVING AN IMPACT ON OTHER TECHNOLOGY AREAS
    • Y04SSYSTEMS INTEGRATING TECHNOLOGIES RELATED TO POWER NETWORK OPERATION, COMMUNICATION OR INFORMATION TECHNOLOGIES FOR IMPROVING THE ELECTRICAL POWER GENERATION, TRANSMISSION, DISTRIBUTION, MANAGEMENT OR USAGE, i.e. SMART GRIDS
    • Y04S40/00Systems for electrical power generation, transmission, distribution or end-user application management characterised by the use of communication or information technologies, or communication or information technology specific aspects supporting them
    • Y04S40/20Information technology specific aspects, e.g. CAD, simulation, modelling, system security

Abstract

The invention relates to a full life cycle monitoring method based on certificate distribution, which comprises the steps of constructing a fully-connected distributed certificate distribution network, wherein each node device of the distributed certificate distribution network is provided with a certificate distribution management system for receiving and sending certificates; monitoring the full life cycle condition of each node device through the distributed certificate distribution network; and monitoring the operation conditions of all the node devices through the certificate and optimizing a certificate distribution strategy based on the operation conditions. The invention also relates to a full lifecycle management system based on certificate distribution. According to the invention, each node device is implanted into a certificate distribution mechanism and a fully-connected distributed certificate distribution network is constructed, the full-life-cycle condition of each node device is monitored, and the running conditions of all the node devices are monitored through the certificates, so that the full-life-cycle monitoring and management of all the devices are realized.

Description

Full life cycle monitoring method and system based on certificate distribution
Technical Field
The invention relates to the field of information security, in particular to a full life cycle monitoring method and system based on certificate distribution.
Background
Most of the existing Public Key Infrastructure (PKI) systems are applied to the field of information security, and are mainly used for constructing Public Key infrastructures. PKI systems are typically composed of a number of subsystems, including: certificate Authority (CA), certificate library, Web secure communication platform, Registration Authority (RA), issuing system, application interface system, etc. Where a CA is an authoritative entity that is responsible for managing the certificates of all users under a PKI authority as a PKI management entity and a provider of services, including the work of creating, issuing, updating, revoking, authenticating, etc. of a user's keys or certificates. In the current PKI system, the CA is the only entity in the PKI framework that can create, revoke and maintain the lifetime of the certificate, so that the certificate issuing equipment of the existing PKI system is independent and single. In the existing PKI system, the certificate issuing process is an independent link of part of equipment, and the whole life cycle of all the equipment cannot be monitored.
Disclosure of Invention
The technical problem to be solved by the present invention is to provide a method and a system for monitoring a full life cycle based on certificate distribution, which aim at the above-mentioned defects of the prior art, and implement monitoring and management of the full life cycle of all devices by implanting each node device into a certificate distribution mechanism and constructing a fully-connected distributed certificate distribution network, monitoring the full life cycle condition of each node device and monitoring the operation conditions of all node devices through the certificate.
The technical scheme adopted for solving the technical problem is to construct a full life cycle monitoring method based on certificate distribution, which comprises the following steps:
s1, constructing a fully-connected distributed certificate distribution network, wherein each node device of the distributed certificate distribution network is provided with a certificate distribution management system for receiving and sending certificates;
s2, monitoring the full life cycle condition of each node device through the distributed certificate distribution network;
and S3, monitoring the operation conditions of all the node devices through the certificate and optimizing a certificate distribution strategy based on the operation conditions.
In the full lifecycle monitoring method based on certificate distribution according to the present invention, the step S1 includes the following steps:
s11, deploying a certificate distribution management system on each node device and fully connecting different certificate distribution management systems through an SDN/NFV network structure to form a node certificate distribution sub-network;
s12, connecting the plurality of node certificate distribution sub-networks with an authentication management center in a communication way to form an authentication certificate distribution sub-network;
and S13, the authentication management centers of the plurality of authentication certificate distribution sub-networks are connected with each other in a communication mode to form a distributed certificate distribution network.
In the full lifecycle monitoring method based on certificate distribution according to the present invention, the step S1 further includes the following steps:
s14, verifying the distributed certificate distribution network by adopting a Petri network based on the certificate life cycle workflow.
In the full lifecycle monitoring method based on certificate distribution according to the present invention, the step S14 includes the following steps:
s141, establishing a certificate life cycle workflow based on the distributed certificate distribution network
Figure DEST_PATH_IMAGE001
WhereinPA representation of the workflow repository is shown,Ta workflow transition is represented that is a function of,Frepresenting a workflow;
s142, constructing a state reachable flow chart of the certificate life cycle workflow;
s143, verifying the distributed certificate distribution network based on the Petri network theorem and the state reachable flow chart;
and S144, verifying the node equipment based on the state reachable flow chart.
In the full lifecycle monitoring method based on certificate distribution according to the present invention, the step S144 includes the following steps:
s1441, verifying adjacent nodes in the same authentication management center based on the state reachable flow chart and the workflow library;
s1442, verifying non-adjacent nodes in the same authentication management center based on the state reachable flow chart and the workflow library;
s1443, verifying the nodes in different authentication management centers based on the state reachable flow chart and the workflow library.
In the method for monitoring a full lifecycle based on certificate distribution according to the present invention, in the step S143, it is verified whether the distributed certificate distribution network is active and bounded based on the state reachable flowchart, and if so, it is determined that the distributed certificate distribution network is secure, and the step S144 is performed.
In the full lifecycle monitoring method based on certificate distribution according to the present invention, the step S2 includes: and monitoring all information transmitted by the node equipment, all using processes of the node equipment and access processes among different node equipment in the process of distributing the certificate through the distributed certificate distribution network according to the workflow based on the certificate life cycle.
In the full lifecycle monitoring method based on certificate distribution according to the present invention, the step S3 includes the following steps:
s31, monitoring the operation conditions of all node devices in the certificates issued by the distributed certificate distribution network;
s32, optimizing the certificate distribution strategy based on the operation condition;
and S33, distributing the certificate based on the optimized certificate distribution strategy.
In the full lifecycle monitoring method based on certificate distribution according to the present invention, in step S31, the operation condition includes operation time, status, risk level, right control, access information, and access information.
Another technical solution adopted by the present invention to solve the technical problem is to construct a full-lifecycle management system based on certificate distribution, including a distributed certificate distribution network, where a computer program is stored on the distributed certificate distribution network, and when executed by a processor, the computer program implements the full-lifecycle monitoring method based on certificate distribution.
By implementing the distributed certificate distribution network and the distributed certificate distribution system, each node device is implanted into a certificate distribution mechanism and a fully-connected distributed certificate distribution network is constructed, the full-life-cycle condition of each node device is monitored, the running conditions of all the node devices are monitored through the certificates, and the full-life-cycle monitoring and management of all the devices are realized. Furthermore, full connection and layered construction are carried out through an SDN/NFV network structure, and the controllability, the variability and the adjustability of the whole distributed certificate distribution network can be realized. Before the distributed certificate distribution network is operated, the Petri network is adopted to verify the distributed certificate distribution network based on the certificate life cycle workflow, all links of certificate distribution can be linked, and the dynamic management of the whole life cycle of the distributed certificate distribution network is realized. Furthermore, the operation conditions of all the node devices are monitored through the certificate, so that a certificate distribution strategy can be optimized based on the operation conditions, and the dynamic control of the whole system is realized.
Drawings
The invention will be further described with reference to the accompanying drawings and examples, in which:
FIG. 1 is a flow diagram of a preferred embodiment of a certificate distribution based full lifecycle monitoring method of the present invention;
fig. 2 is a schematic diagram of an authentication certificate distribution sub-network according to a preferred embodiment of the present invention;
FIG. 3 is a schematic diagram of a distributed certificate distribution network in accordance with a preferred embodiment of the present invention;
FIG. 4 is a schematic diagram of a Petri net based certificate lifecycle workflow model;
fig. 5 is a state reachable flow diagram of the certificate lifecycle workflow shown in fig. 4.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.
The invention provides a full life cycle monitoring method based on certificate distribution, which is characterized in that each node device is embedded into a certificate distribution mechanism, and each node device can be a sender of a certificate and also can be a receiver of the certificate. The full-life cycle condition of each node device is monitored through the fully-connected distributed certificate distribution network, and the running condition of all the node devices is monitored through the certificate, so that the full-life cycle tracing, management and control of each node device are realized.
Fig. 1 is a flow chart of a preferred embodiment of the certificate distribution-based full-life cycle monitoring method of the present invention. As shown in fig. 1, in step S1, a fully-connected distributed certificate distribution network is constructed, each node apparatus of which sets a certificate distribution management system for transceiving a certificate. In a preferred embodiment of the present invention, a certificate distribution management system may be deployed on each node device first and different certificate distribution management systems are fully connected through an SDN/NFV network structure to form a node certificate distribution subnet. Then, a plurality of node certificate distribution subnets are communicatively connected to one authentication management center to form an authentication certificate distribution subnet. Finally, the authentication management centers of the plurality of authentication certificate distribution subnets are communicatively connected to each other to form a distributed certificate distribution network.
Fig. 2 is a schematic diagram of an authentication certificate distribution subnet according to a preferred embodiment of the present invention. As shown in fig. 2, the node apparatuses 1 to 9 each set a certificate distribution management system CA. Thus, each device node may be the sender of the certificate, or may be the recipient of the certificate. The node devices 1-3 are fully connected through the SDN/NFV network structure to form a first node certificate distribution sub-network. The node devices 4-7 are fully connected through the SDN/NFV network structure to form a second node certificate distribution sub-network. The node devices 8-9 are fully connected through the SDN/NFV network structure to form a third node certificate distribution sub-network. Because the SDN/NFV network structure is adopted for full connection, the node certificate distribution sub-network is a dynamic self-organizing network, and the number of node devices is adjustable. The first node certificate distribution subnet, the second node certificate distribution subnet, and the third node certificate distribution subnet are all in communication connection with the authentication management center 100 to form an authentication certificate distribution subnet. Generally, one authentication management center 100 is connected with 3-5 node certificate distribution sub-networks, and the structures of different node certificate distribution sub-networks are variable, controllable and adjustable.
Fig. 3 is a schematic diagram of a distributed certificate distribution network according to a preferred embodiment of the present invention, and as shown in fig. 3, authentication management centers of a plurality of authentication certificate distribution subnets are communicatively connected to each other to form the distributed certificate distribution network. As shown in fig. 3, the distributed certificate distribution network includes a plurality of node certificate distribution subnetworks constructed around an authentication management center l, k, n, t, m, h, g, q, s, p, and the like, each of the node certificate distribution subnetworks being constructed by a plurality of node apparatuses being all connected.
In a further preferred embodiment of the present invention, after the distributed certificate distribution network is built, the distributed certificate distribution network may be verified based on the certificate life cycle workflow using a Petri network. In a preferred embodiment of the invention, a certificate lifecycle workflow is built based on the distributed certificate distribution network
Figure 909754DEST_PATH_IMAGE001
WhereinPA representation of the workflow repository is shown,Ta workflow transition is represented that is a function of,Frepresenting a workflow; then, constructing a state reachable flow chart of the certificate life cycle workflow, and finally verifying the distributed certificate distribution based on the Petri network theorem and the state reachable flow chartA network. And after verifying the distributed certificate distribution network, the node device may be further verified based on the state reachable flow diagram. And the verification of the node device may include verifying neighboring nodes in the same authentication management center based on the state-reachable flow graph and the workflow library; verifying non-adjacent nodes in the same authentication management center based on the state reachable flow diagram and the workflow library; verifying nodes in different authentication management centers based on the state reachable flow graph and the workflow library.
Fig. 4 is a schematic diagram of a Petri net-based certificate lifecycle workflow model. Fig. 5 is a state reachable flow diagram of the certificate lifecycle workflow shown in fig. 4. The specific process of verifying the distributed certificate distribution network based on the certificate life cycle workflow by using the Petri network will be described below with reference to fig. 4 to 5.
Certificate lifecycle workflow:
Figure 401915DEST_PATH_IMAGE002
Pa representation of the workflow repository is shown,Ta workflow transition is represented that is a function of,Frepresenting a workflow, a repository therein
Figure 643540DEST_PATH_IMAGE003
Change of
Figure 918664DEST_PATH_IMAGE004
. Libraries and transitions are identified. Specifically, T1 denotes key pair generation, T2 denotes authentication of the current certificate authority, T3 denotes authentication of the intermediate certificate authority, T4 denotes authentication of the access certificate authority, T5 denotes authentication of the access node, T6 denotes certificate suspension, T7 denotes certificate recovery, and T8 denotes certificate revocation. P1 represents node equipment needing PKI authentication, P2 represents registered node equipment, P3 represents node equipment successfully authenticated by the current authentication management center, P4 represents node equipment successfully authenticated by the intermediate authentication management center, P5 represents node equipment successfully authenticated by the access authentication management center, and P6 represents node equipment successfully authenticated by the access node equipmentP7 denotes a suspended node device, and P8 denotes an invalid node device.
By the petri net theorem: a workflow net is reasonable if and only if it is active and bounded.
Activity: a Petri net, if fromM 0 Any label that is reachable, for any transition, can eventually cause the transition to occur through a transition occurrence sequence, and the Petri net is called active.
The characteristics of the bounding: for any P, there are
Figure 562135DEST_PATH_IMAGE005
And n is a positive integer, the Petri net n is called bounded or bounded for short. In particular, when n =1, the Petri net is said to be safe.
Namely, the judgment rule is:
1、
Figure 897301DEST_PATH_IMAGE006
,
Figure 937807DEST_PATH_IMAGE007
so that
Figure 16622DEST_PATH_IMAGE008
Then the network is active;
2、
Figure 514599DEST_PATH_IMAGE009
to make
Figure 348563DEST_PATH_IMAGE010
The network is bounded and secure.
Substituting the petri net theorem into the state of the certificate lifecycle workflow shown in fig. 5 can reach the values of M0-M7 in the flow chart, and it can be obtained that the distributed certificate distribution network of the present invention is active and bounded. At this point, we consider the distributed certificate distribution network secure and can perform the subsequent steps. The security of the distributed certificate distribution network is judged by introducing the petri net theorem, so that the security of the whole system can be improved.
After the distributed certificate distribution network security is verified, each device node can be verified again. The specific verification process comprises the following verification:
1. verifying neighboring nodes in the same authentication management center based on the state-reachable flow graph and the workflow library:
Figure 299202DEST_PATH_IMAGE011
the certificate revocation is invalid after the certificate is suspended once;
Figure 181707DEST_PATH_IMAGE012
the certificate is invalid after revocation, which indicates that the registration authentication is successful;
Figure 534191DEST_PATH_IMAGE013
the registration authentication is successful, and the registration authentication is recovered once after being suspended once and is invalid after being cancelled once.
2. Verifying non-adjacent nodes in the same authentication management center based on the state reachable flow graph and the workflow library:
Figure 289788DEST_PATH_IMAGE014
the certificate revocation is invalid after the certificate is suspended once;
Figure 727723DEST_PATH_IMAGE015
the certificate is invalid after revocation, which indicates that the registration authentication is successful;
Figure 148340DEST_PATH_IMAGE016
the registration authentication is successful, the registration authentication is suspended once, the registration authentication is recovered once, and the registration authentication is invalid after the registration authentication is cancelled.
3. Verifying nodes in different authentication management centers based on the state reachable flow graph and the workflow library:
Figure 683227DEST_PATH_IMAGE017
the certificate revocation is invalid after the certificate is suspended once;
Figure 796676DEST_PATH_IMAGE018
the certificate is invalid after revocation, which indicates that the registration authentication is successful;
Figure 721907DEST_PATH_IMAGE019
the verification result shows that the registration authentication is successful, and the verification result shows that the verification is suspended once, restored once and invalid after the revocation.
After the authentication is completed, returning to fig. 1, step S2 is performed to monitor the full life cycle condition of each node device through the distributed certificate distribution network. Preferably, the step S2 includes monitoring all information transmitted by the node device, all usage processes of the node device, and access processes between different node devices during distribution of the certificate according to the certificate lifecycle-based workflow through the distributed certificate distribution network.
In a further preferred embodiment of the present invention, in a normal operation process of the system, when a certificate is distributed according to a certificate lifecycle-based workflow through a fully-connected distributed certificate distribution network, monitoring a full lifecycle condition of each node device specifically includes: all information transmitted by the node equipment, all using processes of the node equipment, access processes among different node equipment and the like. Here, a workflow for distributing certificates according to a certificate lifecycle workflow may refer to the certificate lifecycle workflow model diagram of fig. 4. Controlling the environment according to the workflow module can ensure that each environment of the whole life cycle of the certificate is controlled. By adopting the certificate life cycle workflow technology, the problem of an independent link in the certificate circulation process can be solved, and all links in the whole certificate distribution process can be linked together, so that the processing result of the previous link automatically enters the next link, and the dynamic management of the whole certificate life cycle is realized.
In step S3, the operating conditions of all node devices are monitored by the certificate and a certificate distribution policy is optimized based on the operating conditions. In a preferred embodiment of the present invention, the operating conditions of all node devices are monitored in the certificates issued by the distributed certificate distribution network; optimizing the certificate distribution policy based on the operating conditions; and performing certificate distribution based on the optimized certificate distribution strategy. Preferably, the operating conditions include operating time, status, risk level, right control, access information and access information. Here, a person skilled in the art may adjust the certificate distribution policy according to actual needs according to the received operating conditions. Such as changing a key algorithm, changing a system firewall, etc., when the network risk is found to be increased.
By implementing the distributed certificate distribution network and the distributed certificate distribution system, each node device is implanted into a certificate distribution mechanism and a fully-connected distributed certificate distribution network is constructed, the full-life-cycle condition of each node device is monitored, the running conditions of all the node devices are monitored through the certificates, and the full-life-cycle monitoring and management of all the devices are realized. Furthermore, full connection and layered construction are carried out through an SDN/NFV network structure, and the controllability, the changeability, the adjustability and the manageability of the whole distributed certificate distribution network can be realized. Before the distributed certificate distribution network is operated, the Petri network is adopted to verify the distributed certificate distribution network based on the certificate life cycle workflow, all links of certificate distribution can be linked, and the dynamic management of the whole life cycle of the distributed certificate distribution network is realized. Furthermore, the operation conditions of all the node devices are monitored through the certificate, so that a certificate distribution strategy can be optimized based on the operation conditions, and the dynamic control of the whole system is realized.
The invention also relates to a full life cycle management system based on certificate distribution, which comprises a distributed certificate distribution network, wherein a computer program is stored on the distributed certificate distribution network, and when being executed by a processor, the computer program realizes the full life cycle monitoring method based on certificate distribution. Accordingly, the present invention can be realized in hardware, software, or a combination of hardware and software. The present invention can be realized in a centralized fashion in at least one computer system, or in a distributed fashion where different elements are spread across several interconnected computer systems. Any kind of computer system or other apparatus adapted for carrying out the methods of the present invention is suited. A typical combination of hardware and software could be a general purpose computer system with a computer program that, when being loaded and executed, controls the computer system such that it carries out the methods described herein.
The present invention may also be implemented by a computer program product, comprising all the features enabling the implementation of the methods of the invention, when loaded in a computer system. The computer program in this document refers to: any expression, in any programming language, code or notation, of a set of instructions intended to cause a system having an information processing capability to perform a particular function either directly or after either or both of the following: a) conversion to other languages, codes or symbols; b) reproduced in a different format.
While the invention has been described with reference to specific embodiments, it will be understood by those skilled in the art that various changes may be made and equivalents may be substituted without departing from the scope of the invention. In addition, many modifications may be made to adapt a particular situation or material to the teachings of the invention without departing from its scope. Therefore, it is intended that the invention not be limited to the particular embodiment disclosed, but that the invention will include all embodiments falling within the scope of the appended claims.
The above description is only for the purpose of illustrating the preferred embodiments of the present invention and is not to be construed as limiting the invention, and any modifications, equivalents and improvements made within the spirit and principle of the present invention are intended to be included within the scope of the present invention.

Claims (10)

1. A full life cycle monitoring method based on certificate distribution is characterized by comprising the following steps:
s1, constructing a fully-connected distributed certificate distribution network, wherein each node device of the distributed certificate distribution network is provided with a certificate distribution management system for receiving and sending certificates;
s2, monitoring the full life cycle condition of each node device through the distributed certificate distribution network;
and S3, monitoring the operation conditions of all the node devices through the certificate and optimizing a certificate distribution strategy based on the operation conditions.
2. The certificate distribution-based full-life cycle monitoring method according to claim 1, wherein the step S1 comprises the steps of:
s11, deploying a certificate distribution management system on each node device and fully connecting different certificate distribution management systems through an SDN/NFV network structure to form a node certificate distribution sub-network;
s12, connecting the plurality of node certificate distribution sub-networks with an authentication management center in a communication way to form an authentication certificate distribution sub-network;
s13, the authentication management centers of a plurality of authentication certificate distribution sub-networks are connected with each other in a communication mode to form the distributed certificate distribution network.
3. The certificate distribution-based full-life cycle monitoring method according to claim 2, wherein the step S1 further comprises the steps of:
s14, verifying the distributed certificate distribution network by adopting a Petri network based on the certificate life cycle workflow.
4. The certificate distribution-based full-life cycle monitoring method according to claim 3, wherein the step S14 comprises the steps of:
s141, establishing a certificate life cycle workflow based on the distributed certificate distribution network
Figure 84122DEST_PATH_IMAGE001
WhereinPA representation of the workflow repository is shown,Ta workflow transition is represented that is a function of,Frepresenting a workflow;
s142, constructing a state reachable flow chart of the certificate life cycle workflow;
s143, verifying the distributed certificate distribution network based on the Petri network theorem and the state reachable flow chart;
and S144, verifying the node equipment based on the state reachable flow chart.
5. The certificate distribution-based full-life cycle monitoring method according to claim 4, wherein the step S144 comprises the steps of:
s1441, verifying adjacent nodes in the same authentication management center based on the state reachable flow chart and the workflow library;
s1442, verifying non-adjacent nodes in the same authentication management center based on the state reachable flow chart and the workflow library;
s1443, verifying the nodes in different authentication management centers based on the state reachable flow chart and the workflow library.
6. The certificate distribution-based full-lifecycle monitoring method according to claim 5, wherein in the step S143, it is verified whether the distributed certificate distribution network is active and bounded based on the state reachable flowchart, and if so, it is determined that the distributed certificate distribution network is secure, and the step S144 is executed.
7. The certificate distribution-based full-life cycle monitoring method according to any of claims 1-6, wherein the step S2 includes: and monitoring all information transmitted by the node equipment, all using processes of the node equipment and access processes among different node equipment in the process of distributing the certificate through the distributed certificate distribution network according to the workflow based on the certificate life cycle.
8. The certificate distribution-based full-life cycle monitoring method according to any of claims 1-6, wherein the step S3 comprises the following steps:
s31, monitoring the operation conditions of all node devices in the certificates issued by the distributed certificate distribution network;
s32, optimizing the certificate distribution strategy based on the operation condition;
and S33, distributing the certificate based on the optimized certificate distribution strategy.
9. The certificate distribution-based full-life cycle monitoring method according to claim 8, wherein in the step S31, the operation condition includes operation time, status, risk level, authority control, access information and access information.
10. A full lifecycle management system based on certificate distribution, comprising a distributed certificate distribution network, characterized in that the distributed certificate distribution network stores thereon a computer program which, when executed by a processor, implements a full lifecycle monitoring method based on certificate distribution according to any of claims 1-9.
CN202210025218.7A 2022-01-11 2022-01-11 Full life cycle monitoring method and system based on certificate distribution Active CN114050899B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210025218.7A CN114050899B (en) 2022-01-11 2022-01-11 Full life cycle monitoring method and system based on certificate distribution

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210025218.7A CN114050899B (en) 2022-01-11 2022-01-11 Full life cycle monitoring method and system based on certificate distribution

Publications (2)

Publication Number Publication Date
CN114050899A true CN114050899A (en) 2022-02-15
CN114050899B CN114050899B (en) 2022-07-12

Family

ID=80196220

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210025218.7A Active CN114050899B (en) 2022-01-11 2022-01-11 Full life cycle monitoring method and system based on certificate distribution

Country Status (1)

Country Link
CN (1) CN114050899B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115580403A (en) * 2022-12-09 2023-01-06 深圳市永达电子信息股份有限公司 PKI-based computing node access control method

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101667914A (en) * 2008-09-05 2010-03-10 华为技术有限公司 Method and equipment for managing public key certificate
US20110231662A1 (en) * 2010-03-17 2011-09-22 Hitachi, Ltd. Certificate validation method and validation server
CN108702617A (en) * 2017-02-10 2018-10-23 华为技术有限公司 A kind of method, relevant device and the system of update certificate authority person's public key
WO2019162290A1 (en) * 2018-02-20 2019-08-29 Dekra Exam Gmbh Monitoring system for a protective device and protective device
CN111884815A (en) * 2020-08-07 2020-11-03 上海格尔安全科技有限公司 Block chain-based distributed digital certificate authentication system
WO2021115602A1 (en) * 2019-12-12 2021-06-17 Huawei Technologies Duesseldorf Gmbh Server for issuing a digital certificate and device for verifying authentication
CN113014546A (en) * 2021-01-29 2021-06-22 深圳市风云实业有限公司 Certificate-based authentication registration state management method and system

Patent Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101667914A (en) * 2008-09-05 2010-03-10 华为技术有限公司 Method and equipment for managing public key certificate
US20110231662A1 (en) * 2010-03-17 2011-09-22 Hitachi, Ltd. Certificate validation method and validation server
CN108702617A (en) * 2017-02-10 2018-10-23 华为技术有限公司 A kind of method, relevant device and the system of update certificate authority person's public key
WO2019162290A1 (en) * 2018-02-20 2019-08-29 Dekra Exam Gmbh Monitoring system for a protective device and protective device
WO2021115602A1 (en) * 2019-12-12 2021-06-17 Huawei Technologies Duesseldorf Gmbh Server for issuing a digital certificate and device for verifying authentication
CN111884815A (en) * 2020-08-07 2020-11-03 上海格尔安全科技有限公司 Block chain-based distributed digital certificate authentication system
CN113014546A (en) * 2021-01-29 2021-06-22 深圳市风云实业有限公司 Certificate-based authentication registration state management method and system

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
杜广荣 等: "基于Petri网的证书生命周期管理流程分析", 《微机发展》 *
罗可人: "基于区块链共识机制的SDWAN零信任网络架构", 《集成电路应用》 *

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115580403A (en) * 2022-12-09 2023-01-06 深圳市永达电子信息股份有限公司 PKI-based computing node access control method

Also Published As

Publication number Publication date
CN114050899B (en) 2022-07-12

Similar Documents

Publication Publication Date Title
CN102017514B (en) Authentication information management method in home network and an apparatus therefor
CN113194469B (en) 5G unmanned aerial vehicle cross-domain identity authentication method, system and terminal based on block chain
EP1966929B1 (en) Methods and system for managing security keys within a wireless network
RU2611020C2 (en) METHOD AND SYSTEM FOR ESTABLISHING IPSec TUNNEL
EP2965465B1 (en) Handling of digital certificates
JP4197031B2 (en) Message authentication system and message authentication method
WO2019004480A1 (en) Consensus-forming method in network, and node for configuring network
RU2010113354A (en) NETWORK AND METHOD FOR INSTALLING NETWORK SECURITY
CN114050899B (en) Full life cycle monitoring method and system based on certificate distribution
US20120237033A1 (en) Node, a root node, and a computer readable medium
CN110635904B (en) Remote attestation method and system for software-defined Internet of things node
Hadjichristofi et al. A framework for key management in mobile ad hoc networks
RU2432692C2 (en) Systems and methods for determining time delay for sending key update request
CN104604295B (en) For in a wireless communication system by server management of terminal to the method and its equipment of the access rights of resource
CN115134086A (en) Method and device for dynamic committee secret sharing and updating of asynchronous network
CN114935915A (en) Security grouping consistency control method of heterogeneous unmanned system under DoS attack
Chan et al. Efficient security primitives derived from a secure aggregation algorithm
WO2021237098A1 (en) Devices, systems, and methods for providing security to iot networks and sensors
CN112699136A (en) Cross-link certificate storage method and related device
CN116455578A (en) Vehicle mobile ad hoc network security authentication method based on blockchain technology
CN107295015B (en) Traffic signal machine communication method
Ghaderi et al. Topology Discovery in Autonomic Networks
Caballero-Gil et al. Self-organized authentication in mobile ad-hoc networks
CN117097488B (en) Equipment group security verification method based on node path finding
CN117134998B (en) SDN-based power information authentication method of Gossip blockchain

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant