CN114398612B - ICT virtual operation safety access control method based on micro-service - Google Patents
- Publication number: CN114398612B (application number CN202111489302.6A)
- Authority: CN (China)
- Prior art keywords
- service
- certificate
- micro
- access
- access control
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Classifications
- G06F21/64: Protecting data integrity, e.g. using checksums, certificates or signatures (G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F21/60 Protecting data)
- G06F21/33: User authentication using certificates (G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals > G06F21/31 User authentication)
Abstract
The invention provides a micro-service-based ICT virtual operation security access control method. The method comprises the following operation step: S1, after the connection between the micro-service architecture system and a power grid terminal has been established, an access control micro-service unit grants or restricts the access capability of the power grid terminal. The method develops a single application into a group of small services using a micro-service architecture, so that each service runs in its own process, inter-service communication uses a lightweight communication mechanism, and each service is built around a business capability and can be deployed independently by a fully automated deployment mechanism. When a large number of terminals connect, and when different terminals require different authentication and authorization strategies because of their different business scenarios, this improves the scalability of the system and the high availability of the authentication service.
Description
Technical Field
The invention relates to the field of power grid ICT, in particular to an ICT virtual operation safety access control method based on micro-services.
Background
A smart grid built on new-generation information and communication technology makes the production, storage, transmission and sharing of energy intelligent. It is closely tied to the social economy, supports the future development of smart transport, smart communities and smart cities, acts as a public management and service platform for society, and represents an important direction for value innovation in the power industry. It integrates modern communication and information technology, automatic control technology, decision support technology and advanced power technology; it is characterised by informatisation, automation and interactivity; it incorporates new ICT technologies such as cloud computing, big data, the Internet of Things and mobility; it lets all kinds of power supplies and power-consuming facilities connect and disconnect flexibly; and it provides user-friendly interaction, intelligent response and system self-healing, thereby improving the safety, reliability and operating efficiency of the power system.
With the reform of the power system and new technology breakthroughs, comprehensive energy services have emerged as a new form of energy service. Their essence is that the market acts as the driver and digital technology propels multi-dimensional coordinated interaction, so as to achieve multiple goals such as energy efficiency, energy security, service accuracy, ecological coordination and economy. The ICT virtual operation platform is the brain of comprehensive energy services, and its construction bears on the operational success and economic benefit of a project. Using technologies such as big data and cloud computing, the smart energy platform provides intelligent analysis of user demand, load forecasting, equipment management, information management, distribution operation and maintenance, demand response and the like, and ultimately delivers an intelligent, optimised solution.
From the point of view of terminal access, the platform must support large-batch access by many kinds of intelligent terminals. In the prior art, in the power grid ICT virtual operation scenario, the terminal access authentication method is unsatisfactory when a large number of terminals connect, in terms of system scalability, high availability of the authentication service, ease of service deployment, and convenience features such as the different authentication and authorization strategies that different terminals require in different business scenarios. As a result the system failure rate tends to be high, which poses a great challenge to the security of the whole power grid.
Therefore, it is necessary to provide an ICT virtual operation security access control method based on micro services to solve the above technical problems.
Disclosure of Invention
The invention provides a micro-service-based ICT virtual operation security access control method that addresses the poor scalability of the system and the poor high availability of the authentication service when a large number of terminals connect.
To solve these technical problems, the micro-service-based ICT virtual operation security access control method provided by the invention comprises the following operation steps:
S1, after the micro-service architecture system has connected with a power grid terminal, an access control micro-service unit performs access control over the terminal's resources, granting or restricting the terminal's access capability. The access control micro-service unit supports several access control models, including access control lists (ACL), capability lists (CL), discretionary access control (DAC), mandatory access control (MAC) and role-based access control (RBAC). The micro-service architecture system comprises a micro-service gateway, a micro-service module and a security policy management module; the micro-service module is divided into a registration and discovery micro-service unit, a terminal authentication micro-service unit, an access control micro-service unit and other service units; and the security policy management module comprises a digital certificate management unit and an authorization management unit;
S2, when a power grid terminal initiates an access request, the registration and discovery micro-service unit first registers the terminal's information, including its address and other attributes, so that a service caller can subscribe to the service through the provided address and information; the registration and discovery micro-service unit then sends the caller the list of addresses for the relevant service, and the caller locates the target service;
S3, after the service caller reaches the power grid terminal, it is authenticated by the terminal authentication micro-service unit; if authentication passes, the caller accesses the internal resource, otherwise it is not allowed to continue; the micro-service module controls which services may be accessed, ensuring normal operation of the access service.
Preferably, in step S1, before the connection between the micro-service architecture system and the power grid terminal is established, the terminal's identity is authenticated: using the digital certificate embedded in the power grid terminal and a public-key-based authentication technique, the terminal authenticates itself through an authentication server, and only after the micro-service architecture system has verified the terminal's identity is the connection established.
Preferably, once the micro-service architecture system has been built, this public-key authentication is performed by the terminal authentication micro-service unit: using the digital certificate embedded in the power grid terminal, the terminal authenticates itself through an authentication server, and the connection with the terminal is established only after the micro-service architecture system has verified its identity.
Preferably, the digital certificate verification performed by the terminal authentication micro-service unit proceeds as follows:
a. Verify that the public key of the issuing CA correctly verifies the issuer's digital signature on the client entity certificate: after the certificates have been exchanged and transferred, both certificates (the entity certificate and the CA certificate) are decoded to confirm they parse correctly, and if the signature verifies, the result is the user's public key;
b. Trace the certificate chain back to the trusted root CA to verify that the CA that issued the user entity certificate is an authoritative trusted CA; chain verification requires that every certificate on the path from the end entity to the root certificate is valid and correctly corresponds to the authoritative trusted CA that issued it;
c. Check that the issuer serial number recorded in the entity certificate matches the serial number of the issuer's certificate, to verify the authenticity of the certificate: the certificate serial number carried in the user entity certificate's key identifier extension (the serial number of the issuing certificate) is compared with the serial number in the CA certificate; the two must match, otherwise the certificate was not issued by the trusted Certification Authority (CA);
d. Validity period verification checks whether the date on which the user certificate is used is legal: the validity period of the user entity certificate and the private key usage period must lie within the validity period of the CA certificate, and the user entity certificate's validity period must not begin before the start of the CA certificate's private key usage period (privateKeyUsagePeriod), otherwise the certificate is unsafe;
e. The certificate revocation list query checks whether the user certificate has been revoked; the CA issues the certificate revocation list, in X.500 format, to a certificate repository in real time over the LDAP standard protocol, so that entities can query it openly during access;
f. The certificate policy setting in the user entity certificate (in a bridge CA system) should be a list of certificate policies acknowledged by the CA; it is defined by a dedicated extension field that specifies the policies applicable to the user certificate, these policies should be explicitly specified in the CA's CPS, the object identifier is no more than 200 characters, and a user certificate that carries no CA-acknowledged policy cannot be used;
g. Finally, certificates issued by the CA to its own internal administrators are distinguished from end-user entity certificates, so that the end-user entity certificate is finally confirmed and authentication is complete.
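The seven checks above map onto ordinary X.509 path validation. The following Go program is an added example and not code from the patent: it builds a throwaway root CA, two terminal certificates and a CRL in memory, then applies checks a to g to a presented certificate. Step c is implemented with the key-identifier form of the authority key identifier, which is what Go's crypto/x509 emits, rather than the issuer-serial-number form the text describes; the private key usage period of step d is not checked because crypto/x509 does not expose it. The policy OID, the CA's approved policy list, the subject names and the serial numbers are all made up for the example.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// GridPolicy is a made-up certificate-policy OID; Approved is the policy list the CA's CPS is assumed to acknowledge.
var GridPolicy = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 99999, 1}
var Approved = []asn1.ObjectIdentifier{GridPolicy}

// policyInfo mirrors RFC 5280 PolicyInformation ::= SEQUENCE { policyIdentifier OID }.
type policyInfo struct{ Policy asn1.ObjectIdentifier }

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue signs tmpl with signer; passing tmpl as its own parent yields a self-signed root.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer))
	return must(x509.ParseCertificate(der))
}

// VerifyTerminalCert applies checks a to g to one terminal certificate at time now; the error names the failing step.
func VerifyTerminalCert(leaf, ca *x509.Certificate, crl *x509.RevocationList, now time.Time, approved []asn1.ObjectIdentifier) error {
	if leaf.IsCA { // g: a CA (administrator) certificate is never an end-entity certificate
		return errors.New("g: CA certificate presented as an end-entity certificate")
	}
	if !bytes.Equal(leaf.AuthorityKeyId, ca.SubjectKeyId) { // c: the key identifier must name the issuer
		return errors.New("c: authority key identifier does not match the CA certificate")
	}
	if leaf.NotBefore.Before(ca.NotBefore) || leaf.NotAfter.After(ca.NotAfter) { // d: nested validity
		return errors.New("d: terminal certificate validity exceeds CA certificate validity")
	}
	roots := x509.NewCertPool() // a, b, d: issuer signature, chain to the trusted root, validity at now
	roots.AddCert(ca)
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return fmt.Errorf("a/b/d: %w", err)
	}
	if err := crl.CheckSignatureFrom(ca); err != nil || now.After(crl.NextUpdate) { // e: CRL must be the CA's own and current
		return fmt.Errorf("e: CRL not usable (signature error %v, next update %s)", err, crl.NextUpdate)
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return errors.New("e: certificate has been revoked")
		}
	}
	for _, p := range leaf.PolicyIdentifiers { // f: at least one policy the CA acknowledges
		for _, a := range approved {
			if p.Equal(a) {
				return nil
			}
		}
	}
	return errors.New("f: no CA-acknowledged certificate policy present")
}

// BuildFixture constructs an in-memory PKI for the example: a root CA, its CRL, one good and
// one revoked terminal certificate, and the reference time. All names and serials are made up.
func BuildFixture() (ca, good, revoked *x509.Certificate, crl *x509.RevocationList, now time.Time) {
	now = time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC)
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Grid Root CA"},
		NotBefore: now.Add(-24 * time.Hour), NotAfter: now.AddDate(10, 0, 0),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	ca = issue(caTmpl, caTmpl, &caKey.PublicKey, caKey)
	polDER := must(asn1.Marshal([]policyInfo{{GridPolicy}}))
	terminal := func(serial int64, cn string) *x509.Certificate {
		k := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
		return issue(&x509.Certificate{
			SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
			NotBefore: now.Add(-time.Hour), NotAfter: now.AddDate(1, 0, 0),
			KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
			// certificatePolicies (2.5.29.32) written raw so the example does not depend on the Go version
			ExtraExtensions: []pkix.Extension{{Id: asn1.ObjectIdentifier{2, 5, 29, 32}, Value: polDER}},
		}, ca, &k.PublicKey, caKey)
	}
	good, revoked = terminal(100, "terminal-0001"), terminal(101, "terminal-0002")
	crlDER := must(x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: now.Add(-time.Hour), NextUpdate: now.Add(24 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: revoked.SerialNumber, RevocationTime: now.Add(-time.Minute)}},
	}, ca, caKey))
	return ca, good, revoked, must(x509.ParseRevocationList(crlDER)), now
}
```

The cheap local checks (g, c, d) run before chain building so that an obviously wrong certificate never reaches signature verification, and the CRL is rejected outright when it is not signed by the CA or is past its next-update time, since a stale or forged CRL would silently turn step e into a no-op. With the fixture above, `VerifyTerminalCert(good, ca, crl, now, Approved)` returns nil, the revoked terminal fails at step e, the CA certificate itself fails at step g, the good certificate fails at a/b/d two years later, and an empty approved-policy list fails at step f.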
Preferably, in the access control list method of step S1, each object is associated with an ACL that records the subjects allowed to access the object and the operations they are allowed; this is equivalent to storing the access matrix by column. With the ACL method it is easy to list all subjects that can access a given object and to revoke all subjects' access rights to that object. The capability list describes the access capabilities of subjects: in the CL method each subject is associated with a CL that lists all objects the subject is allowed to access and the corresponding permitted operations (the access matrix stored by row).
Preferably, in step S1, discretionary access control (DAC) is a control policy that, having confirmed the identity of the subject and the group it belongs to, determines the access mode and restricts access according to the visitor's identity and authorization. DAC allows a subject that holds control rights over an object to explicitly designate other subjects' access rights to that object; it lets legitimate users access the objects specified by the policy under their own identity or that of their user group, while preventing unauthorized users from accessing those objects.
Preferably, in step S1, mandatory access control (MAC) decides whether a subject may access an object according to the security levels of the subject and the object; it is essentially rule-based access control, and every process, file and IPC object in the system is assigned a corresponding security attribute. Role-based access control (RBAC) introduces the concept of a role: access rights to objects are granted to roles rather than directly to users, roles are then assigned to users, and a user obtains access rights to objects through its roles; the RBAC model thus associates permissions with roles.
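As an added illustration of the five models described above (example code, not code from the patent), the following Go program keeps a single access matrix and derives the ACL (column) view and the capability-list (row) view from it, performs the whole-object revocation the text says ACLs make easy, delegates rights under DAC only from a subject that holds "own" on the object, applies MAC as a comparison of security levels, and resolves RBAC through role membership. The text only says that MAC compares the levels of subject and object; the Bell-LaPadula no-read-up and no-write-down rules used here are an assumption. The subjects, objects, roles and permission names are constructed for the example.

```go
package main

import "errors"

// Matrix is the access matrix: subject -> object -> set of permitted operations.
type Matrix map[string]map[string]map[string]bool

// Grant records ops for (subject, object) as an administrator would.
func (m Matrix) Grant(subject, object string, ops ...string) {
	if m[subject] == nil {
		m[subject] = map[string]map[string]bool{}
	}
	if m[subject][object] == nil {
		m[subject][object] = map[string]bool{}
	}
	for _, op := range ops {
		m[subject][object][op] = true
	}
}

// Allowed answers one access query; entries that were never granted read as false.
func (m Matrix) Allowed(subject, object, op string) bool { return m[subject][object][op] }

// ACL is the column view for one object: every subject that may reach it and how.
func (m Matrix) ACL(object string) map[string]map[string]bool {
	acl := map[string]map[string]bool{}
	for subject, row := range m {
		if ops, ok := row[object]; ok {
			acl[subject] = ops
		}
	}
	return acl
}

// CL is the row view for one subject: every object it may reach and how.
func (m Matrix) CL(subject string) map[string]map[string]bool { return m[subject] }

// RevokeObject deletes one column, the operation the text notes is easy with ACLs.
func (m Matrix) RevokeObject(object string) {
	for _, row := range m {
		delete(row, object)
	}
}

// DACGrant: only a subject holding "own" on an object may delegate rights on it to another subject.
func (m Matrix) DACGrant(owner, subject, object string, ops ...string) error {
	if !m.Allowed(owner, object, "own") {
		return errors.New("DAC: " + owner + " does not own " + object)
	}
	m.Grant(subject, object, ops...)
	return nil
}

// Level is a MAC security level; a higher value means more sensitive.
type Level int

const (
	Public Level = iota
	Internal
	Confidential
	Secret
)

// MACAllowed compares levels with the Bell-LaPadula rules assumed here: no read up, no write down.
func MACAllowed(subject, object Level, op string) bool {
	switch op {
	case "read":
		return subject >= object
	case "write":
		return subject <= object
	}
	return false
}

// RBAC binds permissions to roles and roles to users; users hold no permissions directly.
type RBAC struct{ RolePerms, UserRoles map[string][]string }

func (r RBAC) Allowed(user, perm string) bool {
	for _, role := range r.UserRoles[user] {
		for _, p := range r.RolePerms[role] {
			if p == perm {
				return true
			}
		}
	}
	return false
}

// SampleMatrix is constructed data: a terminal owns its own readings, an operator may read
// them, and the load forecast is read-only for both.
func SampleMatrix() Matrix {
	m := Matrix{}
	m.Grant("terminal-0001", "readings-0001", "own", "read", "write")
	m.Grant("operator-a", "readings-0001", "read")
	m.Grant("terminal-0001", "load-forecast", "read")
	m.Grant("operator-a", "load-forecast", "read")
	return m
}
```

On the sample matrix, `ACL("readings-0001")` lists terminal-0001 and operator-a, `CL("operator-a")` lists both objects, `DACGrant("operator-a", ...)` is refused because the operator does not own the readings, `RevokeObject("readings-0001")` empties that column for every subject in one pass, `MACAllowed(Confidential, Secret, "read")` is false while `MACAllowed(Confidential, Secret, "write")` is true, and an RBAC user only ever sees the permissions of the roles it holds.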
Preferably, the micro-service gateway shields the internal services from the outside world and at the same time performs rate limiting and fault tolerance, monitors logs, and reverse-maps external requests to specific internal micro-services.
Preferably, the security policy management module operates in real time: according to a security plan that is formulated manually or triggered after the system receives a notification from the security situation awareness system, it pushes the updated security policy through the micro-service interface to the terminal identity authentication service unit and the access control micro-service unit, so that the system's policy information is updated in real time.
Preferably, the digital certificate management unit provides the following services: a. a certificate status service, in which the certificate directory is updated and published in real time and OCSP queries are supported; b. a user certificate service covering the whole certificate lifecycle, including certificate application, download, renewal, revocation, freezing/unfreezing and online unlocking.
Compared with the related art, the ICT virtual operation security access control method based on the micro-service has the following beneficial effects:
The micro-service-based ICT virtual operation security access control method provided by the invention develops a single application into a group of small services using a micro-service architecture: each service runs in its own process, inter-service communication uses a lightweight communication mechanism, and each service is built around a business capability and can be deployed independently by a fully automated deployment mechanism. The services are therefore highly decoupled, with no dependencies between their code or their deployment, which greatly reduces the failure rate. Development is flexible and fast, because each micro-service is concerned only with one specific business function, so service boundaries are clear and services are easy to maintain; and because each micro-service is deployed independently, deployment is simpler. When a large number of terminals connect, the scalability of the system, the ease of deploying the authentication service, and the ability to give different terminals different authentication and authorization strategies for their different business scenarios are all improved, so the method better meets users' needs.
Drawings
FIG. 1 is a structural diagram of the micro-service architecture in the micro-service-based ICT virtual operation security access control method provided by the invention;
FIG. 2 is a block diagram of service registration operation in the method;
FIG. 3 is a block diagram of service gateway operation in the method;
FIG. 4 is a block diagram of load-balancing operation in the method.
Detailed Description
The invention will be further described with reference to the drawings and embodiments, FIG. 1 to FIG. 4 as listed above.
The detailed embodiment repeats steps S1 to S3 and the preferred features already set out above under Disclosure of Invention (certificate-based terminal authentication before the connection is established, the certificate verification checks a to g, the ACL, capability list, DAC, MAC and RBAC models, the micro-service gateway, the security policy management module and the digital certificate management unit), and adds nothing beyond them.
The foregoing description is only illustrative of the present invention and is not intended to limit the scope of the invention, and all equivalent structures or equivalent processes or direct or indirect application in other related technical fields are included in the scope of the present invention.
Claims (10)
1. The micro-service-based ICT virtual operation security access control method is characterized by comprising the following operation steps:
S1. After the micro-service architecture system is connected to a power grid terminal, the access control micro-service unit performs access control on the power grid terminal's resources to grant or restrict the terminal's access capability, using several access control modes: access control lists, capability lists, discretionary access control, mandatory access control and role-based access control. The micro-service architecture system comprises a micro-service gateway, a micro-service module and a security policy management module; the micro-service module is divided into a registration and discovery micro-service unit, a terminal authentication micro-service unit, an access control micro-service unit and other service units; and the security policy management module comprises a digital certificate management unit and an authorization management unit;
S2. When the power grid terminal requests access, the registration and discovery micro-service unit first registers the terminal's information and provides the terminal's address and other information, so that a caller of the service can subscribe to the service through the provided address and information; the registration and discovery micro-service unit then sends the address list of the relevant services to the service caller, and the service caller locates the target service;
S3. After the service caller enters the power grid terminal, it is authenticated by the terminal authentication micro-service unit; once authentication passes, the service caller may access internal resources, otherwise it is not allowed to continue; the micro-service module controls the service being accessed, so that normal operation of the accessed service is ensured.
2. The micro-service-based ICT virtual operation security access control method according to claim 1, wherein in S1, before the micro-service architecture system establishes a connection with the power grid terminal, identity authentication must be performed: based on the digital certificate information embedded in the power grid terminal, a public-key authentication technology is used so that the power grid terminal authenticates its identity through an authentication server, and only once the power grid terminal has passed identity authentication by the micro-service architecture system can the connection with the terminal be established.
3. The micro-service-based ICT virtual operation security access control method according to claim 1, wherein after the micro-service architecture system has been built, the terminal authentication micro-service unit uses a public-key authentication technology, based on the digital certificate information embedded in the power grid terminal, so that the power grid terminal authenticates its identity through an authentication server, and only once the power grid terminal has passed identity authentication by the micro-service architecture system can the connection with the terminal be established.
4. The micro-service-based ICT virtual operation security access control method according to claim 3, wherein the specific digital certificate authentication process of the terminal authentication micro-service unit is as follows:
a. Verify whether the issuer CA's public key correctly verifies the issuer's digital signature on the client entity certificate; where two certificates have been exchanged, unpack both and check whether each verifies; if the signature verifies correctly, the output is the user's public key;
b. Trace back along the certificate chain to the root of the trusted CA to verify that the CA issuing the user entity certificate is an authoritative trusted CA; certificate chain verification requires that every certificate on the path, from the end entity to the root certificate, is valid, and that each certificate correctly corresponds to the authoritative trusted CA that issued it;
c. Check whether the issuer certificate serial number recorded in the entity certificate is consistent with the serial number of the issuer certificate, to verify the certificate's authenticity; the verification proceeds as follows: the certificate serial number carried in the authority key identifier extension of the user entity certificate, i.e. the serial number of the issuing certificate, is compared with the certificate serial number in the CA certificate; the two must be consistent, otherwise the certificate was not issued by the trusted certification authority (CA);
d. Validity period verification checks whether the date on which the user certificate is used is legal; specifically, the validity period of the user entity certificate and the validity period of its private key must fall within the validity dates of the CA certificate, and the user entity certificate's validity period must not start before the start of the CA certificate's private key usage period; otherwise the certificate is unsafe;
e. Certificate revocation list query checks whether the user certificate has been revoked; the CA publishes the certificate revocation list to the certificate repository (an X.500 directory) in real time through the standard LDAP protocol, so that entities can query it openly at access time;
f. Certificate policy check: the certificate policies set in the user entity certificate (in a bridge CA system) should be a list of certificate policies acknowledged by the CA, defined in a dedicated extension field that specifies the policies applicable to the user certificate; these policies should be explicitly specified in the CA's CPS, the object identifier is no more than 200 characters, and a user certificate without a policy acknowledged by the CA cannot be used;
g. Finally, certificates of the certification authority's internal administrators issued by the CA are distinguished from end-user entity certificates, so that the end-user entity certificate is finally confirmed and the authentication is complete.
5. The micro-service-based ICT virtual operation security access control method according to claim 1, wherein in the access control list mode in S1, each object is associated with an ACL that records the subjects allowed to access the object and the operations each is allowed, which is equivalent to storing the access matrix by column; with the ACL method it is easy to list every subject that can access an object and to revoke all subjects' access rights to that object; the capability list describes the access capabilities of subjects: in the CL method each subject is associated with a CL that lists every object the subject is allowed to access and the corresponding access operations.
6. The micro-service-based ICT virtual operation security access control method according to claim 1, wherein the discretionary access control (DAC) in S1 is a control policy that determines the access mode and defines access according to the identity and authorization of the subject; DAC allows a subject that has control rights over an object to explicitly specify other subjects' access rights to that object, and allows legitimate users to access the objects specified by the policy as an individual user or as a member of a user group, while preventing unauthorized users from accessing the object.
7. The micro-service-based ICT virtual operation security access control method according to claim 1, wherein the mandatory access control in S1 determines whether a subject may access an object according to the security levels of the subject and the object; mandatory access control is essentially rule-based access control, in which every process, file and IPC object in the system is assigned a corresponding security attribute; role-based access control introduces the concept of a role, grants access rights to objects to roles instead of directly to users, and then assigns roles to users, so that users obtain access rights through their roles; the RBAC model thus associates rights with roles.
8. The micro-service-based ICT virtual operation security access control method according to claim 1, wherein the micro-service gateway is configured to shield the internal services from the outside and, at the same time, to perform rate limiting and fault tolerance, log monitoring, and reverse mapping of external requests onto specific internal micro-services.
9. The micro-service-based ICT virtual operation security access control method according to claim 1, wherein, after the security policy management module receives a notification from the security situation awareness system, it updates the security policy to the terminal identity authentication service unit and the access control micro-service unit through the micro-service interface, according to a security plan formulated manually or triggered by the system, thereby achieving real-time updating of the system's information.
10. The micro-service-based ICT virtual operation security access control method of claim 1, wherein the digital certificate management unit comprises the following services: a. a certificate status service, which updates and publishes the certificate directory in real time and provides OCSP query; b. a user certificate service, which covers the whole certificate life cycle: certificate application, certificate download, certificate renewal, certificate revocation, freezing/unfreezing and online unlocking.
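The checks of claim 4 as runnable code, added here as an illustration; it is not code from the patent or from any implementation it describes. It builds a throwaway root CA and CRL with Go's standard crypto/x509 (constructed test data, so it runs offline), issues terminal certificates, and applies steps a to g in one verifier whose error names the failing step. Assumptions: the acknowledged policy OID AcceptedPolicy is invented; steps a and c are checked together, with c implemented as the authority key identifier match rather than a literal serial-number comparison; step d compares the certificate window with the CA window and the time of use and does not model a private-key-usage-period extension; the CRL is held in memory instead of being fetched from an LDAP directory; and the type and function names are mine.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"slices"
	"time"
)

// AcceptedPolicy is an assumed policy OID standing for one listed in the CA's CPS (step f); TerminalPolicies is what issued terminals carry.
var AcceptedPolicy = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 99999, 1}
var TerminalPolicies = []asn1.ObjectIdentifier{AcceptedPolicy}
func must[T any](v T, err error) T { // fixture generation only; the verification path returns errors
	if err != nil {
		panic(err)
	}
	return v
}

// PKI is a locally generated root CA (constructed test data) with its signing key and its current CRL.
type PKI struct {
	CA    *x509.Certificate
	caKey *ecdsa.PrivateKey
	crl   *x509.RevocationList
}

func NewPKI(now time.Time) *PKI {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Test Grid Root CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	p := &PKI{CA: must(x509.ParseCertificate(der)), caKey: key}
	p.PublishCRL(now) // start with an empty, signed CRL
	return p
}

// Issue signs an entity certificate; isCA marks a CA-internal administrator certificate (step g).
func (p *PKI) Issue(serial int64, cn string, from, to time.Time, policies []asn1.ObjectIdentifier, isCA bool) *x509.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, NotBefore: from,
		NotAfter: to, IsCA: isCA, BasicConstraintsValid: isCA, KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if len(policies) > 0 { // certificatePolicies (2.5.29.32), encoded by hand so every Go release emits the same bytes
		type policyInfo struct{ ID asn1.ObjectIdentifier }
		infos := make([]policyInfo, len(policies))
		for i, oid := range policies {
			infos[i] = policyInfo{oid}
		}
		tmpl.ExtraExtensions = []pkix.Extension{{Id: asn1.ObjectIdentifier{2, 5, 29, 32}, Value: must(asn1.Marshal(infos))}}
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, p.CA, &key.PublicKey, p.caKey))
	return must(x509.ParseCertificate(der))
}

// PublishCRL signs a fresh CRL listing the given serials, the list a CA would push to its directory for step e.
func (p *PKI) PublishCRL(now time.Time, revoked ...*big.Int) {
	var entries []pkix.RevokedCertificate
	for _, s := range revoked {
		entries = append(entries, pkix.RevokedCertificate{SerialNumber: s, RevocationTime: now})
	}
	tmpl := &x509.RevocationList{Number: big.NewInt(now.Unix()), ThisUpdate: now, NextUpdate: now.Add(time.Hour), RevokedCertificates: entries}
	p.crl = must(x509.ParseRevocationList(must(x509.CreateRevocationList(rand.Reader, tmpl, p.CA, p.caKey))))
}

// VerifyTerminalCert applies the claim-4 checks (a and c together; d before b, so an expired certificate is reported under d).
func (p *PKI) VerifyTerminalCert(leaf *x509.Certificate, now time.Time) error {
	// a. the issuer signature must verify under the CA public key; c. the authority key id must name that CA certificate
	if err := leaf.CheckSignatureFrom(p.CA); err != nil || !bytes.Equal(leaf.AuthorityKeyId, p.CA.SubjectKeyId) {
		return fmt.Errorf("step a/c: issuer signature or authority key identifier does not match the trusted CA (%v)", err)
	}
	if leaf.NotBefore.Before(p.CA.NotBefore) || leaf.NotAfter.After(p.CA.NotAfter) || // d. inside the CA window ...
		now.Before(leaf.NotBefore) || now.After(leaf.NotAfter) { // ... and valid at the time of use
		return fmt.Errorf("step d: validity period rejected at %s", now.Format(time.RFC3339))
	}
	roots := x509.NewCertPool() // b. the path from the entity certificate must end at a trusted root
	roots.AddCert(p.CA)
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return fmt.Errorf("step b: %w", err)
	}
	listed := slices.ContainsFunc(p.crl.RevokedCertificates, func(rc pkix.RevokedCertificate) bool { return rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 })
	if err := p.crl.CheckSignatureFrom(p.CA); err != nil || now.After(p.crl.NextUpdate) || listed { // e. CRL CA-signed, current, silent on this serial
		return fmt.Errorf("step e: revocation list unusable (%v, stale=%t) or serial %v revoked (%t)", err, now.After(p.crl.NextUpdate), leaf.SerialNumber, listed)
	}
	if !slices.ContainsFunc(leaf.PolicyIdentifiers, AcceptedPolicy.Equal) { // f. a policy the CA acknowledges must be present
		return fmt.Errorf("step f: no acknowledged certificate policy")
	}
	if leaf.IsCA { // g. CA-internal administrator certificates are not end-user entity certificates
		return fmt.Errorf("step g: administrator/CA certificate presented as an end-entity certificate")
	}
	return nil
}
```

Two details worth noting: step e rejects a CRL whose NextUpdate has passed even when the serial is not listed, because a stale list proves nothing about revocation; and the certificate policies extension is encoded by hand because Go 1.24 changed which template field feeds that extension, so relying on the convenience field would silently emit an empty policy list on some toolchains and make every certificate fail step f.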
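The access control modes of claims 5 to 7 side by side, as an added example (my code, not the patent's): the access matrix with its ACL (column) and CL (row) views and the column-wise revocation that claim 5 describes, a DAC delegation that only the controlling subject may perform, a MAC decision on security levels, and an RBAC decision that reaches rights only through roles. The subject, object and level names are constructed, and the MAC comparison is the Bell-LaPadula rule, which is my assumption because the claim does not say how the levels are compared.

```go
package main

import (
	"errors"
	"fmt"
)

// Right is one access operation recorded in the access matrix.
type Right string

const (
	Read  Right = "read"
	Write Right = "write"
)

// Matrix is the access matrix: m[subject][object] is the set of rights the subject holds on the object.
type Matrix map[string]map[string]map[Right]bool

func (m Matrix) Grant(subject, object string, rights ...Right) {
	if m[subject] == nil {
		m[subject] = map[string]map[Right]bool{}
	}
	if m[subject][object] == nil {
		m[subject][object] = map[Right]bool{}
	}
	for _, r := range rights {
		m[subject][object][r] = true
	}
}

func (m Matrix) Has(subject, object string, r Right) bool { return m[subject][object][r] }

// ACL is the matrix read by column: for one object, every subject allowed to access it and its operations.
func (m Matrix) ACL(object string) map[string]map[Right]bool {
	acl := map[string]map[Right]bool{}
	for subject, row := range m {
		if len(row[object]) > 0 {
			acl[subject] = row[object]
		}
	}
	return acl
}

// CL is the matrix read by row: for one subject, every object it may access and the operations allowed.
func (m Matrix) CL(subject string) map[string]map[Right]bool { return m[subject] }

// RevokeObject clears one column; with ACLs this is the cheap operation, with CLs it means editing every subject's list.
func (m Matrix) RevokeObject(object string) {
	for _, row := range m {
		delete(row, object)
	}
}

// DAC: the subject that controls an object (its owner here) decides which other subjects get which rights on it.
type DAC struct {
	Owner map[string]string // object -> controlling subject
	Matrix
}

func (d DAC) Delegate(by, to, object string, rights ...Right) error {
	if d.Owner[object] != by {
		return errors.New(by + " does not control " + object)
	}
	d.Grant(to, object, rights...)
	return nil
}

// MAC: subjects and objects carry security levels fixed by the system, not by owners. The comparison used here is the
// Bell-LaPadula rule (no read up, no write down); it is an assumption, since the claim does not say how levels are compared.
type Level int
type MAC struct{ Subject, Object map[string]Level }
func (m MAC) Allowed(subject, object string, r Right) bool {
	s, o := m.Subject[subject], m.Object[object]
	return (r == Read && s >= o) || (r == Write && s <= o)
}

// RBAC: rights are granted to roles, users are assigned roles and obtain rights only through them.
type RBAC struct {
	RolePerms Matrix              // role x object -> rights
	UserRoles map[string][]string // user -> roles
}

func (r RBAC) Allowed(user, object string, right Right) bool {
	for _, role := range r.UserRoles[user] {
		if r.RolePerms.Has(role, object, right) {
			return true
		}
	}
	return false
}

func main() { // constructed scenario: two grid terminals sharing one telemetry object
	m := Matrix{}
	m.Grant("terminal-A", "telemetry/feeder-1", Read, Write)
	m.Grant("terminal-B", "telemetry/feeder-1", Read)
	fmt.Println("ACL:", m.ACL("telemetry/feeder-1"), "CL(A):", m.CL("terminal-A"))
	dac := DAC{Owner: map[string]string{"telemetry/feeder-1": "terminal-A"}, Matrix: m}
	fmt.Println("B delegates:", dac.Delegate("terminal-B", "terminal-C", "telemetry/feeder-1", Read))
	fmt.Println("A delegates:", dac.Delegate("terminal-A", "terminal-C", "telemetry/feeder-1", Read), m.Has("terminal-C", "telemetry/feeder-1", Read))
}
```

The one matrix backs both the ACL and CL views, which is the point of claim 5: the representation chosen decides which question is cheap (who can touch this object, versus what can this subject touch) and which revocation is cheap. DAC and RBAC are layered on the same matrix, while MAC deliberately ignores it, since a level comparison that an owner could override would no longer be mandatory.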
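The gateway functions of claim 8 in one small handler, added here as an example and not code from the patent or from any product: it hides internal addresses behind external path prefixes (reverse mapping), throttles each caller with a token bucket (rate limiting), turns an upstream failure into a generic 503 without leaking the internal error (fault tolerance), and logs every allow or deny decision (log monitoring). The X-Terminal-Id header, the route prefixes and the internal addresses are assumptions; in the patent's architecture the terminal identity would come from the terminal authentication micro-service unit.

```go
package main

import (
	"log"
	"net/http"
	"net/http/httputil"
	"net/url"
	"os"
	"strings"
	"sync"
	"time"
)

// Route maps an external path prefix onto an internal micro-service address that callers never see.
type Route struct {
	Prefix string
	Target *url.URL
}

// Limiter is a per-caller token bucket: Burst tokens, refilled at Rate tokens per second.
type Limiter struct {
	mu          sync.Mutex
	Rate, Burst float64
	tokens      map[string]float64
	last        map[string]time.Time
}

func (l *Limiter) Allow(caller string) bool {
	l.mu.Lock()
	defer l.mu.Unlock()
	now := time.Now()
	tok, seen := l.tokens[caller]
	if !seen {
		tok = l.Burst
	} else {
		tok = min(l.Burst, tok+now.Sub(l.last[caller]).Seconds()*l.Rate)
	}
	l.last[caller] = now
	if tok < 1 {
		l.tokens[caller] = tok
		return false
	}
	l.tokens[caller] = tok - 1
	return true
}

// Gateway is the micro-service gateway of claim 8: it reverse-maps external requests onto internal services,
// throttles per caller, hides upstream failures from the outside and logs every decision.
type Gateway struct {
	Routes []Route
	Limit  *Limiter
	Log    *log.Logger
}

func NewGateway(routes []Route, rate, burst float64, logger *log.Logger) *Gateway {
	return &Gateway{Routes: routes, Log: logger,
		Limit: &Limiter{Rate: rate, Burst: burst, tokens: map[string]float64{}, last: map[string]time.Time{}}}
}

func (g *Gateway) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	caller := r.Header.Get("X-Terminal-Id") // assumed header carrying the identity established by the terminal authentication unit
	if caller == "" {
		caller = r.RemoteAddr
	}
	if !g.Limit.Allow(caller) {
		g.Log.Printf("deny caller=%q path=%s reason=rate-limit", caller, r.URL.Path)
		http.Error(w, "too many requests", http.StatusTooManyRequests)
		return
	}
	for _, rt := range g.Routes {
		if !strings.HasPrefix(r.URL.Path, rt.Prefix) {
			continue
		}
		g.Log.Printf("allow caller=%q path=%s -> %s", caller, r.URL.Path, rt.Target.Host)
		proxy := httputil.NewSingleHostReverseProxy(rt.Target)
		proxy.ErrorHandler = func(w http.ResponseWriter, _ *http.Request, err error) { // fault tolerance
			g.Log.Printf("upstream-error caller=%q path=%s err=%v", caller, r.URL.Path, err)
			http.Error(w, "service unavailable", http.StatusServiceUnavailable) // internal detail stays inside
		}
		r.URL.Path = strings.TrimPrefix(r.URL.Path, rt.Prefix) // the internal service sees only its own path
		proxy.ServeHTTP(w, r)
		return
	}
	g.Log.Printf("deny caller=%q path=%s reason=no-route", caller, r.URL.Path)
	http.NotFound(w, r)
}

// DemoRoutes builds the constructed route table; the two addresses stand in for the internal micro-services.
func DemoRoutes(authAddr, accessAddr string) []Route {
	auth, _ := url.Parse(authAddr)
	access, _ := url.Parse(accessAddr)
	return []Route{{Prefix: "/api/auth", Target: auth}, {Prefix: "/api/access", Target: access}}
}

func main() {
	gw := NewGateway(DemoRoutes("http://127.0.0.1:8081", "http://127.0.0.1:8082"), 5, 10, log.New(os.Stdout, "gateway ", log.LstdFlags))
	log.Fatal(http.ListenAndServe("127.0.0.1:8080", gw))
}
```

The rate limit is applied before routing so that a flood of requests for unknown paths still costs the caller tokens, and the limiter keys on the authenticated terminal identity rather than the source address, which is what a terminal behind NAT or a proxy would otherwise share with its neighbours. A request for a path with no route gets a 404 rather than a hint about which internal services exist.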
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202111489302.6A CN114398612B (en) | 2021-12-08 | 2021-12-08 | ICT virtual operation safety access control method based on micro-service |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202111489302.6A CN114398612B (en) | 2021-12-08 | 2021-12-08 | ICT virtual operation safety access control method based on micro-service |
Publications (2)
Publication Number | Publication Date |
---|---|
CN114398612A CN114398612A (en) | 2022-04-26 |
CN114398612B true CN114398612B (en) | 2024-05-03 |
Family
ID=81227103
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202111489302.6A Active CN114398612B (en) | 2021-12-08 | 2021-12-08 | ICT virtual operation safety access control method based on micro-service |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN114398612B (en) |
Families Citing this family (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN116567069B (en) * | 2023-07-11 | 2023-09-19 | 飞天诚信科技股份有限公司 | Method and system for realizing registration of Internet of things |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN107612955A (en) * | 2016-07-12 | 2018-01-19 | 深圳市远行科技股份有限公司 | Micro services provide method, apparatus and system |
CN110781476A (en) * | 2019-10-15 | 2020-02-11 | 南京南瑞信息通信科技有限公司 | Flexible micro-service security access control method and system |
CN113098695A (en) * | 2021-04-21 | 2021-07-09 | 金陵科技学院 | Micro-service unified authority control method and system based on user attributes |
CN113259350A (en) * | 2021-05-12 | 2021-08-13 | 深圳华数云计算技术有限公司 | Cryptographic user authorization and authentication system based on key generation algorithm |
Family Cites Families (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
NO318842B1 (en) * | 2002-03-18 | 2005-05-09 | Telenor Asa | Authentication and access control |
US11057393B2 (en) * | 2018-03-02 | 2021-07-06 | Cloudentity, Inc. | Microservice architecture for identity and access management |
CN112291178B (en) * | 2019-07-22 | 2024-03-22 | 京东方科技集团股份有限公司 | Service providing method and device and electronic equipment |
Timeline: 2021-12-08, CN application CN202111489302.6A (patent CN114398612B), status Active.
Non-Patent Citations (2)
Title |
---|
Integration scheme of microservice architecture and enterprise identity authentication portal; 王冠 (Wang Guan); Science & Technology Vision (科技视界); 2020-07-05 (19); 247-249 * |
A flexible micro-service security access control framework; 刘一田 (Liu Yitian); 林亭君 (Lin Tingjun); 刘士进 (Liu Shijin); Computer Systems & Applications (计算机系统应用); 2018-10-15 (10); 74-78 * |
Also Published As
Publication number | Publication date |
---|---|
CN114398612A (en) | 2022-04-26 |
Similar Documents
Publication | Title |
---|---|
CN110213246B (en) | Wide-area multi-factor identity authentication system |
CN108737370B (en) | Block chain-based Internet of things cross-domain authentication system and method |
CN105577665B (en) | Identity and access control management system and method under a kind of cloud environment |
US8971537B2 (en) | Access control protocol for embedded devices |
Liu et al. | Capability-based IoT access control using blockchain |
CN112822675B (en) | MEC environment-oriented OAuth 2.0-based single sign-on mechanism |
CN107483491A (en) | The access control method of distributed storage under a kind of cloud environment |
CN109088857B (en) | Distributed authorization management method in scene of Internet of things |
Panda et al. | A blockchain based decentralized authentication framework for resource constrained iot devices |
CN113204744B (en) | Software authorization system and method based on distributed identity |
KR20140127303A (en) | Multi-factor certificate authority |
CN110351263A (en) | A kind of Internet of Things authentication method based on super account book fabric |
CN107832602A (en) | A kind of unified electronic seal system based on mark |
CN114398612B (en) | ICT virtual operation safety access control method based on micro-service |
CN111181931B (en) | Authorization system and method based on user terminal authentication |
US20230412400A1 (en) | Method for suspending protection of an object achieved by a protection device |
Ezawa et al. | Blockchain-based cross-domain authorization system for user-centric resource sharing |
CN114189380A (en) | Zero-trust-based distributed authentication system and authorization method for Internet of things equipment |
US20050055556A1 (en) | Policy enforcement |
CN110891067B (en) | Revocable multi-server privacy protection authentication method and revocable multi-server privacy protection authentication system |
CN113259350A (en) | Cryptographic user authorization and authentication system based on key generation algorithm |
Ferretti et al. | Authorization transparency for accountable access to IoT services |
Omolola et al. | Policy-based access control for the IoT and Smart Cities |
Liang et al. | A multiple-policy supported attribute-based access control architecture within large-scale device collaboration systems |
Yan et al. | Distributed authentication scheme for industry internet platform application based on consortium blockchain |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| GR01 | Patent grant | |