CN115208580A - Credible service positioning method and system based on industrial internet identification analysis - Google Patents


Info

Publication number
CN115208580A
Authority
CN
China
Prior art keywords
service
node
certificate
identification
site information
Legal status
Granted
Application number
CN202210824359.5A
Other languages
Chinese (zh)
Other versions
CN115208580B (en)
Inventor
李龙
刘东坡
杨树梅
张发振
柳京晖
李慧玲
武莹
胡键伟
马晨光
Current Assignee
Beijing Taier Yingfu Technology Co ltd
Original Assignee
Beijing Taier Yingfu Technology Co ltd
Application filed by Beijing Taier Yingfu Technology Co ltd
Priority to CN202210824359.5A
Publication of CN115208580A
Application granted
Publication of CN115208580B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L 9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • H04L 9/3263 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H04L 63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Power Engineering (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The invention discloses a credible service positioning method and a system based on industrial internet identification analysis, wherein the method comprises the following steps: when receiving a service access request, a client sends a request for acquiring site information of a secondary node service to a top node; the top-level node sends the second-level node service site information to the client; the client uses the root certificate to perform credible signature verification on the site information of the second-level node service, and sends a request for acquiring the site information of the enterprise node service to the second-level node; the secondary node sends the site information of the enterprise node service to the client; the client uses the intermediate certificate to perform credible signature verification on the site information of the enterprise node service, and sends a request of service access identification information to the enterprise node; the enterprise node analyzes the obtained service access industrial internet identification and sends the service access industrial internet identification to the client; the client accesses the service according to the identification. The invention can realize public key infrastructure based on an industrial internet identification analysis system and ensure credible service access.

Description

Credible service positioning method and system based on industrial internet identification analysis
Technical Field
The invention relates to the technical field of network security, in particular to a trusted service positioning method and system based on industrial internet identification analysis.
Background
This section is intended to provide a background or context to the embodiments of the invention that are recited in the claims. The description herein is not admitted to be prior art by inclusion in this section.
Currently, when a user accesses an identifier resolution service through a client or an SDK, if the IP and port information provided by the identifier resolution service has been tampered with, the client or SDK may be wrongly directed to other illegal services and consequently request an incorrect identifier resolution service.
Disclosure of Invention
The embodiment of the invention provides a credible service positioning method based on industrial internet identification analysis, which is used for realizing credible service positioning based on industrial internet identification analysis, wherein an industrial internet identification analysis system is a distributed architecture comprising at least three layers of nodes, the three layers of nodes comprise a top level node, a second level node and an enterprise node, the top level node is pre-configured with site information of the second level node service, and the second level node is pre-configured with site information of the enterprise node service; the site information of the secondary node service is signed by using a preconfigured root certificate, the root certificate is generated by a client according to a preset trust warehouse, and the site information of the enterprise node service is signed by using an intermediate certificate distributed according to the root certificate in advance, wherein the method comprises the following steps:
when receiving a service access request, a client sends a request for acquiring site information of a secondary node service to a top node;
the top level node sends the site information served by the second level node to the client according to the request for obtaining the site information served by the second level node;
the client uses the root certificate to perform credible signature verification processing on the site information of the second-level node service, and sends a request for acquiring the site information of the enterprise node service to the second-level node;
the secondary node sends the site information of the enterprise node service to the client according to the request for acquiring the site information of the enterprise node service;
the client uses the intermediate certificate to perform credible signature verification processing on the site information of the enterprise node service, and sends a request of identification information of service access to the enterprise node;
the enterprise node analyzes the request of the identification information of the service access to obtain an industrial internet identification of the service access, and sends the industrial internet identification to the client; the industrial internet identification comprises a plurality of data values, each data value comprises an index of the data value, a data type and actual data corresponding to the data value, the data value comprises a user identity identification value, and the user identity identification value comprises a user public key index, a preset character and an industrial internet identification;
and the client processes the service access request according to the industrial internet identification.
The embodiment of the invention also provides a credible service positioning system based on the industrial internet identification analysis, which is used for realizing accurate service positioning based on the industrial internet identification analysis, wherein the industrial internet identification analysis system is a distributed architecture comprising at least three layers of nodes, the three layers of nodes comprise a top level node, a second level node and an enterprise node, the top level node is pre-configured with site information of the second level node service, and the second level node is pre-configured with site information of the enterprise node service; the site information of the secondary node service is signed by using a preconfigured root certificate, the root certificate is generated by a client according to a preset trust warehouse, and the site information of the enterprise node service is signed by using an intermediate certificate which is distributed according to the root certificate in a preconfigured way; the system comprises:
the client is used for sending a request for acquiring site information served by the second-level node to the top-level node when receiving the service access request; using the root certificate to perform credible signature verification processing on the site information of the secondary node service, and sending a request for acquiring the site information of the enterprise node service to the secondary node; using the intermediate certificate to perform credible signature verification processing on the site information of the enterprise node service, and sending a request of identification information of service access to the enterprise node; processing the service access request according to the industrial internet identification;
the top level node is used for sending the site information served by the second level node to the client according to the request for obtaining the site information served by the second level node;
the secondary node is used for sending the site information of the enterprise node service to the client according to the request for obtaining the site information of the enterprise node service;
the enterprise node is used for analyzing to obtain an industrial internet identifier of the service access according to the request of the identifier information of the service access and sending the industrial internet identifier to the client; the industrial internet identification comprises a plurality of data values, each data value comprises an index of the data value, a data type and actual data corresponding to the data value, the data values comprise user identity identification values, and the user identity identification values comprise user public key indexes, preset characters and industrial internet identification.
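The three-tier lookup described in the method steps and in the system above, as an added example that is not part of the patent or of any implementation by the applicant. It assumes ed25519 keys, JSON site records and JWS-compact tokens (header.payload.signature) as the concrete encoding; the patent fixes none of these, and the node names, addresses and field names are constructed. The client verifies the secondary-node site information and the intermediate certificate under the root key, then the enterprise-node site information under the key carried by that intermediate certificate. The example also exercises the two failure cases the scheme is meant to catch: site information whose IP was rewritten after signing, and an intermediate certificate that was not issued under the root.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

var enc = base64.RawURLEncoding // base64url without padding, as JWS uses

// SiteInfo is the record a node hands out for the next tier's service (field names are assumptions).
type SiteInfo struct {
	Node string `json:"node"`
	IP   string `json:"ip"`
	Port int    `json:"port"`
}

// Cert is a minimal JWT-style claim set for the intermediate certificate: subject node and its ed25519 key.
type Cert struct {
	Subject string `json:"sub"`
	PubKey  string `json:"pub"` // base64url of the raw 32-byte public key
}

// sign builds a JWS-compact token (header.payload.signature) over the JSON-encoded claims.
func sign(priv ed25519.PrivateKey, claims interface{}) (string, error) {
	payload, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	input := enc.EncodeToString([]byte(`{"alg":"EdDSA"}`)) + "." + enc.EncodeToString(payload)
	return input + "." + enc.EncodeToString(ed25519.Sign(priv, []byte(input))), nil
}

// verify checks the signature under pub and only then decodes the payload, so unverified data never reaches the caller.
func verify(pub ed25519.PublicKey, token string, out interface{}) error {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return fmt.Errorf("malformed token")
	}
	sig, err := enc.DecodeString(parts[2])
	if err != nil || !ed25519.Verify(pub, []byte(parts[0]+"."+parts[1]), sig) {
		return fmt.Errorf("signature verification failed")
	}
	payload, err := enc.DecodeString(parts[1])
	if err != nil {
		return err
	}
	return json.Unmarshal(payload, out)
}

// Locate is the client side of the procedure: secondary-node site info and the intermediate certificate
// must verify under the root key, then the enterprise-node site info under the intermediate key.
func Locate(rootPub ed25519.PublicKey, secondaryTok, intermediateCert, enterpriseTok string) (SiteInfo, error) {
	var secondary, enterprise SiteInfo
	if err := verify(rootPub, secondaryTok, &secondary); err != nil {
		return SiteInfo{}, fmt.Errorf("secondary site info: %w", err)
	}
	var ic Cert
	if err := verify(rootPub, intermediateCert, &ic); err != nil {
		return SiteInfo{}, fmt.Errorf("intermediate certificate: %w", err)
	}
	icPub, err := enc.DecodeString(ic.PubKey)
	if err != nil || len(icPub) != ed25519.PublicKeySize || ic.Subject != secondary.Node {
		return SiteInfo{}, fmt.Errorf("intermediate certificate does not fit the secondary node")
	}
	if err := verify(ed25519.PublicKey(icPub), enterpriseTok, &enterprise); err != nil {
		return SiteInfo{}, fmt.Errorf("enterprise site info: %w", err)
	}
	return enterprise, nil
}

// Scenario wires up constructed keys and records for the three tiers and runs the client three times:
// honestly, with the enterprise IP rewritten in transit (signature kept), and with an intermediate
// certificate not issued under the root. sign only fails on JSON marshalling, so its error is dropped.
func Scenario() (SiteInfo, map[string]error) {
	rootPub, rootPriv, _ := ed25519.GenerateKey(rand.Reader)
	secPub, secPriv, _ := ed25519.GenerateKey(rand.Reader)
	roguePub, roguePriv, _ := ed25519.GenerateKey(rand.Reader)
	secondaryTok, _ := sign(rootPriv, SiteInfo{Node: "secondary-01", IP: "10.0.0.2", Port: 8443})
	intermediateCert, _ := sign(rootPriv, Cert{Subject: "secondary-01", PubKey: enc.EncodeToString(secPub)})
	enterpriseTok, _ := sign(secPriv, SiteInfo{Node: "enterprise-07", IP: "10.0.0.7", Port: 8443})
	site, honestErr := Locate(rootPub, secondaryTok, intermediateCert, enterpriseTok)
	errs := map[string]error{"honest": honestErr}
	parts := strings.Split(enterpriseTok, ".")
	forged, _ := json.Marshal(SiteInfo{Node: "enterprise-07", IP: "198.51.100.9", Port: 8443})
	_, errs["tamper"] = Locate(rootPub, secondaryTok, intermediateCert, parts[0]+"."+enc.EncodeToString(forged)+"."+parts[2])
	rogueCert, _ := sign(roguePriv, Cert{Subject: "secondary-01", PubKey: enc.EncodeToString(roguePub)})
	rogueTok, _ := sign(roguePriv, SiteInfo{Node: "enterprise-07", IP: "198.51.100.9", Port: 8443})
	_, errs["rogue"] = Locate(rootPub, secondaryTok, rogueCert, rogueTok)
	return site, errs
}

func main() {
	fmt.Println(Scenario())
}
```

Running the file prints the honest enterprise site together with a nil honest error and the two rejection errors. The ordering inside `verify` is the point of the scheme: a payload is decoded only after its signature has checked out under the key the previous tier vouched for, so a rewritten IP or port, or a certificate chain that does not end at the client's root, never reaches the client's access logic.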
The embodiment of the invention also provides computer equipment which comprises a memory, a processor and a computer program which is stored on the memory and can run on the processor, wherein the processor executes the computer program to realize the trusted service positioning method based on the industrial internet identification analysis.
The embodiment of the invention also provides a computer readable storage medium, which stores a computer program, and when the computer program is executed by a processor, the trusted service positioning method based on the industrial internet identification analysis is realized.
An embodiment of the present invention further provides a computer program product, where the computer program product includes a computer program, and when executed by a processor, the computer program implements the above trusted service location method based on industrial internet identity resolution.
In the embodiment of the invention, in the credible service positioning scheme based on industrial internet identification analysis, an industrial internet identification analysis system is a distributed architecture comprising at least three layers of nodes, wherein the three layers of nodes comprise a top level node, a second level node and an enterprise node, the top level node is preconfigured with site information of the second level node service, and the second level node is preconfigured with site information of the enterprise node service; the site information of the secondary node service is signed by using a preconfigured root certificate, the root certificate is generated by a client according to a preset trust warehouse, and the site information of the enterprise node service is signed by using an intermediate certificate distributed according to the root certificate in advance. Compared with the prior art, in which an identification analysis client can be wrongly directed to other illegal services and request a wrong identification analysis service if the IP information is tampered with, the method comprises the following steps: when receiving a service access request, a client sends a request for acquiring site information of a secondary node service to a top node; the top-level node sends the site information served by the second-level node to the client according to the request for obtaining the site information served by the second-level node; the client uses the root certificate to perform trusted signature verification processing on the site information of the secondary node service, and sends a request for acquiring the site information of the enterprise node service to the secondary node; the secondary node sends the site information of the enterprise node service to the client according to the request for obtaining the site information of the enterprise node service; the client uses the intermediate certificate to perform credible signature verification processing on the site information of the enterprise node service, and sends a request of identification information of service access to the enterprise node; the enterprise node analyzes to obtain an industrial internet identifier of the service access according to the request of the identifier information of the service access, and sends the industrial internet identifier to the client; the industrial internet identifier comprises a plurality of data values, each data value comprises an index of the data value, a data type and actual data corresponding to the data value, the data values comprise user identity identifier values, and the user identity identifier values comprise user public key indexes, preset characters and industrial internet identifiers; the client processes the service access request according to the industrial internet identifier. In this way, the site information and data acquired by the identifier analysis client are credible when the identifier is analyzed through the public key infrastructure, the IP and port of the system request cannot be falsified, and credible service access is ensured.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only some embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to the drawings without creative efforts. In the drawings:
FIG. 1 is a schematic diagram of an industrial Internet identity resolution architecture according to an embodiment of the present invention;
FIG. 2 is a schematic diagram of an existing industrial Internet ID coding according to an embodiment of the present invention;
FIG. 3 is a schematic diagram illustrating a service location based on industrial Internet identity resolution according to an embodiment of the present invention;
FIG. 4 is a diagram illustrating a data structure of an industrial Internet identity according to an embodiment of the present invention;
FIG. 5 is a schematic diagram of a certificate in an industrial Internet identity according to an embodiment of the present invention;
FIG. 6 is a diagram of certificate claims in an embodiment of the invention;
FIG. 7 is a diagram illustrating a certificate chain constructed based on multiple certificates in an embodiment of the present invention;
FIG. 8 is a diagram illustrating a root certificate assertion in an embodiment of the present invention;
FIG. 9 is a diagram illustrating a signature load for obtaining an identification signature value according to an embodiment of the present invention;
FIG. 10 is a diagram illustrating a process for verifying a trusted signature according to an embodiment of the present invention;
FIG. 11 is a diagram illustrating an embodiment of identifying and parsing key service information;
FIG. 12 is a diagram illustrating a trusted system constructed based on an industrial Internet identity resolution system in an embodiment of the present invention;
FIG. 13 is a diagram illustrating node signatures after certificate identification registration is completed in an embodiment of the present invention;
FIG. 14 is a schematic structural diagram of a trusted service location system based on industrial internet identity resolution in an embodiment of the present invention;
FIG. 15 is a diagram illustrating data signatures in an embodiment of the present invention;
FIG. 16 is a diagram illustrating site information according to an embodiment of the present invention;
FIG. 17 is a diagram illustrating signature information in an embodiment of the invention;
FIG. 18 is a diagram illustrating signature data in accordance with an embodiment of the present invention;
FIG. 19 is a diagram illustrating information requesting a specific identifier for an enterprise node in accordance with an embodiment of the present invention;
FIG. 20 is a diagram illustrating parsed data in an embodiment of the present invention;
FIG. 21 is a flowchart illustrating a trusted service location method based on industrial internet identity resolution according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention more apparent, the embodiments of the present invention are further described in detail below with reference to the accompanying drawings. The exemplary embodiments and descriptions of the present invention are provided to explain the present invention, but not to limit the present invention.
Before describing the embodiments of the present invention, the terms related to the embodiments of the present invention will be described in detail.
1. Public Key Infrastructure (PKI) is a universal security infrastructure that provides security services through the principles and techniques of public key cryptography; it is a technical specification that can provide a security infrastructure platform for various application systems. Public keys are managed through digital certificates: a Certificate Authority (CA) binds the user's public key together with other identifying information so that user identity can be verified on the Internet. The underlying technologies of PKI include encryption, digital signatures, data integrity mechanisms, digital envelopes, dual digital signatures, and the like.
2. Digital certificate: provides a simple and convenient way to distribute a public key. A digital certificate comprises the owner's identity information, the public key, the CA's digital signature, a validity period and other information.
3. Digital signature: used to confirm the identity of the information sender and to ensure the integrity and non-repudiation of the information.
4. JWT: a JSON Web Token is a compact, URL-safe means of representing claims to be transferred between two parties. The claims in a JWT are encoded as a JSON object that is used either as the payload of a JSON Web Signature (JWS) structure or as the plaintext of a JSON Web Encryption (JWE) structure, so that the claims can be digitally signed or integrity protected with a Message Authentication Code (MAC) and/or encrypted.
Industrial internet identifier resolution is an important network infrastructure of the industrial internet. It provides coding, registration and resolution services for industrial equipment, machines, materials, parts and products; through identifiers it realizes the interconnection, intercommunication, secure sharing and intelligent association of information across different subjects, locations and kinds; and it is an important cornerstone for the rapid development of the industrial internet.
Identifier resolution services place very high demands on security assurance capability, and identifier resolution security is an important part of industrial internet security. First, to ensure the stable operation of the industrial internet, data in the identifier resolution system need integrity and consistency protection in transit, sensitive data need confidentiality and privacy protection, and updates to identifier resolution data need access control. Second, capabilities such as identifier privacy protection, source authentication, queryability, data integrity verification and key management must be realized, and fine-grained access control of identifier resolution requesters based on identity, attributes and similar modes must be supported, improving the security of identifier resolution.
The identifier resolution system is similar to the domain name system (DNS) of the Internet and is one of the core infrastructures for the secure operation of the global industrial internet. As shown in fig. 1, the industrial internet identifier resolution architecture is deployed hierarchically. Top-level node: interconnects with the global root node, supports identifier resolution across secondary nodes and supports interconnection of heterogeneous identifier resolution systems. Secondary identifier resolution node: provides identifier registration and resolution services for an industry. Enterprise identifier resolution application: allocates and manages the enterprise's internal identifier codes and interfaces them with the public identifier resolution system.
As shown in fig. 2, the industrial internet identifier code is structured as follows:
1. The identifier prefix is separated from the identifier suffix by "/".
2. Prefix segments are separated by ".".
Web PKI is used when a user accesses an HTTPS link with a browser. It greatly enhances the security of the web and is essentially transparent to the user; when accessing an internet web service it should be enabled wherever possible. The trust mechanism of Web PKI starts with a trust repository, which has two sources: the browser's own trust repository and the operating system's trust repository.
The root certificate in the trust repository is self-signed: the issuer of the certificate is the same as its subject. A self-signed certificate only proves that the issuer, which is the subject itself, knows the corresponding private key, so a self-signed root certificate should be trusted only if the process by which it entered the trust repository is trusted.
The certificate authority (CA) is the trust base of PKI and manages the entire life cycle of public keys; its roles include issuing certificates, specifying their validity period, and ensuring that a certificate can be revoked when necessary by publishing a Certificate Revocation List (CRL). A CA certificate is itself signed by a trusted root certificate: tracing far enough back along the chain of trust always ends at a root certificate.
Web PKI distinguishes three types of certificates, which differ mainly in how the subscriber is identified at application time and in the validation mechanism used. Domain Validation (DV) certificates bind to a DNS name; at issuance the CA needs to verify that the subscriber indeed controls that name. Organization Validation (OV) and Extended Validation (EV) certificates build on DV certificates and additionally include the name and location of the organization to which the domain name belongs, so the certificate is bound not only to a domain name but also to the legal entity that controls it. The validation process for OV certificates is not uniform across CAs. An EV certificate contains the same basic information as an OV certificate but requires strict identity proofing; the application process may take days or weeks and may include public records searches and signed paper attestations from company personnel, among other steps.
A web service is a PKI application: after the certificate has been applied for, the corresponding service is configured with it, and user requests are then handled with data transmitted over the secure channel.
The disadvantages of the prior art are as follows:
(1) The certificate coding formats are complex and various, and no uniform specification exists.
In general, a "certificate" without further qualification means an X.509v3 certificate, that is, the kind of certificate browsers understand and use for HTTPS (HTTP over TLS). Other certificate formats exist, such as the well-known SSH and PGP formats, each with its own encoding.
Taking X.509 as an example (the other formats are similar): because these certificates are widely used, library support is good, and they are also used in scenarios outside the browser. They are, naturally, the most common certificate format issued by internal PKIs. Importantly, they are supported out of the box by many TLS/HTTPS client and server programs.
X.509 was first standardized in 1988 as part of the International Telecommunication Union (ITU) X.500 project, a telecommunications standard through which a global telephone book was to be built. Although that project was unsuccessful, some of its heritage remains, X.509 among it. Looking at an X.509 certificate, one sees fields such as locality, state and country; X.509 was not designed for the web.
X.509 is built on ASN.1 (Abstract Syntax Notation One), another ITU-T standard (X.208 and X.680). ASN.1 is only abstract: the standard does not define how the data it describes are represented as bits and bytes. The relationship between ASN.1 and its encoding formats is like that between Unicode and UTF-8. Therefore there are several encoding rules describing in detail how ASN.1 data are represented. Common formats are DER (Distinguished Encoding Rules, binary) and PEM (Privacy-Enhanced Mail, text), which some tools may not follow.
(2) The user identity of the certificate is single, usually the domain name, and is not suitable for binding a large number of identities.
The X.509 certificate issuance process verifies ownership of the bound domain name; organization validation and extended validation are also built on domain validation, with the domain name service provider as the identity subject. Even the client certificate used in mutual authentication is based on providing a web service under a domain name.
In an industrial internet identifier resolution system, the whole production and manufacturing process involves many device identities, workshop identities, process identities, factory identities and the like. Managing these identities does not map directly onto existing X.509 certificates.
(3) There is a lack of a unified system to manage certificates.
X.509 certificates are issued and managed directly as files, and different certificate authorities provide different ways of managing them. After a certificate is issued, it is stored in the issuing organization's system, but there is no simple and convenient way for other third-party services to obtain it. By default it is distributed over HTTPS: after a domain name service applies for a certificate, it can only work normally once the certificate is configured on its own web service middleware. When a certificate has to be updated, the corresponding web servers must be reconfigured.
(4) Apart from authenticating the service to establish a secure channel, the capability to authenticate data is weak.
X.509 certificates were not originally designed for the web, yet they are now widely used to secure web services over HTTPS, providing security support for data communications. This security is mainly embodied in three aspects: first, users and servers are authenticated, ensuring data are sent to the correct client and server; second, data are encrypted to prevent theft in transit; third, data integrity is maintained, ensuring data are not altered during transmission.
The industrial internet identification resolution system is a globally unique name service. In order to provide excellent resolution performance, data will be cached on the recursive nodes, even providing some mirroring services. In an environment where data sources are diverse, a verification function for data is required.
The embodiment of the invention provides a credible service positioning scheme based on industrial Internet identification analysis, which relates to a public key infrastructure based on an industrial Internet identification analysis system and is used for signature and verification of credible identity of identification data. The data finally reaching the user is complete and is not tampered in the process of transferring the data in the transmission process and the different services. The service location scheme based on the industrial internet identity resolution is described in detail below.
Fig. 21 is a schematic flowchart of a trusted service locating method based on industrial internet identity parsing in an embodiment of the present invention, where an industrial internet identity parsing system is a distributed architecture including at least three layers of nodes, where each layer of node includes a top-level node, a second-level node, and an enterprise node, the top-level node is preconfigured with site information of the second-level node service, and the second-level node is preconfigured with site information of the enterprise node service; the site information of the secondary node service is signed by using a preconfigured root certificate, the root certificate is generated by a client according to a preset trust repository, and the site information of the enterprise node service is signed by using an intermediate certificate distributed according to the root certificate in a preconfigured manner, as shown in fig. 21, the method includes the following steps:
step 101: when receiving a service access request, a client sends a request for acquiring site information of a secondary node service to a top node;
step 102: the top-level node sends the site information served by the second-level node to the client according to the request for obtaining the site information served by the second-level node;
step 103: the client uses the root certificate to perform credible signature verification processing on the site information of the second-level node service, and sends a request for acquiring the site information of the enterprise node service to the second-level node;
step 104: the secondary node sends the site information of the enterprise node service to the client according to the request for acquiring the site information of the enterprise node service;
step 105: the client uses the intermediate certificate to perform credible signature verification processing on the site information of the enterprise node service, and sends a request of identification information of service access to the enterprise node;
step 106: the enterprise node analyzes the request of the identification information of the service access to obtain an industrial internet identification of the service access, and sends the industrial internet identification to the client; the industrial internet identification comprises a plurality of data values, each data value comprises an index of the data value, a data type and actual data corresponding to the data value, the data value comprises a user identity identification value, and the user identity identification value comprises a user public key index, a preset character and an industrial internet identification;
step 107: the client processes the service access request according to the industrial internet identification.
In the trusted service positioning method based on industrial internet identification resolution provided by the embodiment of the invention, the industrial internet identification resolution system is a distributed architecture comprising at least three layers of nodes, namely a top-level node, a second-level node and an enterprise node; the top-level node is preconfigured with the site information of the second-level node service, and the second-level node is preconfigured with the site information of the enterprise node service; the site information of the second-level node service is signed with a preconfigured root certificate, which the client generates according to a preset trust repository, and the site information of the enterprise node service is signed with an intermediate certificate distributed according to the root certificate. The method comprises the following steps: when receiving a service access request, a client or SDK sends a request for the site information of the second-level node service to the top-level node; the top-level node returns the site information of the second-level node service to the client; the client performs trusted signature verification on that site information using the root certificate and sends a request for the site information of the enterprise node service to the second-level node; the second-level node returns the site information of the enterprise node service to the client; the client performs trusted signature verification on that site information using the intermediate certificate and sends a service access identification information request to the enterprise node; the enterprise node resolves the request to obtain the industrial internet identification being accessed and sends it to the client, where the industrial internet identification comprises a plurality of data values, each consisting of an index, a data type and the actual data, the data values include a user identity identification value, and the user identity identification value comprises a user public key index, a preset character and an industrial internet identification; finally the client processes the service access request according to the industrial internet identification. In this way the site information and data obtained by the identification resolution client during resolution are trusted through a public key infrastructure, the IP and port requested by the system cannot be tampered with, and trusted service access is ensured.
Compared with a scheme in which tampered IP information misdirects the identification resolution client to another, illegitimate service, so that the wrong identification resolution service is requested, the trusted service positioning method based on industrial internet identification resolution provided by the embodiment of the invention ensures, through a public key infrastructure, that the site information and data obtained during identification resolution are trusted, that the IP and port requested by the system cannot be tampered with, and that accurate service access is guaranteed. The method according to the embodiment of the present invention will be described in detail with reference to figs. 1 to 21.
As shown in fig. 3, the method uses the industrial internet identification as the carrier of identity and certificate. The representation of certificates and signatures within industrial internet identifications uses a redesigned JWT-based certificate encoding format together with easily readable organization names and permission descriptions. The system root certificate is preset through the client and distributed as the basis of system trust. The client verifies identification signatures, constructs the certificate chain and verifies certificate validity.
(1) User identity and certificate representation based on industrial internet identification
In the industrial internet identification resolution system, all objects are identifications. As shown in fig. 4, the data structure of an industrial internet identification is one-to-many: one identification may hold many data values, each consisting of an index, a data type (a string) and the actual data. An identification value serves as an identity identifier; user authentication is based on an asymmetric key pair, whose public key is stored in the identification and published to the whole identification resolution system, while the private key is kept by the user as the credential for identity authentication.
The identification value supports basic user authentication, i.e. whoever holds the valid private key is taken to be the current user. The identification value is represented as <index>:<identification>, where ":" is the preset character separating the two parts (an identification suffix may itself contain special characters); the identity identifier is likewise represented as an identification value, for example the identification value "300.111.1/test" is an identifier of an identity.
The certificate is bound to the identified user's identity, lives in the same identification as the user identity, and is itself a special identification value. Its index is typically 400, its type is "HS_CERT", and its data is a JWT. As shown in fig. 5, for the identification certificate: 1. an identification value of type HS_CERT is registered to store the certificate, and the certificate identification value and the identity identification value are in the same identification; 2. the certificate is in JWT format and is stored in the identification value as a string; 3. the issuer, subject and other information in the JWT claims are managed using identification identities, and the JWT signature is computed with the issuer's private key using the RS256 algorithm.
The payload of the certificate is JSON data containing the certificate's claims. The claims agreed for the certificate are the following elements, with extension fields reserved so that custom attributes can be added.
perms: permissions
publicKey: user public key
iss (issuer): issuer
exp (expiration time): expiration time
sub (subject): subject
nbf (not before): effective time
iat (issued at): time of issue
org (organization): organization
sn (subject name): name of the subject
exts (extensions): extensions
As shown in fig. 6, the identification user 301:88.111.1/test holds all rights; its certificate is issued by the identification user 301:88.111.1/0.0, under the name AAAA and the organization AAAA Technologies, Inc. The validity of the certificate is verified by checking its effective time, its expiration time and its signature information.
As can be seen from the above, in one embodiment, the data values may further include: a certificate identification value; the format of the certificate may be JWT format, the payload in the certificate may be a JSON type data, the payload may contain the declaration of the certificate, and the declaration element of the certificate may include: user public key, principal, issuer, and issuer signature. Of course, the declaration elements of the certificates may include other elements described above, such as the validation time, and so forth.
(2) Trust repository, root certificate and preconfigured root certificate
In the industrial internet identification resolution system everything is an identification, and the trust repository is itself a default identification, such as 88.111.1/0.0; the identification user and the root certificate held in this default identification are trusted by the whole system. As shown in fig. 7, the root certificate has the following trust properties:
The root certificate is self-signed: its issuer and subject are the same.
The root certificate identification and the initial certificate are distributed through the identification client or SDK, and the released client version should itself be verified by certificate.
The root certificate issues intermediate certificates, and an intermediate certificate issues common certificates, forming a certificate chain. The chain is constructed through the reference relationship between identifications and certificates, as shown in fig. 7.
To prevent the chain from becoming too long, the length of the certificate chain may be limited to N (for example N = 1, 2, 3).
(3) Certificate authority and certificate permissions
A certificate authority is a root or trusted certificate that has permission to issue other certificates, such as intermediate certificates. perms in a certificate claim is an array that may contain several entries, and the perm of each entry has one of four levels:
1. everything: all rights.
2. derivedPrefixes: derived prefixes.
3. handles under the prefix: identifications under the prefix.
4. thisHandle: the specified identification.
A handle field must be specified in every case except the everything level, which needs none. The ca flag records whether the certificate is a certificate authority; when it is not specified it defaults to true, as illustrated in fig. 8.
From the above, in one embodiment, the root certificate may have an authority to issue other certificates, where the authority is an array and may include multiple pieces of data, and the authority in one piece of data may include four levels: all rights, derived prefixes, identification under the prefix, and designated identification.
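An added example, not the patent's own code, of how a client might evaluate the perms array described above (JavaScript, Node.js). The four level names follow the page (the spelling handlesUnderPrefix for the third level is assumed); their matching semantics, the handle field layout and the issuer-to-child scope-narrowing check are assumptions not stated on the page.

```javascript
// Perm levels named on the page; 'handlesUnderPrefix' is an assumed spelling of the third level.
const LEVELS = ['everything', 'derivedPrefixes', 'handlesUnderPrefix', 'thisHandle'];

const prefixOf = (id) => id.split('/')[0];                  // "88.111.1/test" -> "88.111.1"
const isDerived = (p, root) => p === root || p.startsWith(root + '.');

// Does a single perm entry {perm, handle, ca} authorise acting on `target`? (assumed semantics)
function permAllows(entry, target) {
  switch (entry.perm) {
    case 'everything':         return true;
    case 'derivedPrefixes':    return isDerived(prefixOf(target), entry.handle);
    case 'handlesUnderPrefix': return target.includes('/') && prefixOf(target) === entry.handle;
    case 'thisHandle':         return target === entry.handle;
    default:                   return false;                 // unknown level: deny
  }
}

// Validate a perms array: every level except everything needs a handle; ca defaults to true.
function normalisePerms(perms) {
  return perms.map((e) => {
    if (!LEVELS.includes(e.perm)) throw new Error(`unknown perm level ${e.perm}`);
    if (e.perm !== 'everything' && !e.handle) throw new Error(`${e.perm} requires a handle`);
    return { perm: e.perm, handle: e.handle, ca: e.ca === undefined ? true : e.ca };
  });
}

// May a certificate holding `perms` issue a certificate to `subject`? Needs a ca entry covering it.
function canIssue(perms, subject) {
  return normalisePerms(perms).some((e) => e.ca && permAllows(e, subject));
}

// Name-constraint style narrowing (an added check, not stated on the page): each entry of a
// child certificate must lie within some entry of its issuer, so scope cannot widen down the chain.
function covers(outer, inner) {
  if (outer.perm === 'everything') return true;
  if (inner.perm === 'everything') return false;
  if (outer.perm === 'derivedPrefixes')
    return isDerived(inner.perm === 'thisHandle' ? prefixOf(inner.handle) : inner.handle, outer.handle);
  if (outer.perm === 'handlesUnderPrefix')
    return inner.perm === 'handlesUnderPrefix' ? inner.handle === outer.handle
      : inner.perm === 'thisHandle' && permAllows(outer, inner.handle);
  return inner.perm === 'thisHandle' && inner.handle === outer.handle;   // outer is thisHandle
}
function permsCoveredBy(issuerPerms, childPerms) {
  const outer = normalisePerms(issuerPerms);
  return normalisePerms(childPerms).every((i) => outer.some((o) => covers(o, i)));
}
```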
(4) Data signing and verification
In the identification resolution system, identification data means the data of identification values. Once the certificate-based trust system is established, identification data is signed with a certificate. An identification signature is a special identification value: its index usually starts at 400, its type is HS_SIGNATURE and its data is a JWT. The JWT is signed with the RS256 algorithm, the signing key being the private key of the identification user. Besides information such as the issuer, the current subject and the times, the JWT payload carries a hash value for every identification value being signed, producing the JSON shown in fig. 9.
The method first computes the hash value of the data at each index, then combines each index with its hash value into an object, finally combines the objects of all indexes into one piece of data and records, at the outer layer, the hash algorithm used, giving the signature payload of the identification value in JSON format. With this structure, when not every identification value can be returned because of permission settings, signature verification of the other identification values is unaffected. As shown in fig. 15, for example, the identification 88.111.1/test has four identification values, of which the values with index 1, 2 and 3 are ordinary data and the value with index 400 is the signature identification value. By this method the signature payload is as follows:
(signature payload JSON, shown as an image in the original)
The value with index 2 is configured so that only an administrator may view it, so an ordinary user cannot resolve the data of identification value 2 but can still verify that the identification values with index 1 and index 3 have not been tampered with.
As can be seen from the above, in one embodiment the data values may further include an identification signature value, whose signing key is the private key of the identification user; the service positioning method based on industrial internet identification resolution may further obtain the signature payload of the identification signature value as follows:
calculating a hash value for the data at each index;
combining each index and its hash value into one object;
forming the objects of the several indexes into one piece of data and recording the hash algorithm used at the outer layer, to obtain the signature payload of the signature identification value in JSON format.
The verification process of the trusted signature is shown in fig. 10: for an identification carrying signature data, the client or SDK can verify the trusted signature after resolving the identification. Taking the identification 88.111.1/test as an example, as shown in table 1 below, this identification has four identification values, of which the values with index 1, 2 and 3 are ordinary data and the value with index 400 is the signature identification value.
Index Type Data
1 URL http://www.aaaaaaaa.cn
2 EMAIL test@aaaaaaaa.cn
3 HS_PUBKEY {"kty":"RSA","n":"jbtKnM8yGzrRgiAVGGCeEtEE...
400 HS_SIGNATURE eyJhbGciOiJSUzI1NiJ9.eyJkaWdlc3RzIjp7ImFsZyI6IlNIQ..
TABLE 1
Signature verification mainly checks the following:
1. Whether the hash of each identification value matches:
The content of the identification value with index 400 is decoded as a JWT. Its payload is JSON data as follows:
(signature payload JSON, shown as an image in the original)
The original resolved data is hashed with the algorithm named by the alg field under the digests object and compared with each field declared in the digests data; if they are identical, the hash verification passes.
It is also verified that the sub field is the current identification.
2. Whether it is within the validity period:
The exp, nbf and iat fields are checked: the current time at identification resolution must fall within the validity period.
3. Whether the JWT signature is legitimate:
According to the JWT specification, what remains after the algorithm header and the payload is the signature; in this case the identification signature is as follows:
KjLzhHGofoSQb7ELWEl3mhA1XGh_DuiYaS7-YXncUoGMtAM7Agna0V1kaojTzhFstIp84pO1LlPY27JRuyGcizuf5kpfUtV7GtROnDUkpqcWTuxYf51TUQQVs0xlxtEC9XpM26vRPDzE0tS809dksrl_F34bFgXryKLqYcVoCCQ1ZspQ8IrTGxejucS1ZjW2OPHGu7MQwBkgIe-qbs_fb-jmSjK1SktWexFShzKMWNkjWoOdXBuu-3iB3lqGO1hPwqbgEMVgC0keH707Kr6llRdL7hX59rrozgV7fQ-1TFtNwzWoonFK7Y1GyaL7jSADrJVPJ0YpmG6h7QxjnuRorA
The corresponding user public key is first obtained by resolving the identification corresponding to iss, and the signature is then checked for legitimacy.
4. Whether the certificates on the constructed certificate chain are legitimate, with correct JWT signatures and within their validity periods:
The superior certificate is obtained through the iss field; that certificate has an iss field of its own, and the identification certificate chain is constructed by repeated identification resolution until the root certificate is reached. The iss field of the root certificate equals its sub field, i.e. it is a self-signed certificate.
Each certificate is in JWT format, and the validity of each certificate is verified in turn.
5. Whether the root certificate identification complies with the convention:
If the identification and public key of the root certificate match the identification and public key configured in the SDK, the verification passes.
If all the above conditions are met, the corresponding identification value is considered trusted.
As can be seen from the above, in an embodiment the trusted signature verification performed by the client may include checking: whether the hash of each identification value matches; whether it is within the validity period; whether the JWT signature is legitimate; whether the certificates on the constructed certificate chain are legitimate, with correct JWT signatures and within their validity periods; and whether the root certificate identification complies with the convention.
To facilitate an understanding of how the invention may be practiced, two examples are set forth in detail below.
Example: protecting the key service information of identification resolution, so as to prevent access to untrusted identification resolution services.
(1) Background and problems
The industrial internet identification resolution system is a distributed, multi-layer architecture. The top-level node is configured with the site information and data of the second-level node service, the site information being the IP and port of the second-level node service, and the second-level node is configured with the site information and data of the enterprise node service. When a specific identification is resolved, the site information of the second-level node service is requested from the top-level node, the site information of the enterprise node is then requested from the second-level node, and the final identification data is finally requested from the enterprise node. If the IP information is tampered with, the identification resolution client or SDK is misdirected to another, illegitimate service, and the wrong identification resolution service is requested.
In the example of fig. 11, the top-level node's prefix 88 service is configured with the site information of the second-level node's prefix 88.111 service, and the second-level node's prefix 88.111 service is configured with the site information of the enterprise node's prefix 88.111.1 service. The identification resolution client or SDK obtains the service site information for an actual identification from the top-level node and then requests the specific identification data. For example, to resolve the identification 88.111.1/aaaaaaaa.cn, the top-level node is first asked for the service site information corresponding to 88.111; with that resolution result for 88.111, the service for 88.111 is requested and returns the site information of the service for 88.111.1; finally, using the resolution result for 88.111.1, the service for 88.111.1 is requested and returns the data for the whole identification 88.111.1/aaaaaaaa.cn.
(2) Detailed description of the preferred embodiments
According to the technical scheme, a trust system is established on the basis of the industrial internet identification resolution system. As shown in fig. 12, the root certificate in the trust repository is defined as 88/0.0; the root certificate is a self-signed certificate, and the identity of the user is 301. The root certificate is the basis of the whole trust system, so its key should be stored securely and should not be exposed to online services. After the root certificate is configured, an intermediate certificate is configured: it is registered directly on the prefix identification 88, the certificate identification value being added to prefix identification 88 at identification value 400. A common certificate is then issued with the intermediate certificate and registered on prefix identification 88.111, the certificate identification value again being stored at 400. That is, in an embodiment, as shown in fig. 12, the root certificate may be a self-signed certificate; the issuer of the intermediate certificate refers to the subject of the root certificate, and the intermediate certificate is signed with the private key corresponding to the user public key of the root certificate; apart from the root certificate and the intermediate certificate all other certificates are common certificates, whose issuer is the subject of the intermediate certificate and which are signed with the private key corresponding to the user public key of the intermediate certificate. Accordingly, in step 106, the industrial internet identification that the enterprise node obtains by resolving the service access may be trust-signed with a common certificate distributed in advance according to the intermediate certificate, and in the subsequent step 107, when the client processes the service access request to perform service location, the client performs trusted signature verification on the resolved industrial internet identification using that common certificate and locates the service on that basis.
After the certificate identifications are registered, whenever a node at any level maintains the site information of the enterprise below it, the site information is signed with the private key of the corresponding certificate. As shown in fig. 13, the site information of 88.111 on the top-level node service is signed with the root certificate, and the site information of 88.111.1 on the second-level node service is signed with the intermediate certificate.
The public key infrastructure ensures that the site information and data obtained while the identification resolution client resolves an identification can be trusted and that the IP and port requested by the system cannot be tampered with. As shown in fig. 14, taking the resolution of the identification 86.111.1/test as an example, the process for verifying that the site information is trusted is as follows:
1. The client requests the second-level node site information from the top-level node. The second-level node site information includes the IP and port served by the second-level node. To resolve the identification, the service information of the identification must be determined, so the client asks the top-level node to resolve the prefix identification 86.111.1.
2. The top-level node returns the second-level node information. The top-level node finds that information about the 86.111.1 prefix is held at the second-level node and returns the site information of that second-level node. The site information and signature information of 86.111 are shown in figs. 16 and 17.
3. The client receives the second-level node information, constructs the certificate chain of root certificate and intermediate certificate, verifies the validity of the signature information and certificates, and uses the signature data in the identification value at the agreed index 401 to build the certificate chain and verify the second-level node, confirming that the second-level node's site information is trusted. It then asks the second-level node to resolve the prefix identification 86.111.1 to obtain the site information of the enterprise node.
4. The second-level node returns the site information of the enterprise node. Fig. 18 shows the site information at index 1 and the signature data at the agreed index 401.
5. The client receives the enterprise node information, verifies the validity of the signature information and certificates, and requests the information of the specific identification from the enterprise node, as shown in fig. 19.
6. The enterprise node (server) receives the identification resolution request and returns the information of the specific identification (the enterprise node server looks up the corresponding data by identification and can also support adding, deleting, modifying and querying identifications). Taking 86.111.1/test as an example, the resolved data are shown in fig. 20.
To sum up, the service positioning method based on industrial internet identification resolution provided by the embodiment of the invention achieves the following:
1. The industrial internet identification is used as the carrier of identity and certificate, fully exploiting the good resolution performance and easy management of the identification system, and identification resolution is used uniformly to distribute certificates.
2. A redesigned JWT-based certificate encoding format is adopted, which unifies and simplifies the encoding, sheds historical baggage, is easy to extend later and adds a user-readable organization name and subject name.
3. An identified trust repository is preset through the client, and the system root certificate is distributed as the basis of system trust.
4. The scope of certificate authority is combined with the industrial internet identification resolution system.
5. The signature over an identification's values is formed as an array of hashes, one per identification value, which is then signed, so that identification values can still be verified when permissions allow only part of them to be obtained.
In summary, the trusted service positioning method based on industrial internet identification resolution provided by the embodiment of the invention implements a public key infrastructure on the industrial internet identification resolution system, which not only ensures safe and stable operation of the industrial internet but also provides the trust capability needed to support application development on identifications. Combined with the efficient name-service positioning of the industrial internet identification resolution system, the public key infrastructure performs well.
According to the technical scheme, the data acquisition, storage, use, processing and the like meet relevant regulations of national laws and regulations.
The embodiment of the invention also provides a trusted service positioning system based on the industrial internet identification resolution, and the system is described in the following embodiment. Because the principle of solving the problems of the system is similar to the credible service positioning method based on the industrial internet identification analysis, the implementation of the system can refer to the implementation of the credible service positioning method based on the industrial internet identification analysis, and repeated parts are not repeated.
The embodiment of the invention also provides a credible service positioning system based on the industrial internet identification analysis, wherein the industrial internet identification analysis system is a distributed architecture comprising at least three layers of nodes, the three layers of nodes comprise top-level nodes, second-level nodes and enterprise nodes, the top-level nodes are pre-configured with site information of the second-level node service, and the second-level nodes are pre-configured with site information of the enterprise node service; the site information of the secondary node service is signed by using a preconfigured root certificate, the root certificate is generated by a client according to a preset trust warehouse, and the site information of the enterprise node service is signed by using an intermediate certificate which is distributed according to the root certificate in a preconfigured way; as shown in fig. 14, the system includes:
the client 01, configured to send a request for the site information of the second-level node service to the top-level node when a service access request is received; to perform trusted signature verification on the site information of the second-level node service with the root certificate and then send a request for the site information of the enterprise node service to the second-level node; to perform trusted signature verification on the site information of the enterprise node service with the intermediate certificate and then send a request for the identification information of the service access to the enterprise node; and to process the service access request according to the industrial internet identification;
the top-level node 021, configured to return the site information of the second-level node service to the client in response to the request for that site information;
the second-level node 022, configured to return the site information of the enterprise node service to the client in response to the request for that site information;
the enterprise node 023, configured to resolve the request for the identification information of the service access into the industrial internet identification of the service access and send that identification to the client. The industrial internet identification comprises a plurality of data values; each data value comprises the index of the data value, a data type and the actual data corresponding to the data value. The data values include a user identity identification value, which comprises a user public key index, a preset character and an industrial internet identification.
In one embodiment, the data values further comprise a certificate identification value. The certificate is in JWT format: its payload is JSON data containing the certificate's declaration (claims), whose elements are the user public key, the principal (subject), the issuer and the issuer signature.
In one embodiment, the data values further comprise an identification signature value, whose signing key is the private key of the identification's user. The service positioning device based on industrial internet identification analysis further comprises a signature payload generating unit, which obtains the signature payload of the identification signature value as follows:
calculating a hash value for the data of each index;
combining each index with its hash value into one object;
and forming the objects of all indexes into data, recording the hash algorithm used on the outer layer, to obtain the signature payload of the identification signature value in JSON format.
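The three steps above, carried out as an added Go example that is not code from the patent or its applicant: the program builds the signature payload for a record of indexed data values and then checks a received record against a payload that was signed earlier. The field names, the JSON key names, the `HS_SIGNATURE` type used to leave the signature value itself out of the payload, SHA-256 as the recorded algorithm and the sample record are all assumptions. The verification routine also rejects a payload with a duplicated index, which a naive per-entry comparison would let through.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// DataValue is one entry of an industrial internet identification record: an index, a
// data type and the actual data (field names assumed; the patent names the components).
type DataValue struct {
	Index int    `json:"index"`
	Type  string `json:"type"`
	Data  string `json:"data"`
}

// hashedEntry pairs an index with the hash of that index's data.
type hashedEntry struct {
	Index int    `json:"index"`
	Hash  string `json:"hash"`
}

// SignaturePayload is the JSON object that gets signed: per-index hashes inside,
// the hash algorithm recorded on the outer layer.
type SignaturePayload struct {
	Alg  string        `json:"alg"`
	Data []hashedEntry `json:"data"`
}

// signatureType marks the value that carries the signature itself (assumed name); it is
// left out of the payload, since it cannot cover its own hash.
const signatureType = "HS_SIGNATURE"

// HashData hashes only the actual data of one value; the index stays in clear beside the
// hash so a verifier can match entries without the original record.
func HashData(v DataValue) string {
	sum := sha256.Sum256([]byte(v.Data))
	return hex.EncodeToString(sum[:])
}

// BuildSignaturePayload follows the three steps: hash each indexed datum, pair index
// and hash into an object, collect the objects and record the algorithm on the outer layer.
func BuildSignaturePayload(values []DataValue) ([]byte, error) {
	p := SignaturePayload{Alg: "SHA-256", Data: []hashedEntry{}}
	for _, v := range values {
		if v.Type == signatureType {
			continue
		}
		p.Data = append(p.Data, hashedEntry{Index: v.Index, Hash: HashData(v)})
	}
	return json.Marshal(p)
}

// VerifySignaturePayload recomputes the hashes from the values the client received and
// compares them with the signed payload; a changed, missing, added or duplicated index
// yields false. Checking the signature over the payload itself is a separate step.
func VerifySignaturePayload(payload []byte, values []DataValue) (bool, error) {
	var p SignaturePayload
	if err := json.Unmarshal(payload, &p); err != nil {
		return false, err
	}
	if p.Alg != "SHA-256" {
		return false, fmt.Errorf("unsupported hash algorithm %q", p.Alg)
	}
	expected := map[int]string{}
	for _, v := range values {
		if v.Type != signatureType {
			expected[v.Index] = HashData(v)
		}
	}
	if len(expected) != len(p.Data) {
		return false, nil
	}
	seen := map[int]bool{}
	for _, e := range p.Data {
		if seen[e.Index] || expected[e.Index] != e.Hash {
			return false, nil
		}
		seen[e.Index] = true
	}
	return true, nil
}

// SampleRecord is a constructed identification record (not from the patent).
func SampleRecord() []DataValue {
	return []DataValue{
		{Index: 1, Type: "URL", Data: "https://resolver.example.invalid/api"},
		{Index: 2, Type: "HS_ADMIN", Data: "88.1001.1/admin"},
		{Index: 3, Type: "USER_ID", Data: "300|88.1001.1/device-42"}, // key index, separator, identification
		{Index: 4, Type: signatureType, Data: "<signature placeholder>"},
	}
}

func main() {
	rec := SampleRecord()
	payload, _ := BuildSignaturePayload(rec)
	fmt.Println(string(payload))
	ok, _ := VerifySignaturePayload(payload, rec)
	fmt.Println("intact record verifies:", ok)
	rec[1].Data = "88.1001.1/changed" // simulate a value modified after signing
	ok, _ = VerifySignaturePayload(payload, rec)
	fmt.Println("modified record verifies:", ok)
}
```

Because the index is kept in clear next to each hash, a verifier can tell which value was altered, and recording the algorithm on the outer layer lets the verifier refuse payloads that name a weaker or unknown hash instead of silently trusting them.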
In one embodiment, the root certificate has the authority to issue other certificates. The authority is an array containing a plurality of data entries, and the authority in each entry is at one of four levels: all rights, a derived prefix, identifications under the prefix, or a designated identification.
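The four authority levels, evaluated against an identification, as an added Go example (not code from the patent or its applicant). The patent only names the levels, so the matching rules are assumptions: identifications are taken to have the Handle-style layout `prefix/suffix` with prefix segments separated by dots, a derived prefix covers the prefix itself and every prefix derived from it, "under the prefix" covers only identifications directly under that one prefix, and a designated identification matches exactly. The sample authority array is constructed.

```go
package main

import (
	"fmt"
	"strings"
)

// AuthorityLevel is one of the four levels the patent names for an entry of the
// authority array. The matching rules below are assumptions about how the levels
// are evaluated; the patent only lists them.
type AuthorityLevel int

const (
	AllRights     AuthorityLevel = iota + 1 // may issue for any identifier
	DerivedPrefix                           // a prefix and every prefix derived from it
	UnderPrefix                             // identifiers directly under one prefix
	DesignatedID                            // exactly one identifier
)

// Authority is one element of the authority array.
type Authority struct {
	Level AuthorityLevel
	Value string // the prefix or identifier the entry refers to; unused for AllRights
}

// prefixOf returns the prefix of a Handle-style identifier "prefix/suffix" (assumed
// layout: prefix segments separated by '.', suffix after the first '/').
func prefixOf(id string) string {
	if i := strings.IndexByte(id, '/'); i >= 0 {
		return id[:i]
	}
	return id
}

// matches reports whether this single entry covers the identifier.
func (a Authority) matches(id string) bool {
	prefix := prefixOf(id)
	switch a.Level {
	case AllRights:
		return true
	case DerivedPrefix: // 88.1001 covers 88.1001/x and 88.1001.7/y, but not 88.10011/z
		return prefix == a.Value || strings.HasPrefix(prefix, a.Value+".")
	case UnderPrefix: // 88.1001 covers 88.1001/x only
		return prefix == a.Value
	case DesignatedID:
		return id == a.Value
	}
	return false
}

// Permits accepts the identifier if any entry of the array covers it. An empty or nil
// array permits nothing, so a certificate without authority cannot issue at all.
func Permits(auth []Authority, id string) bool {
	for _, a := range auth {
		if a.matches(id) {
			return true
		}
	}
	return false
}

func main() {
	// Constructed authority of an intermediate certificate (not from the patent).
	auth := []Authority{
		{Level: DerivedPrefix, Value: "88.1001"},
		{Level: DesignatedID, Value: "88.2002/gateway"},
	}
	for _, id := range []string{"88.1001.7/plc-1", "88.1001/site", "88.2002/gateway", "88.2002/other", "88.10011/x"} {
		fmt.Printf("%-16s permitted=%v\n", id, Permits(auth, id))
	}
}
```

The dot appended in the derived-prefix rule is what keeps `88.1001` from also covering `88.10011`; a plain string-prefix comparison would grant authority over an unrelated prefix that merely shares leading characters.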
In one embodiment, the client is specifically configured to perform the following trusted signature verification: whether the hash of the identification value matches; whether the value is within its validity period; whether the JWT signature is valid; whether each certificate on the constructed certificate chain is valid, within its validity period and carries a correct JWT signature; and whether the root certificate meets the agreed contract.
In one embodiment, the root certificate is a self-signed certificate, the issuer of the intermediate certificate refers to the subject of the root certificate, and the signature of the intermediate certificate is made with the private key corresponding to the user public key of the root certificate.
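The chain walk described in the two preceding paragraphs, as an added Go example that is not code from the patent or its applicant: JWT-format certificates whose claims carry the user public key, subject and issuer; a self-signed root whose key the client holds in its trust store; an intermediate whose issuer names the root's subject and whose signature is made with the root's private key; and site information signed by the last certificate in the chain (the root alone for the second-level node's site information, root then intermediate for the enterprise node's). Ed25519 stands in for whatever signature algorithm a deployment uses, the claim names (`pub`, `sub`, `iss`, `site`, `exp`), the 24-hour validity, the node names and the service addresses are assumptions, and `BuildChain` is a constructed scenario.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding

// Claims: the declaration elements the patent lists (user public key, subject, issuer;
// the issuer signature is the JWT signature itself) plus an expiry and, for signed site
// information, the service address. Claim names are assumptions.
type Claims struct {
	PublicKey string `json:"pub,omitempty"` // base64url Ed25519 key of the subject
	Subject   string `json:"sub"`
	Issuer    string `json:"iss"`
	Site      string `json:"site,omitempty"` // service address in site-info tokens
	Exp       int64  `json:"exp"`            // end of validity, unix seconds
}

// IssueJWT signs header.payload with the issuer's private key (Ed25519 is a stand-in).
func IssueJWT(c Claims, issuer ed25519.PrivateKey) string {
	body, _ := json.Marshal(c)
	signing := b64.EncodeToString([]byte(`{"alg":"EdDSA","typ":"JWT"}`)) + "." + b64.EncodeToString(body)
	return signing + "." + b64.EncodeToString(ed25519.Sign(issuer, []byte(signing)))
}

// verifyJWT accepts a token only if its signature verifies under signer and it is unexpired.
func verifyJWT(tok string, signer ed25519.PublicKey, now time.Time) (Claims, error) {
	var c Claims
	parts := strings.Split(tok, ".")
	if len(parts) != 3 {
		return c, errors.New("malformed token")
	}
	body, err1 := b64.DecodeString(parts[1])
	sig, err2 := b64.DecodeString(parts[2])
	if err1 != nil || err2 != nil || json.Unmarshal(body, &c) != nil {
		return c, errors.New("undecodable token")
	}
	if len(signer) != ed25519.PublicKeySize || !ed25519.Verify(signer, []byte(parts[0]+"."+parts[1]), sig) {
		return c, errors.New("signature does not verify")
	}
	if !now.Before(time.Unix(c.Exp, 0)) {
		return c, errors.New("outside validity period")
	}
	return c, nil
}

// VerifyChain is the client-side check: certs[0] is the self-signed root verified under the
// trust-store key, every later certificate must name its parent's subject as issuer and
// verify under the parent's key, and the site information must be signed by the last one.
func VerifyChain(trusted ed25519.PublicKey, certs []string, siteJWT string, now time.Time) (Claims, error) {
	key, parent := trusted, ""
	for i, tok := range certs {
		c, err := verifyJWT(tok, key, now)
		if err != nil {
			return Claims{}, fmt.Errorf("certificate %d: %w", i, err)
		}
		if i == 0 {
			parent = c.Subject // the root must be its own issuer
		}
		raw, err := b64.DecodeString(c.PublicKey)
		if err != nil || len(raw) != ed25519.PublicKeySize || c.Issuer != parent {
			return Claims{}, fmt.Errorf("certificate %d: bad public key or issuer linkage", i)
		}
		key, parent = ed25519.PublicKey(raw), c.Subject
	}
	site, err := verifyJWT(siteJWT, key, now)
	if err == nil && (parent == "" || site.Issuer != parent) {
		err = errors.New("issuer does not name the signing certificate")
	}
	if err != nil {
		return Claims{}, fmt.Errorf("site information: %w", err)
	}
	return site, nil
}

// BuildChain is a constructed scenario (not from the patent): a self-signed root, an
// intermediate issued by it, secondary-node site info signed by the root and
// enterprise-node site info signed by the intermediate.
func BuildChain(now time.Time) (trusted ed25519.PublicKey, root, inter, secondarySite, enterpriseSite string) {
	rootPub, rootPriv, _ := ed25519.GenerateKey(rand.Reader)
	interPub, interPriv, _ := ed25519.GenerateKey(rand.Reader)
	exp := now.Add(24 * time.Hour).Unix()
	root = IssueJWT(Claims{PublicKey: b64.EncodeToString(rootPub), Subject: "root", Issuer: "root", Exp: exp}, rootPriv)
	inter = IssueJWT(Claims{PublicKey: b64.EncodeToString(interPub), Subject: "secondary-88.1001", Issuer: "root", Exp: exp}, rootPriv)
	secondarySite = IssueJWT(Claims{Subject: "secondary-88.1001", Issuer: "root", Site: "https://secondary.example.invalid:8443", Exp: exp}, rootPriv)
	enterpriseSite = IssueJWT(Claims{Subject: "enterprise-88.1001.7", Issuer: "secondary-88.1001", Site: "https://enterprise.example.invalid:8443", Exp: exp}, interPriv)
	return rootPub, root, inter, secondarySite, enterpriseSite
}

func main() {
	trusted, root, inter, _, entSite := BuildChain(time.Now())
	site, err := VerifyChain(trusted, []string{root, inter}, entSite, time.Now())
	fmt.Println("enterprise-node site:", site.Site, "error:", err)
}
```

The site address is only read from the claims after the whole chain has verified, which is the property the scheme relies on: a site-information token whose IP or port was altered no longer matches the signature, and one signed by a key that is not linked back to the trust-store root is rejected before its address is ever used. Enterprise-node site information is accepted only under root plus intermediate, never under the root alone, because the root never signed it.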
The embodiment of the invention also provides computer equipment which comprises a memory, a processor and a computer program which is stored on the memory and can run on the processor, wherein when the processor executes the computer program, the trusted service positioning method based on the industrial internet identification analysis is realized.
The embodiment of the invention also provides a computer readable storage medium, which stores a computer program, and when the computer program is executed by a processor, the trusted service positioning method based on the industrial internet identification analysis is realized.
An embodiment of the present invention further provides a computer program product, where the computer program product includes a computer program, and when executed by a processor, the computer program implements the above trusted service location method based on industrial internet identity resolution.
In the embodiment of the invention, in the credible service positioning scheme based on industrial internet identification analysis, the industrial internet identification analysis system is a distributed architecture comprising at least three layers of nodes: a top-level node, a second-level node and an enterprise node. The top-level node is preconfigured with the site information of the second-level node service, and the second-level node is preconfigured with the site information of the enterprise node service. The site information of the second-level node service is signed with a preconfigured root certificate, which the client generates from a preset trust store, and the site information of the enterprise node service is signed with an intermediate certificate issued in advance under the root certificate. In the prior art, if the IP information is tampered with, the identification resolution client can be misdirected to other, illegitimate services and request the wrong identification resolution service. Compared with that, the method comprises the following steps: when a service access request is received, the client sends a request for the site information of the second-level node service to the top-level node; the top-level node returns that site information to the client; the client performs trusted signature verification on the site information of the second-level node service with the root certificate and sends a request for the site information of the enterprise node service to the second-level node; the second-level node returns that site information to the client; the client performs trusted signature verification on the site information of the enterprise node service with the intermediate certificate and sends a request for the identification information of the service access to the enterprise node; the enterprise node resolves that request into the industrial internet identification of the service access and sends it to the client, where the identification comprises a plurality of data values, each data value comprising the index of the data value, a data type and the actual data corresponding to it, and the data values include a user identity identification value comprising a user public key index, a preset character and an industrial internet identification; and the client processes the service access request according to the industrial internet identification. In this way, the site information and data obtained by the identification resolution client during resolution are made trustworthy through the public key infrastructure, the IP and port requested by the system cannot be tampered with, and trusted service access is ensured.
As will be appreciated by one skilled in the art, embodiments of the present invention may be provided as a method, system, or computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
The above-mentioned embodiments are intended to illustrate the objects, technical solutions and advantages of the present invention in further detail, and it should be understood that the above-mentioned embodiments are only exemplary embodiments of the present invention, and are not intended to limit the scope of the present invention, and any modifications, equivalent substitutions, improvements and the like made within the spirit and principle of the present invention should be included in the scope of the present invention.

Claims (10)

1. A credible service positioning method based on industrial internet identification analysis is characterized in that an industrial internet identification analysis system is a distributed architecture comprising at least three layers of nodes, wherein the three layers of nodes comprise a top level node, a second level node and an enterprise node, the top level node is pre-configured with site information served by the second level node, and the second level node is pre-configured with site information served by the enterprise node; the site information of the secondary node service is signed by using a preconfigured root certificate, the root certificate is generated by a client according to a preset trust warehouse, and the site information of the enterprise node service is signed by using an intermediate certificate which is distributed according to the root certificate in a preconfigured way; the service positioning method based on the industrial Internet identification analysis comprises the following steps:
when receiving a service access request, a client sends a request for acquiring site information of a secondary node service to a top node;
the top-level node sends the site information served by the second-level node to the client according to the request for obtaining the site information served by the second-level node;
the client uses the root certificate to perform credible signature verification processing on the site information of the second-level node service, and sends a request for acquiring the site information of the enterprise node service to the second-level node;
the secondary node sends the site information of the enterprise node service to the client according to the request for acquiring the site information of the enterprise node service;
the client uses the intermediate certificate to perform credible signature verification processing on the site information of the enterprise node service, and sends a request of identification information of service access to the enterprise node;
the enterprise node analyzes the request of the identification information of the service access to obtain an industrial internet identification of the service access, and sends the industrial internet identification to the client; the industrial internet identification comprises a plurality of data values, each data value comprises an index of the data value, a data type and actual data corresponding to the data value, the data value comprises a user identity identification value, and the user identity identification value comprises a user public key index, a preset character and an industrial internet identification;
and the client processes the service access request according to the industrial internet identification.
2. A trusted service location method based on industrial internet identity resolution as claimed in claim 1 wherein said data value further comprises: a certificate identification value; the format of the certificate is JWT format, the load in the certificate is data of JSON type, the load contains the declaration of the certificate, the declaration element of the certificate includes: user public key, principal, issuer, and issuer signature.
3. A trusted service location method based on industrial internet identity resolution as claimed in claim 1 wherein said data value further comprises: identifying a signature identification value, wherein a signature key is a private key for identifying a user; the service positioning method based on the industrial internet identification analysis further comprises the following steps of obtaining the signature load of the identification signature value according to the following method:
calculating a hash value for each indexed data;
combining a plurality of indexes and hash values into one object;
and forming a plurality of indexed objects into data, and recording the hash algorithm used on the outer layer, to obtain a signature load of a signature identification value in a JSON format.
4. The method as claimed in claim 1, wherein the root certificate has authority to issue other certificates, the authority is an array containing a plurality of data, and the authority in one data includes four levels: all rights, derived prefixes, identification under the prefix, and designated identification.
5. The industrial internet identity resolution-based trusted service location method of claim 1, wherein the client performing trusted signature verification processing comprises: whether the hash of the identifier and the identifier value matches; whether it is within the expiration date; whether the JWT signature is legitimate; whether the certificate on the constructed certificate chain is legal or not, and whether the JWT signature is correct or not within the validity period or not; the root certificate identifies whether the contract is met.
6. The method as claimed in claim 1, wherein the root certificate is a self-signed certificate, the issuer of the intermediate certificate refers to the subject of the root certificate, and the signature of the intermediate certificate is signed by a private key corresponding to the public key of the user of the root certificate.
7. A credible service positioning system based on industrial internet identification analysis is characterized in that an industrial internet identification analysis system is a distributed architecture comprising at least three layers of nodes, wherein the three layers of nodes comprise a top level node, a second level node and an enterprise node, the top level node is preconfigured with site information of the second level node service, and the second level node is preconfigured with site information of the enterprise node service; the site information of the secondary node service is signed by using a preconfigured root certificate, the root certificate is generated by a client according to a preset trust warehouse, and the site information of the enterprise node service is signed by using an intermediate certificate which is distributed according to the root certificate in a preconfigured way; the service positioning system based on industrial internet identification analysis comprises:
the client is used for sending a request for acquiring site information of the service of the second-level node to the top-level node when receiving the service access request; using the root certificate to perform credible signature verification processing on the site information of the secondary node service, and sending a request for acquiring the site information of the enterprise node service to the secondary node; using the intermediate certificate to perform credible signature verification processing on the site information of the enterprise node service, and sending a request of identification information of service access to the enterprise node; processing the service access request according to the industrial internet identification;
the top level node is used for sending the site information served by the second level node to the client according to the request for obtaining the site information served by the second level node;
the secondary node is used for sending the site information of the enterprise node service to the client according to the request for obtaining the site information of the enterprise node service;
the enterprise node is used for analyzing to obtain an industrial Internet identifier of the service access according to the request of the identifier information of the service access and sending the industrial Internet identifier to the client; the industrial internet identification comprises a plurality of data values, each data value comprises an index of the data value, a data type and actual data corresponding to the data value, the data values comprise user identity identification values, and the user identity identification values comprise user public key indexes, preset characters and industrial internet identification.
8. A computer device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the processor implements the method of any one of claims 1 to 6 when executing the computer program.
9. A computer-readable storage medium, characterized in that the computer-readable storage medium stores a computer program which, when executed by a processor, implements the method of any of claims 1 to 6.
10. A computer program product, characterized in that the computer program product comprises a computer program which, when being executed by a processor, carries out the method of any one of claims 1 to 6.
CN202210824359.5A 2022-07-14 2022-07-14 Trusted service positioning method and system based on industrial Internet identification analysis Active CN115208580B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210824359.5A CN115208580B (en) 2022-07-14 2022-07-14 Trusted service positioning method and system based on industrial Internet identification analysis

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210824359.5A CN115208580B (en) 2022-07-14 2022-07-14 Trusted service positioning method and system based on industrial Internet identification analysis

Publications (2)

Publication Number Publication Date
CN115208580A true CN115208580A (en) 2022-10-18
CN115208580B CN115208580B (en) 2024-05-24

Family

ID=83579876

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210824359.5A Active CN115208580B (en) 2022-07-14 2022-07-14 Trusted service positioning method and system based on industrial Internet identification analysis

Country Status (1)

Country Link
CN (1) CN115208580B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN118368070A (en) * 2024-06-14 2024-07-19 中汽智联技术有限公司 Digital certificate query method and system based on industrial Internet identification

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5922074A (en) * 1997-02-28 1999-07-13 Xcert Software, Inc. Method of and apparatus for providing secure distributed directory services and public key infrastructure
CN109067539A (en) * 2018-06-13 2018-12-21 深圳前海微众银行股份有限公司 Alliance's chain method of commerce, equipment and computer readable storage medium
CN111262834A (en) * 2020-01-09 2020-06-09 中国信息通信研究院 Authentication and credibility analysis method, device and system for physical entity
CN113779605A (en) * 2021-09-14 2021-12-10 码客工场工业科技(北京)有限公司 Industrial internet Handle identification system analysis authentication method based on alliance chain
CN113972986A (en) * 2021-09-22 2022-01-25 北京邮电大学 Block chain-based industrial internet identification information analysis method and related device

Also Published As

Publication number Publication date
CN115208580B (en) 2024-05-24

Similar Documents

Publication Publication Date Title
US11706038B1 (en) System and method for distributed PKI root
Omar et al. Identity management in IoT networks using blockchain and smart contracts
US11025407B2 (en) Hash-based digital signatures for hierarchical internet public key infrastructure
US10027670B2 (en) Distributed authentication
US12063314B1 (en) Systems and methods for secure event and log management
Farrell et al. An internet attribute certificate profile for authorization
US8806196B2 (en) Method and apparatus for authenticating a digital certificate status and authorization credentials
US10715502B2 (en) Systems and methods for automating client-side synchronization of public keys of external contacts
US8984283B2 (en) Private certificate validation method and apparatus
US9178869B2 (en) Locating network resources for an entity based on its digital certificate
EP1668815B1 (en) Delegated certificate authority
CN113271311A (en) Digital identity management method and system in cross-link network
CN112307116A (en) Data access control method, device and equipment based on block chain
EP3817320A1 (en) Blockchain-based system for issuing and validating certificates
Spies Public key infrastructure
CN115208580B (en) Trusted service positioning method and system based on industrial Internet identification analysis
Tehrani et al. The missing piece: On namespace management in NDN and how DNSSEC might help
US11664987B2 (en) Updating public key certificates in network devices using a blockchain network
Göndör et al. Distributed and domain-independent identity management for user profiles in the SONIC Online Social Network Federation
US20210258172A1 (en) Method for monitoring digital certificates
Berbecaru et al. Exploiting the European Union trusted service status list for certificate validation in STORK: design, implementation, and lessons learnt
Farrell et al. RFC 5755: An Internet Attribute Certificate Profile for Authorization
Berbecaru et al. A unified and flexible solution for integrating CRL and OCSP into PKI applications
Graham et al. IVOA Recommendation: IVOA Credential Delegation Protocol Version 1.0
Berbecaru et al. On Generation and Use of EU Trusted Lists (TSLs): an automatic generator for TSLs and a TSL-based service in the STORK Identity Management Infrastructure

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant