CN115333755A - Multi-attribute identity authentication method based on continuous trust evaluation - Google Patents

Multi-attribute identity authentication method based on continuous trust evaluation Download PDF

Info

Publication number
CN115333755A
Authority
CN
China
Prior art keywords
index
service
user
trust evaluation
matrix
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202211263999.XA
Other languages
Chinese (zh)
Inventor
郭晶
刘迪
刘柱
张捷
李玉
宋卫平
李炳森
丁西
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Sichuan Zhongdian Aostar Information Technologies Co ltd
State Grid Information and Telecommunication Co Ltd
Original Assignee
Sichuan Zhongdian Aostar Information Technologies Co ltd
State Grid Information and Telecommunication Co Ltd

Classifications

    • H Electricity > H04 Electric communication technique > H04L Transmission of digital information, e.g. telegraphic communication
    • H04L9/3213 Cryptographic mechanisms or arrangements for secret or secure communications; network security protocols including means for verifying the identity or authority of a user or for message authentication, involving a third party or a trusted authority, using tickets or tokens, e.g. Kerberos
    • H04L63/0807 Network architectures or protocols for network security, for authentication of entities using tickets, e.g. Kerberos
    • H04L63/083 Network architectures or protocols for network security, for authentication of entities using passwords
    • H04L63/105 Network architectures or protocols for network security, for controlling access to devices or network resources: multiple levels of security
    • H04L9/001 Cryptographic mechanisms or arrangements for secret or secure communications using chaotic signals
    • H04L9/14 Cryptographic mechanisms or arrangements for secret or secure communications using a plurality of keys or algorithms

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Storage Device Security (AREA)

Abstract

The invention provides a multi-attribute identity authentication method based on continuous trust evaluation. It combines a trust evaluation technique with token authentication: the trust evaluation value is embedded in the token, the token is updated in real time to authenticate the user and grant the corresponding authority, and the authentication exchange is encrypted and decrypted with a hybrid of a chaotic-map-based randomly generated matrix encryption algorithm and the RSA digital signature algorithm, so as to improve the security of authentication.

Description

Multi-attribute identity authentication method based on continuous trust evaluation
Technical Field
The invention belongs to the technical field of computer information security identity management, and particularly relates to a multi-attribute identity authentication method based on continuous trust evaluation.
Background
With the construction of the company's energy Internet and its digital transformation, the power mobile Internet business has developed rapidly; in particular, the demand for mobile office work rose sharply after the epidemic, the range of mobile application services keeps extending, and the power mobile Internet business has become an important window for the company's internal and external interaction. It connects the users, terminals and applications of the power system, shares the data they generate, and serves users, the power grid and society.
To prevent the risk of credential theft, identity authentication becomes particularly important. Identity authentication technology is an effective means of confirming the identity of an operator in a computer network; it stands at the front of access control and is the first line of authentication defence of a network application system. Identity authentication can be divided into static authentication and dynamic authentication. In the early stage of its development, computers performed the most basic identity authentication with static parameters: before authentication, authentication information representing the user's legitimate identity is set up for the user in advance. Static authentication mainly covers user-name/password authentication, password-free face recognition, smart-card authentication and the like; however, static authentication only provides identity input and a one-off static check and cannot provide dynamic authentication that supports security levels, so it carries a larger security risk. Dynamic authentication can grant different authorizations according to real-time changes of the user or terminal: it further verifies the authenticity of the user identity on the one hand, and dynamically checks the security and legitimacy of the user's access on the other.
Identity authentication technologies based on static authentication mainly include those based on software passwords, smart cards and biometric features. In 1981 Lamport first proposed a password-based authentication protocol in the paper "Password authentication with insecure communication", but with such protocols users tend to choose simple, weak passwords that are easy to remember and to reuse them, so the protocols are vulnerable to attack and offer poor security. To improve authentication security and address the problem that a software password is too simple and easily attacked or leaked, hardware was brought in to guarantee security, giving smart-card-based identity authentication. Among dynamic authentication technologies, researchers found that static authentication has the inherent defect that the authentication information it uses never changes, which is a fundamental security hazard, so authentication modes based on dynamic passwords and similar one-time credentials were proposed. As network security requirements became stricter, single-factor identity authentication was no longer enough to protect security, so multi-factor authentication gradually became the identity authentication method most widely applied alongside static and dynamic authentication.
Multi-factor authentication combines different authentication methods and strengthens security by stacking them. The mainstream multi-factor schemes today are digital certificate + static factor and static factor + dynamic factor. "A multi-factor identity authentication protocol based on hardware fingerprints and biometric features" (Information Network Security, 2020, 20(08): 9-15) combines hardware-fingerprint authentication with biometric authentication and improves resistance to eavesdropping, replay and device-theft attacks. "Design of a power security authentication scheme based on multi-factor authentication" (Microcomputer Applications, 2019, 35(11): 84-87) proposes, for the security requirements of power systems, a comprehensive power security authentication scheme based on multi-factor authentication so as to improve the security of current power mobile applications. "Design of a power Internet of Things data security system based on multi-level identity verification and lightweight encryption" (Journal of Nanjing University of Posts and Telecommunications (Natural Science Edition), 2020, 40(06)) proposes a power IoT data security scheme based on multi-level identity verification and lightweight encryption, further addressing the big-data security problem of the power IoT; in that scheme the user passes through a three-level authentication process by presenting credentials, raising both the security strength and the encryption/decryption indices.
Although such methods improve authentication security by combining several factors, they still have the drawback that the authentication result does not change with real-time changes in the user's identity.
Disclosure of Invention
Aiming at the defects of the prior art, the invention provides a multi-attribute identity authentication method based on continuous trust evaluation. It integrates the related technologies and combines a trust evaluation technique with a token authentication method into a multi-attribute identity authentication mode based on trust evaluation: the trust evaluation value is embedded in the token, the user's identity is authenticated through real-time updating of the token, and the corresponding authority is granted; at the same time, the authentication process is encrypted and decrypted with a hybrid of a chaotic-map-based randomly generated matrix encryption algorithm and the RSA digital signature algorithm, so as to improve the security of authentication.
The specific implementation content of the invention is as follows:
the invention provides a multi-attribute identity authentication method based on continuous trust evaluation, which evaluates the trust of a user with a continuous trust evaluation method to obtain a trust evaluation value; the trust evaluation value is then embedded in the token and the user's identity is authenticated through real-time updating of the token, so that the user is granted the authority that corresponds to the current continuous trust value; meanwhile, during authentication, encryption and decryption are performed with a hybrid of a chaotic-map-based randomly generated matrix encryption algorithm and the RSA digital signature algorithm, which improves the security of authentication.
In order to better implement the present invention, further, the specific operations of performing authentication are:
firstly, the mobile application system logs the user in on the basis of a token: at first login the client user initiates a login request, enters a user name and password and sends the request to the login server; the login server calls the authentication service, which fetches the user information from the user information database and verifies the user name and password; if they pass, a token is generated in the authentication server; the authentication server then calls the trust evaluation algorithm to compute the trust evaluation value of the current user and inserts that value into the token, the authentication server returns the verification result to the login server, and the login server returns the token to the client; finally, the client stores the token for use when requesting server resources;
then, the mobile application system serves resource requests on the basis of the token: when the client user requests any resource, the request is first submitted to the corresponding resource controller, which invokes the identity authentication service; when the authentication service finds the token in the request object, it verifies the validity of the token, determines the role, and checks whether the role level matches the level of the requested resource; once the validity of the token and the corresponding role are confirmed, the corresponding resource service is asked for the resource the user needs, the result is returned to the resource controller, and the response is sent to the client user.
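The two flows above, as an added Python example (not code from the patent): `issue_token` is the login step that embeds the trust value and the role derived from it, `verify_token` and `authorize` are the checks the authentication service performs on a resource request, and `refresh_token` is the real-time update that lets a drop in trust lower the granted authority without a new login. Assumptions not on the page: an HMAC-SHA256 signature under a server-side key stands in for the patent's hybrid chaotic-matrix/RSA protection of the token (the page does not specify the token format), the trust thresholds for the three role levels and the 600-second lifetime are chosen for the demo, and `forge_token` models an attacker who edits the payload but keeps the old signature.

```python
"""Token with an embedded trust value: issue, verify, authorize, refresh (constructed example)."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Assumption: a server-side HMAC key stands in for the patent's chaotic-matrix/RSA protection.
SERVER_KEY = b"demo-server-key-replace-in-production"

# Assumption: trust thresholds (trust in [0, 1]) mapped to role levels; higher level = more authority.
ROLE_LEVELS = ((0.8, 3, "manager"), (0.5, 2, "staff"), (0.0, 1, "common user"))


def role_for_trust(trust: float):
    """Map a continuous trust value to (level, role name)."""
    for threshold, level, name in ROLE_LEVELS:
        if trust >= threshold:
            return level, name
    return 1, "common user"


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(payload_b64: str) -> str:
    return _b64(hmac.new(SERVER_KEY, payload_b64.encode("ascii"), hashlib.sha256).digest())


def _encode(payload: dict) -> str:
    return _b64(json.dumps(payload, sort_keys=True, separators=(",", ":")).encode())


def issue_token(user: str, trust: float, ttl: int = 600, now: Optional[float] = None) -> str:
    """Login step: after the password check, embed the trust value and derived role, then sign."""
    now = time.time() if now is None else now
    level, name = role_for_trust(trust)
    payload = {"user": user, "trust": round(trust, 4), "role_level": level,
               "role": name, "iat": int(now), "exp": int(now) + ttl}
    payload_b64 = _encode(payload)
    return f"{payload_b64}.{_sign(payload_b64)}"


def verify_token(token: str, now: Optional[float] = None) -> Optional[dict]:
    """Resource-request step: return the payload if signature and expiry are valid, else None."""
    now = time.time() if now is None else now
    try:
        payload_b64, sig = token.split(".")
    except ValueError:
        return None
    if not hmac.compare_digest(sig, _sign(payload_b64)):  # constant-time comparison
        return None
    payload = json.loads(_unb64(payload_b64))
    if payload["exp"] <= now:
        return None
    return payload


def authorize(token: str, resource_level: int, now: Optional[float] = None):
    """Validate the token, then require the embedded role level to cover the resource level."""
    payload = verify_token(token, now)
    if payload is None:
        return False, "invalid or expired token"
    if payload["role_level"] < resource_level:
        return False, f"role {payload['role']} (level {payload['role_level']}) below resource level {resource_level}"
    return True, "ok"


def refresh_token(token: str, new_trust: float, now: Optional[float] = None) -> Optional[str]:
    """Continuous evaluation: re-issue with the latest trust value; authority rises or falls with it."""
    payload = verify_token(token, now)
    if payload is None:
        return None
    return issue_token(payload["user"], new_trust, now=now)


def forge_token(token: str, **changes) -> str:
    """Attacker's attempt: rewrite payload fields but keep the old signature (must fail to verify)."""
    payload_b64, sig = token.split(".")
    payload = json.loads(_unb64(payload_b64))
    payload.update(changes)
    return f"{_encode(payload)}.{sig}"


if __name__ == "__main__":
    t = issue_token("alice", 0.9, now=1000)                 # constructed login at t=1000
    print(authorize(t, 3, now=1500))                         # (True, 'ok')
    print(authorize(refresh_token(t, 0.3, now=1500), 2, now=1500))  # trust dropped: denied
```

The role check happens on every request against the level stored in the token, so the token has to be re-issued (refreshed) whenever the trust evaluation changes; a token that is only validated for its signature would keep granting the authority computed at login time.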
In order to better implement the present invention, further, evaluating the user's trust with the continuous trust evaluation method to obtain the trust evaluation value specifically includes the following steps:
step 1: build the trust evaluation model and evaluate the power mobile application with a multi-attribute decision method;
step 2: construct the decision matrix reflecting the multiple QoS interval-number attributes and normalize the indices;
step 3: use FAHP to establish the hierarchical model weight system;
step 4: compute the weight sets of all indices of all cloud services in the service layer to obtain the weight matrix, which supplies the weights for trust evaluation;
step 5: compute the comprehensive evaluation values of the different power mobile application user types;
and the authentication process is encrypted and decrypted by mixing a chaotic-map-based randomly generated matrix encryption algorithm with the RSA digital signature algorithm, so as to improve the security of authentication.
In order to better implement the present invention, further, step 1 is specifically operated as follows:
Step 1.1: The target layer of the hierarchical analysis model is the classification of power mobile application user types. Let T denote the user layer, $T=\{t_1, t_2, \dots, t_k\}$, where k is the number of user types.
The power mobile application host and client are the subject and object of continuous trust evaluation. Let S denote the services provided by the applications, $S=\{s_{11}, s_{12}, \dots, s_{km}\}$, where $s_{km}$ is the m-th service of power mobile application k and m is the number of services of application k.
The index layer holds the measurement indices of the services in the service layer and describes objectively how each application service is running. Let Q denote the index layer, $Q=\{q_{11}, q_{12}, \dots, q_{mn}\}$, where $q_{mn}$ is the n-th QoS index of the m-th service.
Step 1.2: To evaluate the power mobile application subject and object objectively, the QoS index data of the running application are monitored and collected. A QoS index measures how well an application service meets user requirements and covers security, reliability, cost, performance, availability and so on; the indices influence and constrain one another and change dynamically. Because the power mobile application index data are dynamic, the collected QoS index data are expressed and normalized as interval numbers.
Step 1.3: To express reasonably the membership relations between the user layer and the service layer, and between the service layer and the index layer, the weight system of the trust evaluation is computed with the fuzzy analytic hierarchy process according to how strongly each lower layer influences the layer above it. On the basis of the collected and normalized decision matrix and the constructed hierarchical model weight system, the evaluation uses the linear weighting method of interval-number multi-attribute decision making, which yields the trust evaluation of the power mobile application.
In order to better implement the present invention, further, step 2 specifically includes the following steps:
Step 2.1: construct the decision matrix reflecting the multiple QoS interval-number attributes
Let $q^l$ and $q^h$ be two real numbers, $q^l, q^h \in \mathbb{R}$ with $q^l \le q^h$; then $q=[q^l, q^h]$ is called an interval number, where $q^l$ is its lower bound and $q^h$ its upper bound. When $q^l = q^h$ the interval number is an ordinary real number.
For the j-th QoS index of the i-th application operation for the k-th user, let $q_{ij}^l$ denote the lower bound of the index's operating data during the measurement period and $q_{ij}^h$ the upper bound; the index then has the interval-number form $q_{ij}=[q_{ij}^l, q_{ij}^h]$.
Based on the collected index data reflecting QoS, the data are grouped by index attribute and a decision matrix X of interval numbers is constructed, with entry $q_{ij}$ in row i (the i-th application service) and column j (the j-th index). (The matrix is shown only as an image in the original.)
Step 2.2: index normalization based on the vector normalization principle
In the decision matrix X, different QoS indices have different physical meanings and dimensions and are hard to compare directly. Normalization removes the dimensions of the different QoS indices, makes fused calculation over different indices possible, maps the different index data into a fixed interval, and avoids large swings in the data values and their mutual influence. By nature a QoS index is either benefit-type, where a larger value is better (e.g. security strength, operating duration), or cost-type, where a smaller value is better (e.g. response time, operation frequency).
Normalization follows the vector normalization principle, using interval-number arithmetic:
for a benefit-type index in the decision matrix X, the normalization formula is (given as an image in the original; not reproduced);
for a cost-type index in the decision matrix X, the normalization formula is (given as an image in the original; not reproduced);
the normalized decision matrix X' obtained from X is (given as an image in the original; not reproduced).
in order to better implement the present invention, further, the specific operations of step 3 are:
and 3.1, adopting FAHP to establish a hierarchical structure model weight system and establishing fuzzy judgment matrixes of an index layer and a service layer.
There are many metrics that measure the application attribute QoS, and the metrics may affect each other. In order to balance the influence of different indexes on trust evaluation, a weight calculation method aiming at an uncertain multi-attribute decision problem needs to be constructed. A Fuzzy Analytic Hierarchy Process (FAHP) in an index weight method in the multi-attribute decision problem is based on an analytic hierarchy process, and an effective solving way is provided for the problems of fuzziness and difficulty in quantification. The method adopts FAHP to establish a hierarchical structure model weight system.
The FAHP firstly establishes a fuzzy consistency judgment matrix, and then calculates the combination weight of each layer of constituent elements to the total target. And comparing each index of the service according to a '0.1-0.9' scale method to obtain the membership degree between each two indexes, and establishing a fuzzy judgment matrix R of an index layer. Aiming at the ith service in the service layer, a fuzzy judgment matrix Ri established by the membership degree between indexes is as follows:
Figure 100002_DEST_PATH_IMAGE008
the membership degree of the fuzzy judgment matrix quantifies the relationship among different indexes according to actually acquired data, and is suitable for calculating the weight of multi-attribute uncertainty. Establishing a service layer fuzzy judgment matrix R in the same way 1 ,R 2 ,…,R m
Step 3.2, establishing fuzzy judgment matrixes E of different user types according to different user types 1 ,E 2 ,…,E k
And 3.3, performing consistency check on each fuzzy judgment matrix, ensuring the consistency among the importance degrees of each element in the matrix, and ensuring that the calculation result is scientific and reliable.
In order to better implement the present invention, further, the specific operations of step 4 are:
Calculate the application attribute index weights with the fuzzy judgment matrix weight formula. The weight of the j-th QoS index of the i-th application attribute is denoted $\omega_{ij}$ and is computed by (formula given as an image in the original; not reproduced), where g is the number of indices of the cloud service and $a=(g-1)/2$.
Finally, compute the weight sets of all indices of all cloud services in the service layer to obtain the weight matrix $\omega$; the index weight matrix $\omega$ supplies the weights for the trust evaluation.
In order to better implement the present invention, further, the specific operations of step 5 are:
Linear weighting is used. The comprehensive evaluation value of the c-th application cloud service is denoted $T_c$ and computed by (formula given as an image in the original; not reproduced), where $(q_{xy})'$ is the QoS index datum in row x, column y of X' and $\omega_{ij}$ is the weight of the j-th index of the i-th attribute in the index weight matrix $\omega$.
The comprehensive evaluation value of a cloud provider is then computed from the comprehensive evaluation results of each of its cloud services and its service weight set; in this method a user type plays the role of the cloud provider. $F_d$ denotes the comprehensive evaluation value of the d-th user type and is computed by (formula given as an image in the original; not reproduced), where $(T_{\alpha c})'$ is the comprehensive evaluation value of the c-th application cloud service of cloud provider $\alpha$ and $v_{\alpha\beta}$ is the weight of the $\beta$-th cloud service of cloud provider $\alpha$ in the matrix v. The comprehensive evaluation values of the different mobile application user types are calculated in the same way.
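Steps 2 to 5 carried through on constructed data, as an added Python example (not the patent's code or the MATLAB/Excel implementation of its embodiment): interval-number normalization of benefit- and cost-type indices, a 0.1-0.9 scale fuzzy judgment matrix turned into a fuzzy consistent matrix and checked, FAHP index and service weights, linear weighting to the per-service values $T_c$ and the user-type value $F_d$, and ranking of interval results by possibility degree with a Boolean matrix. Because the patent's own formulas survive on this page only as images, the formulas used here are the standard ones of interval multi-attribute decision making and are assumptions: vector normalization with the column sums taken over the opposite bounds, $r_{ij}=(r_i-r_j)/(2n)+0.5$ for the consistent matrix, $w_i = 1/n - 1/(2a) + \frac{1}{na}\sum_j r_{ij}$ with $a=(n-1)/2$ (which matches the page's $a=(g-1)/2$), and $P(a \ge b)=\min(\max((a^h-b^l)/(\ell_a+\ell_b),0),1)$ for ranking. The QoS data and judgment matrices below are constructed, not CloudHarmony data.

```python
"""Interval-number multi-attribute trust evaluation: normalize, FAHP weights, linear
weighting, possibility-degree ranking. Added example; all data below is constructed."""
import math
from typing import List, Sequence, Tuple

Interval = Tuple[float, float]  # (q^l, q^h) with q^l <= q^h


def normalize(X: Sequence[Sequence[Interval]], benefit: Sequence[bool]) -> List[List[Interval]]:
    """Vector-normalize an interval decision matrix (rows = services, columns = QoS indices).
    Assumed standard interval vector normalization (the page's formula is an image):
      benefit: l' = l / sqrt(sum_i h_i^2),         h' = h / sqrt(sum_i l_i^2)
      cost:    l' = (1/h) / sqrt(sum_i (1/l_i)^2),  h' = (1/l) / sqrt(sum_i (1/h_i)^2)"""
    m, n = len(X), len(X[0])
    Xn = [[(0.0, 0.0)] * n for _ in range(m)]
    for j in range(n):
        col = [X[i][j] for i in range(m)]
        if benefit[j]:
            dl = math.sqrt(sum(h * h for _, h in col))
            dh = math.sqrt(sum(l * l for l, _ in col))
            for i, (l, h) in enumerate(col):
                Xn[i][j] = (l / dl, h / dh)
        else:  # cost-type index: smaller is better, so invert before scaling
            dl = math.sqrt(sum((1 / l) ** 2 for l, _ in col))
            dh = math.sqrt(sum((1 / h) ** 2 for _, h in col))
            for i, (l, h) in enumerate(col):
                Xn[i][j] = ((1 / h) / dl, (1 / l) / dh)
    return Xn


def fuzzy_consistent(F: Sequence[Sequence[float]]) -> List[List[float]]:
    """Turn a 0.1-0.9 scale fuzzy complementary judgment matrix (f_ij + f_ji = 1) into a
    fuzzy consistent matrix: r_ij = (r_i - r_j) / (2n) + 0.5 with r_i = sum_k f_ik (assumed)."""
    n = len(F)
    s = [sum(row) for row in F]
    return [[(s[i] - s[j]) / (2 * n) + 0.5 for j in range(n)] for i in range(n)]


def is_consistent(R: Sequence[Sequence[float]], tol: float = 1e-9) -> bool:
    """Step 3.3 consistency check: r_ij = r_ik - r_jk + 0.5 must hold for every i, j, k."""
    n = len(R)
    return all(abs(R[i][j] - (R[i][k] - R[j][k] + 0.5)) < tol
               for i in range(n) for j in range(n) for k in range(n))


def fahp_weights(R: Sequence[Sequence[float]]) -> List[float]:
    """FAHP weights from a fuzzy consistent matrix (assumed formula):
    w_i = 1/n - 1/(2a) + (1/(n a)) * sum_j r_ij, with a = (n - 1)/2."""
    n = len(R)
    a = (n - 1) / 2
    return [1 / n - 1 / (2 * a) + sum(R[i]) / (n * a) for i in range(n)]


def weighted_sum(rows: Sequence[Interval], w: Sequence[float]) -> Interval:
    """Linear weighting of interval numbers: lower and upper bounds are weighted separately."""
    return (sum(wj * l for wj, (l, _) in zip(w, rows)),
            sum(wj * h for wj, (_, h) in zip(w, rows)))


def possibility(a: Interval, b: Interval) -> float:
    """Possibility degree P(a >= b) = min(max((a^h - b^l) / (len_a + len_b), 0), 1) (assumed)."""
    span = (a[1] - a[0]) + (b[1] - b[0])
    if span == 0:  # both intervals degenerate to real numbers
        return 1.0 if a[0] >= b[0] else 0.0
    return min(max((a[1] - b[0]) / span, 0.0), 1.0)


def rank(values: Sequence[Interval]) -> List[int]:
    """Boolean-matrix ranking: mark P(i >= j) >= 0.5, count marks per row, best first."""
    n = len(values)
    score = [sum(possibility(values[i], values[j]) >= 0.5 for j in range(n)) for i in range(n)]
    return sorted(range(n), key=lambda i: (-score[i], i))


def evaluate(X, benefit, index_F, service_F):
    """Steps 2-5 for one user type: (index weights w, per-service T_c, service weights v, F_d)."""
    Xn = normalize(X, benefit)
    w = fahp_weights(fuzzy_consistent(index_F))
    T = [weighted_sum(row, w) for row in Xn]
    v = fahp_weights(fuzzy_consistent(service_F))
    return w, T, v, weighted_sum(T, v)


# Constructed QoS data for three services and three indices:
# availability (benefit, fraction), response time (cost, ms), security strength (benefit, score)
X_DEMO = [[(0.98, 0.99), (120.0, 180.0), (3.0, 4.0)],
          [(0.95, 0.99), (80.0, 150.0), (2.0, 3.0)],
          [(0.90, 0.97), (200.0, 300.0), (4.0, 5.0)]]
BENEFIT_DEMO = [True, False, True]
INDEX_F_DEMO = [[0.5, 0.7, 0.6], [0.3, 0.5, 0.4], [0.4, 0.6, 0.5]]    # index-layer judgments (0.1-0.9 scale)
SERVICE_F_DEMO = [[0.5, 0.6, 0.4], [0.4, 0.5, 0.3], [0.6, 0.7, 0.5]]  # service-layer judgments, one user type

if __name__ == "__main__":
    w, T, v, F = evaluate(X_DEMO, BENEFIT_DEMO, INDEX_F_DEMO, SERVICE_F_DEMO)
    print("index weights", [round(x, 4) for x in w])
    print("service ranking (best first)", rank(T), "user-type trust interval", F)
```

Each user type gets its own service-layer judgment matrix (the page's $E_1, \dots, E_k$), so `evaluate` is run once per user type and `rank` is applied to the resulting $F_d$ intervals; applied to the three intervals of embodiment 2 it reproduces the order FU3 > FU2 > FU1 given there.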
In order to better implement the invention, further, the authentication process is encrypted and decrypted by mixing, at the same time, a chaotic-map-based randomly generated matrix encryption algorithm with the RSA digital signature algorithm, so as to improve the security of authentication.
The key point of generating the encryption key matrix from a chaotic function is to construct an invertible matrix from the random numbers the chaotic function produces; this patent selects the logistic map as the chaotic function for generating the encryption matrix.
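The key-matrix idea above, as an added Python example that is not the patent's algorithm (embodiment 3 is cut off on this page and gives no parameters): the logistic map $x_{n+1}=r\,x_n(1-x_n)$ is seeded with the secret $(x_0, r)$, its outputs are quantized to fill an $n\times n$ matrix, and the matrix is accepted only if it is invertible; encryption is the matrix product $c = K\,m$ per block and decryption uses $K^{-1}$. Assumptions: arithmetic is done modulo the prime 257 so that invertibility is an exact check (the page does not say how invertibility is ensured or what arithmetic is used), blocks are padded PKCS#7-style, and the transient of 200 iterations, the quantization $\lfloor 10^6 x\rfloor \bmod 257$ and the seed values are chosen for the demo. The RSA signature half of the hybrid is not shown. `recover_key` is the check a practitioner would run: any cipher that is linear in the plaintext, as this reconstruction is, gives up $K$ to whoever holds $n$ known plaintext/ciphertext blocks, without knowing $(x_0, r)$, so the matrix must not be reused across sessions.

```python
"""Logistic-map key matrix over GF(257): generate, invert, encrypt/decrypt byte blocks,
and recover the key from n known plaintext/ciphertext blocks. Added example; all assumptions."""
from typing import List, Optional, Sequence

P = 257  # assumed prime modulus: every matrix with det != 0 (mod 257) is invertible
Matrix = List[List[int]]


def logistic_stream(x0: float, r: float, count: int, discard: int = 200) -> List[int]:
    """Iterate x_{n+1} = r*x_n*(1 - x_n) (chaotic for r near 4); (x0, r) is the secret.
    Drop a transient, then quantize each x to an integer in [0, P)."""
    x = x0
    for _ in range(discard):
        x = r * x * (1 - x)
    out = []
    for _ in range(count):
        x = r * x * (1 - x)
        out.append(int(x * 1_000_000) % P)
    return out


def inverse_mod(M: Sequence[Sequence[int]], p: int = P) -> Optional[Matrix]:
    """Gauss-Jordan inverse over GF(p); None when M is singular."""
    n = len(M)
    A = [list(row) + [int(i == j) for j in range(n)] for i, row in enumerate(M)]
    for c in range(n):
        pivot = next((r for r in range(c, n) if A[r][c] % p), None)
        if pivot is None:
            return None
        A[c], A[pivot] = A[pivot], A[c]
        inv = pow(A[c][c], -1, p)
        A[c] = [v * inv % p for v in A[c]]
        for r in range(n):
            if r != c and A[r][c] % p:
                f = A[r][c]
                A[r] = [(vr - f * vc) % p for vr, vc in zip(A[r], A[c])]
    return [row[n:] for row in A]


def key_matrix(x0: float, r: float, n: int, attempts: int = 50):
    """Fill an n x n matrix from the chaotic stream; move to the next window until invertible."""
    for k in range(attempts):
        stream = logistic_stream(x0, r, n * n, discard=200 + k * n * n)
        M = [stream[i * n:(i + 1) * n] for i in range(n)]
        Minv = inverse_mod(M)
        if Minv is not None:
            return M, Minv
    raise ValueError("no invertible matrix found in the chaotic stream")


def matmul(A: Sequence[Sequence[int]], B: Sequence[Sequence[int]], p: int = P) -> Matrix:
    return [[sum(a * b for a, b in zip(row, col)) % p for col in zip(*B)] for row in A]


def matvec(M: Sequence[Sequence[int]], v: Sequence[int], p: int = P) -> List[int]:
    return [sum(a * b for a, b in zip(row, v)) % p for row in M]


def encrypt(data: bytes, M: Matrix) -> List[int]:
    """Pad to the block size n (PKCS#7 style), then c = M * m (mod 257) per block.
    Ciphertext symbols lie in [0, 256], i.e. 9 bits each, so they are returned as ints."""
    n = len(M)
    pad = n - len(data) % n
    padded = data + bytes([pad] * pad)
    out: List[int] = []
    for i in range(0, len(padded), n):
        out.extend(matvec(M, list(padded[i:i + n])))
    return out


def decrypt(cipher: Sequence[int], Minv: Matrix) -> bytes:
    """m = M^-1 * c (mod 257) per block, then strip the padding."""
    n = len(Minv)
    out: List[int] = []
    for i in range(0, len(cipher), n):
        out.extend(matvec(Minv, list(cipher[i:i + n])))
    return bytes(out[:-out[-1]])


def recover_key(plain_blocks: Sequence[bytes], cipher_blocks: Sequence[Sequence[int]]) -> Optional[Matrix]:
    """Known-plaintext attack on a cipher linear in the plaintext: with n independent blocks
    as columns, C = K * Pm, so K = C * Pm^-1 (mod 257). No knowledge of (x0, r) is needed."""
    n = len(plain_blocks)
    Pm = [[plain_blocks[j][i] for j in range(n)] for i in range(n)]
    Cm = [[cipher_blocks[j][i] for j in range(n)] for i in range(n)]
    Pinv = inverse_mod(Pm)
    return None if Pinv is None else matmul(Cm, Pinv)


if __name__ == "__main__":
    K, Kinv = key_matrix(0.31, 3.99, 4)           # (x0, r) chosen for the demo
    msg = b"login:alice;trust=0.91"               # constructed sample message
    assert decrypt(encrypt(msg, K), Kinv) == msg
    print("key matrix", K)
```

The chaotic map only replaces the random source for the matrix entries; it does not change what kind of cipher results, so the surrounding RSA signature protects integrity but not confidentiality against an attacker who can obtain a few plaintext/ciphertext pairs under the same matrix.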
Drawings
FIG. 1 is a token-based login timing diagram for a power mobile system;
FIG. 2 is a token-based resource request timing diagram for the power mobile system;
fig. 3 is a working diagram of the hybrid matrix encryption algorithm and the RSA signature algorithm.
Detailed Description
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it should be understood that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments, and therefore should not be considered as limiting the scope of protection. All other embodiments, which can be obtained by a person skilled in the art without any inventive step based on the embodiments of the present invention, are within the scope of the present invention.
In the description of the present invention, it is to be noted that, unless otherwise explicitly specified or limited, the terms "disposed," "connected," and "connected" are to be construed broadly, and may be, for example, fixedly connected, detachably connected, or integrally connected; can be mechanically or electrically connected; they may be connected directly or indirectly through an intermediary, or they may be interconnected between two elements. The specific meanings of the above terms in the present invention can be understood in specific cases to those skilled in the art.
Example 1:
the embodiment provides a multi-attribute identity authentication method based on continuous trust evaluation, and as shown in fig. 1 and fig. 2, the general architecture of the authentication method is given as follows:
as shown in fig. 1, the token-based login process of the power mobile system is as follows: when logging in for the first time, a client user initiates a login request, inputs a user name and a password and sends the request to a login server; the login server calls an authentication service, the authentication service acquires user information through a user information database and verifies the accuracy of a user name and a password, and if the user information passes the verification, a token is produced in the authentication server; then, calling a trust evaluation algorithm in the authentication server to calculate a trust evaluation value of the current user, inserting the trust evaluation value into the token, returning a verification result to the login server by the authentication server, and returning a token to the client by the login server; and finally, the token is stored by the client so as to be used when the server resource is requested.
As shown in fig. 2, the specific process of token-based resource request of the power mobile system is as follows: when a client user requests any resource, the client user firstly submits the request to a corresponding resource controller and then invokes an identity authentication service to carry out identity authentication; when the authentication service finds token information in the request object through the request object, verifying the validity of the token and judging the role, and judging whether the role level is matched with the level of the request resource; and after the validity of the token and the corresponding role are confirmed, requesting the corresponding resource service to acquire the resource required by the user, returning the result to the resource controller, and responding to the client user.
The working principle is as follows: adopting a Token-based identity authentication mechanism better solves the identity authentication problem in current Internet of Things application systems. A Token is a credential stored in the IoT application system for verifying the identity of the user. When an IoT client initiates a login or connection request, the server generates a character string as the user's access credential from the registration information of the user or the IoT terminal device and returns it to the client as the Token. Cherufeng, Zhou Jiang, Liuyi et al. ("Research on the network security system of a water resource management decision support system based on Token", Hydroelectric Power Generation, 1-7 [2021-10-11], J/OL) applied a Token identity authentication mechanism to a resource management system, raising the system's network security level and overcoming the defects of the traditional Session-based identity authentication mechanism.
The weight system of the trust evaluation is computed with the fuzzy analytic hierarchy process. On the basis of the collected and normalized decision matrix and the constructed hierarchical model weight system, the trust evaluation of the power mobile application uses the linear weighting method of interval-number multi-attribute decision making, and the results are ranked with an interval-number ranking method based on a Boolean matrix.
By integrating the related technologies, the invention provides a multi-attribute identity authentication mode based on trust evaluation by combining a trust evaluation technology and a token authentication method, embeds the trust evaluation value into a token, and authenticates the identity of a user by updating the token in real time, thereby giving corresponding authority.
Example 2:
On the basis of the foregoing embodiment 1, this embodiment verifies the continuous trust evaluation algorithm: MATLAB and Excel can be used to implement the decision matrix normalization, the weight calculation based on the fuzzy analytic hierarchy process, the comprehensive evaluation calculation and the other functions in the model, and the QoS index data of the services provided by application software, collected from the CloudHarmony website, are processed and evaluated to verify the effectiveness of the method.
The original data acquired from the CloudHarmony website are processed, the corresponding decision matrix is listed, and the decision matrix is normalized to obtain X' as follows:
Figure DEST_PATH_IMAGE012
According to the index data corresponding to the application software, the indexes obtained for the different user types are calculated, and the index weight matrix ω is obtained as follows:
Figure 613534DEST_PATH_IMAGE013
A fuzzy judgment matrix and a fuzzy consistency judgment matrix are established for the service data provided by the application, and finally the service weight vectors of three different client types (common user U1, staff U2 and manager U3) are obtained as follows:
U1=[0.31,0.10,0.32],
U2=[0.33,0.24,0.40],
U3=[0.56,0.22,0.81]
according to the formula
Figure DEST_PATH_IMAGE014
And formula
Figure DEST_PATH_IMAGE015
the comprehensive trust evaluation values of the three user types are finally obtained:
FU1=[0.0487,0.0824],
FU2=[0.0433,0.1074],
FU3=[0.0704,0.1381]
Ranking gives FU3 > FU2 > FU1;
the result shows that, in this application software, the trust evaluation value of the manager's services is the best and that of the common user's services is the worst.
Other parts of this embodiment are the same as those of embodiment 1, and thus are not described again.
Example 3:
On the basis of any of embodiments 1-2, as shown in fig. 3, this embodiment mixes a random-generation matrix encryption algorithm based on chaotic mapping with the RSA digital signature algorithm:
The key to generating the encryption key matrix with a chaotic function lies in constructing an invertible matrix from the random numbers produced by the chaotic function; this patent selects the logistic-map chaotic function to generate the encryption matrix.
One main definition of the logistic map is as follows:
Figure 584901DEST_PATH_IMAGE016
The specific steps of the chaos-mapping-based random-generation matrix encryption algorithm are as follows:
(1) First, the data to be encrypted are organized according to the dimension of the encryption key matrix and cut into (N × N) data blocks.
(2) If the data length is D, there may be D % (N × N) remaining data; these are placed into a last data block, which is filled up with N × N − D % (N × N) padding values, the padding being generated with the logistic chaotic function.
(3) The segmented and padded data blocks are encrypted in sequence, and then < D, e1, e2, e3, …, en > is sent to the receiver as the final encryption result, where D is the length of the original data and ei is the ith encrypted data block.
(4) After receiving the ciphertext, the receiver decrypts the encrypted data blocks in sequence using the decryption matrix, and then restores the original data according to the received original data length.
Let the generated chaotic invertible matrix be Q, its inverse be Q^-1, and the original data matrix be P. The encryption and decryption processes are as follows:
First, the original data matrix P is encrypted with the chaotic invertible encryption matrix Q, and the ciphertext matrix G is generated by that multiplication. Decryption is the inverse process: the matrix G is right-multiplied by the matrix Q^-1 to finally obtain the decrypted data matrix P.
The RSA digital signature algorithm is derived from the RSA public key cryptographic algorithm: it encrypts (signs) data with the private key and decrypts (verifies) the data with the public key.
Other parts of this embodiment are the same as any of embodiments 1-2 described above, and thus are not described again.
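Steps (1)-(4) and the Q / Q^-1 relation above, carried through in Python as an added example that is not the patent's code: the logistic parameter μ, the scaling of chaotic iterates to bytes, the re-seed rule when a drawn matrix is singular, and the seed used for padding are all assumptions, and the inverse is computed exactly over rational numbers so that G·Q^-1 reproduces P without rounding error.

```python
from fractions import Fraction

MU = 3.99  # logistic-map parameter in the chaotic regime; assumed, the page gives no value


def logistic_stream(x0, count, mu=MU, burn_in=100):
    """Iterate x_{n+1} = mu * x_n * (1 - x_n); return `count` values after `burn_in` warm-up."""
    x = x0
    for _ in range(burn_in):
        x = mu * x * (1 - x)
    out = []
    for _ in range(count):
        x = mu * x * (1 - x)
        out.append(x)
    return out


def chaotic_bytes(x0, count, mu=MU, burn_in=100):
    """Map chaotic iterates in (0, 1) to integers 0..255 (assumed scaling)."""
    return [int(v * 256) for v in logistic_stream(x0, count, mu, burn_in)]


def invert(M):
    """Exact inverse of an integer matrix by Gauss-Jordan over Fractions; None if singular."""
    n = len(M)
    A = [[Fraction(M[i][j]) for j in range(n)] + [Fraction(int(i == j)) for j in range(n)]
         for i in range(n)]
    for c in range(n):
        p = next((r for r in range(c, n) if A[r][c] != 0), None)
        if p is None:
            return None
        A[c], A[p] = A[p], A[c]
        piv = A[c][c]
        A[c] = [v / piv for v in A[c]]
        for r in range(n):
            if r != c and A[r][c] != 0:
                f = A[r][c]
                A[r] = [x - f * y for x, y in zip(A[r], A[c])]
    return [row[n:] for row in A]


def key_matrix(x0, n, mu=MU):
    """N x N invertible key matrix Q and its inverse, drawn from the stream seeded by (x0, mu).
    If a draw is singular the stream is advanced one iterate and redrawn (assumed rule)."""
    seed = x0
    while True:
        vals = chaotic_bytes(seed, n * n, mu)
        Q = [vals[i * n:(i + 1) * n] for i in range(n)]
        Q_inv = invert(Q)
        if Q_inv is not None:
            return Q, Q_inv
        seed = logistic_stream(seed, 1, mu)[0]


def matmul(A, B):
    return [[sum(a * b for a, b in zip(row, col)) for col in zip(*B)] for row in A]


def encrypt(data, x0, n, mu=MU):
    """Steps (1)-(3): cut into N*N blocks, pad the last block from the chaotic function, G = P*Q."""
    Q, _ = key_matrix(x0, n, mu)
    size, D = n * n, len(data)
    rem = D % size
    pad = chaotic_bytes(x0, size - rem, mu, burn_in=500) if rem else []  # no padding when D fits
    buf = list(data) + pad
    blocks = [buf[i:i + size] for i in range(0, len(buf), size)]
    cipher = [matmul([blk[r * n:(r + 1) * n] for r in range(n)], Q) for blk in blocks]
    return D, cipher


def decrypt(D, cipher, x0, n, mu=MU):
    """Step (4): P = G * Q^-1 block by block, then truncate to the original length D."""
    _, Q_inv = key_matrix(x0, n, mu)
    out = []
    for G in cipher:
        out.extend(int(v) for row in matmul(G, Q_inv) for v in row)
    return bytes(out[:D])
```

Because G = P·Q is linear in P, a practitioner should treat the matrix step as one layer inside a design that also carries a standard authenticated cipher and the RSA signature the patent pairs it with, not as a standalone confidentiality primitive.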
The above description is only a preferred embodiment of the present invention, and is not intended to limit the present invention in any way, and all simple modifications and equivalent variations of the above embodiments according to the technical spirit of the present invention are included in the scope of the present invention.

Claims (10)

1. A multi-attribute identity authentication method based on continuous trust evaluation is characterized in that trust evaluation is carried out on a user based on a continuous trust evaluation method to obtain a trust evaluation value; then embedding the trust evaluation value into the token, and authenticating the identity of the user through real-time updating of the token, so that the user is given the authority under the corresponding continuous trust value; meanwhile, in the authentication process, encryption and decryption are performed by mixing a random generation matrix encryption algorithm based on chaotic mapping and an RSA digital signature algorithm, so that the authentication safety is improved.
2. The multi-attribute identity authentication method based on continuous trust evaluation as claimed in claim 1, wherein the specific operation of authentication is as follows:
firstly, a system of a mobile application logs in based on token: when logging in for the first time, a client user initiates a login request, inputs a user name and a password and sends the request to a login server; the login server calls an authentication service, the authentication service acquires user information through a user information database and verifies the accuracy of a user name and a password, and if the user information passes the verification, a token is produced in the authentication server; then, calling a trust evaluation algorithm in the authentication server to calculate a trust evaluation value of the current user, inserting the trust evaluation value into the token, returning a verification result to the login server by the authentication server, and returning the token to the client by the login server; finally, the token is stored by the client so as to be used when the server resource is requested;
then, the system of the mobile application performs the following operations based on the token: when a client user requests any resource, the client user first submits the request to the corresponding resource controller, which then invokes the identity authentication service to carry out identity authentication; when the authentication service finds token information in the request object, it verifies the validity of the token, determines the role, and judges whether the role level matches the level of the requested resource; after the validity of the token and the corresponding role are confirmed, the corresponding resource service is requested to acquire the resource required by the user, the result is returned to the resource controller, and the client user receives the response.
3. The multi-attribute identity authentication method based on continuous trust evaluation as claimed in claim 1, wherein the trust evaluation is performed on the user based on the continuous trust evaluation method, and the process of obtaining the trust evaluation value specifically comprises the following steps:
step 1: building a trust evaluation model, and evaluating the mobile application by using a multi-attribute decision method;
step 2: constructing a decision matrix reflecting the multiple attributes of the QoS intervals, and carrying out index standardization processing;
step 3: adopting FAHP to establish a hierarchical structure model weight system;
step 4: calculating all index weight sets of all cloud services of the service layer to obtain an index weight matrix, and providing weights for trust evaluation by using the index weight matrix;
step 5: calculating the comprehensive trust evaluation value of the user types of different mobile applications.
4. The multi-attribute identity authentication method based on continuous trust evaluation as claimed in claim 3, wherein the step 1 comprises the following steps:
step 1.1: constructing a trust evaluation model; the trust evaluation model adopts a hierarchical analysis model form and comprises a user layer, an index layer and a service layer;
the user layer represents the classification of mobile application user types; denoting the user layer by T, the user layer set is $T = \{t_1, t_2, \ldots, t_k\}$, where k is the number of user types;
the service layer is the mobile application host object on which continuous trust evaluation is performed; if the services provided by the mobile application are denoted by S, then $S = \{s_{11}, s_{12}, \ldots, s_{km}\}$, where $s_{km}$ is the mth service of mobile application k and m is the number of services of the relevant application k;
the index layer contains the measurement indexes of the services provided by the mobile application in the service layer and describes the service operating condition of the mobile application; denoting the index layer by Q, $Q = \{q_{11}, q_{12}, \ldots, q_{mn}\}$, where $q_{mn}$ is the nth QoS index of the mth service;
step 1.2: monitoring and collecting QoS index data of the application operation process; the QoS index data measure the ability of the mobile application service to meet user requirements and comprise indexes of safety, reliability, cost, performance and availability, which influence and restrict each other and change dynamically; in view of the dynamic nature of the power mobile application index data, the collected QoS index data are expressed in interval-number form and processed in a unified, standardized way;
step 1.3: in order to reasonably express the membership relationship between a user layer and a service layer in the hierarchical model and between the service layer and an index layer, a weight system of trust evaluation is calculated by adopting a fuzzy analytic hierarchy process according to the influence degree of a lower layer in the hierarchical structure of the trust evaluation model on an upper layer; and based on the collected and unified normalized decision matrix and the constructed hierarchical structure model weight system, evaluating by adopting a linear weighting method in interval number multi-attribute decision to evaluate the trust of the mobile application.
5. The multi-attribute identity authentication method based on continuous trust evaluation as claimed in claim 4, wherein the step 2 specifically comprises the following steps:
step 2.1: constructing a decision matrix reflecting the multiple attributes of the QoS intervals; the specific operation is as follows:
let $q^l, q^h$ be two real numbers, $q^l, q^h \in \mathbb{R}$, with $q^l \le q^h$; then $q = [q^l, q^h]$ is called an interval number, where $q^l$ is the lower bound of the interval number (the superscript l of $q^l$ marks the lower-bound value) and $q^h$ is the upper bound of the interval number (the superscript h of $q^h$ marks the upper-bound value); when $q^l$ and $q^h$ are equal, the interval number is a real number;
for the jth QoS index of the ith application operation of the kth user, denoted $q_{ij}$, let $q_{ij}^l$ represent the lower bound of the index operating data during the test and $q_{ij}^h$ the upper bound of the index operating data during the test; then $q_{ij}$ has the interval-number form $q_{ij} = [q_{ij}^l, q_{ij}^h]$;
Based on the collected index data reflecting the QoS, data classification is carried out according to different index attributes, and a decision matrix X reflecting the multiple attributes of the QoS intervals is constructed as follows:
Figure DEST_PATH_IMAGE004
in the formula: m is the service number, n is the QoS index number, and s is the index number of QoS.
6. The multi-attribute identity authentication method based on continuous trust evaluation as claimed in claim 5, wherein the step 2 further comprises the following steps:
step 2.2: carrying out index normalization processing based on the vector normalization principle; the specific operations are as follows:
dividing the QoS index into a benefit index and a cost index from the property; the benefit type index refers to an index which is better when the numerical value is larger; the cost index refers to an index which is better when the numerical value is smaller;
according to the interval number algorithm, the normalization processing is carried out based on the vector normalization principle, and the specific processing formula is as follows:
for benefit type indicators in the decision matrix X, the normalized formula is processed as follows:
Figure DEST_PATH_IMAGE005
for the cost type index in the decision matrix X, the normalized formula is as follows:
Figure DEST_PATH_IMAGE006
the processing formula of the decision matrix X' obtained after the decision matrix X is subjected to the standardized processing is as follows:
Figure DEST_PATH_IMAGE007
wherein, ()' represents the value after the normalized formula processing of the benefit type index in the decision matrix X.
7. The multi-attribute identity authentication method based on continuous trust evaluation as claimed in claim 6, wherein the specific operation of the step 3 is:
step 3.1: establishing a hierarchical structure model weight system by adopting a Fuzzy Analytic Hierarchy Process (FAHP), and establishing fuzzy judgment matrixes of an index layer and a service layer;
step 3.2: establishing fuzzy judgment matrixes of different user types according to the different user types;
step 3.3: performing a consistency check on each fuzzy judgment matrix to ensure consistency between the importance degrees of the elements in the fuzzy judgment matrix.
8. The multi-attribute identity authentication method based on continuous trust evaluation according to claim 7, wherein the step 3.1 specifically comprises the following operations:
step 3.1.1: firstly, establishing a fuzzy consistency judgment matrix, and then calculating the combination weight of each layer of constituent elements to a total target;
step 3.1.2: comparing each index of the service according to a '0.1-0.9' scaling method to obtain the membership degree between each two indexes, and establishing a fuzzy judgment matrix R of an index layer;
step 3.1.3: for the ith service in the service layer, a fuzzy judgment matrix $R_i$ is established from the membership degrees between the indexes of that service; the specific operation is as follows:
Figure DEST_PATH_IMAGE008
where $r_{kj}$ denotes the jth QoS index value of the kth application service;
the membership degrees of the fuzzy judgment matrix quantify the relationships between different indexes from actually collected data, which suits the calculation of weights under multi-attribute uncertainty; the service-layer fuzzy judgment matrices $R_1, R_2, \ldots, R_m$ are established in the same way.
9. The multi-attribute identity authentication method based on continuous trust evaluation as claimed in claim 6, wherein the specific operation of the step 4 is as follows:
calculating the application attribute index weight by adopting a fuzzy judgment matrix weight formula;
the weight of the jth QoS index of the ith application attribute is denoted $\omega_{ij}$, and the calculation formula is as follows:
Figure DEST_PATH_IMAGE009
where $r_{ij}$ denotes the jth QoS index value of the ith application service, g is the number of indexes of the cloud service, and $a = (g-1)/2$;
finally, all index weight sets of all cloud services of the service layer are calculated to obtain the index weight matrix $\omega$; the index weight matrix $\omega$ provides the weights for trust evaluation.
10. The multi-attribute identity authentication method based on continuous trust evaluation as claimed in claim 9, wherein the specific operation of the step 5 is as follows:
the comprehensive evaluation value of the cth application attribute is denoted $T_c$ and is computed with the linear weighting method as follows:
Figure DEST_PATH_IMAGE010
where $(q_{xy})'$ is the QoS index data in row x and column y of $X'$, and $\omega_{ij}$ is the jth index weight value of the ith attribute in the index weight matrix $\omega$;
the comprehensive evaluation value of a cloud provider is calculated from the comprehensive evaluation results of each of its cloud services and the service weight set of that cloud provider:
$F_d$ denotes the comprehensive evaluation value of the dth user type, and the calculation formula is as follows:
Figure 101788DEST_PATH_IMAGE011
where $(T_{\alpha c})'$ is the comprehensive evaluation value of the cth cloud service of cloud provider α, and $v_{\alpha\beta}$ is the weight value of the βth cloud service of the αth cloud provider in the matrix v; the comprehensive evaluation values of the different mobile application user types are calculated in the same way.
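The evaluation pipeline of Example 2 and claims 5-10, carried through in Python as an added example (not the patent's MATLAB/Excel work): interval vector normalization of a benefit/cost decision matrix, FAHP weights from a 0.1-0.9 fuzzy judgment matrix using the a = (g-1)/2 weight formula with its consistency statistic, interval linear weighting per service and per user type, and Boolean-matrix ranking by possibility degree. The QoS sample data and the index judgment matrix are constructed; the normalization and possibility-degree formulas are the standard ones assumed in place of the image equations on the page; one index judgment matrix is applied to all services; the service weight vectors U1-U3 are the page's own.

```python
import math

# Constructed interval QoS data for 3 services x 3 indexes (availability, response time in ms,
# price); assumed sample values, not the CloudHarmony data of the patent's Example 2.
X = [[(0.95, 0.99), (120, 180), (2, 3)],
     [(0.90, 0.97), (80, 150), (3, 4)],
     [(0.98, 0.995), (200, 260), (1, 2)]]
KINDS = ["benefit", "cost", "cost"]  # benefit: larger is better; cost: smaller is better
# Constructed 0.1-0.9 fuzzy judgment matrix over the 3 indexes (r_ij + r_ji = 1, r_ii = 0.5).
R_INDEX = [[0.5, 0.7, 0.6],
           [0.3, 0.5, 0.4],
           [0.4, 0.6, 0.5]]
# Service weight vectors U1 (common user), U2 (staff), U3 (manager) quoted from Example 2.
USER_SERVICE_WEIGHTS = {"U1": [0.31, 0.10, 0.32], "U2": [0.33, 0.24, 0.40], "U3": [0.56, 0.22, 0.81]}

def normalize(X, kinds):
    """Vector normalization of an interval decision matrix, column by column (claim 6).
    Assumed standard rules: benefit lo'=lo/sqrt(sum hi^2), hi'=hi/sqrt(sum lo^2);
    cost uses the reciprocals, lo'=(1/hi)/sqrt(sum (1/lo)^2), hi'=(1/lo)/sqrt(sum (1/hi)^2)."""
    m, n = len(X), len(X[0])
    Xn = [[None] * n for _ in range(m)]
    for j in range(n):
        col = [X[i][j] for i in range(m)]
        if kinds[j] == "benefit":
            dh = math.sqrt(sum(h * h for _, h in col))
            dl = math.sqrt(sum(l * l for l, _ in col))
            for i, (l, h) in enumerate(col):
                Xn[i][j] = (l / dh, h / dl)
        else:
            dl = math.sqrt(sum((1 / l) ** 2 for l, _ in col))
            dh = math.sqrt(sum((1 / h) ** 2 for _, h in col))
            for i, (l, h) in enumerate(col):
                Xn[i][j] = ((1 / h) / dl, (1 / l) / dh)
    return Xn

def fahp_weights(R):
    """FAHP weights (claims 8-9): build the fuzzy consistency matrix C from the row sums of R,
    then omega_i = 1/g - 1/(2a) + sum_j C_ij / (g*a) with a = (g-1)/2 as on the page.
    Returns the weights and max |R_ij - C_ij| as the consistency-check statistic (step 3.3)."""
    g = len(R)
    rows = [sum(r) for r in R]
    C = [[(rows[i] - rows[j]) / (2 * g) + 0.5 for j in range(g)] for i in range(g)]
    a = (g - 1) / 2
    w = [1 / g - 1 / (2 * a) + sum(C[i]) / (g * a) for i in range(g)]
    dev = max(abs(R[i][j] - C[i][j]) for i in range(g) for j in range(g))
    return w, dev

def service_scores(Xn, omega):
    """Linear weighting (claim 10): T_c = sum_j omega_cj * q'_cj, kept as an interval."""
    return [(sum(w * q[0] for w, q in zip(omega[c], Xn[c])),
             sum(w * q[1] for w, q in zip(omega[c], Xn[c]))) for c in range(len(Xn))]

def user_scores(T, user_weights):
    """F_d = sum_c v_dc * T_c for every user type d (claim 10)."""
    return {d: (sum(v * t[0] for v, t in zip(vec, T)), sum(v * t[1] for v, t in zip(vec, T)))
            for d, vec in user_weights.items()}

def possibility(a, b):
    """Possibility degree that interval a >= interval b (assumed standard formula)."""
    la, lb = a[1] - a[0], b[1] - b[0]
    if la + lb == 0:  # both degenerate to real numbers: plain comparison
        return 1.0 if a[0] > b[0] else (0.5 if a[0] == b[0] else 0.0)
    return min(max((a[1] - b[0]) / (la + lb), 0.0), 1.0)

def rank_intervals(F):
    """Boolean-matrix ranking: B_ij = 1 when F_i >= F_j with possibility >= 0.5; order by row sum."""
    names = list(F)
    row_sum = {i: sum(1 for j in names if possibility(F[i], F[j]) >= 0.5) for i in names}
    return sorted(names, key=lambda d: -row_sum[d])

def evaluate(X, kinds, R, user_weights):
    """Whole pipeline: normalize, weight, score per service, score per user type, rank."""
    Xn = normalize(X, kinds)
    w, dev = fahp_weights(R)
    omega = [w] * len(X)  # one R for all services here; the patent uses an R_i per service
    F = user_scores(service_scores(Xn, omega), user_weights)
    return F, rank_intervals(F), dev
```

Feeding the page's own FU1-FU3 intervals to rank_intervals reproduces the ordering FU3 > FU2 > FU1 stated in Example 2.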
CN202211263999.XA 2022-10-17 2022-10-17 Multi-attribute identity authentication method based on continuous trust evaluation Pending CN115333755A (en)

Publications (1)

Publication Number Publication Date
CN115333755A true CN115333755A (en) 2022-11-11

Family

ID=83915438

Country Status (1)

Country Link
CN (1) CN115333755A (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115834252A (en) * 2023-02-09 2023-03-21 中国证券登记结算有限责任公司 Service access method and system
CN116032552A (en) * 2022-12-13 2023-04-28 国网湖北省电力有限公司电力科学研究院 Side-end side equipment interaction real-time continuous trust evaluation method of electric power system
CN116305225A (en) * 2023-05-24 2023-06-23 山东梧桐树软件有限公司 User data encryption protection method used in online payment process

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2000031644A1 (en) * 1998-11-25 2000-06-02 The Commonwealth Of Australia High assurance digital signatures
CN113596009A (en) * 2021-07-23 2021-11-02 中国联合网络通信集团有限公司 Zero trust access method, system, zero trust security proxy, terminal and medium
CN114567473A (en) * 2022-02-23 2022-05-31 南通大学 Zero-trust mechanism-based Internet of vehicles access control method
CN114615328A (en) * 2022-01-26 2022-06-10 北京美亚柏科网络安全科技有限公司 Safety access control system and method
WO2022146472A1 (en) * 2020-12-31 2022-07-07 EMC IP Holding Company LLC A method for protecting edge device trust score

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
GUO JING: ""Multi-attribute Authentication Method Based on Continuous Trust Evaluation"", 《INTERNATIONAL CONFERENCE ON SMART COMPUTING AND COMMUNICATION》 *
余海等: "零信任体系技术研究", 《通信技术》 *


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20221111