CN115550074B - Zero trust verification method, device and system and electronic equipment - Google Patents


Info

Publication number
CN115550074B
Authority
CN
China
Prior art keywords
target
characteristic value
information
equipment
safety information
Prior art date
Legal status
Active
Application number
CN202211519628.3A
Other languages
Chinese (zh)
Other versions
CN115550074A (en)
Inventor
常进
张斌
李继国
Current Assignee
Eetrust Technology Co ltd
Original Assignee
Eetrust Technology Co ltd
Priority date
Filing date
Publication date
Application filed by Eetrust Technology Co ltd
Priority to CN202211519628.3A
Publication of CN115550074A
Application granted
Publication of CN115550074B
Legal status: Active (current)
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L 63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L 12/00 Data switching networks
    • H04L 12/66 Arrangements for connecting between networks having differing types of switching systems, e.g. gateways
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/0884 Network architectures or network communication protocols for network security for authentication of entities by delegation of authentication, e.g. a proxy authenticates an entity to be authenticated on behalf of this entity vis-à-vis an authentication entity
    • H04L 63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L 9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L 2209/00 Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L 9/00
    • H04L 2209/76 Proxy, i.e. using intermediary entity to perform cryptographic operations

Abstract

The application discloses a zero trust verification method, device, system and electronic equipment. The method comprises the following steps: generating device state security information for a target terminal device according to the environmental security condition of the target terminal device, and generating a security information characteristic value from the device state security information; after the target terminal device generates a first target packet, adding the device state security information and the security information characteristic value to the first target packet at the network layer to obtain a second target packet; sending the second target packet to a target gateway, where the target gateway parses the second target packet at the network layer, determines the security state of the target terminal device from the device state security information and the security information characteristic value, and forwards the first target packet to a server providing the target service resource when the terminal device is determined to be secure; and receiving the target service resource returned by the server according to the first target packet.

Description

Zero trust verification method, device and system and electronic equipment
Technical Field
The application relates to the field of network security, and in particular to a zero trust verification method, device, system and electronic equipment.
Background
In the prior art, when a user wants to access certain service resources, usually only the identity of the accessing user is authenticated; the security environment of the device the user is using is not verified, so the security of the zero trust verification process cannot be ensured and data leakage is easily caused.
No effective solution to the above problem has been proposed.
Disclosure of Invention
The embodiments of the application provide a zero trust verification method, device, system and electronic equipment, so as to at least solve the technical problem in the related art that the security of the verification process cannot be ensured because the security environment of the terminal device cannot be verified.
According to an aspect of the embodiments of the present application, a zero trust verification method is provided, including: generating device state security information for a target terminal device according to the environmental security condition of the target terminal device, and generating a security information characteristic value from the device state security information, where the device state security information and the security information characteristic value are used to confirm the security state of the target terminal device; after the target terminal device generates a first target packet, adding the device state security information and the security information characteristic value to the first target packet at the network layer to obtain a second target packet, where the second target packet is used to access a target service resource and to authenticate the target terminal device; sending the second target packet to a target gateway, where the target gateway parses the second target packet at the network layer, obtains the device state security information, the security information characteristic value and the first target packet, determines the security state of the target terminal device from the device state security information and the security information characteristic value, and forwards the first target packet to a server providing the target service resource when the target terminal device is determined to be secure; and receiving the target service resource forwarded by the target gateway acting as proxy, where the target service resource is the service resource provided by the server according to the first target packet.
Optionally, generating the security information characteristic value from the device state security information includes: obtaining terminal hardware information of the target terminal device, and obtaining a device key corresponding to the target terminal device, where the device key is calculated from the terminal hardware information; and generating the security information characteristic value from the device key and the device state security information.
Optionally, generating the security information characteristic value from the device key and the device state security information includes: performing a cryptographic generation operation on the device state security information using a cryptographic generation algorithm and the device key, to produce the security information characteristic value.
Optionally, adding the device state security information and the security information characteristic value to the first target packet to obtain the second target packet includes: obtaining routing configuration information corresponding to the target gateway; re-encapsulating the first target packet at the network layer according to the routing configuration information and, during encapsulation, setting the destination address and port of the first target packet to point to the target gateway; and adding the encrypted device state security information and the security information characteristic value to the header of the encapsulated first target packet to obtain the second target packet.
Optionally, obtaining the device key corresponding to the target terminal device, which is calculated from the terminal hardware information, includes: sending the terminal hardware information and a registration request to a target control center, where the target control center calculates the device key from the terminal hardware information once the registration request is approved; and receiving the device key sent by the target control center.
Optionally, generating the device state security information for the target terminal device according to its environmental security condition and generating the security information characteristic value from it includes: scanning the device state of the target terminal device at a preset frequency to obtain the device state security information, and generating a new security information characteristic value each time the device state security information is obtained.
Optionally, the device state security information includes at least one of: indication information indicating whether a boot password is set, system patch information of the target terminal device, firewall information of the target terminal device, security program information of the target terminal device, whether the whitelist program list information of the target terminal device satisfies a first preset condition, and whether the blacklist program list information of the target terminal device satisfies a second preset condition.
According to another aspect of the embodiments of the present application, a further zero trust verification method is provided, including: receiving a second target packet sent by a target terminal device, where the second target packet carries device state security information and a first security information characteristic value of the target terminal device together with a first target packet, and the first target packet is used to access a target service resource; parsing the second target packet to obtain the device state security information, the first security information characteristic value and the first target packet; determining the security state of the target terminal device from the device state security information and the first security information characteristic value; and, when the security state of the target terminal device is determined to be secure, forwarding the first target packet as proxy to a server providing the target service resource, where the first target packet instructs the server to send the target service resource to the target terminal device through the target gateway.
Optionally, determining the security state of the target terminal device from the device state security information and the first security information characteristic value includes: searching a target storage space for a second security information characteristic value matching the first security information characteristic value; determining that the security state of the target terminal device is secure when the second security information characteristic value is found; when it is not found, sending the device state security information and the first security information characteristic value to a target control center, where the target control center calculates a third security information characteristic value from the device state security information and the device key of the target terminal device and verifies the first security information characteristic value against the third security information characteristic value; receiving verification information sent by the target control center when the first security information characteristic value passes verification; and determining the security state of the target terminal device from the verification information.
Optionally, after receiving the verification information sent by the target control center, the zero trust verification method further includes: when the verification information indicates that the security state of the target terminal device is secure, determining device identification information of the target terminal device from the second target packet; taking the first security information characteristic value as the second security information characteristic value and establishing an association between the device identification information and the second security information characteristic value; and storing the device identification information and the second security information characteristic value in the target storage space.
Optionally, after storing the device identification information and the second security information characteristic value in the target storage space, the zero trust verification method further includes: deleting the device identification information and the second security information characteristic value when no second target packet from the target terminal device is received within a preset time length.
According to another aspect of the embodiments of the present application, a zero trust verification system is also provided, including: a target terminal device, a target gateway, a service resource server and a control center, where the target terminal device is configured to perform the zero trust verification method of any one of claims 1 to 7; the target gateway is configured to perform the zero trust verification method of any one of claims 8 to 11; and the control center is configured to obtain terminal hardware information of the target terminal device, calculate the device key corresponding to the target terminal device from the terminal hardware information and send it, and to obtain the device state security information and the first security information characteristic value sent by the target gateway, verify them, and send verification information to the target gateway.
Optionally, the control center verifying the device state security information includes: determining identification information of the target terminal device; determining the device key corresponding to the target terminal device from the identification information; decrypting the device state security information with the device key; and verifying the decrypted device state security information to determine whether the security state of the target terminal device satisfies a preset condition.
Optionally, the control center verifying the first security information characteristic value includes: generating a third security information characteristic value from the device state security information and the device key; and checking the first security information characteristic value against the third security information characteristic value to determine whether the first security information characteristic value has been tampered with.
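The terminal-side steps (device key from hardware information, characteristic value generation, re-encapsulation of the first target packet) and the gateway and control-center steps (lookup in the target storage space, fallback to the control center, recomputation of the third characteristic value, expiry of idle entries) fit together as one small runnable model. The code below is an added example and is not code from the patent or from Eetrust. Since the page names no algorithm or packet format, everything concrete is an assumption: HMAC-SHA256 for both the device key derivation (keyed by a control-center master secret) and the characteristic value, an HMAC-SHA256 counter-mode keystream as a stand-in for the unnamed cipher, the `ZTV1` header layout, the JSON field names, and the policy thresholds.

```python
import hashlib
import hmac
import json
import os
import struct

MAGIC = b"ZTV1"  # constructed tag marking a second target packet
STATE_FIELDS = ("boot_password_set", "missing_patches", "firewall_on",
                "security_program_running", "whitelist_ok", "blacklist_ok")  # fields from the page

# Device key (control-center side). Assumption: the page only says the key is computed from
# terminal hardware information; here it is an HMAC of that information under a master secret.
def derive_device_key(master_secret: bytes, hw_info: str) -> bytes:
    return hmac.new(master_secret, hw_info.encode(), hashlib.sha256).digest()

# Encryption stand-in (assumption): the page names no cipher and the standard library has
# no AEAD, so an HMAC-SHA256 keystream in counter mode under a fresh random nonce is used.
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = (hmac.new(key, nonce + struct.pack(">I", i), hashlib.sha256).digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]

def encrypt_state(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)
    return nonce + bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))

def decrypt_state(key: bytes, blob: bytes) -> bytes:
    nonce, body = blob[:16], blob[16:]
    return bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body))))

# Characteristic value: HMAC under the device key over the encrypted state bytes
# (encrypt-then-MAC; the page leaves the exact MAC input unspecified).
def characteristic_value(device_key: bytes, enc_state: bytes) -> bytes:
    return hmac.new(device_key, enc_state, hashlib.sha256).digest()

# ---- Terminal side ----
def collect_device_state(**fields) -> bytes:
    """Device state security information, serialised canonically; keys are STATE_FIELDS."""
    assert set(fields) == set(STATE_FIELDS), "unexpected state fields"
    return json.dumps(fields, sort_keys=True).encode()

def seal_state(device_key: bytes, state: bytes) -> tuple:
    """Run once per scan (the page's preset frequency); the result is reused per packet."""
    enc = encrypt_state(device_key, state)
    return enc, characteristic_value(device_key, enc)

def build_second_packet(device_id: str, enc_state: bytes, cv: bytes, first_packet: bytes) -> bytes:
    """Header (device id, encrypted state, characteristic value) followed by the unchanged
    first packet; pointing the outer destination at the gateway is the sending socket's job."""
    did = device_id.encode()
    return MAGIC + struct.pack(">HH", len(did), len(enc_state)) + did + enc_state + cv + first_packet

def parse_second_packet(packet: bytes) -> tuple:
    if packet[:4] != MAGIC:
        raise ValueError("not a second target packet")
    did_len, enc_len = struct.unpack(">HH", packet[4:8])
    p = 8
    device_id, p = packet[p:p + did_len].decode(), p + did_len
    enc_state, p = packet[p:p + enc_len], p + enc_len
    return device_id, enc_state, packet[p:p + 32], packet[p + 32:]

# ---- Control center ----
def policy_ok(state: dict) -> bool:
    """The page's 'preset condition' on the decrypted state (thresholds are constructed)."""
    return bool(state["boot_password_set"] and state["missing_patches"] == 0
                and state["firewall_on"] and state["security_program_running"]
                and state["whitelist_ok"] and state["blacklist_ok"])

class ControlCenter:
    def __init__(self, master_secret: bytes):
        self.master_secret, self.keys = master_secret, {}  # device id -> device key

    def register(self, device_id: str, hw_info: str) -> bytes:
        self.keys[device_id] = derive_device_key(self.master_secret, hw_info)
        return self.keys[device_id]

    def verify(self, device_id: str, enc_state: bytes, first_cv: bytes) -> bool:
        """Recompute the third characteristic value, compare in constant time, then check policy."""
        key = self.keys.get(device_id)
        if key is None or not hmac.compare_digest(first_cv, characteristic_value(key, enc_state)):
            return False  # unknown device, or characteristic value mismatch (tampered)
        return policy_ok(json.loads(decrypt_state(key, enc_state)))

# ---- Gateway ----
class Gateway:
    def __init__(self, control_center: ControlCenter, ttl_seconds: float):
        self.cc, self.ttl = control_center, ttl_seconds
        self.store = {}  # the page's target storage space: device id -> (second cv, last seen)

    def handle(self, packet: bytes, now: float) -> tuple:
        """Returns (forward, first_packet). The gateway holds no device key, so on a cache
        miss it asks the control center and caches the verdict only if verification passes."""
        device_id, enc_state, first_cv, first_packet = parse_second_packet(packet)
        self._expire(now)
        cached = self.store.get(device_id)
        if cached is None or not hmac.compare_digest(cached[0], first_cv):
            if not self.cc.verify(device_id, enc_state, first_cv):
                return False, None
        self.store[device_id] = (first_cv, now)  # cache verdict, refresh last-seen time
        return True, first_packet

    def _expire(self, now: float) -> None:
        """Drop entries for devices that sent no second packet within the preset time."""
        for did in [d for d, (_, seen) in self.store.items() if now - seen > self.ttl]:
            del self.store[did]
```

Two design points follow from the page's split of roles: the gateway never holds a device key, so it can only compare the incoming first characteristic value against a cached second value and must defer anything else to the control center, and the expiry time bounds how long a verdict obtained from the control center is reused at the gateway without a fresh check. Both comparisons use `hmac.compare_digest` so that a mismatch does not leak timing information about the expected value.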
According to another aspect of the embodiments of the present application, a zero trust verification apparatus is also provided, including: a first processing module for generating device state security information for a target terminal device according to the environmental security condition of the target terminal device and generating a security information characteristic value from the device state security information, where the device state security information and the security information characteristic value are used to confirm the security state of the target terminal device; a second processing module for adding the device state security information and the security information characteristic value to a first target packet at the network layer, after the first target packet is generated by the target terminal device, to obtain a second target packet, where the second target packet is used to access a target service resource and to authenticate the target terminal device; a first communication module for sending the second target packet to a target gateway, where the target gateway parses the second target packet at the network layer, obtains the device state security information, the security information characteristic value and the first target packet, determines the security state of the target terminal device from the device state security information and the security information characteristic value, and forwards the first target packet to a server providing the target service resource when the target terminal device is determined to be secure; and a second communication module for receiving the target service resource forwarded by the target gateway acting as proxy, where the target service resource is the service resource provided by the server according to the first target packet.
According to another aspect of the embodiments of the present application, an electronic device is also provided, including a memory and a processor, where the processor is configured to execute a program stored in the memory, and the program, when running, performs a zero trust verification method.
In the embodiments of the application, device state security information for a target terminal device is generated according to the environmental security condition of the target terminal device, and a security information characteristic value is generated from the device state security information, where the device state security information and the security information characteristic value are used to confirm the security state of the target terminal device; after the target terminal device generates a first target packet, the device state security information and the security information characteristic value are added to the first target packet at the network layer to obtain a second target packet, where the second target packet is used to access a target service resource and to authenticate the target terminal device; the second target packet is sent to a target gateway, where the target gateway parses the second target packet at the network layer, obtains the device state security information, the security information characteristic value and the first target packet, determines the security state of the target terminal device from the device state security information and the security information characteristic value, and forwards the first target packet to a server providing the target service resource when the terminal device is determined to be secure; and the target service resource forwarded by the target gateway acting as proxy is received, where the target service resource is the service resource provided by the server according to the first target packet. Because a security authentication message and a security information characteristic value are generated from the device state security information of the terminal device, added to the first target packet, and then verified by the
gateway, the device security environment of the terminal device is verified while the service resource is being accessed, the technical effect of ensuring the security of the zero trust verification process is achieved, and the technical problem in the related art that the security of the verification process cannot be ensured because the security environment of the terminal device cannot be verified is solved.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the application and together with the description serve to explain the application and not to limit the application. In the drawings:
FIG. 1 is a schematic diagram of a computer terminal according to an embodiment of the present application;
FIG. 2 is a flow chart diagram of a zero trust verification method according to an embodiment of the present application;
FIG. 3 is a flow chart diagram of another zero trust verification method according to an embodiment of the present application;
FIG. 4 is a schematic structural diagram of a zero trust verification system according to an embodiment of the present application;
FIG. 5 is a flow diagram illustrating a zero trust verification process according to an embodiment of the present application;
fig. 6 is a schematic structural diagram of a zero trust verification apparatus according to an embodiment of the present application.
Detailed Description
In order to make the technical solutions of the present application better understood by those skilled in the art, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only some embodiments of the present application, and not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
It should be noted that the terms "first," "second," and the like in the description and claims of this application and in the accompanying drawings are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It should be understood that the data so used may be interchanged under appropriate circumstances such that embodiments of the application described herein may be implemented in sequences other than those illustrated or described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
In current zero trust security authentication systems, although the user's identity is authenticated continuously, whether the terminal device used by the user is secure cannot be determined, so a risk of data leakage exists. In view of this, the present application provides a zero trust security authentication method that adds device state security information to each data packet sent by the terminal device the user is using: the security information of the terminal device is collected in real time throughout the data access process, encapsulated into each data packet, sent to a specific target gateway, and then verified by the target gateway. This is described in detail below.
In accordance with an embodiment of the present application, a method embodiment of a zero trust verification method is provided. It should be noted that the steps illustrated in the flowcharts of the drawings may be performed in a computer system as a set of computer-executable instructions, and that although a logical order is illustrated in the flowcharts, in some cases the steps illustrated or described may be performed in an order different from that presented here.
The method provided by the embodiments of the application can be executed on a mobile terminal, a computer terminal or a similar computing device. Fig. 1 shows a schematic structural diagram of a computer terminal (or mobile device) for implementing a zero trust verification method. As shown in fig. 1, the computer terminal 10 (or mobile device 10) may include one or more processors 102 (shown as 102a, 102b, …, 102n; processor 102 may include, but is not limited to, a processing device such as a microprocessor (MCU) or a programmable logic device (FPGA)), a memory 104 for storing data, and a transmission module 106 for communication functions. In addition, the computer terminal may also include: a display, an input/output interface (I/O interface), a Universal Serial Bus (USB) port (which may be included as one of the ports of the I/O interface), a network interface, a power source, and/or a camera. It will be understood by those skilled in the art that the structure shown in fig. 1 is only an illustration and is not intended to limit the structure of the electronic device. For example, the computer terminal 10 may also include more or fewer components than shown in fig. 1, or have a different configuration from that shown in fig. 1.
It should be noted that the one or more processors 102 and/or other data processing circuitry described above may be referred to generally herein as "data processing circuitry". The data processing circuitry may be embodied in whole or in part in software, hardware, firmware, or any combination thereof. Further, the data processing circuit may be a single stand-alone processing module, or incorporated in whole or in part into any of the other elements in the computer terminal 10 (or mobile device). As referred to in the embodiments of the application, the data processing circuit acts as a processor control (e.g. selection of a variable resistance termination path connected to the interface).
The memory 104 may be used to store software programs and modules of application software, such as program instructions/data storage devices corresponding to the zero-trust verification method in the embodiment of the present application, and the processor 102 executes various functional applications and data processing by running the software programs and modules stored in the memory 104, that is, implementing the zero-trust verification method of the application software. The memory 104 may include high speed random access memory, and may also include non-volatile memory, such as one or more magnetic storage devices, flash memory, or other non-volatile solid-state memory. In some examples, the memory 104 may further include memory located remotely from the processor 102, which may be connected to the computer terminal 10 via a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The transmission device 106 is used to receive or transmit data via a network. Specific examples of the network described above may include a wireless network provided by a communication provider of the computer terminal 10. In one example, the transmission device 106 includes a network interface controller (NIC), which can be connected to other network devices through a base station so as to communicate with the internet. In another example, the transmission device 106 may be a radio frequency (RF) module used to communicate with the internet wirelessly.
The display may be, for example, a touch screen type Liquid Crystal Display (LCD) that may enable a user to interact with a user interface of the computer terminal 10 (or mobile device).
It should be noted that the technical solutions of the embodiments of the present application may be applied to various communication systems, for example: a Global System for Mobile communications (GSM) system, a Code Division Multiple Access (CDMA) system, a Wideband Code Division Multiple Access (WCDMA) system, a General Packet Radio Service (GPRS), a Long Term Evolution (LTE) system, an LTE Frequency Division Duplex (FDD) system, an LTE Time Division Duplex (TDD) system, a Universal Mobile Telecommunications System (UMTS), a Worldwide Interoperability for Microwave Access (WiMAX) communication system, or a 5G system.
For example, the communication system applied in the embodiments of the present application may include a network device, and the network device may be a device that communicates with a terminal device (also referred to as a communication terminal or terminal). A network device may provide communication coverage for a particular geographic area and may communicate with terminal devices located within that coverage area. Optionally, the network device may be a Base Transceiver Station (BTS) in a GSM or CDMA system, a base station (NodeB, NB) in a WCDMA system, an evolved Node B (eNB or eNodeB) in an LTE system, or a wireless controller in a Cloud Radio Access Network (CRAN); or it may be a network device in a mobile switching center, a relay station, an access point, a vehicle-mounted device, a wearable device, a hub, a switch, a bridge, a router, a network-side device in a 5G network, a network device in a future evolved Public Land Mobile Network (PLMN), or the like.
The communication system further comprises at least one terminal device located within the coverage area of the network device. As used herein, "terminal device" includes, but is not limited to, a device connected via a wireline, such as a Public Switched Telephone Network (PSTN), a Digital Subscriber Line (DSL), digital cable, or a direct cable connection; and/or another data connection or network; and/or via a wireless interface, e.g. for a cellular network, a Wireless Local Area Network (WLAN), a digital television network such as a DVB-H network, a satellite network, or an AM-FM broadcast transmitter; and/or another terminal device arranged to receive or transmit communication signals; and/or Internet of Things (IoT) devices. A terminal device arranged to communicate over a wireless interface may be referred to as a "wireless communication terminal", "wireless terminal" or "mobile terminal". Examples of mobile terminals include, but are not limited to, satellite or cellular telephones; Personal Communications System (PCS) terminals that may combine a cellular radiotelephone with data processing, facsimile and data communications capabilities; PDAs that may include a radiotelephone, pager, internet/intranet access, web browser, notepad, calendar, and/or Global Positioning System (GPS) receiver; and conventional laptop and/or palmtop receivers or other electronic devices that include a radiotelephone transceiver. A terminal device may refer to an access terminal, user equipment (UE), subscriber unit, subscriber station, mobile station, remote terminal, mobile device, user terminal, wireless communication device, user agent, or user equipment.
An access terminal may be a cellular telephone, a cordless telephone, a Session Initiation Protocol (SIP) phone, a Wireless Local Loop (WLL) station, a Personal Digital Assistant (PDA), a handheld device with wireless communication capabilities, a computing device or other processing device connected to a wireless modem, a vehicle-mounted device, a wearable device, a terminal device in a 5G network, a terminal device in a future evolved PLMN, or the like.
Optionally, device to Device (D2D) communication may be performed between the terminal devices.
Alternatively, the 5G system or the 5G network may also be referred to as a New Radio (NR) system or an NR network.
In the foregoing operating environment, an embodiment of the present application provides a zero trust verification method, which is applicable to a terminal device, and as shown in fig. 2, the method includes the following steps:
Step S202: generate device state security information of the target terminal device according to the environmental security condition of the target terminal device, and generate a security information characteristic value from the device state security information, where the device state security information and the security information characteristic value are used to confirm the security state of the target terminal device.
In the solution of step S202, generating the security information characteristic value from the device state security information of the target terminal device includes: acquiring terminal hardware information of the target terminal device and a device key corresponding to the target terminal device, where the device key is calculated from the terminal hardware information; and generating the security information characteristic value from the device key and the device state security information.
Specifically, after the terminal hardware information of the target terminal device has been obtained, it is sent together with a registration request to the control center in order to obtain the device key; the device key, which the target control center calculates from the terminal hardware information once the registration request has been accepted, is then received by the terminal.
In practice, the target terminal device may be a terminal device running a Software Defined Perimeter (SDP) client, and the control center may be an SDP control center.
When the security information characteristic value is generated from the device state security information, the device state security information used may include at least one of the following: indication information showing whether a boot password is set; system patch information of the target terminal device; firewall information of the target terminal device; security program information of the target terminal device; whether the whitelist program list information of the target terminal device satisfies a first preset condition; and whether the blacklist program list information of the target terminal device satisfies a second preset condition. The first preset condition is that the whitelist program list of the target terminal device contains no program that is not on the whitelist; the second preset condition is that the blacklist program list contains no program that is not on the blacklist and that no program information belonging to the blacklist program list is missing. For example, if program A is an untrusted program, program A must not appear in the whitelist program list and must appear in the blacklist program list.
As an optional implementation, generating the security information characteristic value from the device key and the device state security information includes: applying a keyed code generation algorithm (a message authentication code algorithm) under the device key to the device state security information to produce the security information characteristic value. The device state security information used as input here is the plaintext device state security information.
Specifically, the encryption algorithm may be SM4, the code generation algorithm may be HMAC-SM3, and the security information characteristic value may be an HMAC value; the device state security information is carried in the form of a device security message and written into the header of the first target packet.
In some embodiments of the present application, so that whether the target terminal device is secure is confirmed in a timely manner, generating the device state security information and the security information characteristic value also involves scanning the device state of the target terminal device at a preset frequency to obtain the device state security information, and regenerating the security information characteristic value each time the device state security information is obtained.
Specifically, the SDP client running on the target terminal device checks the device state security information of the target terminal device and the security information of its environment at regular intervals, for example: whether a boot password is set; the names and version numbers of the system patches installed; the name, version number and running state of the firewall; the name, version number and running state of the antivirus software installed; and whether the required whitelist software and blacklist software are present on the target terminal device.
Step S204: after the target terminal device generates a first target packet, add the device state security information and the security information characteristic value to the first target packet at the network layer to obtain a second target packet, where the second target packet is used both to access a target service resource and to authenticate the target terminal device.
In the solution of step S204, adding the encrypted device state security information and the security information characteristic value to the first target packet to obtain the second target packet includes: acquiring the routing configuration information corresponding to the target gateway; re-encapsulating the first target packet at the network layer according to the routing configuration information, setting the destination address and port of the first target packet to point to the target gateway during encapsulation; and adding the device state security information and the security information characteristic value to the header of the encapsulated first target packet to obtain the second target packet. An encryption algorithm such as SM4 may be used to encrypt the device state security information.
Specifically, pointing the destination address and port of the packet at the target gateway ensures that the packet is delivered to the designated gateway, which avoids the risk of data leakage.
Step S206: send the second target packet to a target gateway, where the target gateway parses the second target packet at the network layer, obtains the device state security information, the security information characteristic value and the first target packet, determines the security state of the target terminal device from the device state security information and the security information characteristic value, and forwards the first target packet to the server providing the target service resource once the target terminal device is determined to be secure.
In the solution of step S206, after receiving the second target packet the target gateway parses it to obtain the first target packet, the encrypted terminal security authentication packet and the HMAC value (that is, the security information characteristic value). The target gateway then checks whether its cache holds an HMAC value matching the parsed one; if so, it forwards the first target packet to the server running the service system, and the server returns the corresponding service resource to the target terminal device after receiving the first target packet. If the target gateway finds no matching HMAC value, it sends the parsed HMAC value and the security authentication packet to the target control center. The control center decrypts the packet with SM4, computes an HMAC value with HMAC-SM3, and compares the computed HMAC value with the received one to confirm whether the terminal security authentication packet was tampered with in transit; if it was, authentication is deemed to have failed. If no tampering is found, the control center verifies the terminal security authentication packet against a preset verification policy and sends the verification result to the gateway. If verification passes, the verification result sent to the gateway also carries the computed HMAC value.
Step S208: receive the target service resource forwarded by the target gateway as proxy, where the target service resource is the service resource provided by the server according to the first target packet.
Generating device state security information of the target terminal device according to its environmental security condition, and generating a security information characteristic value from that information, where both are used to confirm the security state of the target terminal device; after the target terminal device generates a first target packet, adding the device state security information and the security information characteristic value to the first target packet at the network layer to obtain a second target packet, where the second target packet is used both to access the target service resource and to authenticate the target terminal device; sending the second target packet to a target gateway, which parses the second target packet at the network layer, obtains the device state security information, the security information characteristic value and the first target packet, determines the security state of the target terminal device from the device state security information and the security information characteristic value, and forwards the first target packet to the server providing the target service resource once the terminal device is determined to be secure; and receiving the target service resource forwarded by the target gateway as proxy, where the target service resource is the service resource provided by the server according to the first target packet. In this way, a security authentication message and a security information characteristic value are generated from the device state security information of the terminal device, both are added to the first target packet, and the gateway then verifies the security authentication message and the security information characteristic value, so that the device security environment of the terminal device is verified while the service resource is being accessed. This achieves the technical effect of securing the zero trust verification process and solves the technical problem in the related art that the security of the verification process cannot be guaranteed because the security environment of the terminal device cannot be verified.
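The terminal-side procedure of steps S202 to S208 (collect the device state security information, derive the characteristic value under the device key, re-encapsulate the original packet with its destination pointed at the gateway) worked through in Python as an added example; this is not code from the patent or from Eetrust. HMAC-SHA256 from the standard library stands in for HMAC-SM3, the SM4 encryption of the posture message is omitted so the posture travels as plaintext JSON, and the header layout (ZTV1 tag, gateway IPv4 and port, two lengths), the sample hardware information, the sample posture and the way SAMPLE_DEVICE_KEY is derived are all assumptions of the example.

```python
import hashlib
import hmac
import json
import struct

# Header placed in front of the first target packet. Layout is an assumption of
# this example: tag, gateway IPv4, gateway port, posture length, HMAC length.
HEADER_FMT = "!4s4sHHH"
HEADER_LEN = struct.calcsize(HEADER_FMT)
MAGIC = b"ZTV1"

# Device key as the control center would return it at registration (S504).
# Constructed hardware information; the derivation is an assumption.
SAMPLE_HARDWARE_INFO = "CPU=1234ABCD;DISK=WD-XYZ;MAC=00:11:22:33:44:55"
SAMPLE_DEVICE_KEY = hashlib.sha256(SAMPLE_HARDWARE_INFO.encode()).digest()


def collect_posture() -> dict:
    """Device state security information as the SDP client gathers it at the
    preset frequency. All values are constructed for this example."""
    return {
        "boot_password_set": True,
        "patches": [{"name": "patch-2023-11", "version": "1"}],
        "firewall": {"name": "fw", "version": "10.0", "running": True},
        "antivirus": {"name": "av", "version": "3.2.1", "running": True},
        "whitelist_ok": True,   # first preset condition holds
        "blacklist_ok": True,   # second preset condition holds
    }


def canonical_posture(posture: dict) -> bytes:
    """Deterministic serialisation: the control center must MAC exactly the
    bytes the client MACed, so key order and whitespace are pinned here."""
    return json.dumps(posture, sort_keys=True, separators=(",", ":")).encode()


def security_feature_value(device_key: bytes, posture_bytes: bytes) -> bytes:
    """Security information characteristic value: MAC over the posture under
    the device key (HMAC-SHA256 standing in for HMAC-SM3)."""
    return hmac.new(device_key, posture_bytes, hashlib.sha256).digest()


def verify_feature_value(device_key: bytes, posture_bytes: bytes, received: bytes) -> bool:
    """Constant-time comparison of a recomputed value with the received one."""
    return hmac.compare_digest(security_feature_value(device_key, posture_bytes), received)


def encapsulate(first_packet: bytes, posture_bytes: bytes, feature: bytes,
                gateway_ip: str, gateway_port: int) -> bytes:
    """Build the second target packet: header with the destination rewritten to
    the gateway, then posture, then HMAC, then the untouched first target packet."""
    ip = bytes(int(octet) for octet in gateway_ip.split("."))
    header = struct.pack(HEADER_FMT, MAGIC, ip, gateway_port,
                         len(posture_bytes), len(feature))
    return header + posture_bytes + feature + first_packet


def parse(second_packet: bytes):
    """Gateway-side view of the same layout (S206/S304).
    Returns (gateway_ip, gateway_port, posture_bytes, feature, first_packet)."""
    magic, ip, port, plen, mlen = struct.unpack(HEADER_FMT, second_packet[:HEADER_LEN])
    if magic != MAGIC:
        raise ValueError("not an encapsulated zero-trust packet")
    off = HEADER_LEN
    posture_bytes = second_packet[off:off + plen]
    off += plen
    feature = second_packet[off:off + mlen]
    off += mlen
    return ".".join(str(b) for b in ip), port, posture_bytes, feature, second_packet[off:]


def build_second_packet(first_packet: bytes, posture: dict, device_key: bytes,
                        gateway_ip: str, gateway_port: int) -> bytes:
    """Steps S202 and S204 end to end for one outgoing packet."""
    posture_bytes = canonical_posture(posture)
    feature = security_feature_value(device_key, posture_bytes)
    return encapsulate(first_packet, posture_bytes, feature, gateway_ip, gateway_port)
```

parse() is what the gateway runs in step S304 on the same layout. The canonical JSON matters because any re-serialisation on the path (reordered keys, added whitespace) would make the control center's recomputed HMAC differ from the client's even though nothing malicious happened; replacing hashlib.sha256 with an SM3 implementation changes nothing else in the structure.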
The embodiment of the present application further provides another zero trust verification method, which is applicable to a gateway device, and as shown in fig. 3, the method includes the following steps:
Step S302: receive a second target packet sent by a target terminal device, where the second target packet carries the device state security information and a first security information characteristic value of the target terminal device, together with the first target packet used to access a target service resource;
Step S304: parse the second target packet to obtain the device state security information, the first security information characteristic value and the first target packet;
Step S306: determine the security state of the target terminal device from the device state security information and the first security information characteristic value;
In the solution of step S306, determining the security state of the target terminal device from the device state security information and the first security information characteristic value includes: searching the target storage space for a second security information characteristic value matching the first security information characteristic value; determining that the target terminal device is secure if such a second security information characteristic value exists; and, if it does not exist, sending the device state security information and the first security information characteristic value to the target control center, which computes a third security information characteristic value from the device state security information and the device key of the target terminal device and verifies the first security information characteristic value against the third; receiving the verification information sent by the target control center when the first security information characteristic value passes verification; and determining the security state of the target terminal device from that verification information.
As an optional implementation, after receiving the verification information sent by the target control center, the zero trust verification method further includes: taking the first security information characteristic value as the second security information characteristic value and storing it in the target storage space.
In addition, after the device identification information and the second security information characteristic value have been stored in the target storage space, the gateway may delete them if no second target packet from the target terminal device is received within a preset time period.
Specifically, the target gateway may keep the second security information characteristic value in a target storage space (for example a cache) and delete it once the preset time period has elapsed. The storage duration of the second security information characteristic value can be refreshed each time the target gateway receives a packet from the terminal device, so that the entry is not deleted as long as the interval between two consecutive packets from the same terminal device does not exceed the preset duration.
Step S308: when the security state of the target terminal device is determined to be secure, send the first target packet to the server providing the target service resource, where the first target packet instructs the server to send the target service resource to the target terminal device.
In the solution of step S308, when the target gateway or the SDP control center determines that verification has failed, the target gateway discards the parsed HMAC value and does not pass the first target packet on to the target server.
An embodiment of the present application also provides a zero trust verification system. Fig. 4 is a schematic structural diagram of the zero trust verification system; as shown in fig. 4, the system includes a target terminal device 40, a target gateway 42, a service resource server 44 and a control center 46. The target terminal device 40 is configured to execute the zero trust verification method shown in fig. 2; the target gateway 42 is configured to execute the zero trust verification method shown in fig. 3; and the control center 46 is configured to obtain the terminal hardware information of the target terminal device 40, calculate the device key corresponding to the target terminal device 40 from the terminal hardware information and send it, and to receive the security authentication message sent by the target gateway 42, verify it, and generate and send verification information to the target gateway 42 once verification passes.
It should be noted that the system shown in fig. 4 may be configured to execute the zero trust verification method shown in fig. 2 or fig. 3; the explanations given for those methods therefore also apply to the system provided in this embodiment and are not repeated here.
In some embodiments of the present application, the overall workflow of the zero trust verification system is shown in fig. 5 and includes the following steps:
S502: the SDP client collects the hardware information of the target terminal device, sends it to the SDP control center and initiates a registration application with the SDP control center;
S504: the SDP control center pre-configures the terminal security environment elements, calculates the device key, and sends the terminal security environment elements and the device key to the SDP client;
S506: the SDP client periodically collects the device state security information of the terminal device according to the security information types listed in the security environment elements, and generates a security authentication message and an HMAC value;
S508: when the user accesses a service resource through the SDP client, the SDP client re-encapsulates the original packet, adds the security authentication message and the HMAC value to the header of the original packet, and points the destination address and port of the packet at the target gateway;
S510: after receiving the packet sent by the SDP client, the target gateway parses it to obtain the security authentication message, the HMAC value and the original packet;
S512: the target gateway checks the parsed HMAC value against its local cache; if a matching HMAC value exists it forwards the original packet to the server as proxy, otherwise step S514 is executed;
S514: the target gateway sends the security authentication message and the HMAC value to the SDP control center;
S516: the SDP control center computes an HMAC value from the security authentication message, verifies the security authentication message, and determines whether the terminal device is secure;
S518: if verification passes, the SDP control center sends the verification result and the computed HMAC value to the target gateway; if it fails, it sends only the verification result;
S520: if verification passed, the target gateway forwards the original packet to the server as proxy and stores the HMAC value sent by the SDP control center; if it failed, the target gateway prevents the packet from the target terminal device from reaching the server;
S522: the server sends the service resource to the target gateway according to the original packet;
S524: the target gateway forwards the service resource to the target terminal device as proxy.
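The gateway and control-center side (steps S302 to S308 of the gateway method and steps S510 to S520 of the workflow above) as an added Python example, not the patent's or Eetrust's code: the control center issues device keys at registration and re-verifies HMACs against a policy, and the gateway keeps a cache of accepted HMAC values with a time limit that every accepted packet refreshes. As before, HMAC-SHA256 stands in for HMAC-SM3 and SM4 is omitted. The cache is keyed on device identifier plus HMAC, following the storage of device identification information together with the characteristic value in the target storage space. The example additionally records a digest of the posture bytes with each cached entry, so that a changed posture presented under an old HMAC is sent to the control center instead of being accepted on the fast path; that digest check is an addition of this example rather than a step in the patent, as are the policy rules, the TTL, the master-secret key derivation, ManualClock and the constructed device and posture data.

```python
import hashlib
import hmac
import json
import time


def canonical(posture: dict) -> bytes:
    """Deterministic bytes that client, gateway and control center all agree on."""
    return json.dumps(posture, sort_keys=True, separators=(",", ":")).encode()


def feature_value(device_key: bytes, posture_bytes: bytes) -> bytes:
    """HMAC-SHA256 standing in for the HMAC-SM3 value the SDP client sends."""
    return hmac.new(device_key, posture_bytes, hashlib.sha256).digest()


class ManualClock:
    """Controllable clock so the cache TTL can be exercised without sleeping."""
    def __init__(self, start: float = 1000.0):
        self.t = start

    def __call__(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


class ControlCenter:
    """Issues device keys at registration (S502/S504) and verifies the
    security authentication messages the gateway sends up (S516)."""
    MASTER_SECRET = b"control-center-master-secret"   # assumed; keep in an HSM in practice

    def __init__(self):
        self.device_keys = {}

    def register(self, device_id: str, hardware_info: str) -> bytes:
        # Device key calculated from the terminal hardware information; a keyed
        # derivation under a control-center secret is this example's assumption.
        msg = f"{device_id}|{hardware_info}".encode()
        key = hmac.new(self.MASTER_SECRET, msg, hashlib.sha256).digest()
        self.device_keys[device_id] = key
        return key

    def verify(self, device_id: str, posture_bytes: bytes, received_mac: bytes):
        """Recompute the HMAC under the registered device key; only when it
        matches (no tampering in transit) apply the verification policy.
        Returns (passed, computed_mac), with computed_mac None on failure."""
        key = self.device_keys.get(device_id)
        if key is None:
            return False, None
        computed = feature_value(key, posture_bytes)
        if not hmac.compare_digest(computed, received_mac):
            return False, None
        p = json.loads(posture_bytes)
        passed = (p.get("boot_password_set") is True
                  and p.get("firewall", {}).get("running") is True
                  and p.get("antivirus", {}).get("running") is True
                  and p.get("whitelist_ok") is True
                  and p.get("blacklist_ok") is True)
        return passed, (computed if passed else None)


class Gateway:
    """Cache-first check (S512); on a miss ask the control center (S514-S520).
    Entries expire after ttl_seconds and are refreshed by every accepted packet."""
    def __init__(self, control_center: ControlCenter, ttl_seconds: float = 300,
                 clock=time.monotonic):
        self.cc = control_center
        self.ttl = ttl_seconds
        self.clock = clock
        self.cache = {}        # (device_id, hmac) -> (expiry, sha256(posture_bytes))
        self.cc_calls = 0      # number of times the slow path was taken

    def handle(self, device_id: str, posture_bytes: bytes, mac: bytes, first_packet: bytes):
        now = self.clock()
        key = (device_id, mac)
        digest = hashlib.sha256(posture_bytes).digest()
        entry = self.cache.get(key)
        if entry is not None and entry[0] > now and entry[1] == digest:
            self.cache[key] = (now + self.ttl, digest)   # refresh the storage duration
            return "FORWARD", first_packet
        self.cache.pop(key, None)     # expired, or posture changed under an old HMAC
        self.cc_calls += 1
        passed, computed = self.cc.verify(device_id, posture_bytes, mac)
        if not passed:
            return "DROP", None       # HMAC discarded; first packet never reaches the server
        self.cache[(device_id, computed)] = (now + self.ttl, digest)
        return "FORWARD", first_packet


def demo():
    """Drive the parties through hit, miss, tampering, non-compliance and expiry.
    Returns (label, decision, cumulative control-center calls) per request."""
    clock = ManualClock()
    cc = ControlCenter()
    gw = Gateway(cc, ttl_seconds=60, clock=clock)
    key = cc.register("dev-01", "CPU=1234ABCD;DISK=WD-XYZ;MAC=00:11:22:33:44:55")  # constructed
    good = {"boot_password_set": True, "patches": ["patch-2023-11"],
            "firewall": {"name": "fw", "version": "1.0", "running": True},
            "antivirus": {"name": "av", "version": "3.2", "running": True},
            "whitelist_ok": True, "blacklist_ok": True}
    gb, gm = canonical(good), feature_value(key, canonical(good))
    req = b"GET /erp/report HTTP/1.1\r\n\r\n"     # first target packet (constructed)
    log = [("first request", gw.handle("dev-01", gb, gm, req)[0], gw.cc_calls),
           ("cache hit", gw.handle("dev-01", gb, gm, req)[0], gw.cc_calls)]
    tampered = gb.replace(b'"boot_password_set":true', b'"boot_password_set":false')
    log.append(("tampered posture, old hmac", gw.handle("dev-01", tampered, gm, req)[0], gw.cc_calls))
    bad = canonical(dict(good, boot_password_set=False))
    log.append(("non-compliant, valid hmac", gw.handle("dev-01", bad, feature_value(key, bad), req)[0], gw.cc_calls))
    log.append(("compliant again", gw.handle("dev-01", gb, gm, req)[0], gw.cc_calls))
    clock.advance(61)
    log.append(("after ttl expiry", gw.handle("dev-01", gb, gm, req)[0], gw.cc_calls))
    log.append(("unregistered device", gw.handle("dev-99", gb, gm, req)[0], gw.cc_calls))
    return log
```

demo() returns the decision and the cumulative control-center call count for each request, so the fast path (second request forwarded without a new call), the tampered and non-compliant cases (dropped, HMAC not cached) and the expiry after the TTL (re-verified once, then cached again) can be read off directly. The policy in ControlCenter.verify is the place a deployment would plug in the preset verification strategy of S516; the HMAC comparison before it is what detects a message altered between client and control center.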
An embodiment of the present application provides a zero trust verification apparatus. Fig. 6 is a schematic structural diagram of the zero trust verification apparatus provided according to an embodiment of the present application; as shown in fig. 6, the apparatus includes: a first processing module 60, which generates device state security information of the target terminal device according to the environmental security condition of the target terminal device and generates a security information characteristic value from the device state security information, where both are used to confirm the security state of the target terminal device; a second processing module 62, configured to add the device state security information and the security information characteristic value to a first target packet at the network layer after the target terminal device generates the first target packet, obtaining a second target packet that is used to access a target service resource and to authenticate the target terminal device; a first communication module 64, configured to send the second target packet to a target gateway, which parses the second target packet at the network layer, obtains the device state security information, the security information characteristic value and the first target packet, determines the security state of the target terminal device from the device state security information and the security information characteristic value, and forwards the first target packet to the server providing the target service resource once the terminal device is determined to be secure; and a second communication module 66, configured to receive the target service resource forwarded by the target gateway as proxy, where the target service resource is the service resource provided by the server according to the first target packet.
According to another aspect of the embodiments of the present application, a non-volatile storage medium is also provided, in which a program is stored; when the program runs, it controls the device on which the non-volatile storage medium is located to execute the zero trust verification method.
In some embodiments of the present application, generating the security information characteristic value from the device state security information in the first processing module 60 includes: acquiring terminal hardware information of the target terminal device and a device key corresponding to the target terminal device, where the device key is calculated from the terminal hardware information; and generating the security information characteristic value from the device key and the device state security information.
In some embodiments of the present application, generating the security information characteristic value from the device key and the device state security information in the first processing module 60 includes: applying a keyed code generation algorithm (a message authentication code algorithm) under the device key to the device state security information to produce the security information characteristic value.
In some embodiments of the present application, obtaining in the first processing module 60 the device key that is calculated from the terminal hardware information includes: sending the terminal hardware information and a registration request to the target control center, which calculates the device key from the terminal hardware information once the registration request is accepted; and receiving the device key sent by the target control center.
In some embodiments of the present application, generating the device state security information and the security information characteristic value in the first processing module 60 includes: scanning the device state of the target terminal device at a preset frequency to obtain the device state security information, and generating the security information characteristic value each time the device state security information is obtained.
In some embodiments of the present application, the device state security information comprises at least one of: indication information showing whether a boot password is set; system patch information of the target terminal device; firewall information of the target terminal device; security program information of the target terminal device; whether the whitelist program list information of the target terminal device satisfies a first preset condition; and whether the blacklist program list information of the target terminal device satisfies a second preset condition.
In some embodiments of the present application, adding the device state security information and the security information characteristic value to the first target packet in the second processing module 62 to obtain the second target packet includes: acquiring the routing configuration information corresponding to the target gateway; re-encapsulating the first target packet at the network layer according to the routing configuration information, setting the destination address and port of the first target packet to point to the target gateway during encapsulation; and adding the encrypted device state security information and the security information characteristic value to the header of the encapsulated first target packet to obtain the second target packet.
It should be noted that each module of the zero trust verification apparatus may be a program module (for example, a set of program instructions implementing a certain function) or a hardware module; in the latter case it may take, but is not limited to, the following form: each of the above modules is a processor, or the function of each module is implemented by a processor. The apparatus may be configured to perform the zero trust verification method, so the explanation of the zero trust verification method also applies to this embodiment and is not repeated here.
An embodiment of the present application also provides a non-volatile storage medium. A program is stored in the non-volatile storage medium; when the program runs, it controls the device on which the non-volatile storage medium is located to execute the zero trust verification method provided in the method embodiments above, for example the following zero trust verification method: generating device state security information of the target terminal device according to the environmental security condition of the target terminal device, and generating a security information characteristic value from the device state security information, where both are used to confirm the security state of the target terminal device; after the target terminal device generates a first target packet, adding the device state security information and the security information characteristic value to the first target packet at the network layer to obtain a second target packet, where the second target packet is used both to access a target service resource and to authenticate the target terminal device; sending the second target packet to a target gateway, which parses the second target packet at the network layer, obtains the device state security information, the security information characteristic value and the first target packet, determines the security state of the target terminal device from the device state security information and the security information characteristic value, and forwards the first target packet to the server providing the target service resource once the terminal device is determined to be secure; and receiving the target service resource forwarded by the target gateway as proxy, where the target service resource is the service resource provided by the server according to the first target packet.
In other embodiments of the present application, the device on which the non-volatile storage medium is located may also execute the following zero trust verification method when the program runs: receiving a second target packet sent by a target terminal device, where the second target packet carries the device state security information and a first security information characteristic value of the target terminal device, together with the first target packet used to access a target service resource; parsing the second target packet to obtain the device state security information, the first security information characteristic value and the first target packet; determining the security state of the target terminal device from the device state security information and the first security information characteristic value; and, when the security state of the target terminal device is determined to be secure, forwarding the first target packet as proxy to the server providing the target service resource, where the first target packet instructs the server to send the target service resource to the target terminal device through the target gateway.
In an embodiment of the present application, an embodiment of an electronic device is also provided. The electronic device comprises a memory and a processor, wherein the processor is configured to execute a program stored in the memory, and when the program is executed, the zero trust verification method provided in the zero trust verification method embodiment above is performed. For example, the following zero trust verification method may be executed: generating device state security information of a target terminal device according to the environmental security condition of the target terminal device, and generating a security information characteristic value according to the device state security information, wherein the device state security information and the security information characteristic value are used for confirming the security state of the target terminal device; after the target terminal device generates a first target message, adding the device state security information and the security information characteristic value to the first target message at the network layer to obtain a second target message, wherein the second target message is used for accessing a target service resource and authenticating the target terminal device; sending the second target message to a target gateway, wherein the target gateway is configured to parse the second target message at the network layer, obtain the device state security information, the security information characteristic value and the first target message, determine the security state of the target terminal device according to the device state security information and the security information characteristic value, and forward the first target message to a server that provides the target service resource when the terminal device is determined to be secure; and receiving the target service resource forwarded by proxy by the target gateway, wherein the target service resource is a service resource provided by the server according to the first target message.
In other embodiments of the present application, when the program runs, the processor may further execute the following zero trust verification method: receiving a second target message sent by a target terminal device, wherein the second target message carries device state security information and a first security information characteristic value of the target terminal device together with a first target message, and the first target message is used for accessing a target service resource; parsing the second target message, and acquiring the device state security information, the first security information characteristic value and the first target message; determining the security state of the target terminal device according to the device state security information and the first security information characteristic value; and when the security state of the target terminal device is determined to be secure, forwarding the first target message by proxy to a server for providing the target service resource, wherein the first target message is used for instructing the server to send the target service resource to the target terminal device through the target gateway.
In the above embodiments of the present application, the descriptions of the respective embodiments have respective emphasis, and for parts that are not described in detail in a certain embodiment, reference may be made to related descriptions of other embodiments.
In the embodiments provided in the present application, it should be understood that the disclosed technology can be implemented in other ways. The above-described embodiments of the apparatus are merely illustrative, and for example, the division of the units may be a logical division, and in actual implementation, there may be another division, for example, multiple units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed coupling or direct coupling or communication connection between each other may be an indirect coupling or communication connection through some interfaces, units or modules, and may be electrical or in other forms.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present application may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit may be implemented in the form of hardware, or may also be implemented in the form of a software functional unit.
The integrated unit, if implemented in the form of a software functional unit and sold or used as a stand-alone product, may be stored in a computer-readable storage medium. Based on such understanding, the technical solution of the present application may be embodied in the form of a software product, which is stored in a storage medium and includes several instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present application. The aforementioned storage medium includes a USB flash drive, a Read-Only Memory (ROM), a Random Access Memory (RAM), a removable hard disk, a magnetic disk, an optical disk, or any other medium capable of storing program code.
The foregoing is only a preferred embodiment of the present application and it should be noted that those skilled in the art can make several improvements and modifications without departing from the principle of the present application, and these improvements and modifications should also be considered as the protection scope of the present application.

Claims (18)

1. A zero trust verification method, comprising:
generating device state security information of a target terminal device according to the environmental security condition of the target terminal device, and generating a security information characteristic value according to the device state security information, wherein the device state security information and the security information characteristic value are used for confirming the security state of the target terminal device;
after the target terminal device generates a first target message, adding the device state security information and the security information characteristic value to the first target message at the network layer to obtain a second target message, wherein the second target message is used for accessing a target service resource and authenticating the target terminal device;
sending the second target message to a target gateway, wherein the target gateway is configured to parse the second target message at the network layer, obtain the device state security information, the security information characteristic value and the first target message, determine the security state of the target terminal device according to the device state security information and the security information characteristic value, and forward the first target message to a server configured to provide the target service resource when the target terminal device is determined to be secure;
and receiving the target service resource forwarded by proxy by the target gateway, wherein the target service resource is a service resource provided by the server according to the first target message.
2. The zero trust verification method of claim 1, wherein the step of generating the security information characteristic value according to the device state security information comprises:
acquiring terminal hardware information of the target terminal device, and acquiring a device key corresponding to the target terminal device, the device key being calculated according to the terminal hardware information;
and generating the security information characteristic value according to the device key and the device state security information.
3. The zero trust verification method of claim 2, wherein the step of generating the security information characteristic value according to the device key and the device state security information comprises:
performing a cryptographic operation on the device state security information using a cryptographic algorithm and the device key, so as to generate the security information characteristic value.
4. The zero trust verification method of claim 3, wherein the step of adding the device state security information and the security information characteristic value to the first target message to obtain the second target message comprises:
obtaining routing configuration information corresponding to the target gateway;
re-encapsulating the first target message at the network layer according to the routing configuration information, and, during encapsulation, setting the destination address and port of the first target message to point to the target gateway;
and adding the encrypted device state security information and the security information characteristic value to the header of the encapsulated first target message to obtain the second target message.
5. The zero trust verification method of claim 2, wherein the step of acquiring the device key corresponding to the target terminal device calculated according to the terminal hardware information comprises:
sending the terminal hardware information and a registration request to a target control center, wherein the target control center is configured to calculate the device key according to the terminal hardware information when the registration request is approved;
and receiving the device key sent by the target control center.
6. The zero trust verification method of claim 1, wherein the step of generating the device state security information of the target terminal device according to the environmental security condition of the target terminal device, and generating the security information characteristic value according to the device state security information, comprises:
scanning the device state of the target terminal device at a preset frequency to acquire the device state security information, and generating the security information characteristic value each time the device state security information is acquired.
7. The zero trust verification method of claim 1, wherein the device state security information comprises at least one of: system patch information of the target terminal device, information indicating whether a boot password is set, firewall information of the target terminal device, security program information of the target terminal device, whether the whitelist program list information of the target terminal device meets a first preset condition, and whether the blacklist program list information of the target terminal device meets a second preset condition.
8. A zero trust verification method, comprising:
receiving a second target message sent by a target terminal device, wherein the second target message carries device state security information and a first security information characteristic value of the target terminal device together with a first target message, and the first target message is used for accessing a target service resource;
parsing the second target message, and acquiring the device state security information, the first security information characteristic value and the first target message;
determining the security state of the target terminal device according to the device state security information and the first security information characteristic value;
and when the security state of the target terminal device is determined to be secure, forwarding the first target message by proxy to a server for providing the target service resource, wherein the first target message is used for instructing the server to send the target service resource to the target terminal device through a target gateway.
9. The zero trust verification method of claim 8, wherein the step of determining the security state of the target terminal device according to the device state security information and the first security information characteristic value comprises:
searching a target storage space for a second security information characteristic value matching the first security information characteristic value;
determining that the security state of the target terminal device is secure if the second security information characteristic value exists; and
if the second security information characteristic value does not exist, sending the device state security information and the first security information characteristic value to a target control center, wherein the target control center is configured to calculate a third security information characteristic value according to the device state security information and a device key of the target terminal device, and to verify the first security information characteristic value according to the third security information characteristic value;
receiving verification information sent by the target control center when the first security information characteristic value is verified;
and determining the security state of the target terminal device according to the verification information.
10. The zero trust verification method of claim 9, wherein after the step of receiving the verification information sent by the target control center, the zero trust verification method further comprises:
determining device identification information of the target terminal device according to the second target message when the verification information indicates that the security state of the target terminal device is secure;
taking the first security information characteristic value as the second security information characteristic value, and determining an association between the device identification information and the second security information characteristic value;
and storing the device identification information and the second security information characteristic value in the target storage space.
11. The zero trust verification method of claim 10, wherein after the step of storing the device identification information and the second security information characteristic value in the target storage space, the zero trust verification method further comprises:
deleting the device identification information and the second security information characteristic value if no second target message sent by the target terminal device is received within a preset time period.
12. The zero trust verification method of claim 9, wherein the step of searching the target storage space for a second security information characteristic value matching the first security information characteristic value comprises:
determining device identification information of the target terminal device;
and determining, according to the device identification information, whether the second security information characteristic value exists in the target storage space.
13. A zero trust verification system, comprising a target terminal device, a target gateway, a service resource server and a control center, wherein
the target terminal device is configured to perform the zero trust verification method of any one of claims 1 to 7;
the target gateway is configured to perform the zero trust verification method of any one of claims 8 to 11;
the control center is configured to acquire terminal hardware information of the target terminal device, calculate a device key corresponding to the target terminal device according to the terminal hardware information, and send the device key; and to acquire the device state security information and the first security information characteristic value sent by the target gateway, verify the device state security information and the first security information characteristic value, and send verification information to the target gateway.
14. The zero trust verification system of claim 13, wherein the step of the control center verifying the device state security information comprises:
determining identification information of the target terminal device;
determining the device key corresponding to the target terminal device according to the identification information;
decrypting the device state security information with the device key;
and verifying the decrypted device state security information to determine whether the security state of the target terminal device meets a preset condition.
15. The zero trust verification system of claim 14, wherein the step of the control center verifying the first security information characteristic value comprises:
generating a third security information characteristic value according to the device state security information and the device key;
and checking the first security information characteristic value against the third security information characteristic value to determine whether the device state security information has been tampered with.
16. A zero trust verification apparatus, comprising:
a first processing module, configured to generate device state security information of a target terminal device according to the environmental security condition of the target terminal device and to generate a security information characteristic value according to the device state security information, wherein the device state security information and the security information characteristic value are used for confirming the security state of the target terminal device;
a second processing module, configured to add, after the target terminal device generates a first target message, the device state security information and the security information characteristic value to the first target message at the network layer to obtain a second target message, wherein the second target message is used for accessing a target service resource and authenticating the target terminal device;
a first communication module, configured to send the second target message to a target gateway, wherein the target gateway is configured to parse the second target message at the network layer, obtain the device state security information, the security information characteristic value and the first target message, determine the security state of the target terminal device according to the device state security information and the security information characteristic value, and forward the first target message to a server configured to provide the target service resource when the target terminal device is determined to be secure;
and a second communication module, configured to receive the target service resource forwarded by proxy by the target gateway, wherein the target service resource is a service resource provided by the server according to the first target message.
17. A non-volatile storage medium storing a program, wherein when the program runs, the device in which the non-volatile storage medium is located is controlled to execute the zero trust verification method of any one of claims 1 to 7 or claims 8 to 12.
18. An electronic device, comprising a memory and a processor configured to execute a program stored in the memory, wherein the program, when executed, performs the zero trust verification method of any one of claims 1 to 7 or claims 8 to 12.
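Claims 1 to 15 describe a three-party flow: the terminal tags its device state with a key-dependent characteristic value and wraps the original request, the gateway accepts on a cached characteristic value or otherwise asks the control center, and the control center recomputes a third characteristic value from the state and the device key to detect tampering and checks the state against a preset condition. The Python below is an added simulation of that flow; it is not code from the patent or from its assignee. It assumes HMAC-SHA256 as the unspecified cryptographic algorithm of claim 3, derives the device key as an HMAC of a control-center master key over the terminal hardware information (the patent says only that the key is calculated from that information), models the network-layer header as a dict wrapping the first message, and uses constructed device states, identifiers and a controllable clock so the cache expiry of claim 11 can be exercised offline.

```python
"""Simulation of the terminal / gateway / control center flow of claims 1 to 15.
Added example, not the patent's implementation. Assumptions: HMAC-SHA256 as the
characteristic-value algorithm, device key = HMAC(master_key, hardware_info),
a dict header standing in for the network-layer header, constructed sample data."""
import hashlib
import hmac
import json
import time


def compute_feature(device_key: bytes, state: dict) -> str:
    """Security information characteristic value: assumed MAC over canonical JSON of the state."""
    canon = json.dumps(state, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(device_key, canon, hashlib.sha256).hexdigest()


class ControlCenter:
    """Target control center: issues device keys (claim 5), re-verifies on cache miss (claims 14, 15)."""

    def __init__(self, master_key: bytes) -> None:
        self._master = master_key
        self._keys = {}  # device identification -> device key

    def register(self, device_id: str, hardware_info: str) -> bytes:
        # Assumption: the device key is a keyed hash of the terminal hardware information.
        key = hmac.new(self._master, hardware_info.encode(), hashlib.sha256).digest()
        self._keys[device_id] = key
        return key

    @staticmethod
    def meets_preset_condition(state: dict) -> bool:
        """Claim 14: the decrypted state must satisfy the preset policy (constructed policy)."""
        return (state["patched"] and state["boot_password"] and state["firewall"]
                and state["security_agent"] and state["whitelist_ok"] and not state["blacklist_hit"])

    def verify(self, device_id: str, state: dict, first_feature: str) -> bool:
        key = self._keys.get(device_id)
        if key is None:
            return False  # unregistered terminal: nothing to verify against
        third_feature = compute_feature(key, state)  # claim 15: recompute from state and device key
        if not hmac.compare_digest(third_feature, first_feature):
            return False  # state or characteristic value altered in transit
        return self.meets_preset_condition(state)


class Terminal:
    """Target terminal device: scans itself, tags the state, wraps the first message (claims 1 to 7)."""

    def __init__(self, device_id: str, hardware_info: str, control: ControlCenter) -> None:
        self.device_id = device_id
        self.device_key = control.register(device_id, hardware_info)

    @staticmethod
    def scan() -> dict:
        # Claim 7 fields; constructed values standing in for a real host inspection.
        return {"patched": True, "boot_password": True, "firewall": True,
                "security_agent": True, "whitelist_ok": True, "blacklist_hit": False}

    def build_second_message(self, first_message: bytes, state: dict = None) -> dict:
        state = self.scan() if state is None else state
        header = {"device_id": self.device_id, "state": state,
                  "feature": compute_feature(self.device_key, state)}
        return {"header": header, "payload": first_message}  # first target message carried unchanged


class Gateway:
    """Target gateway: cached value first (claims 9, 10, 12), expiry (claim 11), proxy forwarding (claim 8)."""

    def __init__(self, control: ControlCenter, server, ttl: float, clock=time.monotonic) -> None:
        self.control, self.server, self.ttl, self.clock = control, server, ttl, clock
        self._cache = {}  # device identification -> (second characteristic value, last seen)

    def handle(self, second_message: dict):
        header, first_message = second_message["header"], second_message["payload"]
        device_id, feature, now = header["device_id"], header["feature"], self.clock()
        cached = self._cache.get(device_id)
        if cached and now - cached[1] > self.ttl:
            del self._cache[device_id]  # claim 11: idle entry deleted after the preset period
            cached = None
        if cached is None or not hmac.compare_digest(cached[0], feature):
            if not self.control.verify(device_id, header["state"], feature):
                return None  # not forwarded: the terminal receives no resource
        self._cache[device_id] = (feature, now)  # claim 10: first value stored as the second
        return self.server(first_message)  # proxy forwarding of the first target message


def demo() -> dict:
    """Cache miss, cache hit, tampered state after expiry, honestly reported non-compliant state."""
    clock = [0.0]
    control = ControlCenter(b"constructed-master-key")
    terminal = Terminal("dev-001", "SN=CONSTRUCTED-001;MAC=00:11:22:33:44:55", control)
    gateway = Gateway(control, lambda m: b"resource:" + m, ttl=60.0, clock=lambda: clock[0])
    good = terminal.build_second_message(b"GET /service/report")
    miss = gateway.handle(good)  # first contact: control center verifies
    hit = gateway.handle(good)   # second contact: cached value matches, no round trip
    clock[0] = 120.0             # idle longer than ttl, cache entry expires
    bad_state = dict(Terminal.scan(), firewall=False)
    tampered = terminal.build_second_message(b"GET /service/report")
    tampered["header"]["state"] = bad_state  # state altered, characteristic value now stale
    honest = terminal.build_second_message(b"GET /service/report", state=bad_state)
    return {"miss": miss, "hit": hit, "tampered": gateway.handle(tampered),
            "noncompliant": gateway.handle(honest)}


if __name__ == "__main__":
    print(demo())
```

The gateway never holds a device key: on a cache hit it only compares characteristic values, exactly as claim 9 reads, so the control center round trip is skipped for a terminal whose reported state has not changed, and every comparison of characteristic values uses a constant-time check. The two failing scenarios differ in where they are caught: a state whose characteristic value no longer matches fails the recomputation of claim 15, while a correctly tagged but non-compliant state fails the preset condition of claim 14.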
CN202211519628.3A 2022-11-30 2022-11-30 Zero trust verification method, device and system and electronic equipment Active CN115550074B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211519628.3A CN115550074B (en) 2022-11-30 2022-11-30 Zero trust verification method, device and system and electronic equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202211519628.3A CN115550074B (en) 2022-11-30 2022-11-30 Zero trust verification method, device and system and electronic equipment

Publications (2)

Publication Number Publication Date
CN115550074A CN115550074A (en) 2022-12-30
CN115550074B true CN115550074B (en) 2023-03-03

Family

ID=84722216

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202211519628.3A Active CN115550074B (en) 2022-11-30 2022-11-30 Zero trust verification method, device and system and electronic equipment

Country Status (1)

Country Link
CN (1) CN115550074B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117240910B (en) * 2023-11-16 2024-03-01 中邮消费金融有限公司 Zero trust verification system and method

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114124583A (en) * 2022-01-27 2022-03-01 杭州海康威视数字技术股份有限公司 Terminal control method, system and device based on zero trust
CN115150208A (en) * 2022-09-06 2022-10-04 信联科技(南京)有限公司 Zero-trust-based Internet of things terminal secure access method and system

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20220345484A1 (en) * 2021-04-21 2022-10-27 ANDRO Computation Solutions, LLC Zero trust architecture for networks employing machine learning engines
CN113949573B (en) * 2021-10-18 2024-01-23 天翼数字生活科技有限公司 Zero-trust service access control system and method

Also Published As

Publication number Publication date
CN115550074A (en) 2022-12-30

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant