CN115603987A - Cloud-side-end-fused cross-domain zero-trust authentication system for power information communication system - Google Patents


Info

Publication number: CN115603987A
Authority: CN (China)
Prior art keywords: domain, resource, access, authentication, trust
Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Application number: CN202211219681.1A
Other languages: Chinese (zh)
Inventors: 赵新建, 袁国泉, 陈石, 陈璐, 陈牧, 张颂, 徐晨维, 冒佳明, 夏飞, 王鹏飞, 陈欣, 赵然, 余竞航, 朱佳佳, 宋浒, 奚梦婷, 程昕云
Current assignee (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list): State Grid Smart Grid Research Institute Co ltd; State Grid Corp of China SGCC; State Grid Jiangsu Electric Power Co Ltd; Information and Telecommunication Branch of State Grid Jiangsu Electric Power Co Ltd
Original assignee: State Grid Smart Grid Research Institute Co ltd; State Grid Corp of China SGCC; State Grid Jiangsu Electric Power Co Ltd; Information and Telecommunication Branch of State Grid Jiangsu Electric Power Co Ltd
Application filed by State Grid Smart Grid Research Institute Co ltd, State Grid Corp of China SGCC, State Grid Jiangsu Electric Power Co Ltd and Information and Telecommunication Branch of State Grid Jiangsu Electric Power Co Ltd

Classifications

All four codes sit under H (Electricity) > H04 (Electric communication technique) > H04L (Transmission of digital information, e.g. telegraphic communication):
    • H04L63/0884: Network architectures or network communication protocols for network security (H04L63/00); authentication of entities (H04L63/08) by delegation of authentication, e.g. a proxy authenticates an entity to be authenticated on behalf of this entity vis-à-vis an authentication entity
    • H04L63/10: Network architectures or network communication protocols for network security (H04L63/00); controlling access to devices or network resources
    • H04L9/3252: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols (H04L9/00) including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials (H04L9/32); involving digital signatures (H04L9/3247) using DSA or related signature schemes, e.g. elliptic based signatures, ElGamal or Schnorr schemes
    • H04L9/3255: as H04L9/32 above; involving digital signatures (H04L9/3247) using group based signatures, e.g. ring or threshold signatures


Abstract

The invention discloses a cloud-edge-end-fused cross-domain zero-trust authentication system for a power information communication system. It comprises a cloud resource navigation server and a plurality of mutually isolated trust domains; each trust domain comprises a policy center and a proxy gateway. A physical resource access channel is built between the proxy gateways of trust domains that exchange resource access traffic, and a zero-trust authentication channel is built between the policy centers of the trust domains that take part in distributed authentication; the policy center runs on the edge side and contains a domain judgment module, a local-domain authentication module, a cross-domain authentication module and a behavior log recording module. The invention realizes zero trust on a cloud-edge-end integrated architecture, exploits cloud-side data sharing, abundant edge-side computing resources and convenient terminal-side access, performs targeted distributed authentication of resource requests, is easy to deploy and highly compatible, does not depend on real-time management of registered users, and offers a good user experience.

Description

Cloud-edge-end-fused cross-domain zero-trust authentication system for a power information communication system
Technical Field
The invention relates to the technical field of zero-trust networks, and in particular to a cross-domain zero-trust authentication system and method for a cloud-edge-end integrated power information communication system.
Background
The zero-trust network model (also called zero-trust architecture) was proposed in 2010 by John Kindervag, then a principal analyst at Forrester, and has gradually become one of the mainstream network-security frameworks as network services have grown more complex and attack types more diverse. Zero trust is a security concept whose central idea is that an enterprise should not automatically trust anyone or anything inside or outside its perimeter, and should authenticate every person or thing that tries to access enterprise systems before authorizing access. The most critical elements of a zero-trust architecture are therefore authentication and authorization for resource access. In practice every resource access must be authenticated, in the manner of a whitelist built on a minimum privilege set: unless the network explicitly knows the identity of the accessing party, any entity (IP, host, ID, etc.) that is unauthorized or whose authorization path is unknown is denied access.
Zero trust requires an enterprise to decide, based on conditions such as the user, the user's location and other data, whether to trust the user, host or application that requests access to a particular part of the enterprise, using micro-segmentation and fine-grained boundary rules. To do so, zero trust relies on multi-factor authentication, identity and access management (IAM), orchestration, analytics, encryption, security scoring and file-system permissions. The principle of least privilege is also one of the governing policies that zero trust depends on: a user is given only the minimum access rights needed to complete a particular job.
For cross-domain resource access the authentication process is both more important and more complex. However, most existing research addresses authentication within a single trust domain, and there is little work on the cross-domain case.
The invention with publication number CN103973451A discloses a cross-trust-domain authentication method for a distributed network system. It uses distributed key generation and a threshold signature mechanism based on an elliptic-curve cryptosystem to construct a virtual bridge certification authority (VBCA), and completes cross-domain mutual authentication between entities in different trust domains of the distributed network system by means of the VBCA. However, it does not consider how to combine local-domain and cross-domain authentication effectively, and its cross-domain authentication depends on correct management of each member's key share (key shadow): once a member's key share becomes invalid or an update goes wrong, authentication becomes difficult. That method therefore cannot be applied to cross-domain zero-trust authentication in a cloud-edge converged power information communication system.
The invention with publication number CN103780393A discloses a virtual-desktop security authentication system and method for multiple security levels, concerning an identity authentication mode and system implementation based on user behavior. First, the method introduces a user-behavior authentication mechanism, proposes a method for collecting, judging and predicting cross-domain behavior within a user domain, and implements user-behavior security authentication that combines roles and permissions. Second, the encryption part of the method uses an elliptic-curve digital signature into which a symmetric encryption algorithm is introduced; to reduce computational complexity, the large-integer inversion is removed from the signature equation, which improves signing efficiency while preserving the security of the method and system. Finally, the system provides unified user identity authentication, reduces the number of authentication servers deployed and lowers cost. The mechanism can be widely applied to cloud-computing virtual-desktop security authentication, multiple security levels and related fields. That invention provides a method for collecting, judging and predicting intra-domain and cross-domain behavior, reduces authentication-server deployment, and lets a user who logs in once switch conveniently between virtual desktops of different security levels on the strength of past behavior. However, it considers only user permissions and user behavior, must predict the user's authentication from the user's combined intra-domain and cross-domain behavior, involves complex prediction computations, and does not take the specifics of the resources into account.
Disclosure of Invention
To address the defects of the prior art, the invention provides a cross-domain zero-trust authentication system and method for a cloud-edge-end integrated power information communication system. Based on a threshold signature mechanism from secure multi-party computation, the related trust domains combine the user's historical behavior with the attributes of the resource to perform targeted distributed authentication of the resource request, so the system is easy to deploy, highly compatible, independent of real-time management of registered users, and offers a good user experience.
To achieve this, the invention adopts the following technical scheme:
A cloud-edge-end-fused cross-domain zero-trust authentication system for a power information communication system is applied to a cloud-edge-end integrated power information communication system;
the cross-domain zero-trust authentication system comprises a cloud resource navigation server and a plurality of mutually isolated trust domains; each trust domain has a plurality of registered users, and the resource data to be accessed is stored inside the trust domains; the cloud resource navigation server manages trust-domain routing information and the trust-domain information associated with each registered user;
each trust domain comprises a policy center and a proxy gateway; a physical resource access channel is built between the proxy gateways of trust domains that exchange resource access traffic; a zero-trust authentication channel is built between the policy centers of the trust domains that take part in distributed authentication; the policy center runs on the edge side;
the proxy gateway intercepts a resource access request received from a requester, returns the requester's digital identity, generates an access request event and submits it to the policy center of its trust domain;
a domain judgment module, a local-domain authentication module, a cross-domain authentication module and a behavior log recording module are deployed in the policy center; the behavior log recording module stores the access behavior logs of all users who access the domain in which the policy center is located; the domain judgment module determines which domain owns the resource named in the access request event: if it is the user's own domain, the event is handed to the local-domain authentication module, otherwise it is handed to the cross-domain authentication module, which in turn triggers the cross-domain authentication module of the domain where the target resource is located to start an authentication process; the local-domain authentication module combines the requester's digital identity with the match result from the access policy library and instructs the local proxy gateway to open, for a limited time, access to the resource at the level corresponding to the user's permission; the cross-domain authentication module of the domain where the target resource is located queries the cloud resource navigation server, obtains the policy centers of several trust domains associated with the requester and forms them into a distributed authentication group, which contains neither the requester's trust domain nor the trust domain where the resource is located;
each member of the distributed authentication group comprehensively evaluates how far the resource requester can be trusted, using the requester's historical behavior log stored in the cloud public database and the requester's access behavior log stored in that member's own behavior log recording module; if the requester is judged trustworthy, the member encrypts its scoring data with a threshold signature algorithm based on an elliptic-curve cryptosystem and submits it to the policy center of the trust domain where the resource is located, otherwise it returns an "unable to evaluate" response; the policy center of the trust domain where the resource is located performs trust authentication of the resource request from the submissions of all members of the distributed authentication group, instructs the proxy gateway to open the corresponding access port for a request that passes authentication, and opens access to the resource to the requester, at the level corresponding to the requester's permission, for a limited time.
To refine the technical scheme, the further specific measures are as follows:
Further, the resource access channel and the zero-trust authentication channel are carried over 5G network slices or IP tunnels.
Further, the policy center comprises a user registration module;
the user registration module receives a unique identifier $Id$ and a validity period $T_1$ sent by the user and generates the user's digital identity with the predetermined validity period $T_1$, $DID = \langle H_1(Id \| T_1), P \rangle$, where $P$ is the access right and $H_1()$ is a one-way hash function;
once the validity period has elapsed, the user registration module updates the user's digital identity periodically or on an update request sent by the user; the update is computed over the accumulated running time, so that the digital identity updated after a further period $T_2$ is $DID = \langle H_1(Id \| (T_1 + T_2)), P \rangle$.
Further, the local-domain authentication module comprises a resource management unit, a registered user management unit, a local-domain access policy library, a user authority authentication unit and a local-domain resource access management unit;
the resource management unit manages the trust domain's resource library, in which each resource carries a corresponding local-domain access authority; the registered user management unit manages the trust domain's registered users, each of whom has an independent digital identity; the local-domain access policy library stores the local-domain resource permission corresponding to each access right of the registered users;
the user authority authentication unit extracts the requester's digital identity $D_1$ from the access request event, matches it against the contents of the local-domain access policy library to obtain the requester's local-domain resource permission $X$, and matches $X$ against the accessed object to obtain the opening parameter $F$ of the accessed object;
the local-domain resource access management unit, using the opening parameter $F$ of the accessed object and the requester information sent by the user authority authentication unit, instructs the local proxy gateway to open access with opening parameter $F$ on the accessed object to the requester and starts a timer $T$; when the timer expires it instructs the local proxy gateway to close the access again, and records the requester's current access log in the behavior log recording module.
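The following is an added example, not code from the patent or its applicants, that puts the registration module (the $DID = \langle H_1(Id \| T_1), P \rangle$ identity and its renewal) and the local-domain path just described (domain judgment, policy-library match, opening parameter $F$, timer $T$, behavior log) into one runnable policy center. Everything not named in the text is an assumption: SHA-256 stands in for $H_1$, the policy library maps an access right $P$ to a numeric permission $X$, resources carry read/write levels, $F$ is one of "read" or "read-write", and the domain, resource and user names are constructed.

```python
"""Minimal policy center for the local-domain path: registration (DID), domain judgment,
policy-library match, time-limited grant, behavior log. Added example, not the patent's code."""
import hashlib
from dataclasses import dataclass, field


def make_did(user_id: str, validity: int, access_right: int) -> tuple:
    """DID = <H1(Id || T), P>. H1 is assumed to be SHA-256; the patent only says 'one-way hash'."""
    digest = hashlib.sha256(f"{user_id}||{validity}".encode()).hexdigest()
    return (digest, access_right)


def renew_did(user_id: str, t1: int, t2: int, access_right: int) -> tuple:
    """After T1 has elapsed the identity is recomputed over the accumulated time T1 + T2."""
    return make_did(user_id, t1 + t2, access_right)


@dataclass
class AccessEvent:
    did: tuple           # identity the proxy gateway attached when it intercepted the request
    resource_id: str
    requested_at: float  # seconds; the timer T is measured from here


@dataclass
class PolicyCenter:
    domain: str
    resources: dict       # resource id -> {"domain", "read_level", "write_level"} (constructed encoding)
    policy_library: dict  # access right P -> local-domain resource permission X (constructed encoding)
    registered: dict      # DID hash -> P, maintained by the registered-user management unit
    grant_ttl: float = 300.0
    grants: dict = field(default_factory=dict)      # (DID hash, resource) -> expiry time
    behavior_log: list = field(default_factory=list)

    def judge_domain(self, event: AccessEvent) -> str:
        """Domain judgment module: route to the local or the cross-domain authentication module."""
        owner = self.resources[event.resource_id]["domain"]   # KeyError for an unknown resource
        return "local" if owner == self.domain else "cross-domain"

    def local_authenticate(self, event: AccessEvent):
        """User authority authentication unit: DID -> X via the policy library; X vs resource -> F."""
        did_hash, presented_p = event.did
        # H1(Id||T) does not bind P, so P is taken from the registry, never from the presented DID.
        if self.registered.get(did_hash) != presented_p:
            self.behavior_log.append((did_hash, event.resource_id, "request_failed"))
            return None
        x = self.policy_library.get(presented_p, 0)
        res = self.resources[event.resource_id]
        if x >= res["write_level"]:
            f = "read-write"
        elif x >= res["read_level"]:
            f = "read"
        else:
            self.behavior_log.append((did_hash, event.resource_id, "unauthorized_attempt"))
            return None
        # Local-domain resource access management unit: open for a limited time only.
        self.grants[(did_hash, event.resource_id)] = event.requested_at + self.grant_ttl
        self.behavior_log.append((did_hash, event.resource_id, f"authorized:{f}"))
        return f

    def is_open(self, did: tuple, resource_id: str, now: float) -> bool:
        """Checked by the proxy gateway on every access: the grant exists and timer T has not run out."""
        key = (did[0], resource_id)
        expiry = self.grants.get(key)
        if expiry is None:
            return False
        if now >= expiry:
            del self.grants[key]   # timer finished: close the port and log the completed access
            self.behavior_log.append((did[0], resource_id, "access_completed"))
            return False
        return True


def demo():
    """Constructed sample data: one dispatch domain, one in-domain and one foreign resource."""
    pc = PolicyCenter(
        domain="jiangsu-dispatch",
        resources={
            "scada/loadcurve": {"domain": "jiangsu-dispatch", "read_level": 1, "write_level": 3},
            "meter/region-7": {"domain": "jiangsu-metering", "read_level": 1, "write_level": 2},
        },
        policy_library={1: 1, 2: 2, 3: 3},
        registered={},
    )
    did = make_did("op-1042", 1700000000, 2)
    pc.registered[did[0]] = 2                       # registration module enrols the user
    event = AccessEvent(did, "scada/loadcurve", requested_at=1000.0)
    route = pc.judge_domain(event)
    opened = pc.local_authenticate(event)           # X = 2: read yes, write (needs 3) no
    still_open = pc.is_open(did, "scada/loadcurve", 1200.0)
    closed = pc.is_open(did, "scada/loadcurve", 1300.0)   # 300 s elapsed: timer T has fired
    cross = pc.judge_domain(AccessEvent(did, "meter/region-7", 1000.0))
    forged = pc.local_authenticate(AccessEvent((did[0], 3), "scada/loadcurve", 1000.0))
    return route, opened, still_open, closed, cross, forged


if __name__ == "__main__":
    print(demo())   # ('local', 'read', True, False, 'cross-domain', None)
```

One point the example makes explicit: because the hash in the digital identity covers only $Id$ and $T_1$, the access right $P$ travelling with the identity is not integrity-protected by it, so the policy center must take $P$ from its own registered-user records (as `local_authenticate` does) rather than from the value the requester presents. The `forged` case shows the mismatch being rejected.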
Further, the cross-domain authentication module comprises a route query unit, an authentication request detection unit, a cross-domain access policy library, an authentication management unit, a distributed authentication group generation unit, a scoring authentication unit and a cross-domain resource access management unit;
the route query unit extracts the domain information of the resource contained in the access request event and queries the cloud resource navigation server for a corresponding cross-domain route; if one exists it triggers the authentication request detection unit, which sends an authentication request detection message to the policy center of the domain where the target resource is located, otherwise an "inaccessible" response is returned to the requester through the cross-domain resource access management unit; when the authentication request detection unit of the requester's domain receives the authentication request detection response sent back by the domain where the target resource is located, this indicates that the authentication management unit of the target resource's domain has been triggered and the authentication process has started;
the cross-domain access policy library stores the cross-domain access attributes and cross-domain access permissions of the resources in its own domain, and the cross-domain resource permissions corresponding to the access rights of registered users;
once the authentication management unit of the domain where the target resource is located is triggered, it extracts the requester's digital identity and the requested target resource from the access request event and consults the cross-domain access policy library to verify whether the target resource has a cross-domain access attribute; if so, it obtains the requester's cross-domain resource permission $X'$ and matches it against the target resource's cross-domain access permission to obtain the target resource's opening parameter $F'$; at the same time it sends the requester's digital identity and the target resource's attribute information to the distributed authentication group generation unit, which builds the distributed authentication group; the scoring unit of each group member, using the requester's digital identity and the target resource's attribute information, retrieves the requester's historical behavior log from the cloud public database and the requester's access behavior log from the member's own behavior log recording module, comprehensively evaluates how far the requester can be trusted, and, if the requester is judged trustworthy, encrypts the scoring data with a threshold signature algorithm based on an elliptic-curve cryptosystem and submits it to the policy center of the trust domain where the resource is located; otherwise it returns an "unable to evaluate" response;
after receiving the submissions of all members of the distributed authentication group, the authentication management unit triggers the scoring authentication unit if the number of scoring submissions reaches $t$, so that the scoring authentication unit performs trust authentication of the resource request from those submissions; otherwise it returns an authentication failure message to the requester; the authentication management unit passes the authentication result to the cross-domain resource access management unit, which instructs the proxy gateway to open the corresponding access port for a request that passes authentication, opens access with opening parameter $F'$ on the accessed object to the requester for a limited time, starts a timer $T'$, instructs the local proxy gateway to close the access again when the timer expires, and records the requester's current access log in the behavior log recording module.
Further, the distributed authentication group generation unit comprises a related-domain acquisition component, a target resource analysis component and a member screening component;
the related-domain acquisition component accesses the cloud resource navigation server and, from the requester's digital identity, obtains the policy centers of the $t$ trust domains related to the requester, forming an access route set $R\{\}$;
the target resource analysis component analyzes the attribute information of the target resource, extracts the relevant features and obtains the corresponding attribute vector;
the member screening component iterates over the elements of $R\{\}$ and, according to the attribute information of the target resource, collects the set $S\{\}$ of trust-domain policy centers allowed to take part in distributed authentication, until the number of members of $S\{\}$ reaches the threshold $t$, which forms the distributed authentication group; as the number of iterations grows, the admitted members are those whose access-log records contain historical resources whose attribute vectors differ more from the target resource's attribute vector; $t$ is a positive integer greater than 1.
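The member screening loop above is easiest to see in code. The block below is an added example, not the patent's own implementation: it walks $R\{\}$ in rounds with a growing tolerance on the attribute-vector distance, so the domains whose history of this requester most resembles the target resource are admitted first, excludes the requester's and the resource's own domains, and gives up (authentication cannot proceed) when $t$ members cannot be found. The feature encoding, the Euclidean distance, the "clearance must cover sensitivity" eligibility rule, the round step and all domain names are assumptions.

```python
"""Distributed authentication group generation: related domains R{} -> screened set S{} of size t.
Added example; the attribute encoding, the clearance rule and the data are assumptions."""
import math

FEATURES = ("sensitivity", "realtime", "writable")   # assumed feature order for attribute vectors


def attribute_vector(attrs: dict) -> list:
    """Target resource analysis component: attribute dict -> numeric feature vector."""
    return [float(attrs.get(f, 0)) for f in FEATURES]


def distance(u: list, v: list) -> float:
    return math.sqrt(sum((a - b) ** 2 for a, b in zip(u, v)))


def history_distance(member_log: list, target_vec: list) -> float:
    """Smallest distance between the target and any resource this member has logged for the requester."""
    return min(distance(attribute_vector(a), target_vec) for a in member_log)


def build_group(route_set, member_logs, clearance, target_attrs, t, exclude, step=0.5, max_rounds=10):
    """Member screening component.

    Round k admits members of R{} (in route order) whose logged history lies within k*step of the
    target's attribute vector, so members with the most similar history are taken first and each
    later round tolerates a larger difference. Stops as soon as |S{}| == t. Returns None when the
    group cannot be filled, which the caller treats as authentication failure.
    Eligibility rule (assumed): a domain may judge a resource only if its clearance >= sensitivity.
    """
    target = attribute_vector(target_attrs)
    group = []
    for k in range(1, max_rounds + 1):
        radius = k * step
        for domain in route_set:
            if domain in group or domain in exclude:
                continue                      # never the requester's or the resource's own domain
            if clearance.get(domain, 0) < target_attrs.get("sensitivity", 0):
                continue                      # not allowed to take part for this resource
            log = member_logs.get(domain)
            if not log:
                continue                      # no history of this requester: nothing to score
            if history_distance(log, target) <= radius:
                group.append(domain)
                if len(group) == t:
                    return group
    return None


def demo():
    """Constructed sample: seven related domains, two of them excluded by rule."""
    route_set = ["dom-req", "dom-A", "dom-D", "dom-B", "dom-E", "dom-C", "dom-res"]
    exclude = {"dom-req", "dom-res"}
    target = {"sensitivity": 2, "realtime": 1, "writable": 0}
    clearance = {"dom-A": 3, "dom-B": 2, "dom-C": 3, "dom-D": 1, "dom-E": 3, "dom-req": 3, "dom-res": 3}
    logs = {   # per member: attributes of the resources the requester touched there
        "dom-req": [{"sensitivity": 2, "realtime": 1, "writable": 0}],
        "dom-A": [{"sensitivity": 2, "realtime": 1, "writable": 0}],    # distance 0
        "dom-B": [{"sensitivity": 1, "realtime": 1, "writable": 0}],    # distance 1
        "dom-C": [{"sensitivity": 3, "realtime": 0, "writable": 1}],    # distance sqrt(3)
        "dom-D": [{"sensitivity": 2, "realtime": 1, "writable": 1}],    # close, but clearance too low
        "dom-E": [],                                                    # never saw this requester
    }
    group3 = build_group(route_set, logs, clearance, target, t=3, exclude=exclude)
    group4 = build_group(route_set, logs, clearance, target, t=4, exclude=exclude)
    return group3, group4


if __name__ == "__main__":
    print(demo())   # (['dom-A', 'dom-B', 'dom-C'], None)
```

The `group4` case is the one a practitioner should plan for: with only three eligible members the threshold cannot be met, and the safe outcome is to refuse the request rather than pad the group with domains that have no history of the requester or no clearance for the resource.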
Further, each member of the distributed authentication group comprehensively evaluates how far the resource requester can be trusted from the requester's historical cross-domain access behavior log stored in the cloud public database and the requester's historical local-domain access behavior log stored in the member's behavior log recording module; the specific process comprises:
initializing all nodes and assigning an initial value to every node's trust value for the resource requester;
defining several positive behavior elements and several negative behavior elements according to the resource access flow and its outcome; the positive behavior elements represent each successful state of resource access: resource request succeeded, resource authorization obtained, resource access succeeded, access completed; the negative behavior elements represent each failed state: resource request failed, resource access failed, attempt to access an unauthorized resource, requested resource not found, request out of scope;
each member of the distributed authentication group assigns a weight to each resource according to the access permission stored locally for that resource; the higher the access permission, the higher the resource's weight;
analyzing the requester's historical local-domain access behavior log stored in the behavior log recording module to obtain, for each local-domain access behavior, a positive behavior vector $X_1$ and a negative behavior vector $Y_1$; combining the weight of the resource involved in each local-domain access behavior with $X_1$ and $Y_1$ to compute the requester's local-domain trust score $Score_1$;
analyzing the requester's historical cross-domain access behavior log stored in the cloud public database to obtain, for each cross-domain access behavior, a positive behavior vector $X_2$ and a negative behavior vector $Y_2$; combining $X_2$ and $Y_2$ to compute the requester's cross-domain trust score $Score_2$;
combining the local-domain trust score $Score_1$ and the cross-domain trust score $Score_2$ to produce the requester's trust score.
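The text fixes the ingredients of the score (positive and negative behavior elements, resource weights, a local and a cross-domain score, an initial trust value) but not the arithmetic. The block below is an added example of one concrete instantiation, not the patent's formula: each local-domain behavior counts $+w$ or $-w$ with $w$ the weight of the resource touched, the cross-domain score is the unweighted share of positive elements, the two are mixed with a weight `alpha`, and a score under a threshold becomes the "unable to evaluate" answer a member returns instead of a signed score. The element names, the rescaling, `alpha`, the threshold, the initial trust value and the sample logs are all constructed.

```python
"""Per-member trust scoring of a resource requester from behavior logs. Added example, not the
patent's code; element names, the weighting rule, alpha and the threshold are assumptions."""

POSITIVE_ELEMENTS = ("request_ok", "authorized", "access_ok", "completed")
NEGATIVE_ELEMENTS = ("request_failed", "access_failed", "unauthorized_attempt", "not_found", "out_of_scope")
INITIAL_TRUST = 0.5   # initial value assigned to every node's trust in the requester (value assumed)


def behavior_vectors(entries):
    """Map (resource, outcome) log entries to the count vectors X (positive) and Y (negative)."""
    x = [0] * len(POSITIVE_ELEMENTS)
    y = [0] * len(NEGATIVE_ELEMENTS)
    for _, outcome in entries:
        if outcome in POSITIVE_ELEMENTS:
            x[POSITIVE_ELEMENTS.index(outcome)] += 1
        elif outcome in NEGATIVE_ELEMENTS:
            y[NEGATIVE_ELEMENTS.index(outcome)] += 1
        else:
            raise ValueError(f"unknown behavior element: {outcome!r}")
    return x, y


def local_domain_score(entries, resource_weight):
    """Score_1: each local-domain behavior counts +w (positive) or -w (negative), w being the weight
    of the resource touched, so a failed attempt on a high-permission resource costs the most.
    The sum is rescaled from [-W, W] to [0, 1]; with no history the initial trust value is used."""
    total = signed = 0.0
    for resource, outcome in entries:
        w = resource_weight[resource]
        total += w
        signed += w if outcome in POSITIVE_ELEMENTS else -w
    return INITIAL_TRUST if total == 0 else (signed + total) / (2 * total)


def cross_domain_score(entries):
    """Score_2: unweighted share of positive elements in the cloud-side cross-domain history."""
    x, y = behavior_vectors(entries)
    n = sum(x) + sum(y)
    return INITIAL_TRUST if n == 0 else sum(x) / n


def evaluate_requester(local_log, cloud_log, resource_weight, alpha=0.5, threshold=0.6):
    """Combine Score_1 and Score_2 (alpha assumed); return the score, or None for 'unable to
    evaluate', which is what a member submits instead of a signed score."""
    s1 = local_domain_score(local_log, resource_weight)
    s2 = cross_domain_score(cloud_log)
    score = alpha * s1 + (1 - alpha) * s2
    return score if score >= threshold else None


# Constructed sample logs for one requester as seen by one group member.
LOCAL_LOG = [
    ("scada/loadcurve", "request_ok"), ("scada/loadcurve", "authorized"),
    ("scada/loadcurve", "access_ok"), ("scada/loadcurve", "completed"),
    ("relay/settings", "unauthorized_attempt"),     # one probe of a protected resource
]
CLOUD_LOG = [
    ("meter/region-7", "request_ok"), ("meter/region-7", "authorized"),
    ("meter/region-7", "access_ok"), ("meter/region-7", "completed"),
    ("meter/region-3", "not_found"),
]
WEIGHTS = {"scada/loadcurve": 1, "relay/settings": 3}   # higher access permission -> higher weight


def demo():
    trusted = evaluate_requester(LOCAL_LOG, CLOUD_LOG, WEIGHTS)
    # Same requester after three more probes of the protected resource: no longer trusted.
    probing = LOCAL_LOG + [("relay/settings", "unauthorized_attempt")] * 3
    rejected = evaluate_requester(probing, CLOUD_LOG, WEIGHTS)
    return trusted, rejected


if __name__ == "__main__":
    print(demo())
```

With the constructed data the single probe of the weight-3 resource already pulls $Score_1$ down to 4/7 despite four clean accesses; three more probes push the combined score below the threshold and the member answers "unable to evaluate". Whatever arithmetic a deployment picks, the weight table is the lever that makes attempts on high-permission resources expensive, which is the property the text is after.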
Further, the cross-domain zero-trust authentication system comprises a key management center deployed in the cloud, which generates the public/private key pair for threshold signatures based on an elliptic-curve cryptosystem;
the key management center comprises a security parameter setting module, a public key issuing module and a private key issuing module;
the security parameter setting module sets the security parameters in each key update period as follows: select a prime $q$ and the elliptic curve $y^2 = x^3 + x + 1$ over the finite field $GF(q)$; select a random integer $r$ as the signature private key and compute the signature public key $K_{pub} = rG = (x, y)$, where $G$ is a base point on the elliptic curve; select and publish a public parameter $a$; $x$ and $y$ are the curve's independent and dependent variables respectively;
the public key issuing module publishes the signature public key to the policy centers of all trust domains;
the private key issuing module generates the signature sub-keys and sends each to the corresponding trust-domain policy center; specifically, with the authentication threshold set to $t$, it selects a polynomial of degree $t-1$ over the finite field, $f(x) = r + a_1 x + a_2 x^2 + \dots + a_{t-1} x^{t-1} \bmod q$, computes $\langle x_i, r_i = f(x_i) \rangle$ for $1 \le i \le n$ and sends each pair as the signature sub-key to the corresponding trust-domain policy center, labelled $i$; $n$ is the number of trust domains, $t$ is the member threshold of the distributed authentication group, $a_1, a_2, \dots, a_{t-1}$ are the polynomial coefficients, $x_i$ is the identity of the $i$-th trust domain, $r_i$ is the sub-key of the $i$-th trust domain, and $f(x_i)$ is the value of the function $f()$ at the argument $x_i$.
Further, each member of the distributed authentication group sends its signature information $\langle a_i, m_i, s_i \rangle$, $0 \le i \le t-1$, to the policy center of the trust domain where the requester is located; here $s_i = H_2(m_i) + a x$, $m_i$ is the encoding of the confirmation document, and $H_2()$ is a one-way hash function;
the policy center of the trust domain where the requester is located collects $t$ signature sub-keys and uses a Lagrange interpolation polynomial to obtain the shared signature key:
(equation image BDA0003875228160000051, not reproduced on this page)
if the information of all members satisfies the equation
(equation image BDA0003875228160000052, not reproduced on this page)
an authentication-pass instruction is generated; in the formula,
(equation image BDA0003875228160000053, not reproduced on this page)
$r_j$ is the sub-key of the $j$-th trust domain.
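The key issuing step ($f(x) = r + a_1 x + \dots + a_{t-1} x^{t-1} \bmod q$, sub-key $\langle x_i, r_i = f(x_i) \rangle$) and the Lagrange reconstruction from $t$ sub-keys are standard Shamir secret sharing, and the block below, an added example rather than the patent's code, carries them through in full with the document's symbols $r$, $t$, $n$, $q$, $x_i$ and $r_i$. Assumptions: $x_i = i$, $q$ is a 127-bit Mersenne prime standing in for the order of the curve's base point (the page names the curve but not $G$'s order), and the curve arithmetic itself ($K_{pub} = rG$, the $s_i$ values, the verification equation) is not implemented.

```python
"""Threshold key issuing and reconstruction: the private key issuing module splits r with a degree
t-1 polynomial over GF(q); any t sub-keys recover r by Lagrange interpolation at x = 0.
Added example, not the patent's code. Q stands in for the curve group order (assumption)."""
import secrets

Q = 2**127 - 1   # prime modulus (assumption: stands in for the order of the curve's base point)


def split_key(r: int, t: int, n: int, q: int = Q) -> list:
    """f(x) = r + a_1 x + ... + a_{t-1} x^{t-1} mod q; sub-key of domain i is <x_i, r_i = f(x_i)>, x_i = i."""
    if not 1 < t <= n:
        raise ValueError("need 1 < t <= n")
    coeffs = [r % q] + [secrets.randbelow(q) for _ in range(t - 1)]   # a_0 = r, a_1..a_{t-1} random
    shares = []
    for x_i in range(1, n + 1):            # x_i is the identity of the i-th trust domain
        r_i = 0
        for a in reversed(coeffs):         # Horner evaluation of f at x_i
            r_i = (r_i * x_i + a) % q
        shares.append((x_i, r_i))
    return shares


def reconstruct(shares: list, q: int = Q) -> int:
    """Lagrange interpolation at x = 0 over the collected sub-keys; equals r only when at least t
    distinct shares of the same polynomial are supplied."""
    if len({x for x, _ in shares}) != len(shares):
        raise ValueError("duplicate domain identity in share set")
    total = 0
    for j, (x_j, r_j) in enumerate(shares):
        num = den = 1
        for k, (x_k, _) in enumerate(shares):
            if k != j:
                num = num * (-x_k) % q
                den = den * (x_j - x_k) % q
        total = (total + r_j * num * pow(den, -1, q)) % q    # pow(.., -1, q) is the modular inverse
    return total


def demo(t: int = 3, n: int = 5) -> tuple:
    """Issue n sub-keys with threshold t and show what t, another t, and only t-1 of them recover."""
    r = secrets.randbelow(Q)
    shares = split_key(r, t, n)
    enough = reconstruct(shares[:t]) == r              # first t domains
    other_subset = reconstruct(shares[n - t:]) == r    # any other t domains also work
    too_few = reconstruct(shares[:t - 1]) == r         # t-1 shares: wrong except with prob. ~1/q
    return enough, other_subset, too_few


if __name__ == "__main__":
    print(demo())   # (True, True, False)
```

Two caveats a practitioner would raise. First, the page fixes the curve equation but not a base point order or a named curve; the sub-keys have to live in the scalar field of the signing key, so a deployment would take $q$ from a standard curve (SM2, the Chinese national curve used in the power sector, or NIST P-256) rather than the stand-in used here. Second, as described, the collecting policy center reconstructs $r$ itself, which recreates the whole signing key on one host every time a request is authenticated; a threshold signature scheme in which each member signs with its own $r_i$ and only the partial signatures are combined never assembles $r$ and removes that single point of compromise.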
The invention also provides a cross-domain zero-trust authentication method for a cloud-edge-end-fused power information communication system; the method is based on the cross-domain zero-trust authentication system above and is used to process resource requests of registered members;
the cross-domain zero-trust authentication method comprises the following steps:
S1, a registered user, as requester, submits a resource access request to the proxy gateway of its own trust domain; the proxy gateway intercepts the resource access request, returns the registered user's digital identity, generates an access request event and submits it to the policy center of the registered user's trust domain;
S2, the policy center of the requester's domain determines which domain owns the resource named in the access request event; if the resource belongs to the requester's own domain, go to step S3, otherwise go to step S4;
S3, match the requester's digital identity $D_1$ against the local-domain access policy library to obtain the resource permission $X$ corresponding to $D_1$; match $X$ against the target resource to obtain the target resource's opening parameter $F$; instruct the local proxy gateway to open access to the target resource with opening parameter $F$ to the requester and start a timer $T$; close the access when the timer expires and record the requester's current access log in the behavior log recording module; end the flow;
S4, the proxy gateway of the requester's domain asks the resource navigation server deployed in the cloud whether a cross-domain route exists between the requester's domain and the resource's domain; if so, it sends an authentication request detection message to the policy center of the domain where the target resource is located, and if an authentication request detection response returned by that policy center is received, which indicates that the policy center of the target resource's domain has been triggered and has entered the authentication process, go to step S5; otherwise return "the target resource cannot be accessed" and end the flow;
S5, the policy center of the domain where the target resource is located performs threshold-signature authentication of the access request event, specifically comprising the following sub-steps:
S51, extract the requester's digital identity and the target resource information from the access request event, query the cross-domain access policy library and verify whether the target resource has a cross-domain access attribute; if not, return "access denied" to the requester and end the flow; otherwise obtain the target resource's cross-domain access attribute parameter $F'$;
s52, accessing a cloud resource navigation server, and acquiring a distributed authentication group consisting of policy centers of a plurality of trust domains associated with a requester; the distributed authentication group does not comprise a trust domain where a requesting party is located and a trust domain where resources are located;
s53, issuing an authentication task to members of a distributed authentication group, analyzing the authentication task by all the members of the distributed authentication group, comprehensively evaluating the trust condition of the resource requester according to the historical behavior log of the resource requester stored in a cloud public database and the access behavior log of the resource requester stored in respective behavior log recording modules, if the requester is deemed to be trusted, encrypting the scoring data based on a threshold signature algorithm of an elliptic curve encryption mechanism and submitting the scoring data to a policy center of a trust domain where the resource is located, and otherwise, returning information which cannot be evaluated;
s54, the strategy center of the trust domain where the resource is located obtains the score values submitted by all members in the distributed authentication group, and performs trust authentication on the resource request; if the authentication is passed, the proxy gateway is informed to open a corresponding access port for the resource request passed by the authentication, and the access authority of the resource corresponding to the authority is opened to the requesting party within a limited time; otherwise, returning: the authentication is not passed.
The beneficial effects of the invention are:
first, the cloud-edge-fused cross-domain zero trust authentication system and method of the power information communication system of the invention realize zero trust by adopting a cloud-edge-integrated architecture, can fully exert the advantages of cloud data sharing, abundant edge-side computing resources, convenient terminal-side access mode and the like, have good adaptability to the prior power information communication system, can be conveniently deployed in various power application scenes, and have better compatibility.
Secondly, the cloud-edge-fused cross-domain zero-trust authentication system and method for the power information communication system can conveniently expand the trust domain on the basis of cloud computing, can cover cross-domain access of heterogeneous trust domains, and have the characteristics of convenience in deployment, convenience in management and easiness in operation and maintenance.
Thirdly, the cloud side-end integrated cross-domain zero trust authentication system and method provided by the invention encrypt the information transmitted by each trust domain by adopting a threshold signature system based on an elliptic curve, so that stronger security can be realized under a shorter key length, light-weight deployment is facilitated, and storage and communication expenses can be saved. In addition, the invention is based on the distributed authentication in the zero trust framework, and in the specific implementation process, the encryption algorithm can be conveniently replaced by a more advanced public key encryption system, so that the invention has certain deployment flexibility.
Fourthly, according to the cross-domain zero-trust authentication system and method of the cloud-edge-end-fused power information communication system, the distributed authentication group performs authentication and evaluation on historical access logs of the same or similar resources based on users, the evaluation process does not depend on real-time management on registered users, the evaluation result has extremely strong pertinence, the authentication result is high in accuracy, and the user experience is good.
Drawings
Fig. 1 is a schematic structural diagram of a cross-domain zero-trust authentication system of a cloud-edge-converged power information communication system of the present invention.
FIG. 2 is a cross-domain authentication request and verification interaction flow diagram of the present invention.
Detailed Description
The present invention will now be described in further detail with reference to the accompanying drawings.
It should be noted that the terms "upper", "lower", "left", "right", "front", "back", etc. used in the present invention are for clarity of description only and are not intended to limit the scope of the present invention; changes or adjustments of their relative relationship, without substantive change to the technical content, are also regarded as within the scope in which the invention can be practised.
Example one
Referring to fig. 1, the embodiment provides a cloud-edge-integrated cross-domain zero-trust authentication system of a power information communication system, and the cross-domain zero-trust authentication system is applied to a cloud-edge-integrated power information communication system.
The cross-domain zero-trust authentication system comprises a cloud resource navigation server and a plurality of trust domains which are isolated from each other; each trust domain is provided with a plurality of registered users, and resource data to be accessed are stored in the trust domains; and the cloud resource navigation server is used for managing trust domain routing information and trust domain information associated with each registered user.
Each trust domain comprises a policy center and a proxy gateway; a physical resource access channel is constructed between the proxy gateways of the trust domains with the resource access service; a zero trust authentication channel is constructed between the strategy centers of the trust domains participating in the distributed authentication; the policy center runs on the edge side.
The proxy gateway intercepts the received resource access request of the requester, returns the digital identity of the requester, generates an access request event and submits the access request event to the strategy center of the trust domain.
A domain judgment module, a local domain authentication module, a cross-domain authentication module and a behavior log recording module are deployed in the strategy center; the behavior log recording module is used for storing access behavior logs of all users accessing a domain where the strategy center is located; the domain judgment module is used for judging the domain to which the resource corresponding to the access request event belongs, if the domain belongs to the domain to which the user belongs, the access request event is transferred to the local domain authentication module, otherwise, the access request event is transferred to the cross-domain authentication module, and the cross-domain authentication module of the domain to which the target resource belongs is triggered to enter an authentication process; the local domain authentication module is combined with the digital identity of the requester and the matching result of the access policy library to inform the local proxy gateway of opening the access authority of the resource corresponding to the authority of the user within a limited time; and the cross-domain authentication module of the domain where the target resource is located accesses the cloud resource navigation server, acquires the strategy centers of the trust domains associated with the requester to form a distributed authentication group, and the distributed authentication group does not comprise the trust domain where the requester is located and the trust domain where the resource is located.
Each member in the distributed authentication group comprehensively evaluates the trust condition of the resource requester according to the historical behavior log of the resource requester stored in the cloud public database and the access behavior log of the resource requester stored in the behavior log recording module of each member, encrypts the scoring data based on a threshold signature algorithm of an elliptic curve encryption mechanism if the requester is considered to be trusted and submits the scoring data to a policy center of a trust domain where the resource is located, and otherwise, returns the information which cannot be evaluated; and the policy center of the trust domain where the resource is located performs trust authentication on the resource request according to the submission results of all members in the distributed authentication group, informs the proxy gateway to open a corresponding access port for the resource request passing the authentication, and opens the access authority of the resource corresponding to the authority of the proxy gateway to the requesting party within a limited time.
As shown in fig. 1, the policy center implements authentication and authorization for user access through the zero trust authentication channel, and the proxy gateway is responsible for opening corresponding resources according to user permissions and implementing resource access through the resource access channel. The present embodiment involves two data channels: a resource access channel and a zero trust authentication channel; preferably, 5G slice or IP tunnel technology can be adopted to switch the resource access channel and the zero trust authentication channel.
(1) User registration module
The policy center comprises a user registration module; the user registration module receives the unique identifier Id and the validity period $T_1$ sent by a user and generates for the user a digital identity with validity period $T_1$: $DID = \langle H_1(Id \,\|\, T_1), P \rangle$; where P is the access authority and $H_1(\cdot)$ is a one-way hash function, which can be any hash algorithm of the SHA-2 or SHA-3 families; the digital identity can be used for resource access during the validity period, after which it needs to be updated.
After the validity period is reached, the user registration module updates the digital identity of the user either periodically or according to an update request sent by the user; the update is calculated from the accumulated running time, so that the digital identity updated after a further period $T_2$ is $DID = \langle H_1(Id \,\|\, (T_1 + T_2)), P \rangle$. The update can be periodic or triggered.
And the user registers in the trust domain, and submits an access application to the local proxy gateway after the registration is successful. The local proxy gateway intercepts the request information, returns the digital identity of the requesting user, and submits the access request event to the policy center. The policy center judges whether the requested resource is in the local domain according to the identification of the requested resource. If the access is the local domain access, the local domain authentication module directly authorizes through the local policy, and informs the local proxy gateway of opening resources according to the local security policy for the authorized access request. And if the cross-domain resource is accessed, the cross-domain resource is delivered to a cross-domain authentication module, and a resource request is made to a policy center of a trust domain where the resource is located through a zero trust authentication channel.
(2) Local domain authentication module
The local domain authentication module comprises a resource management unit, a registered user management unit, a local domain access strategy library, a user authority authentication unit and a local domain resource access management unit.
The resource management unit is used for managing the resource library of the trust domain, and each resource is provided with a corresponding local domain access authority. The registered user management unit is used for managing registered users of the trust domain, and each registered user has an independent digital identity. The local domain access strategy library is used for storing local domain resource authorities corresponding to all access authorities of registered users. The user authority authentication unit extracts the digital identity D1 of the requester from the access request event, matches the extracted digital identity D1 of the requester with the storage information of the local domain access policy library, and acquires the local domain resource authority X of the requester; and matching the local domain resource authority X with the accessed object to obtain an open parameter F of the accessed object. The local domain resource access management unit is used for notifying the local proxy gateway according to the opening parameter F of the accessed object and the information of the requester, which are sent by the user authority authentication unit, opening the access authority with the opening parameter F on the accessed object to the requester, starting the timer T, notifying the local proxy gateway to close the access authority again when the timing is finished, and recording the current access log of the requester to the behavior log recording module.
(3) Cross-domain authentication module
The cross-domain authentication module comprises a route query unit, an authentication request detection unit, a cross-domain access strategy library, an authentication management unit, a distributed authentication group generation unit, a scoring authentication unit and a cross-domain resource access management unit.
The route query unit is used for extracting the domain information of the resource contained in the access request event and querying the cloud resource navigation server whether a corresponding cross-domain route exists; if so, it triggers the authentication request detection unit, which initiates authentication request detection information to the policy center of the domain where the target resource is located; otherwise, information that the requester cannot access is returned through the cross-domain resource access management unit. If the authentication request detection unit receives an authentication request detection response sent by the authentication request detection unit of the domain where the requester is located, this indicates that the authentication management unit of the domain where the target resource is located has been triggered, and the authentication process is started.
The cross-domain access strategy library is used for storing cross-domain access attributes and cross-domain access permissions of resources of the domain where the resources are located, and cross-domain resource permissions corresponding to the access permissions of the registered users.
After the authentication management unit of the domain where the target resource is located is triggered, it extracts the digital identity of the requester and the target resource requested by the requester from the access request event, and calls the cross-domain access policy library to verify whether the target resource has a cross-domain access attribute; if so, it acquires the cross-domain resource authority X' of the requester, and matches the cross-domain resource authority X' of the requester with the cross-domain access authority of the target resource to acquire the open parameter F' of the target resource; meanwhile, the digital identity of the requester and the attribute information of the target resource are sent to the distributed authentication group generation unit, which establishes a distributed authentication group; the scoring unit of each member of the distributed authentication group, according to the digital identity of the requester and the attribute information of the target resource, calls the historical behavior log of the resource requester stored in the cloud public database and the access behavior log of the resource requester stored in the member's own behavior log recording module, and comprehensively evaluates the trust condition of the resource requester; if the requester is deemed to be trusted, the scoring data is encrypted based on a threshold signature algorithm of an elliptic curve encryption mechanism and submitted to the policy center of the trust domain where the resource is located; otherwise, information that the requester cannot be evaluated is returned.
After receiving the submission results of all the members in the distributed authentication group, the authentication management unit triggers the scoring authentication unit if the total quantity of the scoring data reaches t, so that the scoring authentication unit performs trust authentication on the resource request according to the submission results of all the members in the distributed authentication group, and otherwise, returns authentication failure information to the requester. And the authentication management unit sends the authentication result to the cross-domain resource access management unit. The cross-domain resource access management unit informs the proxy gateway to open a corresponding access port for the resource request passing the authentication, opens the access authority of the resource corresponding to the authority of the request party within a limited time, opens the access authority with the parameter of F 'on the accessed object for the request party, starts a timer T', informs the local proxy gateway to close the access authority again after the timing is finished, and records the current access log of the request party to the behavior log recording module.
Illustratively, the distributed authentication group generation unit includes a correlation domain acquisition component, a target resource parsing component, and a member screening component.
The related domain acquisition component is used for accessing a cloud resource navigation server, and acquiring policy centers of t trust domains related to a requester according to the digital identity of the requester to form an access route set R { }; the target resource analysis component analyzes the attribute information of the target resource, extracts relevant features and obtains a corresponding attribute vector; the member screening component circularly accesses elements in the R { }, acquires a trust domain policy center set S { } which is allowed to participate in distributed authentication according to the attribute information of the target resource until the number of members in the trust domain policy center set S { } reaches a threshold value t, and forms a distributed authentication group; the difference value between the attribute vector of the historical resource and the attribute vector of the target resource in the access log record of the selected member is larger as the cycle number is increased; t is a positive integer greater than 1.
Whether the resource requester can successfully access the resource across domains or not actually depends on the evaluation of the authentication group members, and if all the authentication group members adopt the same evaluation standard to evaluate according to the historical access behavior log of the resource requester, the significance of establishing the authentication group is greatly reduced, and the resource access safety is reduced. And if all authentication groups judge the historical access behavior logs of the resource requesters according to respective judgment standards, the access threshold of the resource requesters is increased, so that the security can be increased, but the cross-domain access success rate is also reduced. Therefore, in the embodiment, a comprehensive evaluation mode is set in combination with a unique access mode of the cross-domain zero-trust authentication system of the power information communication system, and the success rate of resource access of a requester is improved as much as possible on the basis of ensuring the resource security. Specifically, each member in the distributed authentication group performs comprehensive evaluation on the trust condition of the resource requester according to the historical cross-domain access behavior log of the resource requester stored in the cloud public database and the historical local domain access behavior log of the resource requester stored in the respective behavior log recording module, and the specific process includes:
initializing all nodes, and assigning initial values to the trust values of all nodes for the resource requester; setting a plurality of positive behavior elements and a plurality of negative behavior elements according to the resource access flow and the resource access result; the positive behavior elements are used for representing each successful access state of the resource, including resource request success, resource authorization success, resource access success and access completion success; the negative behavior elements are used for representing each failed access state of the resource, including resource request failure, resource access failure, attempt to access an unauthorized resource, requested resource not found, and exceeding the request range; each member of each distributed authentication group sets a weight for each resource according to the access authority corresponding to the locally stored resource; the higher the access authority, the higher the weight of the resource; analyzing the historical local domain access behavior logs of the resource requester stored in the behavior log recording module to obtain a positive behavior vector $X_1$ and a negative behavior vector $Y_1$ corresponding to each local domain access behavior; combining the weight of the resource corresponding to each local domain access behavior with the positive behavior vector $X_1$ and the negative behavior vector $Y_1$ to calculate the local domain trust score $\mathrm{Score}_1$ of the resource requester; analyzing the historical cross-domain access behavior logs of the resource requester stored in the cloud public database to obtain a positive behavior vector $X_2$ and a negative behavior vector $Y_2$ corresponding to each cross-domain access behavior; combining the positive behavior vector $X_2$ and the negative behavior vector $Y_2$ to calculate the cross-domain trust score $\mathrm{Score}_2$ of the resource requester; and combining the local domain trust score $\mathrm{Score}_1$ and the cross-domain trust score $\mathrm{Score}_2$ to generate the trust score of the resource requester. Illustratively, the trust score of the resource requester may be the weighted sum of the local domain trust score $\mathrm{Score}_1$ and the cross-domain trust score $\mathrm{Score}_2$, or the smaller of the two.
The positive behavior vector $X_1$ and the positive behavior vector $X_2$ may or may not be the same, and illustratively include the following elements: (1) successfully requesting the resource, x1; (2) successfully obtaining authorization for the resource, x2; (3) successfully accessing the resource, x3; and (4) successfully completing the access, x4. Likewise, the negative behavior vector $Y_1$ and the negative behavior vector $Y_2$ may or may not be the same, and illustratively include the following elements: (1) resource request failure, y1; (2) resource access failure, y2; (3) attempting to access an unauthorized resource, y3; (4) requested resource not found, y4; and (5) exceeding the request range, y5.
According to the analysis result of the access behavior log of the resource requester, the positive behavior elements and negative behavior elements corresponding to each access behavior of the resource requester can be obtained, and by integrating the positive and negative behavior elements of all access behavior logs, the positive behavior vector and negative behavior vector of the resource requester are obtained. For example, if a certain access behavior of the resource requester successfully requests the resource but does not successfully obtain the authorized resource because the access exceeds the request range, the positive behavior elements are x1 and x3, and the negative behavior element is y5. For a given authentication group member, if the resource requester requested access to a local domain resource, the resource access authority is taken into account: the acquired positive behavior elements x1 and x3 and the negative behavior element y5 are multiplied by the weight of the corresponding resource to correct the element values, and the local domain trust score of the resource requester for this access behavior is obtained by analysis; correspondingly, for the other authentication group members the same access is a cross-domain access, and the cross-domain trust score of the resource requester for this access behavior is obtained directly by analysis, without multiplying by the resource weight.
According to this method, different trust domains do not need to share the access authorities of their own domain's resources in the logs, which ensures the independence of each trust domain; at the same time, the resource access authority is used to correct the evaluation result of the local domain access behavior, which improves the access success rate of honest resource accessors, and avoids both resource access failures caused by failed access records on a few low-authority resources and the situation in which a resource accessor with a high access success rate on low-authority resources can freely access high-authority resources, which would reduce resource security. Because the authentication group members are randomly selected, the trust scoring result is also random, which increases the security of resource access to a certain extent.
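As an added illustration of the scoring scheme described above (example code, not code from the patent), the following Python scores one requester from the point of view of a single authentication-group member. The behavior-log format, the resource weights, the per-event formula (each access contributes its count of positive elements minus its count of negative elements, with local domain accesses scaled by the member's weight for the resource and cross-domain accesses left unweighted) and the decision threshold are all assumptions filled in for the example; the text itself fixes only the element sets x1..x4 and y1..y5, the weighting by access authority, and the choice between a weighted sum and the minimum for combining the two scores.

```python
"""Trust scoring of a resource requester by one distributed-authentication-group member.

Constructed example. Log format, weights, threshold and the per-event formula are
assumptions; only the element names and the weight-by-access-authority rule come from
the described scheme.
"""

# Positive behaviour elements x1..x4 and negative elements y1..y5 as named in the text
POSITIVE_ELEMENTS = {"x1", "x2", "x3", "x4"}
NEGATIVE_ELEMENTS = {"y1", "y2", "y3", "y4", "y5"}

# Constructed: this member's weights for its own resources (higher authority -> higher weight)
RESOURCE_WEIGHTS = {"meter-readings": 1, "dispatch-plan": 3, "relay-settings": 5}

# Constructed local domain log for one requester: one entry per access behaviour
LOCAL_LOG = [
    {"resource": "meter-readings", "pos": ["x1", "x2", "x3", "x4"], "neg": []},
    {"resource": "relay-settings", "pos": ["x1"], "neg": ["y1", "y3"]},
]
# Constructed cross-domain log from the cloud public database (no local weights apply)
CROSS_LOG = [
    {"pos": ["x1", "x2", "x3", "x4"], "neg": []},
    {"pos": ["x1"], "neg": ["y5"]},
]


def event_net(entry):
    """Assumed per-event value: number of positive elements minus number of negative ones."""
    pos, neg = set(entry["pos"]), set(entry["neg"])
    unknown = (pos - POSITIVE_ELEMENTS) | (neg - NEGATIVE_ELEMENTS)
    if unknown:
        raise ValueError(f"unknown behaviour element(s): {sorted(unknown)}")
    return len(pos) - len(neg)


def local_domain_score(log, weights, initial=0):
    """Score_1: each local access is corrected by the weight of the accessed resource."""
    score = initial
    for entry in log:
        if entry["resource"] not in weights:
            raise ValueError(f"no weight for resource {entry['resource']!r}")
        score += weights[entry["resource"]] * event_net(entry)
    return score


def cross_domain_score(log, initial=0):
    """Score_2: cross-domain accesses are not scaled by a resource weight."""
    return initial + sum(event_net(entry) for entry in log)


def trust_score(local_log, cross_log, weights, initial=0):
    """Combine the two scores by taking the smaller one (one of the two options described)."""
    return min(local_domain_score(local_log, weights, initial),
               cross_domain_score(cross_log, initial))


def evaluate(local_log, cross_log, weights, threshold=0, initial=0):
    """Member verdict: ('trusted', score) when the score reaches the assumed threshold,
    otherwise ('cannot_evaluate', score), mirroring the two outcomes in the text."""
    score = trust_score(local_log, cross_log, weights, initial)
    return ("trusted" if score >= threshold else "cannot_evaluate", score)


if __name__ == "__main__":
    # The failed attempt on the high-authority resource dominates the local score
    print(evaluate(LOCAL_LOG, CROSS_LOG, RESOURCE_WEIGHTS, threshold=1))
```

With the constructed logs, the single failed attempt on the weight-5 resource outweighs the clean access to the weight-1 resource, so the local score is negative and this member returns "cannot evaluate"; with all weights set to 1 the same logs yield a positive score, which is the correction by access authority the paragraph describes.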
Exemplarily, the resource authority types in the zero trust management of the power information communication system are shown in table 1.
TABLE 1
Figure BDA0003875228160000111
Figure BDA0003875228160000121
(4) Authentication procedure
The cross-domain zero-trust authentication system comprises a secret key management center which is deployed at the cloud and is responsible for generating a public key and a private key pair for threshold signature based on an elliptic curve encryption system.
The key management center comprises a security parameter setting module, a public key issuing module and a private key issuing module; the security parameter setting module is used for setting the security parameters in each key update period; the setting process comprises: selecting a prime number q, and selecting an elliptic curve E(a, b) over the finite field GF(q): $y^2 = x^3 + ax + b$, $a \in Z_q$, $b \in Z_q$, with G a base point on the elliptic curve; selecting a random integer r as the signature private key, calculating the signature public key $K_{pub} = rG = (x, y)$, and selecting and publishing the public parameter a; the public key issuing module is used for publishing the signature public key to the policy centers of all trust domains; the private key issuing module is used for generating signature sub-keys and sending them to the corresponding trust domain policy centers; specifically, the authentication threshold is set as t, and a polynomial of order t-1 over the finite field is selected: $f(x) = r + a_1 x + a_2 x^2 + \dots + a_{t-1} x^{t-1} \bmod q$; $\langle x_i, r_i = f(x_i) \rangle$, $1 < i < n$, is calculated and sent as a signature sub-key to the corresponding trust domain policy center; t is the member threshold of the distributed authentication group.
The trust domain policy centers participating in the distributed authentication evaluate the trust condition of the resource requester according to the historical behavior log of the resource requester stored in the cloud public database and the access behavior log stored in their own local domain policy center; if the requester is considered to be trusted, they submit a threshold signature of the requester as confirmation information, otherwise they take no action. Specifically, each member of the distributed authentication group sends its signature information $\langle a_i, m_i, s_i \rangle$ to the policy center of the trust domain where the requesting party is located; in the formula, $s_i = H_2(m_i) + ax$, $m_i$ is the encoding of the confirmation document, and $H_2(\cdot)$ is a one-way hash function.
The policy center of the trust domain that initiated the authentication request collects the signature information sent by the policy centers of the authentication group; if signature information has been sent by the policy centers of t trust domains, i.e. the threshold number, the policy center can recover the group signature private key and thereby obtain the confirmation information. Specifically, the policy center of the trust domain where the requesting party is located collects t signature sub-keys and applies a Lagrange interpolation polynomial to obtain the shared signature key:
Figure BDA0003875228160000131
if all members' information satisfies the equation
Figure BDA0003875228160000132
an authentication pass instruction is generated; in the formula,
Figure BDA0003875228160000133
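The issuance of sub-keys $r_i = f(x_i)$ by the private key issuing module and the recovery of the shared key by Lagrange interpolation at the requester-side policy center, described both in the system description above and in the authentication procedure here, is Shamir secret sharing of the signature private key r over GF(q). The following Python is an added worked example, not code from the patent: it uses a small demonstration prime and fixed coefficients in place of a real curve order and random coefficients, evaluates the polynomial at the domain identities 1..n, and recovers r at x = 0 from any t shares. The threshold-signature check that the figures carry is not reproduced, since only its figure reference is on the page.

```python
"""(t, n) sharing of the signature private key r over GF(q) with Lagrange recovery.

Constructed example. q is a small demonstration prime, not a real curve order; the
identities x_i are taken as 1..n. Coefficients are random unless fixed by the caller.
"""
import secrets
from itertools import combinations


def make_shares(r, t, n, q, coeffs=None):
    """Issue the sub-keys <x_i, r_i = f(x_i)> for i = 1..n, where
    f(x) = r + a_1 x + ... + a_{t-1} x^{t-1} mod q and r = f(0) is the secret."""
    if not (1 < t <= n < q):
        raise ValueError("need 1 < t <= n < q")
    if coeffs is None:
        coeffs = [secrets.randbelow(q) for _ in range(t - 1)]
    if len(coeffs) != t - 1:
        raise ValueError("a polynomial of order t-1 needs exactly t-1 coefficients")
    poly = [r % q] + [c % q for c in coeffs]  # poly[k] is the coefficient of x^k

    def f(x):
        # Horner evaluation of the polynomial mod q
        acc = 0
        for c in reversed(poly):
            acc = (acc * x + c) % q
        return acc

    return [(i, f(i)) for i in range(1, n + 1)]


def reconstruct(shares, q):
    """Lagrange interpolation at x = 0 over GF(q): from t distinct shares this
    returns f(0) = r; from fewer shares it returns an unrelated value."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate trust-domain identities among the shares")
    total = 0
    for x_j, r_j in shares:
        num, den = 1, 1
        for x_m, _ in shares:
            if x_m != x_j:
                num = (num * (-x_m)) % q
                den = (den * (x_j - x_m)) % q
        lam = num * pow(den, -1, q) % q  # Lagrange coefficient lambda_j at x = 0
        total = (total + r_j * lam) % q
    return total


def all_subset_recoveries(shares, k, q):
    """Recover from every k-subset of the shares. For k = t every subset yields r,
    so the result is the single-element set {r}; for k < t the values disagree."""
    return {reconstruct(list(sub), q) for sub in combinations(shares, k)}


if __name__ == "__main__":
    q, r, t, n = 7919, 1234, 3, 5  # constructed demonstration parameters
    shares = make_shares(r, t, n, q, coeffs=[17, 42])
    print("sub-keys:", shares)
    print("recovered from 3 shares:", reconstruct(shares[:3], q))
    print("recovered from 2 shares:", reconstruct(shares[:2], q))
    print("all 3-subsets agree on:", all_subset_recoveries(shares, 3, q))
```

The point worth checking is the last function: with the threshold number of sub-keys every subset of policy centers recovers the same r, while any t-1 of them interpolate a line (or lower-order curve) whose intercept carries no information about r.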
example two
Referring to fig. 2, the invention also provides a cloud-edge-fused cross-domain zero trust authentication method for an electric power information communication system, wherein the cross-domain zero trust authentication method is based on the cross-domain zero trust authentication system and is used for processing resource requests of registered members;
the cross-domain zero trust authentication method comprises the following steps:
s1, a registered user, as the requester, submits a resource access request to the proxy gateway of the trust domain where the registered user is located; the proxy gateway intercepts the resource access request, returns the digital identity of the registered user, generates an access request event and submits the access request event to the policy center of the trust domain where the registered user is located;
s2, the policy center where the requester is located judges the domain to which the resource corresponding to the access request event belongs, and if the resource belongs to the domain to which the requester is located, the step S3 is carried out; otherwise, go to step S4.
S3, matching the digital identity D1 of the requester with the local domain access policy library to obtain a resource authority X corresponding to the digital identity D1 of the requester; matching the resource authority X with the target resource to obtain an open parameter F of the target resource; informing the local proxy gateway to open the access right with the target resource opening parameter of F to the requester, and starting a timer T; closing the access right when the timing is finished, and recording the current access log of the requester to a behavior log recording module; and ending the flow.
S4, inquiring whether cross-domain routing of the domain where the requester is located and the domain where the resource is located exists from a resource navigation server deployed in the cloud by a proxy gateway of the domain where the requester is located, if yes, initiating authentication request detection information to a policy center of the domain where the target resource is located, and if an authentication request detection response returned by the policy center of the domain where the target resource is located is received, indicating that the policy center of the domain where the target resource is located is triggered to enter an authentication process, and turning to the step S5; otherwise, returning: and ending the process if the target resource cannot be accessed.
S5, the strategy center of the domain where the target resource is located carries out threshold signature authentication on the access request event, and the method specifically comprises the following substeps:
s51, extracting the digital identity and the target resource information of the requester from the access request event, inquiring a cross-domain access policy library, verifying whether the target resource has a cross-domain access attribute, and returning to the requester if the target resource does not have the cross-domain access attribute: access is refused, and the process is ended; otherwise, acquiring the cross-domain access attribute parameter F' of the target resource.
S52, accessing a cloud resource navigation server, and acquiring a distributed authentication group consisting of policy centers of a plurality of trust domains associated with a requester; the distributed authentication group does not include a trust domain in which the requester is located and a trust domain in which the resource is located.
And S53, issuing an authentication task to the members of the distributed authentication group, analyzing the authentication task by all the members of the distributed authentication group, comprehensively evaluating the trust condition of the resource requester according to the historical behavior log of the resource requester stored in the cloud public database and the access behavior log of the resource requester stored in the behavior log recording module, if the requester is deemed to be trusted, encrypting the scoring data based on a threshold signature algorithm of an elliptic curve encryption mechanism and submitting the scoring data to a policy center of a trust domain where the resource is located, and otherwise, returning the information which cannot be evaluated.
S54, the strategy center of the trust domain where the resource is located obtains the credit values submitted by all members in the distributed authentication group, and performs trust authentication on the resource request; if the authentication is passed, the proxy gateway is informed to open a corresponding access port for the resource request passed by the authentication, and the access authority of the resource corresponding to the authority of the proxy gateway is opened to the requesting party within a limited time; otherwise, returning: the authentication is not passed.
The above are only preferred embodiments of the present invention; the scope of the present invention is not limited to the above examples, and all technical solutions falling within the spirit of the present invention belong to its scope. It should be noted that modifications and adaptations that would be apparent to those skilled in the relevant art without departing from the principles of the present invention are intended to be within the scope of the present invention.

Claims (10)

1. A cloud-edge-integrated cross-domain zero-trust authentication system of a power information communication system is characterized in that the cross-domain zero-trust authentication system is applied to the cloud-edge-integrated power information communication system;
the cross-domain zero-trust authentication system comprises a cloud resource navigation server and a plurality of trust domains which are isolated from each other; each trust domain is provided with a plurality of registered users, and resource data related to the power information to be accessed is stored in the trust domain; the cloud resource navigation server is used for managing trust domain routing information and trust domain information associated with each registered user;
each trust domain comprises a policy center and a proxy gateway; a physical resource access channel is constructed between the proxy gateways of trust domains that have a resource access relationship; a zero-trust authentication channel is constructed between the policy centers of the trust domains participating in distributed authentication; the policy center runs on the edge side;
the proxy gateway intercepts a received resource access request of a requester, returns the requester's digital identity, generates an access request event and submits it to the policy center of its trust domain;
a domain judgment module, a local domain authentication module, a cross-domain authentication module and a behavior log recording module are deployed in the policy center; the behavior log recording module is used for storing the access behavior logs of all users accessing the domain where the policy center is located; the domain judgment module is used for judging the domain to which the resource corresponding to the access request event belongs: if it belongs to the domain where the user is located, the access request event is handed to the local domain authentication module, otherwise it is handed to the cross-domain authentication module and the cross-domain authentication module of the domain where the target resource is located is triggered to enter the authentication process; the local domain authentication module, based on the requester's digital identity and the matching result from the access policy library, instructs the local proxy gateway to open access to the resource corresponding to the user's authority for a limited time; the cross-domain authentication module of the domain where the target resource is located accesses the cloud resource navigation server and obtains the policy centers of several trust domains associated with the requester to form a distributed authentication group, which does not include the trust domain where the requester is located or the trust domain where the resource is located;
each member of the distributed authentication group comprehensively evaluates the trust condition of the resource requester according to the requester's historical cross-domain access behavior log stored in the cloud public database and the requester's historical local domain access behavior log stored in the behavior log recording module; if it considers the requester trusted, it encrypts its scoring data with a threshold signature algorithm based on an elliptic curve cryptosystem and submits it to the policy center of the trust domain where the resource is located, otherwise it returns "cannot be evaluated"; the policy center of the trust domain where the resource is located performs trust authentication on the resource request according to the submission results of all members of the distributed authentication group, instructs the proxy gateway to open a corresponding access port for the authenticated resource request, and opens the access authority of the corresponding resource to the requester for a limited time.
2. The cloud-edge-fused cross-domain zero-trust authentication system of the power information communication system according to claim 1, wherein 5G slicing or IP tunnelling technology is adopted to switch between the resource access channel and the zero-trust authentication channel.
3. The cloud-edge converged power information communication system cross-domain zero-trust authentication system according to claim 1, wherein the policy center comprises a user registration module;
the user registration module receives the unique identifier Id and the validity period T_1 sent by a user and generates the user's digital identity with validity period T_1: DID = <H_1(Id||T_1), P>; where P is the access authority and H_1() is a one-way hash function;
after the validity period is reached, the user registration module updates the user's digital identity periodically or on the update request sent by the user; the update is calculated by accumulating the running time, so that the digital identity updated after a further period T_2 is DID = <H_1(Id||(T_1+T_2)), P>.
4. The cloud-edge-fused cross-domain zero-trust authentication system of the power information communication system according to claim 1, wherein the local domain authentication module comprises a resource management unit, a registered user management unit, a local domain access policy library, a user authority authentication unit and a local domain resource access management unit;
the resource management unit is used for managing a resource library of the trust domain, and each resource is provided with a corresponding local domain access authority; the registered user management unit is used for managing registered users of the trust domain, and each registered user has an independent digital identity; the local domain access strategy library is used for storing local domain resource authorities corresponding to all access authorities of registered users;
the user authority authentication unit extracts the digital identity D1 of the requester from the access request event, matches the extracted digital identity D1 of the requester with the storage information of the local domain access policy library, and acquires the local domain resource authority X of the requester; matching the local domain resource authority X with the accessed object to obtain an open parameter F of the accessed object;
the local domain resource access management unit is used for notifying the local proxy gateway according to the open parameter F of the accessed object and the information of the requester, which are sent by the user authority authentication unit, opening the access authority with the open parameter F on the accessed object to the requester, starting a timer T, notifying the local proxy gateway to close the access authority again when the timing is finished, and recording the current access log of the requester to the behavior log recording module.
5. The cloud-edge-fused cross-domain zero-trust authentication system of the power information communication system according to claim 1, wherein the cross-domain authentication module comprises a routing query unit, an authentication request detection unit, a cross-domain access policy library, an authentication management unit, a distributed authentication group generation unit, a scoring authentication unit and a cross-domain resource access management unit;
the route query unit is used for extracting the domain information of the resource contained in the access request event and querying the cloud resource navigation server for a corresponding cross-domain route; if one exists, it triggers the authentication request detection unit to send authentication request detection information to the policy center of the domain where the target resource is located, otherwise it returns "the requester cannot access" through the cross-domain resource access management unit; if the authentication request detection unit receives an authentication request detection response sent by the authentication request detection unit of the domain where the requester is located, this indicates that the authentication management unit of the domain where the target resource is located has been triggered and the authentication process is started;
the cross-domain access policy library is used for storing the cross-domain access attributes and cross-domain access permissions of the resources of the domain where it is located, and the cross-domain resource permissions corresponding to the access permissions of registered users;
after the authentication management unit of the domain where the target resource is located is triggered, it extracts the requester's digital identity and the requested target resource from the access request event and calls the cross-domain access policy library to verify whether the target resource has the cross-domain access attribute; if so, it obtains the requester's cross-domain resource authority X', then matches X' with the cross-domain access authority of the target resource to obtain the open parameter F' of the target resource; at the same time it sends the requester's digital identity and the attribute information of the target resource to the distributed authentication group generation unit, which establishes the distributed authentication group; the scoring unit of each group member, according to the requester's digital identity and the target resource's attribute information, calls the requester's historical behavior log stored in the cloud public database and the requester's access behavior log stored in its own behavior log recording module, comprehensively evaluates the trust condition of the resource requester, and, if it deems the requester trusted, encrypts its scoring data with a threshold signature algorithm based on an elliptic curve cryptosystem and submits it to the policy center of the trust domain where the resource is located, otherwise it returns "cannot be evaluated";
after receiving the submission results of all members of the distributed authentication group, the authentication management unit triggers the scoring authentication unit if the amount of scoring data reaches t, so that the scoring authentication unit performs trust authentication on the resource request according to those submission results; otherwise it returns authentication failure information to the requester; the authentication management unit sends the authentication result to the cross-domain resource access management unit; the cross-domain resource access management unit instructs the proxy gateway to open a corresponding access port for the authenticated resource request and opens the access authority of the corresponding resource to the requester for a limited time, namely it opens the access right with parameter F' on the accessed object to the requester and starts a timer T'; when the timer expires it instructs the local proxy gateway to close the access right again and records the requester's current access log in the behavior log recording module.
6. The cloud-edge-fused cross-domain zero-trust authentication system of the power information communication system according to claim 5, wherein the distributed authentication group generation unit comprises a related domain acquisition component, a target resource analysis component and a member screening component;
the related domain acquisition component is used for accessing the cloud resource navigation server and, according to the requester's digital identity, acquiring the policy centers of t trust domains related to the requester to form an access route set R{};
the target resource analysis component analyzes the attribute information of the target resource, extracts the relevant features and obtains the corresponding attribute vector;
the member screening component iterates over the elements of R{} and, according to the attribute information of the target resource, collects the set S{} of trust domain policy centers allowed to participate in distributed authentication until the number of members in S{} reaches the threshold t, forming the distributed authentication group; the difference between the attribute vector of the historical resources in the selected member's access log records and the attribute vector of the target resource increases with the number of iterations; t is a positive integer greater than 1.
7. The cloud-edge-fused cross-domain zero-trust authentication system of the power information communication system according to claim 1, wherein each member in the distributed authentication group comprehensively evaluates the trust condition of the resource requester according to a historical cross-domain access behavior log of the resource requester stored in a cloud public database and a historical local domain access behavior log of the resource requester stored in a respective behavior log recording module, and the specific process includes:
initializing all nodes, and assigning an initial value to each node's trust value for the resource requester;
setting a plurality of positive behavior elements and a plurality of negative behavior elements according to the resource access flow and the resource access result; the positive behavior elements represent the successful access states of a resource, namely resource request succeeded, resource authorization obtained, resource access succeeded and access completed; the negative behavior elements represent the failed access states of a resource, namely resource request failed, resource access failed, attempt to access an unauthorized resource, requested resource not found and request exceeding the permitted range;
each member of the distributed authentication group sets a weight for each resource according to the access authority of the resource stored locally; the higher the access authority, the higher the weight of the resource;
analyzing the requester's historical local domain access behavior log stored in the behavior log recording module to obtain the positive behavior vector X_1 and the negative behavior vector Y_1 corresponding to each local domain access behavior; combining the weight of the resource corresponding to each local domain access behavior with X_1 and Y_1, calculating the requester's local domain trust score Score_1;
analyzing the requester's historical cross-domain access behavior log stored in the cloud public database to obtain the positive behavior vector X_2 and the negative behavior vector Y_2 corresponding to each cross-domain access behavior; combining X_2 and Y_2, calculating the requester's cross-domain trust score Score_2;
combining the local domain trust score Score_1 and the cross-domain trust score Score_2 to generate the trust score of the resource requester.
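A worked version of the scoring steps of claim 7 follows, as an added example that is not the patent's own code. The patent names the behavior elements and says weights follow the resource's access authority but gives no formula; the event names, the authority-weighted net count mapped onto [0, 1], the equal blend of Score_1 and Score_2, the 0.6 decision threshold and all log records are assumptions constructed for the demonstration.

```python
"""Trust scoring of a resource requester from behaviour logs (claim 7 steps).

Added example, not the patent's own code. The scoring formula, the equal
blend of Score_1 and Score_2, the decision threshold and the log records
are assumptions; the patent only fixes the behaviour elements and the rule
that a resource's weight follows its access authority.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# Positive behaviour elements: the successful access states listed in claim 7.
POSITIVE = ("request_ok", "authorized", "access_ok", "completed")
# Negative behaviour elements: the failure states listed in claim 7.
NEGATIVE = ("request_failed", "access_failed", "unauthorized_attempt",
            "not_found", "out_of_scope")


@dataclass(frozen=True)
class LogEntry:
    """One access-behaviour record; `event` is one of POSITIVE or NEGATIVE."""
    requester: str
    resource: str
    event: str


def behaviour_vectors(entries: Iterable[LogEntry]) -> Tuple[List[int], List[int]]:
    """Count events into a positive vector X and a negative vector Y, indexed
    in the order of POSITIVE and NEGATIVE."""
    x = [0] * len(POSITIVE)
    y = [0] * len(NEGATIVE)
    for e in entries:
        if e.event in POSITIVE:
            x[POSITIVE.index(e.event)] += 1
        elif e.event in NEGATIVE:
            y[NEGATIVE.index(e.event)] += 1
        else:
            raise ValueError(f"unknown behaviour element: {e.event}")
    return x, y


def _net_ratio_to_unit(net: int, total: int, initial: float) -> float:
    """Map (positive - negative) / total from [-1, 1] onto [0, 1]; with no
    history the node keeps its initial trust value (claim 7, first step)."""
    if total == 0:
        return initial
    return 0.5 + 0.5 * net / total


def local_score(entries: Iterable[LogEntry], authority: Dict[str, int],
                initial: float = 0.5) -> float:
    """Score_1 from the member's own behaviour log recording module. Each
    access behaviour is weighted by the access authority level of the resource
    it touched (higher authority, higher weight), as claim 7 requires."""
    net = total = 0
    for e in entries:
        w = authority[e.resource]          # weight = access authority level
        x, y = behaviour_vectors([e])
        net += w * (sum(x) - sum(y))
        total += w * (sum(x) + sum(y))
    return _net_ratio_to_unit(net, total, initial)


def cross_domain_score(entries: Iterable[LogEntry], initial: float = 0.5) -> float:
    """Score_2 from the requester's cross-domain log in the cloud public
    database; the claim combines X_2 and Y_2 without resource weights."""
    x, y = behaviour_vectors(entries)
    return _net_ratio_to_unit(sum(x) - sum(y), sum(x) + sum(y), initial)


def evaluate_requester(local: List[LogEntry], cross: List[LogEntry],
                       authority: Dict[str, int], threshold: float = 0.6) -> dict:
    """Combine Score_1 and Score_2 into the requester's trust score and decide
    whether this member submits its score or answers 'cannot be evaluated'."""
    s1 = local_score(local, authority)
    s2 = cross_domain_score(cross)
    trust = (s1 + s2) / 2                  # assumption: equal blend
    decision = "submit_score" if trust >= threshold else "cannot_be_evaluated"
    return {"score_1": s1, "score_2": s2, "trust_score": trust, "decision": decision}


# Constructed sample data: resource authority levels and two behaviour logs.
AUTHORITY = {"scada_hmi": 3, "report_db": 1}
LOCAL_LOG = [
    LogEntry("user-17", "scada_hmi", "request_ok"),
    LogEntry("user-17", "scada_hmi", "authorized"),
    LogEntry("user-17", "scada_hmi", "access_ok"),
    LogEntry("user-17", "scada_hmi", "completed"),
    LogEntry("user-17", "report_db", "unauthorized_attempt"),
]
CROSS_LOG = [
    LogEntry("user-17", "domain-B/meter_archive", "request_ok"),
    LogEntry("user-17", "domain-B/meter_archive", "authorized"),
    LogEntry("user-17", "domain-B/meter_archive", "access_ok"),
    LogEntry("user-17", "domain-B/meter_archive", "completed"),
    LogEntry("user-17", "domain-C/ops_console", "not_found"),
]

if __name__ == "__main__":
    print(evaluate_requester(LOCAL_LOG, CROSS_LOG, AUTHORITY))
```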
8. The cloud-edge-fused cross-domain zero-trust authentication system of the power information communication system according to claim 1, wherein the cross-domain zero-trust authentication system comprises a key management center deployed in a cloud end and used for generating a public key and a private key pair for threshold signature based on an elliptic curve encryption system;
the key management center comprises a security parameter setting module, a public key issuing module and a private key issuing module;
the security parameter setting module is used for setting the security parameters in each key update period; the setting process comprises: selecting a prime number q ∈ Z_q and selecting the elliptic curve y^2 = x^3 + x + 1 over the finite field GF(q); selecting a random integer r as the signature private key and calculating the signature public key K_pub = rG = (x, y), where G is a base point on the elliptic curve; selecting and publishing a public parameter a; x and y are the independent and dependent variables respectively;
the public key issuing module is used for publicly issuing the signature public key in the strategy centers of all trust domains;
the private key issuing module is used for generating the signature sub-keys and sending them to the corresponding trust domain policy centers; specifically, the authentication threshold is set to t and a polynomial of degree t-1 over the finite field is selected: f(x) = r + a_1 x + a_2 x^2 + … + a_{t-1} x^{t-1} mod q; <x_i, r_i = f(x_i)>, 1 ≤ i ≤ n, is calculated and sent as the signature sub-key to the corresponding trust domain policy center, labelled i; n is the number of trust domains; t is the member threshold of the distributed authentication group; a_1, a_2, …, a_{t-1} are the polynomial coefficients, x_i is the identity of the i-th trust domain, r_i is the sub-key of the i-th trust domain, and f(x_i) is the value of the function f() with x_i as argument.
9. The cloud-edge converged power information communication system cross-domain zero-trust authentication system of claim 8, wherein each member of the distributed authentication group sends signature information <a_i, m_i, s_i>, 0 ≤ i ≤ t-1, to the policy center of the trust domain where the requester is located; in the formula, s_i = H_2(m_i) + ax, m_i is the encoding of the confirmation ticket, and H_2() is a one-way hash function;
the policy center of the trust domain where the requester is located collects t signature sub-keys and obtains the shared signature key by Lagrange interpolation:
[equation image not reproduced: Lagrange interpolation of the shared signature key]
if the information of all members satisfies the equation
[equation image not reproduced]
an authentication pass instruction is generated; in the formula,
[equation image not reproduced]
r_j is the sub-key of the j-th trust domain.
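The sub-key issuance of claim 8 and the Lagrange recovery of claim 9 (also described in the text following the first embodiment) carried through in code, as an added example that is not the patent's own. The patent fixes the shape of the scheme, a degree t-1 polynomial with f(0) = r, sub-key r_i = f(x_i) and recovery from any t sub-keys, but gives no concrete q; the prime used here and the choice x_i = i are assumptions, and the curve, public key and the members' check equation are not modelled.

```python
"""Threshold sub-key issuance (claim 8) and Lagrange recovery (claim 9).

Added example, not the patent's own code. Q is a constructed stand-in for the
patent's unspecified prime q; trust domain identities are x_i = i. Only the
scalar sharing of the signature key r is shown, not the curve arithmetic.
"""
import secrets
from typing import Callable, Dict, List, Tuple

# Constructed stand-in for the field prime q (2^127 - 1 is prime).
Q = (1 << 127) - 1


def split_signature_key(r: int, t: int, n: int,
                        rng: Callable[[int], int] = secrets.randbelow) -> Dict[int, int]:
    """Key management centre (claim 8): keep a_0 = r, draw a_1..a_{t-1} at
    random, and hand trust domain i (identity x_i = i) the sub-key r_i = f(i).
    `rng(Q)` must return an integer in [0, Q); it is a parameter so that a
    test can fix the coefficients."""
    if not 1 < t <= n:
        raise ValueError("threshold t must satisfy 1 < t <= n")
    if not 0 <= r < Q:
        raise ValueError("signature private key must lie in [0, Q)")
    coeffs = [r] + [rng(Q) for _ in range(t - 1)]   # a_0 = r, a_1 .. a_{t-1}
    shares: Dict[int, int] = {}
    for x_i in range(1, n + 1):
        acc = 0
        for c in reversed(coeffs):        # Horner evaluation of f(x_i) mod Q
            acc = (acc * x_i + c) % Q
        shares[x_i] = acc
    return shares


def lagrange_at_zero(points: List[Tuple[int, int]]) -> int:
    """Evaluate at x = 0 the unique polynomial through `points` (mod Q).
    With t points of a degree t-1 polynomial this is f(0) = r; with fewer
    points it is an unrelated value, which is what makes t a threshold."""
    total = 0
    for x_j, r_j in points:
        num = den = 1
        for x_m, _ in points:
            if x_m == x_j:
                continue
            num = num * (-x_m) % Q         # factor (0 - x_m)
            den = den * (x_j - x_m) % Q    # factor (x_j - x_m)
        total = (total + r_j * num * pow(den, -1, Q)) % Q
    return total


def recover_signature_key(shares: Dict[int, int], t: int) -> int:
    """Requester-domain policy centre (claim 9): refuse below the threshold,
    otherwise interpolate exactly t sub-keys <x_j, r_j> to the shared key r."""
    if len(shares) < t:
        raise ValueError(f"only {len(shares)} sub-keys received, threshold is {t}")
    points = sorted(shares.items())[:t]
    return lagrange_at_zero(points)


if __name__ == "__main__":
    r = secrets.randbelow(Q)
    shares = split_signature_key(r, t=3, n=5)
    recovered = recover_signature_key({k: shares[k] for k in (2, 4, 5)}, 3)
    print("3 of 5 domains recover r:", recovered == r)
    two = lagrange_at_zero([(1, shares[1]), (3, shares[3])])
    print("2 of 5 domains recover r:", two == r)
```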
10. A cloud-edge-fused cross-domain zero-trust authentication method for an electric power information communication system is characterized in that the cross-domain zero-trust authentication method is based on the cross-domain zero-trust authentication system in any one of claims 1 to 9 and is used for processing resource requests of registered members;
the cross-domain zero-trust authentication method comprises the following steps:
S1, a registered user, acting as the requester, submits a resource access request to the proxy gateway of the trust domain where the user is located; the proxy gateway intercepts the resource access request, returns the registered user's digital identity, generates an access request event and submits it to the policy center of the trust domain to which it belongs;
S2, the policy center where the requester is located judges the domain to which the resource corresponding to the access request event belongs; if the resource belongs to the requester's own domain, go to step S3, otherwise go to step S4;
S3, match the requester's digital identity D1 against the local domain access policy library to obtain the resource authority X corresponding to D1; match the resource authority X with the target resource to obtain the open parameter F of the target resource; instruct the local proxy gateway to open access to the target resource with open parameter F to the requester and start a timer T; when the timer expires, close the access right and record the requester's current access log in the behavior log recording module; end the flow;
S4, the proxy gateway of the requester's domain queries the resource navigation server deployed in the cloud for a cross-domain route between the requester's domain and the resource's domain; if one exists, it sends authentication request detection information to the policy center of the domain where the target resource is located, and if an authentication request detection response returned by that policy center is received, the policy center of the target resource's domain has been triggered into the authentication process and the method goes to step S5; otherwise, return "the target resource cannot be accessed" and end the flow;
S5, the policy center of the domain where the target resource is located performs threshold signature authentication on the access request event, which comprises the following sub-steps:
S51, extract the requester's digital identity and the target resource information from the access request event, query the cross-domain access policy library, and verify whether the target resource has the cross-domain access attribute; if it does not, return "access refused" to the requester and end the flow; otherwise, obtain the cross-domain access attribute parameter F' of the target resource;
S52, access the cloud resource navigation server and obtain a distributed authentication group consisting of the policy centers of several trust domains associated with the requester; the distributed authentication group does not include the trust domain where the requester is located or the trust domain where the resource is located;
S53, issue an authentication task to the members of the distributed authentication group; every member analyzes the task and comprehensively evaluates the trust condition of the resource requester according to the requester's historical behavior log stored in the cloud public database and the requester's access behavior log stored in its own behavior log recording module; if it deems the requester trusted, it encrypts its scoring data with a threshold signature algorithm based on an elliptic curve cryptosystem and submits it to the policy center of the trust domain where the resource is located, otherwise it returns "cannot be evaluated";
S54, the policy center of the trust domain where the resource is located collects the credit values submitted by all members of the distributed authentication group and performs trust authentication on the resource request; if authentication passes, it instructs the proxy gateway to open a corresponding access port for the authenticated resource request and opens the access authority of the corresponding resource to the requester for a limited time; otherwise, it returns "authentication not passed".
CN202211219681.1A 2022-09-30 2022-09-30 Cloud-side-end-fused cross-domain zero-trust authentication system for power information communication system Pending CN115603987A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211219681.1A CN115603987A (en) 2022-09-30 2022-09-30 Cloud-side-end-fused cross-domain zero-trust authentication system for power information communication system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202211219681.1A CN115603987A (en) 2022-09-30 2022-09-30 Cloud-side-end-fused cross-domain zero-trust authentication system for power information communication system

Publications (1)

Publication Number Publication Date
CN115603987A true CN115603987A (en) 2023-01-13

Family

ID=84844398

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202211219681.1A Pending CN115603987A (en) 2022-09-30 2022-09-30 Cloud-side-end-fused cross-domain zero-trust authentication system for power information communication system

Country Status (1)

Country Link
CN (1) CN115603987A (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116389167A (en) * 2023-05-29 2023-07-04 南京信息工程大学 Information access security system based on growing type iterative trust strategy
CN116389167B (en) * 2023-05-29 2023-08-15 南京信息工程大学 Information access security system based on growing type iterative trust strategy
CN117411724A (en) * 2023-12-13 2024-01-16 北京持安科技有限公司 Method and device for sharing credentials across multiple applications of zero-trust application gateway
CN117411724B (en) * 2023-12-13 2024-03-19 北京持安科技有限公司 Method and device for sharing credentials across multiple applications of zero-trust application gateway

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination