CN115914300A - Block chain-based zero-trust implementation system and method for Internet of things - Google Patents


Info

Publication number
CN115914300A
Authority
CN
China
Prior art keywords
access
zero
trust
module
internet
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202211487191.XA
Other languages
Chinese (zh)
Other versions
CN115914300B (en)
Inventor
石娜
黄德俊
唐博
李努锲
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Sichuan Qiruike Technology Co Ltd
Sichuan Changhong Electronic Holding Group Co Ltd
Original Assignee
Sichuan Qiruike Technology Co Ltd
Sichuan Changhong Electronic Holding Group Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Sichuan Qiruike Technology Co Ltd and Sichuan Changhong Electronic Holding Group Co Ltd
Priority to CN202211487191.XA (granted as CN115914300B)
Publication of CN115914300A
Application granted
Publication of CN115914300B
Legal status: Active (current)
Anticipated expiration

Landscapes

  • Computer And Data Communications (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention relates to the technical field of blockchains and provides a blockchain-based zero-trust implementation system for the Internet of Things that effectively achieves dynamic continuous verification. The blockchain-based zero-trust implementation method for the Internet of Things comprises the following steps: 1. identity registration and storage; 2. formulating and storing an access policy; 3. initiating an access request with identity authentication, and forwarding the request to the dPDP for decision making if authentication succeeds; 4. after receiving the request, the dPDP verifies the identity and obtains the relevant information source from outside to decide permit/deny; if the decision is deny, the request is discarded; if access is permitted, the zero-trust proxy module and the requested zero-trust gateway module are notified to allow the access; 5. establishing a dynamic data access channel; 6. carrying out the data access process. In this way, dynamic continuous verification can be effectively achieved.

Description

Blockchain-based zero-trust implementation system and method for the Internet of Things
Technical Field
The invention relates to the technical field of blockchains, and in particular to a blockchain-based zero-trust implementation system and method for the Internet of Things.
Background
With the rapid development of Internet of Things technology, and in order to offer users a more convenient and responsive intelligent lifestyle, massive numbers of heterogeneous IoT devices are changing the existing network structure. In a smart home, these devices collect environment and user data, respond to users' access control requests, and access and control other devices through a gateway in order to provide intelligent services to the user. However, these devices, and especially the gateways that must make access control decisions, have limited resources and present a certain security risk. Once a malicious user impersonates a gateway or forges an access control command, for example by posing as a legitimate user to set the refrigerator temperature so that food spoils, or by switching an air conditioner to hot air at high temperature and causing heatstroke, the personal safety of family members, especially the elderly and children, is very easily threatened. As cloud computing, big data and similar technologies merge with the Internet of Things, the security boundary gradually shifts from bounded to unbounded; the zero-trust concept breaks with default 'trust' and practises 'never trust, continuously verify' at all times. Implementing zero trust in an Internet of Things architecture faces the following problems:
(1) Most Internet of Things devices are resource-constrained and cannot effectively implement dynamic continuous verification.
(2) The Internet of Things devices that make access control decisions, especially gateway devices, are easy to attack, so the stored policy can be tampered with and its integrity cannot be guaranteed.
Disclosure of Invention
In order to effectively implement dynamic continuous verification, this application provides a blockchain-based zero-trust implementation system and method for the Internet of Things.
The technical solution adopted by the invention to solve the above problems is as follows:
The blockchain-based zero-trust implementation system for the Internet of Things comprises a zero-trust access core component for implementing zero-trust access in the Internet of Things, a blockchain functional component, and a support component. The support component provides support services for zero-trust access and comprises an external reference information source module that supplies external relevant information sources, a continuous verification service module for service verification, and a data sharing service module for data sharing.
Further, the zero-trust access core component comprises a data plane and a control plane: the control plane makes secure access decisions through a policy engine module and a policy manager paired in a distributed policy decision point (dPDP); the data plane provides secure access from Internet of Things subjects to Internet of Things resources through a data access channel dynamically constructed between policy enforcement points (PEPs), and each PEP comprises a zero-trust proxy module and a zero-trust gateway module.
Further, the blockchain functional component comprises a policy management module, an identity management module and a log management module.
The blockchain-based zero-trust implementation method for the Internet of Things is applied to the blockchain-based zero-trust implementation system for the Internet of Things and comprises the following steps:
step 1, the access subject and the access object register their identities on the blockchain; after identification by the zero-trust access core component, the identities are stored and managed through the blockchain;
step 2, an access policy is formulated; the access object uploads the access policy to the zero-trust access core component, and after consensus the access policy is stored through the blockchain;
step 3, the user initiates an access request through the zero-trust proxy module, which performs identity authentication; if identity authentication succeeds, the access request is forwarded to the distributed policy decision point dPDP for decision making;
step 4, after the distributed policy decision point dPDP receives the request, the policy engine module looks up the identity through the blockchain to verify it, looks up the policy to verify the authority, and obtains the relevant information source from outside to decide permit/deny; if the decision is deny, the request is discarded; if access is permitted, the zero-trust proxy module and the requested zero-trust gateway module are notified to allow the access;
step 5, after receiving the notification that the request is allowed, the zero-trust proxy module and the zero-trust gateway module perform bidirectional authentication, and after authentication succeeds a dynamic data access channel is established between the zero-trust proxy module and the zero-trust gateway module;
step 6, the user carries out the data access process.
Further, step 6 also includes the zero-trust gateway module monitoring the user's data access process and reporting to the data sharing service module if an illegal action occurs.
Further, a step 7 of recording an access log is also included.
Compared with the prior art, the invention has the following beneficial effects: obtaining the relevant information source from outside for the permit/deny decision separates the data plane from the control plane and makes deployment easier to implement; the relevant information source is more authentic; data integrity is guaranteed by blockchain storage, and the dPDP is relieved of that burden. In dynamic continuous verification the required information sources are large and the storage and computation costs are high; where blockchain technology is used, attacking the distributed external reference data costs more than attacking data stored in a centralized dPDP, so obtaining the data from outside gives high real-time performance and security, and dynamic continuous verification can be effectively achieved.
Drawings
FIG. 1 is the architecture diagram of the blockchain-based zero-trust system for the Internet of Things;
FIG. 2 is the structure diagram of the blockchain-based zero-trust implementation method for the Internet of Things;
FIG. 3 is the sequence diagram of the blockchain-based zero-trust method for the Internet of Things.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention clearer, the present invention is described in further detail below with reference to the following embodiments. It should be understood that the specific embodiments described here are merely illustrative of the invention and do not limit it.
The blockchain-based zero-trust implementation system for the Internet of Things comprises a zero-trust access core component for implementing zero-trust access in the Internet of Things, a blockchain functional component, and a support component. The support component provides support services for zero-trust access and comprises an external reference information source module that supplies external relevant information sources, a continuous verification service module for service verification, and a data sharing service module for data sharing.
Specifically, the zero-trust access core component includes a data plane and a control plane: the control plane makes secure access decisions through a policy engine module and a policy manager paired in a distributed policy decision point (dPDP); the data plane provides secure access from Internet of Things subjects to Internet of Things resources through a data access channel dynamically constructed between policy enforcement points (PEPs), and each PEP comprises a zero-trust proxy module and a zero-trust gateway module. The blockchain functional component comprises a policy management module, an identity management module and a log management module.
The architecture diagram of the blockchain-based zero-trust system for the Internet of Things is shown in fig. 1 and includes a zero-trust access core component, a support component and a blockchain functional component.
The zero-trust access core component implements zero-trust access in the Internet of Things and is divided into a data plane and a control plane. The control plane makes secure access decisions through a policy engine module and a policy manager paired in a distributed policy decision point (dPDP); the data plane provides secure access from Internet of Things subjects to Internet of Things resources through a data access channel dynamically constructed between policy enforcement points (PEPs), and a PEP mainly comprises a zero-trust proxy module and a zero-trust gateway module.
The support component provides support services for zero-trust access, comprises an external reference information source module, a continuous verification service module and a data sharing service module, and supplies 'never trust, always verify' services for zero-trust decision making.
The blockchain functional component provides blockchain-based functional components for the support component and the zero-trust access core component, and comprises a policy management module, an identity management module and a log management module.
As shown in fig. 2, the Internet of Things subject is implemented as a user initiating an access request through a system, an application or a device;
the Internet of Things resources are implemented as accessed data, sensors and controlled actuators;
the policy enforcement point (PEP) is implemented as a blockchain client in the zero-trust proxy and a blockchain light node in the zero-trust gateway;
the distributed policy decision point (dPDP) is implemented as a full node with consensus capability.
Specifically, the policy manager module in the distributed policy decision point dPDP manages the historical access log and the distributed identities;
the continuous verification service module can retrieve distributed identities and historical logs from the policy manager module to perform continuous identity verification and log analysis;
the continuous verification service module sends the continuous identity verification and log analysis results to the information source module and the data sharing service module for synchronization;
and the data sharing service module provides support for the distributed policy decision point dPDP and for data access.
The distributed policy decision point dPDP stores the hash of the latest external reference information source on chain; the continuous verification service module, the information source module and the data sharing service module obtain that hash value from a full node or from the chain for integrity verification; and the information source module supplies the latest relevant information source for the policy engine module to obtain for decision making.
As shown in fig. 3, the blockchain-based zero-trust implementation method for the Internet of Things includes:
step 1, the access subject and the access object register their identities on the blockchain, and after identification by all nodes the registration is recorded through the blockchain;
step 2, an access policy is formulated; the access object uploads the access policy to a full node for publication, and after consensus the access policy is stored through the blockchain; the access policy comprises a resource id, the affiliated/nearest gateway id and the specific policy;
step 3, the user initiates an access request through the zero-trust proxy module; the blockchain client in the zero-trust proxy module verifies the identity, and if identity authentication succeeds the blockchain client forwards the request to a full node for decision making;
step 4, after the full node receives the request, the policy engine module looks up the identity through the blockchain to verify it, looks up the policy to verify the authority, obtains the relevant information source from outside to decide permit/deny, and discards the request if the decision is deny; after receiving the permit decision given by the policy engine module, the policy manager module notifies the zero-trust proxy module and the requested zero-trust gateway module to allow the access;
step 5, after receiving the notification that the request is allowed, the zero-trust proxy module and the zero-trust gateway module perform bidirectional authentication, and after authentication succeeds a dynamic data access channel is established between the zero-trust proxy module and the zero-trust gateway module;
step 6, the user carries out the data access process.
Further, step 6 also includes the zero-trust gateway module monitoring the user's data access process and reporting to the data sharing service module if an illegal action occurs. Having the zero-trust gateway module monitor the data genuinely embodies the separation of the data plane and the control plane in zero trust: the dPDP can focus on decisions, and the monitoring result is reported to the data sharing service module; the functions are decoupled and integrate well, which facilitates implementation and deployment on a real system.
Further, step 7, recording the access log: the policy manager module in the full node receives the normal/illegal completion of data access sent by the zero-trust proxy module or zero-trust gateway module, puts the access log record on chain and synchronizes it by consensus, which facilitates auditing and tracing.
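The following Go program is an added example, not code from the patent or its assignees, that walks the seven steps above end to end and also shows the on-chain hash of the external reference information source being checked before the policy engine uses it. Everything not named in the patent is an assumption: a toy hash-chained in-memory ledger (Ledger, Block) stands in for the blockchain and its identity, policy and log management modules; Ed25519 key pairs stand in for the registered identities and carry the bidirectional authentication, whose mechanism the patent does not specify; a map of risk scores stands in for the external reference information source; and the function names (RegisterIdentity, PublishPolicy, AnchorSource, VerifySigned, Decide, MutualAuth, Monitor) and the sample values (user-1, gw-1, fridge-temp) are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// Block and Ledger are a toy hash-chained ledger, an assumption standing in for the patent's
// blockchain (its identity, policy and log management modules): one block per record.
type Block struct{ Prev, Kind, Hash string; Payload any }
type Ledger struct{ Blocks []Block }
func digest(v any) string { // encoding/json sorts map keys, so the digest is deterministic
	b, _ := json.Marshal(v)
	return fmt.Sprintf("%x", sha256.Sum256(b))
}

func (l *Ledger) Append(kind string, payload any) {
	prev := "genesis"
	if n := len(l.Blocks); n > 0 {
		prev = l.Blocks[n-1].Hash
	}
	l.Blocks = append(l.Blocks, Block{prev, kind, digest([]any{prev, kind, payload}), payload})
}
func (l *Ledger) Latest(kind string, pick func(any) bool) any { // newest payload of kind accepted by pick, or nil
	for i := len(l.Blocks) - 1; i >= 0; i-- {
		if b := l.Blocks[i]; b.Kind == kind && pick(b.Payload) {
			return b.Payload
		}
	}
	return nil
}

type Identity struct{ ID string; Pub ed25519.PublicKey } // the record step 1 puts on chain
type Policy struct {
	ResourceID, GatewayID string          // resource id and affiliated/nearest gateway id (step 2)
	Subjects, Ops         map[string]bool // the "specific policy": who may perform which operations
	MaxRisk               int             // ceiling on the risk score read from the external source
}
func NewKey() (ed25519.PublicKey, ed25519.PrivateKey) { pub, priv, _ := ed25519.GenerateKey(rand.Reader); return pub, priv }
func RegisterIdentity(l *Ledger, id string, pub ed25519.PublicKey) { l.Append("identity", Identity{id, pub}) } // step 1
func PublishPolicy(l *Ledger, p Policy)                                { l.Append("policy", p) }                 // step 2
func AnchorSource(l *Ledger, src map[string]int)                       { l.Append("source_hash", digest(src)) }  // dPDP anchors the source hash
// Step 3 (and each direction of step 5): verify a signature over msg against the key registered on chain.
func VerifySigned(l *Ledger, subject string, msg, sig []byte) bool {
	id, ok := l.Latest("identity", func(p any) bool { return p.(Identity).ID == subject }).(Identity)
	return ok && ed25519.Verify(id.Pub, msg, sig)
}

// Step 4: the policy engine checks identity, policy, and the external source against its on-chain hash.
func Decide(l *Ledger, subject, resource, op string, src map[string]int) (bool, string) {
	if l.Latest("identity", func(p any) bool { return p.(Identity).ID == subject }) == nil {
		return false, "unknown identity"
	}
	pol, ok := l.Latest("policy", func(p any) bool { return p.(Policy).ResourceID == resource }).(Policy)
	if !ok {
		return false, "no policy for resource"
	}
	if h, _ := l.Latest("source_hash", func(any) bool { return true }).(string); h != digest(src) {
		return false, "external information source failed integrity check"
	}
	if risk, known := src[subject]; !known || risk > pol.MaxRisk || !pol.Subjects[subject] || !pol.Ops[op] {
		return false, "denied by policy"
	}
	return true, pol.GatewayID
}
// Step 5: bidirectional authentication, each side signing the peer's fresh nonce.
func MutualAuth(l *Ledger, aID string, aPriv ed25519.PrivateKey, bID string, bPriv ed25519.PrivateKey) bool {
	na, nb := make([]byte, 32), make([]byte, 32)
	rand.Read(na)
	rand.Read(nb)
	return VerifySigned(l, aID, nb, ed25519.Sign(aPriv, nb)) && VerifySigned(l, bID, na, ed25519.Sign(bPriv, na))
}
// Steps 6-7: the gateway checks each operation against the policy; the outcome is written on chain as
// the access log, and the returned violations are what it reports to the data sharing service module.
func Monitor(l *Ledger, pol Policy, subject string, ops []string) []string {
	violations := []string{}
	for _, op := range ops {
		if !pol.Ops[op] {
			violations = append(violations, op)
		}
	}
	l.Append("log", map[string]any{"subject": subject, "resource": pol.ResourceID, "violations": violations})
	return violations
}

func main() { // minimal end-to-end run over constructed sample values
	l := &Ledger{}
	uPub, uPriv := NewKey()
	gPub, gPriv := NewKey()
	RegisterIdentity(l, "user-1", uPub)
	RegisterIdentity(l, "gw-1", gPub)
	pol := Policy{"fridge-temp", "gw-1", map[string]bool{"user-1": true}, map[string]bool{"read": true}, 50}
	PublishPolicy(l, pol)
	src := map[string]int{"user-1": 10}
	AnchorSource(l, src)
	ok, why := Decide(l, "user-1", "fridge-temp", "read", src)
	fmt.Println(ok, why, MutualAuth(l, "user-1", uPriv, "gw-1", gPriv), Monitor(l, pol, "user-1", []string{"read", "write"}))
}
```

The integrity check in Decide is the point the patent makes about the external reference source: the policy engine recomputes the digest of the source it was handed and refuses to decide on it unless that digest matches the one the dPDP anchored on chain, so a tampered risk table is rejected before it can influence permit/deny. The same VerifySigned lookup serves both the proxy's identity check in step 3 and each half of the bidirectional authentication in step 5, since both are "prove possession of the key whose public half is registered on chain".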

Claims (6)

1. A blockchain-based zero-trust implementation system for the Internet of Things, comprising a zero-trust access core component for implementing zero-trust access in the Internet of Things and a blockchain functional component, characterized in that it further comprises a support component, wherein the support component provides support services for the zero-trust access and comprises an external reference information source module that supplies external relevant information sources, a continuous verification service module for service verification, and a data sharing service module for data sharing.
2. The blockchain-based zero-trust implementation system for the Internet of Things as claimed in claim 1, wherein the zero-trust access core component comprises a data plane and a control plane: the control plane makes secure access decisions through a policy engine module and a policy manager paired in a distributed policy decision point (dPDP); the data plane provides secure access from Internet of Things subjects to Internet of Things resources through a data access channel dynamically constructed between policy enforcement points (PEPs), and each PEP comprises a zero-trust proxy module and a zero-trust gateway module.
3. The blockchain-based zero-trust implementation system for the Internet of Things as claimed in claim 2, wherein the blockchain functional component comprises a policy management module, an identity management module and a log management module.
4. A blockchain-based zero-trust implementation method for the Internet of Things, applied to the blockchain-based zero-trust implementation system for the Internet of Things of claim 3, characterized in that it comprises the following steps:
step 1, the access subject and the access object register their identities on the blockchain; after identification by the zero-trust access core component, the identities are stored and managed through the blockchain;
step 2, an access policy is formulated; the access object uploads the access policy to the zero-trust access core component, and after consensus the access policy is stored through the blockchain;
step 3, the user initiates an access request through the zero-trust proxy module, which performs identity authentication; if identity authentication succeeds, the access request is forwarded to the distributed policy decision point dPDP for decision making;
step 4, after the distributed policy decision point dPDP receives the request, the policy engine module looks up the identity through the blockchain to verify it, looks up the policy to verify the authority, and obtains the relevant information source from outside to decide permit/deny; if the decision is deny, the request is discarded; if access is permitted, the zero-trust proxy module and the requested zero-trust gateway module are notified to allow the access;
step 5, after receiving the notification that the request is allowed, the zero-trust proxy module and the zero-trust gateway module perform bidirectional authentication, and after authentication succeeds a dynamic data access channel is established between the zero-trust proxy module and the zero-trust gateway module;
step 6, the user carries out the data access process.
5. The blockchain-based zero-trust implementation method for the Internet of Things as claimed in claim 4, wherein step 6 further comprises the zero-trust gateway module monitoring the user's data access process and reporting to the data sharing service module if a violation occurs.
6. The blockchain-based zero-trust implementation method for the Internet of Things as claimed in claim 5, further comprising a step 7 of recording an access log.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211487191.XA CN115914300B (en) 2022-11-25 Zero trust realization system and method for Internet of things based on block chain

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202211487191.XA CN115914300B (en) 2022-11-25 Zero trust realization system and method for Internet of things based on block chain

Publications (2)

Publication Number Publication Date
CN115914300A true CN115914300A (en) 2023-04-04
CN115914300B CN115914300B (en) 2024-06-07

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116260656A (en) * 2023-05-09 2023-06-13 卓望数码技术(深圳)有限公司 Main body trusted authentication method and system in zero trust network based on blockchain

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113051350A (en) * 2021-04-26 2021-06-29 湖南链聚信息科技有限责任公司 Zero trust network access system based on block chain
CN113051602A (en) * 2021-01-22 2021-06-29 东南大学 Database fine-grained access control method based on zero trust architecture
US20210337033A1 (en) * 2017-09-13 2021-10-28 Vijay Madisetti Service meshes and smart contracts for zero-trust systems

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
罗可人: "SDWAN zero-trust network architecture based on a blockchain consensus mechanism" (基于区块链共识机制的SDWAN零信任网络架构), Integrated Circuit Applications (集成电路应用), no. 07, 9 July 2020 (2020-07-09) *

Similar Documents

Publication Publication Date Title
CN115189927B (en) Zero trust-based power network safety protection method
CN109120722B (en) Access control method based on reverse proxy mode
CN113872944A (en) Block chain-oriented zero-trust security architecture and cluster deployment framework thereof
CN110677407B (en) Safety control method of lightweight block chain platform
CN112231692A (en) Security authentication method, device, equipment and storage medium
CN112019330B (en) Intranet security audit data storage method and system based on alliance chain
CN115996122A (en) Access control method, device and system
CN116319024A (en) Access control method and device of zero trust system and zero trust system
CN116260656B (en) Main body trusted authentication method and system in zero trust network based on blockchain
CN115914300A (en) Block chain-based zero-trust implementation system and method for Internet of things
CN115914300B (en) Zero trust realization system and method for Internet of things based on block chain
CN114745145A (en) Business data access method, device and equipment and computer storage medium
CN116192497B (en) Network access and user authentication safe interaction method based on zero trust system
CN116170806B (en) Smart power grid LWM2M protocol security access control method and system
CN115941252A (en) MQTT dynamic access control method based on trust calculation
CN115118465B (en) Cloud edge end cooperative zero trust access control method and system based on trusted label
CN113807700B (en) Method and system for issuing and receiving aircraft in-wing command scheduling based on block chain
CN115720171A (en) Safe intelligent gateway system and data transmission method
KR20210123811A (en) Apparatus and Method for Controlling Hierarchical Connection based on Token
CN111931142B (en) Distributed dynamic identity control method based on block chain and non-directional approval mechanism
US9680871B2 (en) Adopting policy objects for host-based access control
CN117082147B (en) Application network access control method, system, device and medium
CN115883140A (en) Data security model architecture and data security system
CN114915482B (en) Working method of safe power resource access system for distribution network interoperation protocol
CN118101255A (en) Access control method and system for zero trust security of power monitoring system

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant