CN115914300B - Zero trust realization system and method for Internet of things based on block chain - Google Patents


Info

Publication number: CN115914300B
Authority: CN (China)
Prior art keywords: access, module, zero trust, blockchain, zero
Legal status: Active (the legal status is an assumption, not a legal conclusion)
Application number: CN202211487191.XA
Other languages: Chinese (zh)
Other versions: CN115914300A (en)
Inventors: 石娜, 黄德俊, 唐博, 李努锲
Current assignees: Sichuan Cric Technology Co ltd; Sichuan Changhong Electronic Holding Group Co Ltd
Original assignees: Sichuan Cric Technology Co ltd; Sichuan Changhong Electronic Holding Group Co Ltd
Priority date / filing date: 2022-11-25
Publication dates: CN115914300A 2023-04-04; CN115914300B 2024-06-07

Landscapes

  • Computer And Data Communications (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention relates to the technical field of blockchains and provides a blockchain-based zero trust implementation system for the Internet of Things, which comprises a zero trust access core component, a blockchain functional component, an external reference information source module, a continuous verification service module and a data sharing service module, where the zero trust access core component is used to implement dynamic continuous verification effectively. The blockchain-based zero trust implementation method for the Internet of Things comprises the following steps: 1. register and store identities; 2. formulate and store access policies; 3. initiate an access request and perform identity authentication, forwarding the request to the dPDP for a decision if authentication succeeds; 4. the dPDP verifies the identity after receiving the request and obtains the relevant information sources from outside to decide permit/deny; if the request is denied it is discarded, and if it is permitted the zero trust proxy module and the requested zero trust gateway module are informed to allow the access; 5. establish a dynamic data access channel; 6. carry out the data access process. In this way, dynamic continuous verification can be implemented effectively.

Description

Zero trust realization system and method for Internet of things based on block chain
Technical Field
The invention relates to the technical field of blockchains, in particular to a blockchain-based zero trust implementation system and method for the Internet of Things.
Background
With the rapid development of Internet of Things technology, massive numbers of heterogeneous IoT devices are changing the existing network structure in order to give users a more convenient, intelligent life. In smart homes these devices collect environment and user data, and a gateway that controls access to the other devices provides intelligent services to users in response to their access control requests. However, these devices, and in particular the gateways that have to make access control decisions, have limited resources and carry a certain security risk. Once a malicious user impersonates a gateway or forges an access control command, for example by impersonating a legitimate user to set the refrigerator temperature so that food spoils, or to make the air conditioner blow hot air at high temperature and cause heatstroke, the personal safety of household members, particularly the elderly and children, is easily threatened. As technologies such as cloud computing and big data fuse with the Internet of Things, security is gradually changing from the traditional bordered model to a borderless one, and the zero trust concept breaks with default trust: never trust, always verify. Implementing zero trust in an Internet of Things architecture faces the following problems:
(1) Most Internet of Things devices have limited resources, so dynamic continuous verification cannot be implemented effectively.
(2) The Internet of Things devices that make access control decisions, especially gateway devices, are easy to attack, so the stored policies can be tampered with and their integrity cannot be guaranteed.
Disclosure of Invention
In order to implement dynamic continuous verification effectively, this application provides a blockchain-based zero trust implementation system and method for the Internet of Things.
The invention solves the problems by adopting the following technical solution:
The blockchain-based zero trust implementation system for the Internet of Things comprises a zero trust access core component and a blockchain functional component for implementing zero trust access in the Internet of Things, and further comprises a supporting component, where the supporting component provides supporting services for zero trust access and comprises an external reference information source module that provides external related information sources, a continuous verification service module for service verification and a data sharing service module for data sharing.
Further, the zero trust access core component comprises a data plane and a control plane: the control plane makes secure access decisions through a policy engine module and a policy manager paired in a distributed policy decision point dPDP; the data plane provides secure access between Internet of Things subjects and Internet of Things resources through data access channels dynamically constructed between the policy enforcement points PEPs, and the PEPs comprise a zero trust proxy module and a zero trust gateway module.
Further, the blockchain functional component includes a policy management module, an identity management module and a log management module.
The blockchain-based zero trust implementation method for the Internet of Things is applied to the blockchain-based zero trust implementation system for the Internet of Things and comprises the following steps:
Step 1, the access subject and the access object register identities on the blockchain; the zero trust access core component reaches consensus, and the identities are then stored and managed through the blockchain;
Step 2, an access policy is formulated; the access object uploads it to the zero trust access core component, and after consensus it is stored through the blockchain;
Step 3, the user initiates an access request through the zero trust proxy module, which performs identity authentication; if authentication succeeds, the access request is forwarded to the distributed policy decision point dPDP for a decision;
Step 4, after the distributed policy decision point dPDP receives the request, the policy engine module verifies the identity by looking it up on the blockchain, looks up the policy to verify authorisation, and obtains the relevant information sources from outside to decide permit/deny; if the request is denied it is discarded; if it is permitted, the zero trust proxy module and the requested zero trust gateway module are informed to allow the access;
Step 5, after receiving the notification that access is permitted, the zero trust proxy module and the zero trust gateway module perform mutual authentication, and after successful authentication a dynamic data access channel is established between them;
Step 6, the user carries out the data access process.
Further, step 6 also includes the zero trust gateway module monitoring the user's data access process and reporting to the data sharing service module if a violation occurs.
Further, the method also comprises a step 7 of recording an access log.
Compared with the prior art, the invention has the following beneficial effects: the relevant information sources for the permit/deny decision are obtained from outside, so data and control are separated and deployment is easier; the relevant information sources are more authentic; data integrity is ensured by blockchain attestation, which frees the dPDP from that task; in dynamic continuous verification the required information sources are large, so the storage and computation costs are high, and with blockchain technology the distributed external reference of the data raises the cost of attack compared with storing the data at a centralised dPDP, giving high real-time performance and high security, so that dynamic continuous verification can be implemented effectively.
Drawings
FIG. 1 is a blockchain-based zero trust architecture diagram of the Internet of Things;
FIG. 2 is an architecture diagram of the blockchain-based zero trust implementation method for the Internet of Things;
FIG. 3 is a timing diagram of the blockchain-based zero trust method for the Internet of Things.
Detailed Description
The present invention will be described in further detail with reference to the following examples in order to make the objects, technical solutions and advantages of the present invention more apparent. It should be understood that the specific embodiments described herein are for purposes of illustration only and are not intended to limit the scope of the invention.
The blockchain-based zero trust implementation system for the Internet of Things comprises a zero trust access core component and a blockchain functional component for implementing zero trust access in the Internet of Things, and further comprises a supporting component, where the supporting component provides supporting services for zero trust access and comprises an external reference information source module that provides external related information sources, a continuous verification service module for service verification and a data sharing service module for data sharing.
Specifically, the zero trust access core component includes a data plane and a control plane: the control plane makes secure access decisions through a policy engine module and a policy manager paired in a distributed policy decision point dPDP; the data plane provides secure access between Internet of Things subjects and Internet of Things resources through data access channels dynamically constructed between the policy enforcement points PEPs, and the PEPs comprise a zero trust proxy module and a zero trust gateway module. The blockchain functional component comprises a policy management module, an identity management module and a log management module.
The blockchain-based zero trust architecture of the Internet of Things is shown in fig. 1 and comprises the following components: the zero trust access core component, the support component and the blockchain functional component.
The zero trust access core component implements zero trust access in the Internet of Things and is divided into a data plane and a control plane. The control plane makes secure access decisions through the policy engine module and the policy manager paired in the distributed policy decision point dPDP; the data access channels dynamically constructed between the policy enforcement points PEP of the data plane provide secure access between Internet of Things subjects and Internet of Things resources, and the PEP mainly comprises a zero trust proxy module and a zero trust gateway module.
The support component provides support services for zero trust access; it comprises an external reference information source module, a continuous verification service module and a data sharing service module, and provides "never trust, always verify" services for zero trust decisions.
The blockchain functional component provides blockchain-based functions for the support component and the zero trust access core component, and comprises a policy management module, an identity management module and a log management module.
As shown in fig. 2, the Internet of Things subject is implemented as a user initiating an access request through a system, an application or a device;
the Internet of Things resource is implemented as access to data and sensors, and control of actuators;
the policy enforcement point PEP is implemented as a blockchain client in the zero trust proxy and a blockchain light node in the zero trust gateway;
the distributed policy decision point dPDP is implemented as a full node with consensus capability.
Specifically, the historical access log and the distributed identities are managed by the policy manager module in the distributed policy decision point dPDP;
the continuous verification service module retrieves the distributed identities and the history log from the policy manager module to perform continuous identity verification and log analysis;
the continuous verification service module sends the continuous identity verification and log analysis results to the information source module and the data sharing service module for synchronisation;
the data sharing service module provides support for the distributed policy decision point dPDP and for data access.
The distributed policy decision point dPDP hashes the latest external reference information source onto the chain for storage; the continuous verification service module, the information source module and the data sharing service module obtain the hash values from the full node/chain to verify integrity; the information source module sends the latest relevant information source so that the policy engine module can obtain it for its decision.
As shown in fig. 3, the blockchain-based zero trust implementation method for the Internet of Things includes:
Step 1, the access subject and the access object register identities on the blockchain, and after the full nodes reach consensus the identities are stored and managed through the blockchain;
Step 2, an access policy is formulated; the access object uploads it to the full node for publication, and after consensus it is stored through the blockchain; the access policy comprises a resource id, the id of the owning/nearest gateway and the specific policy;
Step 3, the user initiates an access request through the zero trust proxy module; the blockchain client in the zero trust proxy module verifies the identity, and if authentication succeeds the access request is forwarded to the full node for a decision;
Step 4, after the full node receives the request, the policy engine module verifies the identity by looking it up on the blockchain, looks up the policy to verify authorisation, and obtains the relevant information sources from outside to decide permit/deny; if the request is denied it is discarded; after receiving the permit decision from the policy engine module, the policy manager module informs the zero trust proxy module and the requested zero trust gateway module that the access is permitted;
Step 5, after receiving the notification that access is permitted, the zero trust proxy module and the zero trust gateway module perform mutual authentication, and after successful authentication a dynamic data access channel is established between them;
Step 6, the user carries out the data access process.
Further, step 6 also includes the zero trust gateway module monitoring the user's data access process and reporting to the data sharing service module if a violation occurs. Having the zero trust gateway module monitor the data truly embodies the separation of data and control in zero trust: the dPDP can concentrate on decisions, and the monitoring results are reported to the data sharing service module, so the functions are decoupled, integration is strong, and implementation and deployment of the system are genuinely easier.
Further, the method also comprises a step 7 of recording an access log: the policy manager module in the full node receives the normal/violating data access completion notice sent by the zero trust proxy module or the zero trust gateway module, and records the access log on the chain with consensus synchronisation, which aids audit and tracing.
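As an added illustration (not code from the patent or its assignees), the following Python sketch simulates steps 1, 2, 4 and 7 above together with the dPDP's hash-anchoring of the external reference source: a toy hash chain stands in for the blockchain, and the identity fields, the policy layout (resource id, gateway id, rule), the risk scores and the fail-closed behaviour on an integrity mismatch are all assumptions of this example. Mutual authentication and the data channel of steps 5 and 6 are not modelled.

```python
import hashlib
import json


def digest(obj) -> str:
    """Canonical SHA-256 over a JSON-serialisable object."""
    return hashlib.sha256(json.dumps(obj, sort_keys=True).encode()).hexdigest()


class Ledger:
    """Stand-in for the blockchain: an append-only hash chain of records."""
    def __init__(self):
        self.blocks = []

    def append(self, kind: str, payload) -> str:
        prev = self.blocks[-1]["hash"] if self.blocks else "0" * 64
        body = {"kind": kind, "payload": payload, "prev": prev}
        body["hash"] = digest(body)
        self.blocks.append(body)
        return body["hash"]

    def latest(self, kind: str, **match):
        """Most recent record of a kind whose payload matches all given fields."""
        for b in reversed(self.blocks):
            if b["kind"] == kind and all(b["payload"].get(k) == v for k, v in match.items()):
                return b["payload"]
        return None


class DPDP:
    """Policy engine plus policy manager of the distributed policy decision point."""
    def __init__(self, ledger: Ledger, ext_source: dict):
        self.ledger = ledger
        self.ext_source = ext_source  # external reference information source, kept off-chain

    # step 1: identities are written to the chain
    def register_identity(self, subject: str, pubkey: str) -> str:
        return self.ledger.append("identity", {"id": subject, "pubkey": pubkey})

    # step 2: a policy names the resource, its owning/nearest gateway and the rule (assumed layout)
    def publish_policy(self, resource: str, gateway: str, rule: dict) -> str:
        return self.ledger.append("policy", {"resource": resource, "gateway": gateway, "rule": rule})

    # the dPDP hashes the latest external reference source onto the chain
    def anchor_reference(self) -> str:
        return self.ledger.append("ref_anchor", {"digest": digest(self.ext_source)})

    def reference_is_intact(self) -> bool:
        anchor = self.ledger.latest("ref_anchor")
        return anchor is not None and anchor["digest"] == digest(self.ext_source)

    # step 4: identity lookup, policy lookup, external reference, then permit/deny
    def decide(self, request: dict):
        if self.ledger.latest("identity", id=request["subject"]) is None:
            return "deny", "unknown identity"
        policy = self.ledger.latest("policy", resource=request["resource"])
        if policy is None:
            return "deny", "no policy for resource"
        rule = policy["rule"]
        if request["subject"] not in rule["subjects"] or request["action"] not in rule["actions"]:
            return "deny", "policy does not authorise request"
        if not self.reference_is_intact():
            return "deny", "external reference failed integrity check"  # fail closed (assumption)
        risk = self.ext_source["risk"].get(request["subject"], 100)
        if risk > rule["max_risk"]:
            return "deny", f"risk {risk} exceeds {rule['max_risk']}"
        return "permit", policy["gateway"]

    # step 7: normal/violating access outcome chained for audit and tracing
    def record_log(self, request: dict, outcome: str) -> str:
        return self.ledger.append("access_log", {**request, "outcome": outcome})


def demo():
    """Constructed walk-through: permit, then deny once the off-chain source is tampered with."""
    ext = {"risk": {"alice": 10}}  # constructed risk scores from continuous verification
    pdp = DPDP(Ledger(), ext)
    pdp.register_identity("alice", "pk-alice")
    pdp.publish_policy("fridge-1", "gw-kitchen",
                       {"subjects": ["alice"], "actions": ["read", "set_temp"], "max_risk": 30})
    pdp.anchor_reference()
    req = {"subject": "alice", "resource": "fridge-1", "action": "set_temp"}
    first = pdp.decide(req)
    pdp.record_log(req, first[0])
    ext["risk"]["alice"] = 0  # the tampered off-chain copy no longer matches the on-chain anchor
    return first, pdp.decide(req)
```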

Claims (4)

1. A blockchain-based zero trust implementation system for the Internet of Things, comprising a zero trust access core component and a blockchain functional component for implementing zero trust access in the Internet of Things, characterised in that it further comprises a supporting component, where the supporting component provides supporting services for zero trust access and comprises an external reference information source module that provides an external related information source, a continuous verification service module for service verification and a data sharing service module for data sharing;
specifically, the zero trust access core component includes a data plane and a control plane: the control plane makes secure access decisions through a policy engine module and a policy manager paired in a distributed policy decision point dPDP; the data plane provides secure access between Internet of Things subjects and Internet of Things resources through a data access channel dynamically constructed between policy enforcement points PEPs, where the PEPs comprise a zero trust proxy module and a zero trust gateway module;
the blockchain functional component comprises a policy management module, an identity management module and a log management module;
the policy manager in the distributed policy decision point dPDP manages the historical access log and the distributed identities;
the continuous verification service module retrieves the distributed identities and the historical access log from the policy manager to perform continuous identity verification and log analysis;
the continuous verification service module sends the continuous identity verification and log analysis results to the external reference information source module and the data sharing service module for synchronisation;
the data sharing service module provides support for the distributed policy decision point dPDP and for data access;
the distributed policy decision point dPDP hashes the latest external reference information source onto the chain for storage; the continuous verification service module, the external reference information source module and the data sharing service module obtain the hash values from the full node/chain to verify integrity; the external reference information source module sends the latest relevant information source so that the policy engine module can obtain it for its decision.
2. A blockchain-based zero trust implementation method for the Internet of Things, applied to the blockchain-based zero trust implementation system for the Internet of Things of claim 1, characterised by comprising the following steps:
Step 1, the access subject and the access object register identities on the blockchain; the zero trust access core component reaches consensus, and the identities are then stored and managed through the blockchain;
Step 2, an access policy is formulated; the access object uploads it to the zero trust access core component, and after consensus it is stored through the blockchain;
Step 3, the user initiates an access request through the zero trust proxy module, which performs identity authentication; if authentication succeeds, the access request is forwarded to the distributed policy decision point dPDP for a decision;
Step 4, after the distributed policy decision point dPDP receives the request, the policy engine module verifies the identity by looking it up on the blockchain, looks up the policy to verify authorisation, and obtains the relevant information sources from outside to decide permit/deny; if the request is denied it is discarded; if it is permitted, the zero trust proxy module and the requested zero trust gateway module are informed to allow the access;
Step 5, after receiving the notification that access is permitted, the zero trust proxy module and the zero trust gateway module perform mutual authentication, and after successful authentication a dynamic data access channel is established between them;
Step 6, the user carries out the data access process.
3. The blockchain-based zero trust implementation method for the Internet of Things of claim 2, wherein step 6 further comprises monitoring the user's data access process with the zero trust gateway module and reporting to the data sharing service module if a violation occurs.
4. The blockchain-based zero trust implementation method for the Internet of Things of claim 3, further comprising a step 7 of recording an access log.
Priority and publication data

Application CN202211487191.XA (family ID 86475858), priority date and filing date 2022-11-25, status Active, country CN.
Publications: CN115914300A published 2023-04-04; CN115914300B published 2024-06-07.
Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant