CN115987696B - Zero trust security gateway implementation method and device based on block chain structure - Google Patents


Info

Publication number: CN115987696B
Authority: CN (China)
Prior art keywords: data, strategy, address, security gateway, policy
Legal status: Active
Application number: CN202310275290.XA
Other languages: Chinese (zh)
Other versions: CN115987696A
Inventors: 戚建淮, 成飏, 郑伟范, 何润民, 崔宸, 唐娟, 刘建辉, 徐国前
Current Assignee: Shenzhen Y&D Electronics Information Co Ltd
Original Assignee: Shenzhen Y&D Electronics Information Co Ltd
Application filed by Shenzhen Y&D Electronics Information Co Ltd
Priority to CN202310275290.XA
Publication of CN115987696A
Application granted
Publication of CN115987696B

Landscapes

  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)

Abstract

The invention discloses a zero trust security gateway implementation method and device based on a blockchain structure. The method comprises the following steps: establishing a mapping table component that links policy indexes on the blockchain to policy data in a distributed file system or database, computing the policy data through a hash function, and constructing a blockchain that corresponds to the mapping table component and is used to verify the operation event in which a security gateway acquires policy data; querying the policy data according to the policy index and invoking the access control policy in that data to execute mandatory (forced) access control; and, when the policy data or its storage address in the distributed file system or database changes, recomputing the policy data through the hash function to perform an update operation and verifying that update on the blockchain by issuing a transaction. The beneficial effect of the invention is that it removes the security risk that the existing zero trust security gateway lacks effective supervision and verification, and so ensures the security of the gateway.

Description

Zero trust security gateway implementation method and device based on block chain structure
Technical Field
The invention relates to the technical field of access control in the field of information security, in particular to a zero trust security gateway realization method and device based on a block chain structure.
Background
Zero trust is a hot topic in the current field of information security and has entered the deployment phase in several industries. In a zero trust architecture, the zero trust security gateway is the core policy enforcement point: while users access resources, it closes the enterprise's network exposure surface by acting as a unified proxy for user access and API calls, and so enforces fine-grained dynamic access control. To execute that access control, the security gateway must obtain the corresponding access control policy from its own policy database or from the zero trust management and control center, and during this process the security properties of the gateway itself require additional attention.
A conventional security gateway integrates the access control policy into the storage space of the device hardware. This protects the policy well, but the amount of access control policy data is limited by the device's storage space, and in a zero trust environment, synchronising the access control policy data of every security gateway whenever a policy changes is also a troublesome problem. In existing zero trust security gateway solutions, the gateway's access control policy is usually stored in a unified central database of the management and control center, deployed either stand-alone or as a cluster; either way it is essentially a centralised control scheme. Although this avoids the limits of the gateway hardware storage space and the data synchronisation problem, it introduces a single point of failure, the security of the database lacks an effective guarantee, sensitive data can easily leak from the server, the delivery process between the security gateway and the central database lacks effective supervision and authentication, and the operation log is at risk of being tampered with, so its security is not effectively guaranteed.
Therefore, how to design an effective way to eliminate these disadvantages in how a zero trust security gateway system obtains the corresponding access control policy from the policy repository, and to achieve secure and efficient integrated management, has become a technical problem for those skilled in the art to solve.
Disclosure of Invention
The invention provides a zero trust security gateway implementation method and device based on a blockchain structure, which solve the problems of the prior art: a single point of failure, a database whose security lacks an effective guarantee, sensitive data that easily leaks from the server, a delivery process between the security gateway and the central database that lacks effective supervision and authentication, and an operation log that is at risk of being tampered with and whose security is not effectively guaranteed.
In order to solve the above problems, in one aspect, the present invention provides a method for implementing a zero trust security gateway based on a blockchain structure, including:
establishing a mapping table component that links policy indexes on the blockchain to policy data in a distributed file system or database, computing the policy data through a hash function, and constructing a blockchain that corresponds to the mapping table component and is used to verify the operation event in which a security gateway acquires policy data;
receiving an access control request, initiated by a zero trust client to the security gateway, from a subject to an object resource, querying the policy data according to the policy index and invoking the access control policy in that data to execute mandatory access control;
when the policy data, or its storage address in the distributed file system or database, changes, recomputing the policy data through the hash function to perform an update operation and verifying that update on the blockchain by issuing a transaction.
Establishing the mapping table component that links policy indexes on the blockchain to policy data in the distributed file system or database, computing the policy data through a hash function, and constructing the blockchain that corresponds to the mapping table component and verifies the security gateway's policy data acquisition events comprises the following steps:
storing the original data of the policy data in a preset distributed file system or database;
storing, in the mapping table component, an index address that points to the original data stored in the distributed file system or database;
generating the interaction and authentication between the blockchain and the policy data in the distributed file system or database through the mapping table component.
Storing, in the mapping table component, an index address that points to the raw data stored in the distributed file system or database comprises:
setting a stored key-value pair <Key, Address> in the mapping table component, where the Key value is the first hash index of an access control policy and the Address value is the address at which that access control policy is stored in the distributed file system or database;
mapping the data value of the access control policy to the Key value through a hash function:
hash(Data) = Key
where Data is the data value of the access control policy and hash() is a hash function;
and storing the data value corresponding to the Key value in the storage space at the address given by the Address value.
Querying the policy data according to the policy index and invoking the access control policy in that data to execute mandatory access control comprises:
issuing a transaction to the blockchain through the security gateway so that the blockchain verifies the event in which the security gateway acquires the policy data;
transmitting, through the blockchain, the first hash index of the access control policy to be accessed by the security gateway to the mapping table component;
the mapping table component looks up the corresponding address using the received first hash index, and the original data of the policy data is retrieved from the distributed file system or database according to that address;
the mapping table component computes a second hash index of the obtained original data with the hash function, i.e. the second hash index is hash() applied to the original data, in the same way that hash(Data) = Key was computed when the entry was stored;
comparing whether the first hash index and the second hash index are identical: if they are the same, the blockchain's verification of the security gateway's policy data acquisition event passes; if they differ, the security gateway's policy data acquisition event is terminated.
When the policy data in the distributed file system or database, or its storage address, changes, recomputing the policy data through the hash function to perform an update operation and verifying that update on the blockchain by issuing a transaction comprises:
if the policy data in the distributed file system or database changes, recomputing the first hash index in the mapping table component with the hash function;
if the address changes, updating the corresponding address in the mapping table component; both operations are verified on the blockchain by issuing a transaction, which completes the data update and synchronisation of the security gateway.
In one aspect, a zero trust security gateway implementation device based on a block chain structure is provided, including:
the construction module is used for establishing a mapping table component of strategy indexes in the block chain and strategy data in the distributed file system or the database, calculating the strategy data through a hash function and constructing a block chain which corresponds to the mapping table component and is used for verifying an operation event of acquiring the strategy data by the security gateway;
the calling module is used for receiving an access control request of a host to the object resource, which is initiated by the zero trust client to the security gateway, inquiring policy data according to the policy index and calling an access control policy of the policy data so as to execute forced access control operation;
and the updating module is used for calculating the strategy data through the hash function again to perform updating operation when the strategy data in the distributed file system or the database or the storage address of the strategy data changes, and verifying the updating operation on the blockchain in a mode of issuing transactions.
The construction module comprises a data storage sub-module, an address storage sub-module and an interactive authentication sub-module;
the data storage sub-module is used for storing the original data of the strategy data in a preset distributed file system or database;
an address storage sub-module for storing an index address pointing to original data stored in a distributed file system or database in a mapping table component;
the interaction authentication sub-module is used for generating interaction and authentication of the blockchain and strategy data in the distributed file system or the database through the mapping table component;
the address storage submodule comprises a key value pair setting submodule, a data mapping submodule and a corresponding storage submodule;
a key-value pair setting sub-module, configured to set a stored key-value pair <Key, Address> in the mapping table component, where the Key value is the first hash index of an access control policy and the Address value is the address at which that access control policy is stored in the distributed file system or database;
the data mapping sub-module is used to map the data value of the access control policy to the Key value through a hash function:
hash(Data) = Key
where Data is the data value of the access control policy and hash() is a hash function;
and the corresponding storage sub-module is used to store the data value corresponding to the Key value in the storage space at the address given by the Address value.
The calling module comprises a transaction sub-module, an index sending sub-module, a query sub-module and a comparison sub-module:
the transaction sub-module is used to issue a transaction to the blockchain through the security gateway so that the blockchain verifies the event in which the security gateway acquires the policy data;
the index sending sub-module is used to transmit, through the blockchain, the first hash index of the access control policy to be accessed by the security gateway to the mapping table component;
the query sub-module is used to look up the corresponding address through the mapping table component using the received first hash index, and to retrieve the original data of the policy data from the distributed file system or database according to that address;
the comparison sub-module is used to compute, through the mapping table component, a second hash index of the obtained original data with the hash function, i.e. the second hash index is hash() applied to the original data, in the same way that hash(Data) = Key was computed when the entry was stored;
and to compare whether the first hash index and the second hash index are identical: if they are the same, the blockchain's verification of the security gateway's policy data acquisition event passes; if they differ, the security gateway's policy data acquisition event is terminated.
The updating module comprises a recalculation sub-module and an address updating sub-module:
the recalculation sub-module is used to recompute the first hash index in the mapping table component with the hash function when the policy data in the distributed file system or database changes;
and the address updating sub-module is used to update the corresponding address in the mapping table component when the address changes and to verify the update on the blockchain by issuing a transaction, which completes the data update and synchronisation of the security gateway.
In one aspect, a computer readable storage medium having stored therein a plurality of instructions adapted to be loaded by a processor to perform a zero trust security gateway implementation method based on a blockchain structure as described above is provided.
The beneficial effects of the invention are as follows: the blockchain acts as a third party that verifies the security of the gateway device itself in the zero trust environment, so the storage space limitation of the traditional security gateway is avoided, the security risk that the access process lacks effective supervision and verification, caused by the traditional zero trust security gateway storing its access control policy in a central database, is resolved, and the risk of a single point of failure is avoided.
The blockchain system is modified: by establishing a mapping table between the policy data and the index of its storage address, only the index of the policy data is stored on the chain, while the real data is stored off-chain in a database or file system (which may be distributed). Data reference and data storage are thus separated, consistency between the data and its index is ensured by hash verification, the throughput of the blockchain system is improved, and the storage space limitation and low efficiency of existing blockchain systems are avoided.
Traceability and accountability auditing of the security gateway's access control operations are realised: every activity such as accessing or modifying access control policy data is recorded through the blockchain, the risk that the security gateway's operation log system is tampered with is effectively avoided, and any malicious attempt against the security gateway can be detected.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings that are needed in the description of the embodiments will be briefly described below, it being obvious that the drawings in the following description are only some embodiments of the present invention, and that other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
Fig. 1 is a schematic structural diagram of a zero trust security gateway system based on a block chain structure according to an embodiment of the present invention;
fig. 2 is a flowchart of a method for implementing a zero trust security gateway based on a block chain structure according to an embodiment of the present invention.
Detailed Description
The following description of the embodiments of the present invention will be made clearly and completely with reference to the accompanying drawings, in which it is apparent that the embodiments described are only some embodiments of the present invention, but not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
In the description of the present invention, it should be understood that the terms "center", "longitudinal", "lateral", "length", "width", "thickness", "upper", "lower", "front", "rear", "left", "right", "vertical", "horizontal", "top", "bottom", "inner", "outer", etc. indicate orientations or positional relationships based on the drawings are merely for convenience in describing the present invention and simplifying the description, and do not indicate or imply that the apparatus or elements referred to must have a specific orientation, be configured and operated in a specific orientation, and thus should not be construed as limiting the present invention. Furthermore, the terms "first," "second," and the like, are used for descriptive purposes only and are not to be construed as indicating or implying a relative importance or implicitly indicating the number of technical features indicated. Thus, a feature defining "a first" or "a second" may explicitly or implicitly include one or more features. In the description of the present invention, the meaning of "a plurality" is two or more, unless explicitly defined otherwise.
In the present invention, the term "exemplary" is used to mean "serving as an example, instance, or illustration. Any embodiment described as "exemplary" in this disclosure is not necessarily to be construed as preferred or advantageous over other embodiments. The following description is presented to enable any person skilled in the art to make and use the invention. In the following description, details are set forth for purposes of explanation. It will be apparent to one of ordinary skill in the art that the present invention may be practiced without these specific details. In other instances, well-known structures and processes have not been described in detail so as not to obscure the description of the invention with unnecessary detail. Thus, the present invention is not intended to be limited to the embodiments shown, but is to be accorded the widest scope consistent with the principles and features disclosed herein.
Referring to fig. 1, fig. 1 is a schematic structural diagram of a zero trust security gateway system based on a blockchain structure according to an embodiment of the present invention. In a zero trust environment, various zero trust clients (possibly in the form of separate applets, browsers, browser plug-ins, terminal controllers, etc.) deployed on user devices issue access requests to a security gateway. The security gateway's access control policy database is stored in the data center of the management and control platform (possibly in a distributed manner) behind an intermediate mapping table. The process by which the security gateway acquires an access control policy from the data center is verified by issuing transactions through a blockchain; that is, the blockchain verifies the security gateway's operation records, so that they cannot be tampered with and the security of the gateway is guaranteed.
In the system deployment scheme, the functions of each component of the system are introduced as follows:
zero trust client component:
the zero trust client is deployed on the user's device, possibly in the form of a stand-alone applet, browser plug-in, terminal manager, etc., responsible for interacting with the user and providing an encrypted connection from the user to the authorized resource.
A security gateway component:
the security gateway is equivalent to the gate of the enterprise network, and enforces access control policies on all traffic passing through the gateway. When an access request is met, the security gateway immediately reports the access request to the management and control platform, acquires a corresponding access control strategy and releases or blocks according to the strategy. The access control policy data it performs needs to be obtained from the file system/database of the management and control platform.
A blockchain component:
the block chain component is responsible for verifying the operation record of the security gateway, preventing tampering and guaranteeing the security of the gateway. Stored in the block is not the access control policy raw data of the security gateway, but an index of the data, information of which is acquired by the index table component. The blockchain will verify the access of the security gateway to the access control policy, i.e. the access of the security gateway to the access control policy data in a zero trust environment is controlled by most blockchains without any intervention of an additional trusted server.
An index table component:
the mapping table adopts a distributed storage and addressing technology, key value pairs are stored in the table in a mode of < Key, address >, wherein Key values represent hash indexes of specific access control strategies, and Address values store addresses of specific access control strategy data stored in a distributed file system/database. The specific principle is to map a Data (Data) value of an access control policy onto a Key using a hash () function, i.e., hash (Data) =key. Thus, a Key value can be associated with a specific access control policy Data. The Data corresponding to this KEY value is then stored in the memory space marked by Address. Thus, each time the VALUE corresponding to the KEY is to be found, only one hash () operation is required to be performed.
File system/database component:
the file system/database is responsible for storing specific policy data for the access control policies required by the secure network. One preferred approach is to use a distributed file system/database for storage, further avoiding the potential single point failure risk of a centralized server approach.
Thus, the present invention solves the following problems:
1. The invention designs a zero trust security gateway system based on a blockchain structure. Using the decentralised and tamper-resistant structural characteristics of the blockchain system, it solves the single-point-of-failure problem of centralised management and the lack of security verification in the process of acquiring an access control policy from the policy library, and realises secure and efficient integrated management.
2. In order to improve the transaction processing efficiency of the blockchain and reduce its storage overhead, an off-chain storage scheme is provided: transaction data originally stored on the blockchain is moved to an off-chain database or file system (which may be distributed), so as to meet the actual big-data processing requirements of a zero trust security control platform.
3. A mapping table component is added to the blockchain structure, establishing the mapping relation between the on-chain data index and the specific off-chain policy data, so that the transaction data and the transaction ID produced by hashing correspond to each other. Because the hash value of the data is computed at every verification, any tampering with the policy data in the database or file system is guaranteed to be detected and recorded.
Referring to fig. 2, fig. 2 is a flowchart of a zero trust security gateway implementation method based on a block chain structure according to an embodiment of the present invention, where the zero trust security gateway implementation method based on a block chain structure includes S1-S4:
s1, establishing a mapping table component of strategy indexes in a block chain and strategy data in a distributed file system or a database, calculating the strategy data through a hash function, and constructing a block chain which corresponds to the mapping table component and is used for verifying an operation event of acquiring the strategy data by a security gateway; step S1 includes steps S11-S13:
s11, storing the original data of the strategy data in a preset distributed file system or database.
In this embodiment, the scheme stores the original data (data) of the access control policy in a distributed file system or database.
S12, storing an index address pointing to original data stored in a distributed file system or a database in a mapping table component; step S12 includes steps S121 to S123:
S121, setting a stored key-value pair <Key, Address> in the mapping table component, where the Key value is the first hash index of the data (Data) corresponding to an access control policy, and the Address value is the address at which that data (Data) is stored in the distributed file system or database.
In this embodiment, the index address pointing to the stored Data is kept in a mapping table. The mapping table uses distributed storage and addressing technology, and key-value pairs are stored in it in the form <Key, Address>, where the Key value is the hash index of the data (Data) corresponding to a specific access control policy and the Address value holds the address at which that data (Data) is stored in the distributed file system/database.
S122, mapping the data value of the access control policy to the Key value through a hash function.
In this embodiment, a hash() function is used to map the data value (Data) of one access control policy onto one Key, i.e. hash(Data) = Key. Thus, a Key value is associated with a particular access control policy's data.
S123, storing the data value corresponding to the Key value in the storage space at the address given by the Address value.
In this embodiment, the Data corresponding to this Key value is stored in the storage space marked by Address. Thus, each time the value corresponding to a Key is to be found, only one hash() operation needs to be performed.
S13, interaction and authentication of the blockchain and policy data in the distributed file system or database are generated through the mapping table component.
In this embodiment, the blockchain interacts and authenticates with the access control policies in the distributed file system/database via the mapping table. Thereby constructing a blockchain system corresponding to the mapping table component, and verifying the operation of the security gateway for acquiring the policy data. Only the index of policy data is stored in the blockchain, while the actual data is stored in an off-chain database or file system (which may be in a distributed fashion).
S2, receiving an access control request of a host to the object resource, which is initiated by the zero trust client to the security gateway, inquiring policy data according to the policy index and calling an access control policy of the policy data to execute forced access control operation. Step S2 includes steps S21-S24:
s21, issuing a transaction to the blockchain through the security gateway so that the blockchain verifies the security gateway to acquire the policy data event.
In this embodiment, after verifying the user identity, the zero-trust client sends an access control request for accessing the subject to the guest resource to the security gateway, and before the security gateway asks the control policy database to obtain the corresponding policy data, the security gateway needs to issue a transaction to the blockchain, and the blockchain is used as a trusted third party to verify the policy obtaining process of the security gateway.
S22, a first hash index of an access control strategy to be accessed by the security gateway is sent to the mapping table component through the blockchain.
In this embodiment, the blockchain sends an access control policy data index (Key) to be accessed by the security gateway to the mapping table component, waiting for feedback.
S23, the mapping table component searches the corresponding address by utilizing the received first hash index, and the original data of the strategy data in the distributed file system or the database is searched according to the address.
In this embodiment, the mapping table component uses the received index (Key) to find the corresponding policy data address (Address) and, based on this address, retrieves the real policy data from the distributed file system/database.
S24, computing a second hash index of the obtained original data with the hash function through the mapping table component, and comparing whether the first hash index and the second hash index are identical: if they are the same, the blockchain's verification of the security gateway's policy data acquisition event passes; if they differ, the security gateway's policy data acquisition event is terminated.
In this embodiment, for the policy data that was found, the mapping table component computes its hash with the hash algorithm to obtain the second hash index and compares it with the Key stored in the mapping table component. If they are the same, the subsequent steps continue; otherwise the policy data in the distributed file system/database has been changed, the operation is terminated, and a checking mechanism is enabled to examine the change to the policy data.
If verification passes, i.e. the second hash index is the same as the Key stored in the mapping table component, the mapping table component reports to the security gateway component and the blockchain component that the policy data has passed verification. The security gateway is then granted access to the access control policy stored in the file system/database, the whole operation process is verified and recorded through the blockchain, and the result is stored on the blockchain as supervision and audit data.
S3, when the policy data in the distributed file system or database, or its storage address, changes, the policy data is hashed again to perform an update operation, and the update operation is verified on the blockchain by issuing a transaction. Step S3 includes steps S31-S32:
S31, if the policy data in the distributed file system or database changes, the first hash index in the mapping table component is recomputed with the hash function.
S32, if the address changes, the corresponding address in the mapping table component is updated. Both operations are verified on the blockchain by issuing transactions, completing the data update and synchronization of the security gateway.
In this embodiment, when policy data in the distributed file system/database changes, the hash of the corresponding index value in the mapping table component must be recomputed synchronously to generate a new index value; if the storage address changes, the corresponding Address value in the mapping table component must be updated. These operations are verified on the blockchain by issuing transactions, completing the data update and synchronization of the whole security gateway system.
In summary, when the zero-trust client sends the security gateway an access request of a subject for an object, the security gateway must issue a transaction to the blockchain before asking the control policy database for the corresponding policy data; the blockchain acts as a trusted third party that verifies the security gateway's policy acquisition process. Once the transaction is verified and written into a block, the security gateway obtains the authority to acquire the access control policy from the policy library, finds the corresponding control policy, and performs the corresponding mandatory access control on the client's request according to that policy.
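The following is an added illustration, not code from the patent, of the <Key, Address> mapping table component with the S22-S24 verified fetch and the S31/S32 update paths: a dict stands in for the distributed file system/database, a hash-chained list stands in for the blockchain, and SHA-256, all names and the sample policy are assumptions.

```python
import hashlib
import json

# Added example (not the patent's code). A dict stands in for the distributed
# file system/database (Address -> raw policy bytes) and a hash-chained list
# for the blockchain. SHA-256, names and the sample policy are assumptions.

def policy_hash(data: bytes) -> str:
    """hash(Data) = Key, the first hash index as the patent defines it."""
    return hashlib.sha256(data).hexdigest()

class Ledger:
    """Append-only record; each entry commits to the previous entry's hash."""
    def __init__(self):
        self.blocks = []

    def issue(self, event: dict) -> str:
        prev = self.blocks[-1]["hash"] if self.blocks else "0" * 64
        h = hashlib.sha256(json.dumps([prev, event], sort_keys=True).encode()).hexdigest()
        self.blocks.append({"prev": prev, "event": event, "hash": h})
        return h

    def verify_chain(self) -> bool:
        prev = "0" * 64
        for b in self.blocks:
            h = hashlib.sha256(json.dumps([prev, b["event"]], sort_keys=True).encode()).hexdigest()
            if b["prev"] != prev or b["hash"] != h:
                return False
            prev = h
        return True

class MappingTable:
    """Mapping table component: Key (first hash index) -> Address."""
    def __init__(self, store: dict, ledger: Ledger):
        self.store, self.ledger, self.table = store, ledger, {}

    def register(self, address: str, data: bytes) -> str:
        # Store the raw policy at Address, hash it to Key, record <Key, Address>.
        key = policy_hash(data)
        self.store[address] = data
        self.table[key] = address
        self.ledger.issue({"op": "register", "key": key, "address": address})
        return key

    def fetch_verified(self, key: str):
        # S22-S24: resolve Address, reload raw data, recompute and compare the hash.
        address = self.table.get(key)
        data = self.store.get(address) if address else None
        ok = data is not None and policy_hash(data) == key
        self.ledger.issue({"op": "fetch", "key": key, "address": address, "result": "pass" if ok else "terminated"})
        return data if ok else None

    def update_policy(self, old_key: str, new_data: bytes) -> str:
        # S31: policy data changed, so recompute Key; Address stays the same.
        address = self.table.pop(old_key)
        new_key = policy_hash(new_data)
        self.store[address] = new_data
        self.table[new_key] = address
        self.ledger.issue({"op": "update-data", "old_key": old_key, "new_key": new_key})
        return new_key

    def update_address(self, key: str, new_address: str) -> None:
        # S32: storage address changed, so update Address; Key stays the same.
        self.store[new_address] = self.store.pop(self.table[key])
        self.table[key] = new_address
        self.ledger.issue({"op": "update-address", "key": key, "address": new_address})

def demo():
    """Verified fetch, then an out-of-band edit of the stored policy that fails S24."""
    store, ledger = {}, Ledger()
    mt = MappingTable(store, ledger)
    policy = b'{"subject":"alice","object":"/finance/*","action":"read","effect":"allow"}'
    key = mt.register("dfs://policies/0001", policy)                   # constructed address
    first = mt.fetch_verified(key) == policy
    store["dfs://policies/0001"] = policy.replace(b"allow", b"deny")  # edit without S31
    blocked = mt.fetch_verified(key) is None
    return first, blocked, ledger.verify_chain()
```

Every fetch, pass or terminated, leaves an entry in the ledger, which is the supervision and audit record the description refers to.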
The invention provides a zero trust security gateway implementation device based on a blockchain structure, which comprises:
a construction module, used for establishing a mapping table component between policy indexes in the blockchain and policy data in the distributed file system or database, computing the policy data through a hash function, and constructing a blockchain that corresponds to the mapping table component and is used for verifying the operation event of the security gateway acquiring the policy data;
a calling module, used for receiving an access control request of a subject for an object resource initiated by the zero trust client to the security gateway, querying the policy data according to the policy index, and calling the access control policy of the policy data so as to perform a mandatory access control operation;
and an updating module, used for computing the policy data through the hash function again to perform an update operation when the policy data in the distributed file system or database, or its storage address, changes, and verifying the update operation on the blockchain by issuing a transaction.
The construction module comprises a data storage sub-module, an address storage sub-module and an interactive authentication sub-module;
the data storage sub-module is used for storing the original data of the policy data in a preset distributed file system or database;
the address storage sub-module is used for storing, in the mapping table component, an index address pointing to the original data stored in the distributed file system or database;
the interactive authentication sub-module is used for generating interaction and authentication between the blockchain and the policy data in the distributed file system or database through the mapping table component;
the address storage sub-module comprises a key-value pair setting sub-module, a data mapping sub-module and a corresponding storage sub-module;
the key-value pair setting sub-module is configured to set the key-value pair <Key, Address> stored by the mapping table component, where the Key value represents the first hash index of an access control policy and the Address value represents the address at which the access control policy is stored in the distributed file system or database;
the data mapping sub-module is used for mapping the data value of the access control policy to the Key value through a hash function:
hash(Data) = Key
where Data is the data value of the access control policy and hash() is a hash function;
and the corresponding storage sub-module is used for storing the data value corresponding to the Key value into the storage space at the address represented by the Address value.
The calling module comprises a transaction sub-module, an index sending sub-module, a query sub-module and a comparison sub-module;
the transaction sub-module is used for issuing a transaction to the blockchain through the security gateway so that the blockchain verifies the event of the security gateway acquiring the policy data;
the index sending sub-module is used for sending the first hash index of the access control policy to be accessed by the security gateway to the mapping table component through the blockchain;
the query sub-module is used for looking up the corresponding address by the received first hash index through the mapping table component and retrieving the original policy data from the distributed file system or database according to that address;
the comparison sub-module is used for computing, through the mapping table component, a second hash index of the obtained original data with the hash function:
hash(Data') = Key'
where Data' is the original data and Key' is the second hash index;
and comparing whether the first hash index and the second hash index are identical; if they are the same, the blockchain's verification of the event of the security gateway acquiring the policy data passes; if they differ, the event of the security gateway acquiring the policy data is terminated.
The updating module comprises a recalculation sub-module and an address updating sub-module:
the recalculation sub-module is used for recomputing the first hash index in the mapping table component with the hash function when the policy data in the distributed file system or database changes;
and the address updating sub-module is used for updating the corresponding address in the mapping table component when the address changes and verifying this on the blockchain by issuing a transaction, thereby completing the data update and synchronization of the security gateway.
Those of ordinary skill in the art will appreciate that all or a portion of the steps of the various methods of the above embodiments may be performed by instructions, or by instructions controlling associated hardware, and that such instructions may be stored in a computer-readable storage medium and loaded and executed by a processor. To this end, an embodiment of the present invention provides a storage medium storing a plurality of instructions that can be loaded by a processor to perform the steps of any of the zero trust security gateway implementation methods based on the blockchain structure provided by the embodiments of the present invention.
The storage medium may include read-only memory (ROM), random access memory (RAM), a magnetic or optical disk, and the like.
Since the instructions stored in the storage medium can execute the steps of any zero-trust security gateway implementation method based on the blockchain structure provided by the embodiments of the present invention, they can achieve the beneficial effects of any such method; these are detailed in the previous embodiments and are not repeated here.
The foregoing description of the preferred embodiments of the invention is not intended to be limiting, but rather is intended to cover all modifications, equivalents, and alternatives falling within the spirit and principles of the invention.

Claims (7)

1. A zero trust security gateway implementation method based on a blockchain structure, characterized by comprising the following steps:
establishing a mapping table component between policy indexes in a blockchain and policy data in a distributed file system or database, computing the policy data through a hash function, and constructing a blockchain that corresponds to the mapping table component and is used for verifying the operation event of a security gateway acquiring the policy data;
receiving an access control request of a subject for an object resource initiated by a zero trust client to the security gateway, querying the policy data according to the policy index and calling the access control policy of the policy data to perform a mandatory access control operation;
when the policy data in the distributed file system or database, or its storage address, changes, computing the policy data again through the hash function to perform an update operation, and verifying the update operation on the blockchain by issuing a transaction;
wherein establishing the mapping table component between policy indexes in the blockchain and policy data in the distributed file system or database, computing the policy data through the hash function, and constructing the blockchain that corresponds to the mapping table component and is used for verifying the operation event of the security gateway acquiring the policy data comprises:
storing the original data of the policy data in a preset distributed file system or database;
storing, in the mapping table component, an index address pointing to the original data stored in the distributed file system or database;
generating interaction and authentication between the blockchain and the policy data in the distributed file system or database through the mapping table component;
and storing, in the mapping table component, the index address pointing to the original data stored in the distributed file system or database comprises:
setting the key-value pair <Key, Address> stored by the mapping table component, wherein the Key value represents a first hash index of an access control policy and the Address value represents the address at which the access control policy is stored in the distributed file system or database;
mapping the data value of the access control policy to the Key value through a hash function:
hash(Data) = Key
where Data is the data value of the access control policy and hash() is a hash function;
and storing the data value corresponding to the Key value into the storage space at the address represented by the Address value.
2. The method of claim 1, wherein querying the policy data according to the policy index and calling the access control policy of the policy data to perform the mandatory access control operation comprises:
issuing a transaction to the blockchain through the security gateway so that the blockchain verifies the event of the security gateway acquiring the policy data;
sending the first hash index of the access control policy to be accessed by the security gateway to the mapping table component through the blockchain;
looking up, by the mapping table component, the corresponding address using the received first hash index, and retrieving the original policy data from the distributed file system or database according to that address;
computing, through the mapping table component, a second hash index of the obtained original data with the hash function:
hash(Data') = Key'
where Data' is the original data and Key' is the second hash index;
and comparing whether the first hash index and the second hash index are identical; if they are the same, the blockchain's verification of the event of the security gateway acquiring the policy data passes; if they differ, the event of the security gateway acquiring the policy data is terminated.
3. The method according to claim 1, wherein, when the policy data in the distributed file system or database, or its storage address, changes, computing the policy data again through the hash function to perform the update operation and verifying the update operation on the blockchain by issuing a transaction comprises:
if the policy data in the distributed file system or database changes, recomputing the first hash index in the mapping table component with the hash function;
and if the address changes, updating the corresponding address in the mapping table component, and verifying this on the blockchain by issuing a transaction, thereby completing the data update and synchronization of the security gateway.
4. A zero trust security gateway implementation device based on a blockchain structure, comprising:
a construction module, used for establishing a mapping table component between policy indexes in the blockchain and policy data in the distributed file system or database, computing the policy data through a hash function, and constructing a blockchain that corresponds to the mapping table component and is used for verifying the operation event of the security gateway acquiring the policy data;
a calling module, used for receiving an access control request of a subject for an object resource initiated by the zero trust client to the security gateway, querying the policy data according to the policy index, and calling the access control policy of the policy data so as to perform a mandatory access control operation;
an updating module, used for computing the policy data through the hash function again to perform an update operation when the policy data in the distributed file system or database, or its storage address, changes, and verifying the update operation on the blockchain by issuing a transaction;
wherein the construction module comprises a data storage sub-module, an address storage sub-module and an interactive authentication sub-module;
the data storage sub-module is used for storing the original data of the policy data in a preset distributed file system or database;
the address storage sub-module is used for storing, in the mapping table component, an index address pointing to the original data stored in the distributed file system or database;
the interactive authentication sub-module is used for generating interaction and authentication between the blockchain and the policy data in the distributed file system or database through the mapping table component;
the address storage sub-module comprises a key-value pair setting sub-module, a data mapping sub-module and a corresponding storage sub-module;
the key-value pair setting sub-module is configured to set the key-value pair <Key, Address> stored by the mapping table component, where the Key value represents the first hash index of an access control policy and the Address value represents the address at which the access control policy is stored in the distributed file system or database;
the data mapping sub-module is used for mapping the data value of the access control policy to the Key value through a hash function:
hash(Data) = Key
where Data is the data value of the access control policy and hash() is a hash function;
and the corresponding storage sub-module is used for storing the data value corresponding to the Key value into the storage space at the address represented by the Address value.
5. The zero trust security gateway implementation device based on a blockchain structure of claim 4, wherein the calling module comprises a transaction sub-module, an index sending sub-module, a query sub-module and a comparison sub-module;
the transaction sub-module is used for issuing a transaction to the blockchain through the security gateway so that the blockchain verifies the event of the security gateway acquiring the policy data;
the index sending sub-module is used for sending the first hash index of the access control policy to be accessed by the security gateway to the mapping table component through the blockchain;
the query sub-module is used for looking up the corresponding address by the received first hash index through the mapping table component and retrieving the original policy data from the distributed file system or database according to that address;
the comparison sub-module is used for computing, through the mapping table component, a second hash index of the obtained original data with the hash function:
hash(Data') = Key'
where Data' is the original data and Key' is the second hash index;
and comparing whether the first hash index and the second hash index are identical; if they are the same, the blockchain's verification of the event of the security gateway acquiring the policy data passes; if they differ, the event of the security gateway acquiring the policy data is terminated.
6. The zero trust security gateway implementation device based on a blockchain structure of claim 4, wherein the updating module comprises a recalculation sub-module and an address updating sub-module:
the recalculation sub-module is used for recomputing the first hash index in the mapping table component with the hash function when the policy data in the distributed file system or database changes;
and the address updating sub-module is used for updating the corresponding address in the mapping table component when the address changes and verifying this on the blockchain by issuing a transaction, thereby completing the data update and synchronization of the security gateway.
7. A computer readable storage medium having stored therein a plurality of instructions adapted to be loaded by a processor to perform a zero trust security gateway implementation method based on a blockchain structure as claimed in any of claims 1 to 3.
CN202310275290.XA 2023-03-21 2023-03-21 Zero trust security gateway implementation method and device based on block chain structure Active CN115987696B (en)
Publications (2)

Publication Number Publication Date
CN115987696A CN115987696A (en) 2023-04-18
CN115987696B true CN115987696B (en) 2023-08-08

Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant