CN116055486B - Policy security management device and method based on blockchain - Google Patents


Info

Publication number: CN116055486B
Authority: CN (China)
Prior art keywords: policy, strategy, domain, service, edge node
Legal status: Active
Application number: CN202211619125.3A
Other languages: Chinese (zh)
Other versions: CN116055486A (en)
Inventors: 杨国东, 郑雯月
Current assignee: Sichuan Qiruike Technology Co Ltd
Original assignee: Sichuan Qiruike Technology Co Ltd
Priority date: 2022-12-14
Filing date: 2022-12-14
Publication dates: 2023-05-02 (CN116055486A, application), 2024-05-07 (CN116055486B, grant)


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/10 Protocols in which an application is distributed across nodes in the network
    • H04L67/1095 Replication or mirroring of data, e.g. scheduling or transport for data synchronisation between network nodes

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)
  • Storage Device Security (AREA)

Abstract

The invention relates to the field of policy security management and discloses a blockchain-based policy security management device and method that relieve the load of policy access and improve the security of policy management. The method comprises: configuring a policy domain and the policies within it, and writing the policy domain and policies to the blockchain; a policy service edge node subscribes to the cloud policy set, and whenever the cloud policy set is updated the edge node is synchronized automatically; when a user accesses a business system from a terminal device, the business server first authenticates the user under its own service logic and then sends the user's relevant information to the policy service edge node for policy verification; on receiving the verification request, the policy service edge node verifies the policy domain ID and then the policy version number on the chain, and once both checks pass returns the verification result to the business system.

Description

Policy security management device and method based on blockchain
Technical Field
The invention relates to the field of policy security management, and in particular to a blockchain-based policy security management device and method.
Background
With the growth of the Internet of Things the number of devices keeps increasing, and once devices are connected to the Internet, questions of device identity and authorization come to the fore. Traditionally a device is bound to a person and authorized through that person's account. As devices, users and service providers multiply, however, so do access policies, and conventional centralized policy management and authorization come under pressure on several fronts: management of the policies themselves, their storage, and their security protection. Verifying all policy management and authorization in a centralized cloud therefore becomes burdensome.
Disclosure of Invention
The technical problem addressed by the invention is to provide a blockchain-based policy security management device and method that relieve the load of policy access and improve the security of policy management.
The technical solution adopted to solve this problem is as follows:
In one aspect, the invention provides a blockchain-based policy security management device, applied to a business service system, comprising a policy uplink module (the module that writes policies to the chain), a policy request module, a policy synchronization module and a policy security management module;
The policy uplink module is deployed in the cloud policy security management service and is responsible for writing policy domains and policies to the chain;
The policy request module is deployed on the edge policy node and accesses the blockchain to perform policy verification in response to a policy verification request;
The policy synchronization module is deployed both on the cloud policy set service and on the edge policy nodes, and propagates each operation on the cloud policy set to the edge nodes subscribed to the affected policies, thereby keeping the policies synchronized;
The policy security management module is deployed in the cloud, manages all policies (creation, modification and deletion), and exchanges data with the policy uplink module, the policy request module and the policy synchronization module.
Further, writing the policy domain and policies to the chain specifically comprises:
computing a HASH of the policy domain ID and writing the resulting HASH value to the chain; and computing a HASH over the policy ID together with the policy version and writing the resulting HASH value to the chain.
In another aspect, the invention also provides a blockchain-based policy security management method, applied to a business service system, comprising the following steps:
S1. Configure a policy domain and the policies in that domain, and write the policy domain and policies to the chain;
S2. The policy service edge node subscribes to the cloud policy set; whenever the cloud policy set is updated, the policy service edge node is synchronized automatically in accordance with the operation performed on the cloud policy set;
S3. When a user accesses the business system from a terminal device, the business server first authenticates the user under its own service logic and then sends the user's relevant information to the policy service edge node for policy verification;
S4. On receiving the verification request, the policy service edge node first computes a HASH of the policy domain ID and verifies the resulting HASH value on the chain;
S5. The policy service edge node matches the request against its synchronized policies; once a match is found it has a verifiable policy, computes a HASH over the policy ID together with the policy version number, and verifies the resulting HASH value on the chain;
S6. When both the policy domain check and the policy check pass, the policy verification request is complete and the policy service edge node returns the policy verification result to the business system.
Further, in step S1, configuring the policy domain and the policies in the policy domain specifically comprises:
partitioning and configuring policy domains according to the actual application scenario, and creating policies adapted to the service within each policy domain.
Further, in step S1, writing the policy domain and policies to the chain specifically comprises:
computing a HASH of the policy domain ID and uploading the result to the blockchain;
and, for each policy, deriving a HASH value from its ID and the corresponding version number with the HASH algorithm and uploading that HASH value to the blockchain.
Further, in step S2, the cloud synchronizes only the policies to which the policy service edge node has subscribed.
The beneficial effects of the invention are as follows:
The scheme manages policies securely, so that policies are fully trustworthy; because the verification process is combined with blockchain technology, policies cannot be tampered with. Policy verification is added as a layer above the business system, making the business system safer and more reliable; and because policies are distributed to edge policy nodes, the load on the cloud policy service is greatly reduced and verification is more efficient.
Drawings
FIG. 1 is a schematic diagram of the policy security management implementation of the invention;
FIG. 2 is a flow chart of synchronization between the cloud policy set and the edge nodes.
Detailed Description
The invention aims to provide a blockchain-based policy security management device and method that reduce server load by combining cloud policies with edge policies and, by performing on-chain verification with the blockchain, guarantee the trustworthiness of policies and largely avoid the losses that attacks exploiting policy vulnerabilities would otherwise cause. The core principle is shown in FIG. 1: every policy domain and all policy information under the corresponding domain are written to the chain, which guarantees the reliability of the policies. A policy that has been written to the chain is fully trustworthy, and users can manage policies with confidence. A policy domain is a way of identifying a set of policies; every policy must belong to exactly one policy domain. When the business system performs verification, the policy can be verified directly at the edge policy node without routing every authentication through the cloud, which reduces the load on the cloud policy service and makes authentication faster.
Examples:
This embodiment first provides a blockchain-based policy security management method comprising the following steps:
S1. Configure a policy domain and the policies in that domain, and write the policy domain and policies to the chain;
In this step an administrator configures a new policy domain through the policy configuration interface. Policy domains may be partitioned by application scenario, for example one policy domain per product line. Once the policy domain is configured, the service back end automatically computes a HASH of the policy domain ID and uploads the result to the blockchain;
The administrator then creates, within the newly configured policy domain, a number of policies adapted to the service. After they are set, the system derives a HASH value from each policy's ID and corresponding version number with the HASH algorithm and uploads that HASH value to the blockchain;
Policy domains are fully independent of one another: a policy set in one policy domain takes effect only within that domain and cannot affect any other policy domain.
S2. The policy service edge node subscribes to the cloud policy set; whenever the cloud policy set is updated, the policy service edge node is synchronized automatically in accordance with the operation performed on the cloud policy set;
In this step the policy service edge node subscribes to the cloud policy set; thereafter, whenever the cloud policy set is updated or otherwise operated on, the cloud synchronizes the policy to the policy edge node, as shown in FIG. 2. Edge nodes may likewise be partitioned by service scenario, for example an edge policy node for household Internet-of-Things devices and another for campus Internet-of-Things devices. Note that the cloud synchronizes only the policy domain and policies to which the policy service edge node has subscribed; unsubscribed policies are never synchronized to the edge node.
S3. When a user accesses the business system from a terminal device, the business server first authenticates the user under its own service logic and then sends the user's relevant information to the policy service edge node for policy verification;
In this step, when the user accesses the business system from a terminal device, for example to log in or to modify data, the business server first authenticates the user within its own service logic and then forwards the user's relevant information to the policy service edge node for policy verification.
S4. On receiving the verification request, the policy service edge node first computes a HASH of the policy domain ID and verifies the resulting HASH value on the chain;
S5. The policy service edge node matches the request against its synchronized policies; once a match is found it has a verifiable policy, computes a HASH over the policy ID together with the policy version number, and verifies the resulting HASH value on the chain;
S6. When both the policy domain check and the policy check pass, the policy verification request is complete and the policy service edge node returns the policy verification result to the business system.
In addition, this embodiment provides a blockchain-based policy security management device, applicable to a variety of business service systems, comprising:
The policy uplink module, deployed in the cloud policy security management service, which writes data to the chain;
Specifically, the module is responsible for writing policy domains and policies to the chain: it computes a HASH of the policy domain ID and writes the resulting HASH value to the chain, and computes a HASH over the policy ID together with the policy version and writes that HASH value to the chain.
The policy request module, deployed on the edge policy node, which performs policy verification against the blockchain in response to a policy verification request. Specifically, the module implements the policy verification function: it checks the computed HASH value on the chain, and that check establishes the authenticity of the policy by ensuring that neither the policy domain nor the policy ID is counterfeit.
The policy synchronization module, deployed both on the cloud policy set service and on the edge policy nodes, which implements policy synchronization and ensures that the policies held by every edge policy node are the latest. Specifically, the module applies each operation on the cloud policy set to the edge nodes subscribed to that policy; the policy operations comprise the addition, modification and deletion of policy rules.
The policy security management module, which manages all policies, including their creation, modification and deletion. It is the hub of the whole device and exchanges data with the policy uplink module, the policy request module and the policy synchronization module, to which it is closely connected.
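Steps S1 to S6 and the four modules above are modelled in the Python below as an added example; it is not code from the patent or from Sichuan Qiruike Technology Co Ltd. Everything the patent leaves open is an assumption here: SHA-256 stands in for the unnamed HASH algorithm, the digest input is the '|'-joined fields shown, a subscription covers one policy domain, the blockchain is an in-memory append-only set, and every identifier and rule text is constructed. The example runs the honest path and the failure paths the description implies: a counterfeit domain ID (S4), a policy from a domain the edge node never subscribed to (S2/S5), an edge copy whose version was altered locally (S5), a cloud-side modification that bumps the version and anchors it before pushing, and a deletion.

```python
import hashlib
from dataclasses import dataclass, replace

def digest(*parts: str) -> str:
    # Assumption: the patent names only "HASH"; SHA-256 over '|'-joined fields is used here.
    return hashlib.sha256("|".join(parts).encode("utf-8")).hexdigest()

def domain_digest(domain_id: str) -> str:
    return digest("domain", domain_id)                 # S1: HASH(policy domain ID)

def policy_digest(policy_id: str, version: int) -> str:
    return digest("policy", policy_id, str(version))   # S1: HASH(policy ID, policy version)

class Ledger:
    """Stand-in for the blockchain: an append-only set of digests with membership queries."""
    def __init__(self) -> None:
        self._anchored: set[str] = set()
    def anchor(self, h: str) -> None:
        self._anchored.add(h)
    def contains(self, h: str) -> bool:
        return h in self._anchored

@dataclass
class Policy:
    policy_id: str
    domain_id: str
    version: int
    rule: str

class EdgeNode:
    """Policy service edge node: holds synced policy copies and runs S4-S6 against the ledger."""
    def __init__(self, ledger: Ledger) -> None:
        self.ledger = ledger
        self.policies: dict[str, Policy] = {}
    def verify(self, domain_id: str, policy_id: str) -> tuple[bool, str]:
        if not self.ledger.contains(domain_digest(domain_id)):              # S4: domain on chain?
            return False, "unknown policy domain"
        p = self.policies.get(policy_id)                                     # S5: match synced policy
        if p is None or p.domain_id != domain_id:
            return False, "policy not synced to this edge node"
        if not self.ledger.contains(policy_digest(p.policy_id, p.version)):  # S5: id+version on chain?
            return False, "policy id/version not anchored on chain"
        return True, p.rule                                                  # S6: both checks passed

class CloudPolicyService:
    """Cloud side: policy management, on-chain write (uplink) and subscription sync (S1, S2)."""
    def __init__(self, ledger: Ledger) -> None:
        self.ledger = ledger
        self.policies: dict[str, Policy] = {}
        self.subscribers: dict[str, list[EdgeNode]] = {}   # domain_id -> subscribed edge nodes
    def create_domain(self, domain_id: str) -> None:
        self.ledger.anchor(domain_digest(domain_id))
    def subscribe(self, node: EdgeNode, domain_id: str) -> None:
        # Assumption: subscription is per policy domain; only subscribed domains are ever pushed.
        self.subscribers.setdefault(domain_id, []).append(node)
        for p in self.policies.values():
            if p.domain_id == domain_id:
                node.policies[p.policy_id] = replace(p)

    def create_policy(self, policy_id: str, domain_id: str, rule: str) -> None:
        self._anchor_and_push(Policy(policy_id, domain_id, 1, rule))

    def modify_policy(self, policy_id: str, rule: str) -> None:
        old = self.policies[policy_id]                     # a modification bumps the version
        self._anchor_and_push(Policy(policy_id, old.domain_id, old.version + 1, rule))

    def delete_policy(self, policy_id: str) -> None:
        p = self.policies.pop(policy_id)
        for node in self.subscribers.get(p.domain_id, []):
            node.policies.pop(policy_id, None)

    def _anchor_and_push(self, p: Policy) -> None:
        self.policies[p.policy_id] = p
        self.ledger.anchor(policy_digest(p.policy_id, p.version))
        for node in self.subscribers.get(p.domain_id, []):
            node.policies[p.policy_id] = replace(p)        # each edge node keeps its own copy

def run_demo() -> dict[str, tuple[bool, str]]:
    # Constructed scenario: two domains, one subscribed edge node, honest and failing requests.
    ledger = Ledger()
    cloud = CloudPolicyService(ledger)
    home = EdgeNode(ledger)
    cloud.create_domain("home-devices")
    cloud.create_domain("park-devices")
    cloud.subscribe(home, "home-devices")                  # the home edge never receives park policies
    cloud.create_policy("lock-open", "home-devices", "owner may unlock 06:00-23:00")
    cloud.create_policy("gate-open", "park-devices", "staff badge required")
    r = {}
    r["ok"] = home.verify("home-devices", "lock-open")
    r["fake_domain"] = home.verify("fake-domain", "lock-open")
    r["unsubscribed"] = home.verify("park-devices", "gate-open")
    home.policies["lock-open"].version = 99                # tamper with the edge copy only
    r["tampered"] = home.verify("home-devices", "lock-open")
    cloud.modify_policy("lock-open", "owner may unlock any time")  # v2 anchored, then pushed
    r["after_modify"] = home.verify("home-devices", "lock-open")
    cloud.delete_policy("lock-open")
    r["after_delete"] = home.verify("home-devices", "lock-open")
    return r
```

Calling run_demo() returns the six outcomes keyed by scenario; only the honest request and the request made after the cloud-side modification pass. One design point, which is this editor's observation rather than anything the patent states: the anchored digest covers only the policy ID and version, so an on-chain match proves that the cloud issued that identifier and version, not what the rule body says. The integrity of the rule text on the edge node therefore rests on the synchronization channel between cloud and edge, and a deployment that wants the chain to vouch for the rule itself would include a digest of the rule body in the anchored value.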
Finally, it should be noted that the above examples are preferred embodiments only and are not intended to limit the invention. Modifications, equivalents, improvements and the like made by those skilled in the art without departing from the spirit of the invention and the scope of the claims are intended to fall within the scope of the invention.

Claims (2)

1. A blockchain-based policy security management device, applied to a business service system, characterized in that
the device comprises: a policy uplink module, a policy request module, a policy synchronization module and a policy security management module;
the policy uplink module is deployed in the cloud policy security management service and is responsible for writing a pre-configured policy domain and its policies to the chain; the policy domain and the policies in the policy domain are configured by partitioning and configuring policy domains according to the actual application scenario and creating policies adapted to the service within the policy domain; writing the policy domain and policies to the chain specifically comprises: computing a HASH of the policy domain ID and writing the resulting HASH value to the chain; and computing a HASH over the policy ID together with the policy version and writing the resulting HASH value to the chain;
the policy request module is deployed on the policy service edge node and accesses the blockchain to perform policy verification in response to a policy verification request, which the business server sends to the policy service edge node after authenticating the user's identity under its own service logic: on receiving the policy verification request, the policy service edge node first computes a HASH of the policy domain ID and verifies the resulting HASH value on the chain as the policy domain check; the policy service edge node then matches the policy verification request against its synchronized policies, obtains a verifiable policy once a match is found, computes a HASH over the policy ID together with the policy version number, and verifies the resulting HASH value on the chain; when both the policy domain check and the policy check pass, the policy verification request is complete and the policy service edge node returns the policy verification result to the business system;
the policy synchronization module is deployed both on the cloud policy set service and on the edge policy nodes, and applies each operation on the cloud policy set to the edge nodes subscribed to the affected policies so as to keep the policies synchronized, the cloud synchronizing only the policies to which the policy service edge node has subscribed;
the policy security management module is deployed in the cloud, manages all policies, including their creation, modification and deletion, and exchanges data with the policy uplink module, the policy request module and the policy synchronization module.
2. A blockchain-based policy security management method, applied to a business service system, characterized in that
the method comprises the following steps:
S1. Configure a policy domain and the policies in that domain, and write the policy domain and policies to the chain; configuring the policy domain and the policies in the policy domain specifically comprises: partitioning and configuring policy domains according to the actual application scenario, and creating policies adapted to the service within the policy domain; writing the policy domain and policies to the chain specifically comprises: computing a HASH of the policy domain ID and uploading the result to the blockchain; and, for each policy, deriving a HASH value from its ID and the corresponding version number with the HASH algorithm and uploading that HASH value to the blockchain;
S2. The policy service edge node subscribes to the cloud policy set; whenever the cloud policy set is updated, the policy service edge node is synchronized automatically in accordance with the operation performed on the cloud policy set, the cloud synchronizing only the policies to which the policy service edge node has subscribed;
S3. When a user accesses the business system from a terminal device, the business server first authenticates the user under its own service logic and then sends the user's relevant information to the policy service edge node for policy verification;
S4. On receiving the verification request, the policy service edge node first computes a HASH of the policy domain ID and verifies the resulting HASH value on the chain;
S5. The policy service edge node matches the request against its synchronized policies; once a match is found it has a verifiable policy, computes a HASH over the policy ID together with the policy version number, and verifies the resulting HASH value on the chain;
S6. When both the policy domain check and the policy check pass, the policy verification request is complete and the policy service edge node returns the policy verification result to the business system.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211619125.3A CN116055486B (en) 2022-12-14 2022-12-14 Policy security management device and method based on blockchain

Publications (2)

Publication Number Publication Date
CN116055486A CN116055486A (en) 2023-05-02
CN116055486B true CN116055486B (en) 2024-05-07

Family

ID=86113854

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110138805A (en) * 2019-06-02 2019-08-16 四川虹微技术有限公司 Device authentication method, access method, key processing method and device, and blockchain
CN112069533A (en) * 2020-07-29 2020-12-11 无锡市北辰星斗科技有限公司 Internet of Things cloud platform transmission encryption system and encryption method thereof
CN113114656A (en) * 2021-04-07 2021-07-13 丁志勇 Infrastructure layout method based on edge cloud computing
CN115378934A (en) * 2022-07-29 2022-11-22 清华大学 Blockchain-based collaborative task offloading method in a cloud-edge computing scenario

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20210342828A1 (en) * 2017-01-25 2021-11-04 State Farm Mutual Automobile Insurance Company Systems and methods for anti-money laundering compliance via blockchain
US10824740B2 (en) * 2018-07-30 2020-11-03 EMC IP Holding Company LLC Decentralized policy publish and query system for multi-cloud computing environment


Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
潘强, 《云环境中基于CP-ABE的访问控制方法研究》 (Research on CP-ABE-based access control methods in cloud environments), 《信息科技》 (Information Science and Technology), 2021-05-15, issue 2021-05, full text *
Chengyi Peng, "Blockchain Based Data Integrity Verification in P2P Cloud Storage", 2018 IEEE 24th International Conference on Parallel and Distributed Systems (ICPADS), 2019, full text *
Dongdong Yue; Ruixuan Li; Yan Zhang; Wenlong Tian, Intelligent and Distributed Computing Laboratory, Huazhong University of Science and Technology, Wuhan, China *



Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant