CN116192387B - Dynamic construction and key generation method of service identity - Google Patents

Dynamic construction and key generation method of service identity

Info

Publication number: CN116192387B (application number CN202310456685.XA; other version CN116192387A)
Authority: CN (China)
Legal status: Active
Other languages: Chinese (zh)
Prior art keywords: service, key, identity, service identity, chain node
Inventors: 李维刚, 王辉, 黄锦阳, 潘海勇
Current and original assignees: Beijing Lida Xin'an Technology Co ltd; Beijing Leadal Technology Development Co ltd

Classifications

    • H04L9/0866 Generation of secret information including derivation or calculation of cryptographic keys or passwords involving user or device identifiers, e.g. serial number, physical or biometrical information, DNA, hand-signature or measurable physical characteristics
    • H04L63/0876 Network security protocols for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H04L63/123 Applying verification of the received data contents, e.g. message integrity
    • H04L9/0643 Hash functions, e.g. MD5, SHA, HMAC or f9 MAC
    • H04L9/3226 Entity authentication using a predetermined code, e.g. password, passphrase or PIN
    • H04L9/3242 Entity authentication or message authentication using keyed hash functions, e.g. message authentication codes [MACs], CBC-MAC or HMAC

Abstract

The invention relates to a method for dynamically constructing a service identity and generating its key, in the technical field of information security. The method comprises: obtaining a first trust chain node of the service context based on the hardware environment fingerprint and the virtual environment fingerprint of the running service; obtaining a second trust chain node of the service context based on the first trust chain node and the running environment fingerprint of the service; obtaining a third trust chain node based on the second trust chain node and the service association fingerprint of the service; generating the service identity based on the third trust chain node and the identification information of the service; and generating a service identity key based on the service identity. The method gives every service in the application system a unique, hard-to-counterfeit and lightweight identity, provides a basis for fine-grained access control of application service resources, and effectively prevents counterfeit identities and tampering with identities.

Description

Dynamic construction and key generation method of service identity
Technical Field
The invention belongs to the technical field of information security, and particularly relates to a dynamic construction and key generation method of a service identity.
Background
With the rapid development of internet technology, the business of internet enterprises is also growing rapidly, and system architecture keeps changing with it. System architecture has generally evolved from the monolithic application architecture, through the vertical application architecture, the distributed architecture and the service-oriented architecture, to the microservice architecture. The microservice architecture has many advantages, such as easy development and maintenance, fast start-up, easy deployment of local changes, no restriction on the technology stack, and on-demand scaling, and because of these advantages it is becoming the mainstream system architecture today. However, as the microservice architecture develops, its security risks are more prominent than those of traditional system architectures, mainly: (1) unlike a monolithic application with few entry points, a microservice-based application has many entry points, all of which must be protected; (2) services communicate with each other continuously, and every service taking part in that communication must be protected; (3) a request may enter the system through one service and span multiple services before leaving it, which makes request tracking difficult; (4) trust must be established between every pair of services, and trust establishment exposes more points of attack, so a systematically designed security architecture is needed.
As information security technology has developed, identity authentication for people and devices has matured, but authentication of non-entity identities such as services is still at an exploratory stage. Some enterprises simply transplant traditional authentication techniques and methods to service authentication, which does not achieve the desired effect and cannot reflect the influence of the context in which the service runs.
Traditional identity authentication only authenticates users, devices and the like; it gives no reliable identity to resources such as application services and cannot provide fine-grained access control. A service identifier carries only information about the service software, so an attacker can present a counterfeit service to attack a microservice architecture, or achieve the same goal by tampering with the original service, and the traditional service authentication architecture cannot solve this. At present, service identity authentication focuses only on factors of the service itself and ignores the environmental factors of the context in which the service runs, so it is difficult to construct a trusted identity for the service and to provide fine-grained access control.
Disclosure of Invention
In view of the above analysis, the present invention aims to provide a method for dynamically constructing service identity identifiers and generating keys, which specifically includes the following steps:
obtaining a first trust chain node of a service context based on hardware environment fingerprint information of running service and virtual environment fingerprint information of the service;
obtaining a second trust chain node of a service context based on the first trust chain node and the fingerprint information of the running environment of the service;
obtaining a third trust chain node based on the second trust chain node and the service associated fingerprint information;
generating a service identity based on the third trust chain node and the identification information of the service;
and generating a service identity key based on the service identity.
Further, the hardware environment fingerprint, the virtual environment fingerprint, the running environment fingerprint and the service association fingerprint are each computed with a hash algorithm from the collected hardware environment information, virtual environment information, running environment information and service association information of the running service.
Further, the first trust chain node, the second trust chain node and the third trust chain node are respectively obtained through calculation by an HMAC algorithm.
Further, generating the service identity based on the third trust chain node and the identification information of the service includes:
dividing the data of the third trust chain node into two groups;
XORing the data of the two groups to obtain the service context fingerprint data;
and encoding the service context fingerprint data, then splicing it with the service identifier to obtain the service identity.
Further, the division into two groups uses 16-byte groups; the encoding uses the Base64 encoding algorithm.
Further, the hardware environment fingerprint data and the virtual environment fingerprint data are used as the key and the data of an HMAC algorithm respectively, and the first HMAC value obtained is used as the first node of the longitudinal trust chain of the service context;
the first trust chain node and the running environment fingerprint data are used as the key and the data of the HMAC algorithm respectively, and the second HMAC value obtained is used as the second trust chain node of the service context;
and the second trust chain node and the service association fingerprint data are used as the key and the data of the HMAC algorithm respectively, and the third HMAC value obtained is used as the third trust chain node of the service context.
Further, the service identity key comprises a service private key, and generating the service identity key based on the service identity comprises:
the service submits an identification key application and the service identity to an identification key distribution center;
the identification key distribution center generates, based on the service identity, a random public key associated with the service identity and a service private key corresponding to the service identity, and returns the service private key to the service.
Further, the generation by the identification key distribution center of the random public key associated with the service identity and the service private key corresponding to the service identity includes:
the identification key distribution center randomly generates a key pair comprising a random public key and a random private key associated with the service identity;
computing an association coefficient based on the random public key and the service identity;
and generating the service private key corresponding to the service identity based on the association coefficient.
Further, computing the association coefficient based on the random public key and the service identity comprises using the random public key and the service identity as the key and the data of an HMAC algorithm respectively and taking the HMAC value as the association coefficient.
Further, generating the service private key corresponding to the service identity based on the association coefficient includes generating it from the association coefficient, the master private key of the key center and the random private key.
The invention can achieve at least one of the following beneficial effects:
The service identity context is constructed from the aspects of hardware environment security, virtual environment security, running environment security, service association and call security, and is linked with the cloud platform management system; a risk assessment of the application service identity is performed; the service identity is constructed dynamically with cryptographic techniques, and the key of the service identity is generated on the basis of an identity-based cryptographic algorithm protocol. This finally gives every service in the application system a unique, hard-to-counterfeit and lightweight identity, provides a basis for fine-grained access control of application service resources, and effectively prevents counterfeit identities and tampering with identities.
Because the hardware environment fingerprint, virtual environment fingerprint, running environment fingerprint and service association fingerprint are generated from the service context information with cryptographic algorithms, any tiny change in the service context is discovered quickly and sharply: if the service context information is altered even slightly by an attack or a modification, the change is discovered in time.
The service identity is generated from a longitudinal trust chain formed by the fingerprint data of the service context, so it is unique across the whole system and cannot be impersonated; a change of the service or of its context environment changes the service identity, the dynamically constructed identity truly reflects the uniqueness of the service, and fine-grained access control of service resources becomes possible.
The binding between the service identity key and the service identity identifier is realized with an identity-based cryptographic algorithm protocol, that is, the service identity identifier is the service identity key, which greatly simplifies key distribution and management.
Because the service identity key uses a certificateless public key system, end-to-end authentication is realized directly without relying on a third-party authentication authority, and service authentication performance is far higher than that of the traditional PKI CA certificate system.
Additional features and advantages of the invention will be set forth in the description which follows, and in part will be obvious from the description, or may be learned by practice of the invention. The objectives and other advantages of the invention will be realized and attained by the structure particularly pointed out in the written description and claims hereof as well as the appended drawings.
Drawings
The drawings are only for purposes of illustrating particular embodiments and are not to be construed as limiting the invention, like reference numerals being used to designate like parts throughout the drawings;
FIG. 1 is a flow chart of the method of the present invention;
FIG. 2 is a dynamic construction flow of the service identity of the present invention;
FIG. 3 is a flow chart illustrating the generation of a service private key according to the present invention;
FIG. 4 is a flow chart of the generation of the public key of the service identity according to the present invention.
Detailed Description
Preferred embodiments of the present invention will now be described in detail with reference to the accompanying drawings, which form a part hereof, and together with the description serve to explain the principles of the invention, and are not intended to limit the scope of the invention.
Examples
The invention discloses a method for dynamically constructing service identity identifiers and generating keys, which comprises the following steps:
Step S01: collect the hardware environment information, virtual environment information, running environment information and service association information of the running service, and compute the hardware environment fingerprint, virtual environment fingerprint, running environment fingerprint and service association fingerprint with a hash algorithm.
The service may be a service in a micro-service application that provides business functions.
Specifically, the hardware on which the service runs includes the hardware servers, hardware security devices and hardware network devices used by the running service. The corresponding hardware environment information comprises hardware server information, hardware security device information and hardware network device information: the hardware server information comprises the CPU, disk, memory and operating system information of the server; the hardware security device information comprises cryptographic machine or cryptographic module information, firewall information and information about other security devices; and the network device information comprises information about the switches, routers, gateways and other devices on which the service runs.
Specifically, the collected hardware environment information is spliced into a character string in order, and the digital digest of that string is computed as the hardware environment fingerprint data:
[formula image not extracted]
where Hash is a digital digest algorithm, optionally SM3 or SHA-256; the result is the hardware environment fingerprint; "|" is the data concatenation symbol; "…" stands for other information related to the hardware environment; and the operand is the character string spliced from the hardware environment information. The hardware server information selected for the string comprises the CPU serial number, the disk serial number, the memory model parameters and the operating system version number; the hardware security device information comprises the product model or version number of the cryptographic machine or cryptographic module, the firewall product model and lot number, and the product lot numbers of other security devices; the network device information comprises the model and product lot number of each switch, router and gateway on which the service runs.
In particular, most application services today are deployed in cloud environments, so the virtualized environment is closely related to the service context. Virtual environment information refers to information about the virtualized environment in which the service is deployed, including virtualization software information (for example OpenStack, KVM, oVirt or Kubernetes) and virtual host information (for example operating system information, CPU resource information, allocated virtual memory, virtual disk information and network settings).
Specifically, the collected virtual environment information is spliced into a character string in order and used as the data of a hash algorithm to obtain the virtual environment fingerprint data, computed as:
[formula image not extracted]
where the result is the virtual environment fingerprint data and the operand is the character string spliced from the virtual environment information; the virtual memory and the virtual disk contribute their sizes to the string, and the network settings contribute the IP address and the MAC address.
In particular, the running environment information refers to the basic software environment on which the service runs; for example, it includes JRE information, database information (such as MySQL), data caching middleware (such as Redis), service registration middleware (such as Nacos) and load balancing (such as Nginx).
Specifically, the collected running environment information is spliced into a character string in order and used as the source data of a hash algorithm to obtain the running environment fingerprint data, computed as:
[formula image not extracted]
where the result is the running environment fingerprint data and the operand is the character string spliced from the service running environment information; for example, the running environment information uses the name and version number of each piece of software to splice the string.
Specifically, service association refers to the situation in a microservice architecture where one service function needs to call one or more other services, and to the mutual calls between services; the service association information includes the identification information of the services and the call relationships between them.
Specifically, the collected service association information is spliced into a character string in order and used as the source data of a hash algorithm to obtain the service association fingerprint data, computed as:
[formula image not extracted]
where the result is the service association fingerprint data and the operand is the character string spliced from the service association information. For example, if the services that have call relationships with the running service a are b and c, where a calls b and c calls a, the character strings are expressed as a->b and c->a.
Step S02: generate the service identity based on the hardware environment fingerprint, the virtual environment fingerprint, the running environment fingerprint and the service association fingerprint. Specifically, this comprises the following steps:
S02-1: obtain the first trust chain node of the service context based on the hardware environment fingerprint of the running service and the virtual environment fingerprint of the service.
Specifically, the hardware environment fingerprint data is used as the key of the HMAC algorithm and the virtual environment fingerprint data as its data; the HMAC value is computed and used as the first trust chain node of the service context, expressed as:
[formula image not extracted]
where HMAC is a keyed digital digest algorithm and the result represents the first trust chain node.
S02-2: obtain the second trust chain node of the service context based on the first trust chain node and the running environment fingerprint.
Specifically, the first trust chain node is used as the key of the HMAC algorithm and the running environment fingerprint as its data; the HMAC value is computed and used as the second node of the longitudinal trust chain of the service context, expressed as:
[formula image not extracted]
where the result represents the second trust chain node.
S02-3: obtain the third trust chain node based on the second trust chain node and the service association fingerprint.
Specifically, the second trust chain node is used as the key of the HMAC algorithm and the service association fingerprint as its data; the HMAC value is computed and used as the third node of the longitudinal trust chain of the service context, expressed as:
[formula image not extracted]
where the result represents the third trust chain node.
S02-4: generate the service identity based on the third trust chain node and the identification information of the service.
Specifically, the data of the third trust chain node is divided into two 16-byte groups; the two groups are XORed to obtain the service context fingerprint data; the fingerprint data is Base64-encoded and spliced with the service identifier to obtain the service identity, expressed as:
[formula image not extracted]
where the Base64 encoding algorithm encodes binary data into a displayable string, "_" is the separator between the service identifier and the service context fingerprint, and "⊕" is the exclusive-or operator.
Figure 2 shows the dynamic construction flow of the service identity of the present invention.
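As an added example (not code from the patent), the following Python reproduces steps S01 to S02-4 on a constructed service context: SHA-256 is used as the digest and HMAC hash (the patent allows SM3 or SHA-256), the environment strings are made up, and the last helper shows that changing a single hardware field changes the resulting identity, which is the property the description relies on.

```python
import base64
import hashlib
import hmac

# Constructed sample context for a service "a" (not taken from the patent).
SERVICE_ID = "a"
HARDWARE_INFO = ["CPU-SN-0001", "DISK-SN-7788", "DDR4-16G", "Linux-5.15"]
VIRTUAL_INFO = ["KVM", "ubuntu-22.04", "4vcpu", "8192", "100", "10.0.0.5", "02:42:ac:11:00:02"]
RUNTIME_INFO = ["jre-17.0.2", "mysql-8.0.33", "redis-7.0", "nacos-2.2", "nginx-1.24"]
ASSOCIATION_INFO = ["a->b", "c->a"]          # a calls b, c calls a (the patent's own call example)


def fingerprint(items):
    """Step S01: splice the collected strings with '|' and take a digest (SHA-256 here; SM3 is the other option)."""
    spliced = "|".join(items).encode()
    return hashlib.sha256(spliced).digest()


def trust_chain(fp_hw, fp_virt, fp_run, fp_assoc):
    """Steps S02-1 to S02-3: the previous node is the HMAC key, the next fingerprint is the HMAC data."""
    node1 = hmac.new(fp_hw, fp_virt, hashlib.sha256).digest()
    node2 = hmac.new(node1, fp_run, hashlib.sha256).digest()
    node3 = hmac.new(node2, fp_assoc, hashlib.sha256).digest()
    return node3


def service_identity(service_id, node3):
    """Step S02-4: split the 32-byte third node into two 16-byte groups, XOR them, Base64, splice with '_'."""
    if len(node3) != 32:
        raise ValueError("third trust chain node must be 32 bytes to form two 16-byte groups")
    left, right = node3[:16], node3[16:]
    context_fp = bytes(x ^ y for x, y in zip(left, right))
    return service_id + "_" + base64.b64encode(context_fp).decode("ascii")


def build_identity(service_id, hardware, virtual, runtime, association):
    """Full S01 + S02 pipeline from raw context strings to the service identity."""
    node3 = trust_chain(fingerprint(hardware), fingerprint(virtual),
                        fingerprint(runtime), fingerprint(association))
    return service_identity(service_id, node3)


def identity_changes_on(field_index, new_value):
    """Re-run the pipeline with one hardware field replaced; True if the identity changed."""
    original = build_identity(SERVICE_ID, HARDWARE_INFO, VIRTUAL_INFO, RUNTIME_INFO, ASSOCIATION_INFO)
    altered_hw = list(HARDWARE_INFO)
    altered_hw[field_index] = new_value
    altered = build_identity(SERVICE_ID, altered_hw, VIRTUAL_INFO, RUNTIME_INFO, ASSOCIATION_INFO)
    return original != altered


if __name__ == "__main__":
    print(build_identity(SERVICE_ID, HARDWARE_INFO, VIRTUAL_INFO, RUNTIME_INFO, ASSOCIATION_INFO))
    print("identity changed after CPU swap:", identity_changes_on(0, "CPU-SN-0002"))
```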
Step S03: generate the service identity key based on the service identity. This specifically comprises the following steps:
S03-1: the service submits an identification key application together with its service identity to the identification key distribution center.
Specifically, after the dynamic construction of the service identity is completed, the service identity must be submitted to the identification key distribution center to apply for the service private key corresponding to that identity; the service is then trusted and authenticated through this private key, which ensures the authenticity and integrity of the service.
S03-2: the identification key distribution center generates, based on the service identity, a random public key associated with the service identity and a service private key corresponding to it, and returns the service private key to the applying service. This specifically comprises the following steps:
S03-21: the identification key distribution center randomly generates a key pair comprising a random public key and a random private key associated with the service identity.
Specifically, after the identification key distribution center receives the service's identification key application, an elliptic curve key pair (rsk, RPK) is randomly generated in the secure cryptographic device using the elliptic curve parameters preset by the distribution center:
[formula image not extracted]
where rsk is the random private key, cached in the secure cryptographic device of the identification key distribution center, and RPK is the random public key, output to the identification key distribution center.
S03-22: the identification key distribution center computes the association coefficient based on the random public key and the service identity.
Specifically, the identification key distribution center uses the random public key RPK and the received service identity as the key and the data of the HMAC algorithm respectively, and computes the association coefficient a between the service identity and the random public key RPK as follows:
[formula image not extracted]
S03-23: the identification key distribution center generates the service private key corresponding to the service identity based on the association coefficient and returns it to the applying service.
Specifically, the identification key distribution center sends the association coefficient a to the secure cryptographic device of the identification key center, which computes the service private key ssk corresponding to the service identity, expressed as:
[formula image not extracted]
where msk is the master private key of the identification key center, i.e. the private key of the random key pair (msk, MPK) generated when the key center was initialized, and is the root private key of the key center;
rsk is the private key of the random key pair (rsk, RPK) generated by the key center for this service identity, and protects the master private key msk against reverse attack;
"×" is modular multiplication of large numbers;
and n is an elliptic curve parameter, the order of the elliptic curve base point G.
The identification key distribution center transmits the service private key back to the applied service through the security protocol channel for subsequent security authentication of the service.
Fig. 3 shows a flow of generation of a service private key.
Specifically, in implementation, the service digitally signs the authentication challenge with its service identity private key to produce the authentication data, and when verifying that data the verifier must compute the identity public key SPK of the service that produced the signature. SPK is generated as follows:
Figure SMS_27
where MPK is the master public key of the identification key center; RPK is the random public key associated with the service identity; "
Figure SMS_28
" is the point multiplication (double point) operation on the elliptic curve; and "+" is the addition of two points on the elliptic curve. Fig. 4 shows the flow of generation of the service identity public key.
According to the dynamic construction and key generation method of the service identity disclosed in this embodiment, the service identity information context is constructed from the aspects of hardware environment security, virtual environment security, running environment security, service association and call security, and is linked with the cloud platform management system; the service identity is dynamically constructed using cryptographic techniques, and the key of the service identity is generated based on an identification cryptographic algorithm protocol. This gives every service in the application service system a unique, non-forgeable and lightweight identity, provides a foundation for fine-grained access control of application service resources, and effectively prevents identity forgery and identity tampering attacks.
Because the hardware environment fingerprint, the virtual environment fingerprint, the running environment fingerprint and the service association fingerprint are generated from the service context information with cryptographic algorithms, any small change in the service context is discovered quickly and sharply: if the service context information is changed even slightly by an attack or a modification, the change is discovered in time.
The service identity is generated from a longitudinal trust chain formed by the fingerprint data of the service context, so it is unique across the whole system and cannot be impersonated. A change to the service or to its context environment changes the service identity, so dynamically constructing the service identity truly reflects the uniqueness of the service and enables fine-grained access control of service resources.
The binding between the service identity key and the service identity identifier is realized by the identification cryptographic algorithm protocol: the service identity identifier is itself the service identity key, which greatly simplifies key distribution and management.
Because the service identity key uses a certificateless public key system, end-to-end direct authentication is achieved without relying on a third-party authentication mechanism, and service authentication performance is far higher than that of the traditional PKI CA certificate system.
The present invention is not limited to the above-mentioned embodiments, and any changes or substitutions that can be easily understood by those skilled in the art within the technical scope of the present invention are intended to be included in the scope of the present invention.

Claims (10)

1. The dynamic construction and key generation method of the service identity is characterized by comprising the following steps:
obtaining a first trust chain node of a service context based on hardware environment fingerprint information of running service and virtual environment fingerprint information of the service;
obtaining a second trust chain node of a service context based on the first trust chain node and the fingerprint information of the running environment of the service;
obtaining a third trust chain node based on the second trust chain node and service association fingerprint information of the service;
generating a service identity based on the third trust chain node and the identification information of the service;
and generating a service identity key based on the service identity.
2. The method for dynamic construction and key generation of a service identity according to claim 1, wherein the hardware environment fingerprint information, the virtual environment fingerprint information, the running environment fingerprint information and the service association fingerprint information are calculated by a Hash algorithm from the acquired hardware environment information, virtual environment information, running environment information and service association information, respectively, on which the service runs.
3. The method for dynamically constructing and generating a key for a service identity according to claim 1, wherein the first trust chain node, the second trust chain node and the third trust chain node are respectively calculated by HMAC algorithm.
4. The method for dynamically constructing and generating a key for a service identity according to claim 1 or 2, wherein the generating a service identity based on the third trust chain node and the service identity information comprises:
dividing the data of the third trust chain node into two groups;
exclusive or is carried out on the data of the two groups to obtain service context fingerprint data;
and encoding the service context fingerprint data, and then splicing the service context fingerprint data with the service identifier to obtain the service identity.
5. The method for dynamic construction and key generation of a service identity according to claim 4, wherein the division into two groups uses 16-byte groups, and the encoding uses a Base64 encoding algorithm.
6. The method for dynamic construction and key generation of a service identity according to claim 3, wherein:
the hardware environment fingerprint data and the virtual environment fingerprint data are used respectively as the key and the data of an HMAC algorithm, and the first HMAC value obtained by the HMAC algorithm is used as the longitudinal first trust chain node of the service context;
the first trust chain node and the running environment fingerprint data are used respectively as the key and the data of an HMAC algorithm, and the second HMAC value obtained by the HMAC algorithm is used as the second trust chain node of the service context;
and the second trust chain node and the service association fingerprint data are used respectively as the key and the data of an HMAC algorithm, and the third HMAC value obtained by the HMAC algorithm is used as the third trust chain node of the service context.
7. The method for dynamic construction and key generation of service identities according to any one of claims 1-3, 5, 6, wherein the service identity key comprises a service private key; the generating a service identity key based on the service identity comprises:
the service submits an identification key application and the service identity to an identification key distribution center;
the identification key distribution center generates a random public key associated with the service identity and a service private key corresponding to the service identity based on the service identity, and transmits the service private key back to the service.
8. The method for dynamically constructing and generating a key for a service identity according to claim 7, wherein the generating, by the identification key distribution center, a random public key associated with the service identity and a service private key corresponding to the service identity based on the service identity comprises:
the identification key distribution center randomly generates a key pair, comprising a random public key and a random private key which are associated with the service identity;
calculating to obtain an association coefficient based on the random public key and the service identity;
and generating a service private key corresponding to the service identity based on the association coefficient.
9. The method for dynamically constructing and generating a key for a service identity according to claim 8, wherein the calculating an association coefficient based on the random public key and the service identity comprises calculating an HMAC value as an association coefficient by using the random public key and the service identity as a key and data of an HMAC algorithm, respectively.
10. The method for dynamically constructing and generating a key for a service identity according to claim 8, wherein the generating a service private key corresponding to the service identity based on the association coefficient comprises generating a service private key corresponding to the service identity based on a master private key of a key center and the random private key.
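As an added example of claims 1 to 6 (not the patent's own code), the following Python builds the longitudinal trust chain and the service identity from constructed sample context data. The claims name a Hash algorithm, an HMAC algorithm, 16-byte grouping and Base64, but not the hash function, the canonical byte form of the collected environment information, or the separator used when splicing the fingerprint with the service identifier; SHA-256, sorted key=value lines and a ":" separator are assumed here, and the sample context values are invented.

```python
import base64
import hashlib
import hmac

HASH = hashlib.sha256  # assumed; the claims say only "Hash algorithm" / "HMAC algorithm"

def fingerprint(info):
    """Claim 2: fingerprint = Hash(collected environment information).
    Fields are canonicalised as sorted key=value lines so collection order cannot change the digest."""
    canonical = "\n".join(f"{k}={info[k]}" for k in sorted(info)).encode()
    return HASH(canonical).digest()

def trust_chain(hw_info, vm_info, run_info, assoc_info):
    """Claims 3 and 6: each node is HMAC(key=previous node, data=next fingerprint),
    so a node can only be reproduced if every earlier layer matches."""
    node1 = hmac.new(fingerprint(hw_info), fingerprint(vm_info), HASH).digest()
    node2 = hmac.new(node1, fingerprint(run_info), HASH).digest()
    node3 = hmac.new(node2, fingerprint(assoc_info), HASH).digest()
    return node1, node2, node3

def context_fingerprint(node3):
    """Claims 4 and 5: split the 32-byte node into two 16-byte groups and XOR them."""
    if len(node3) != 32:
        raise ValueError("third trust chain node must be 32 bytes for 16-byte grouping")
    return bytes(x ^ y for x, y in zip(node3[:16], node3[16:]))

def service_identity(service_id, hw_info, vm_info, run_info, assoc_info):
    """Claim 4: Base64(context fingerprint) spliced with the service identifier (":" is assumed)."""
    _, _, node3 = trust_chain(hw_info, vm_info, run_info, assoc_info)
    return base64.b64encode(context_fingerprint(node3)).decode() + ":" + service_id

# Constructed sample context (invented values, not real collection output).
SAMPLE_HW = {"cpu_id": "BFEBFBFF000906EA", "board_serial": "MB-0000-TEST", "tpm_ek_hash": "00ab"}
SAMPLE_VM = {"vm_uuid": "11111111-2222-3333-4444-555555555555", "hypervisor": "kvm"}
SAMPLE_RUN = {"image_digest": "sha256:deadbeef", "runtime": "containerd-1.7", "namespace": "prod"}
SAMPLE_ASSOC = {"callers": "api-gateway,billing", "platform_tenant": "tenant-42"}

def demo():
    """Build the identity for a constructed service, then rebuild it after one context change.
    Returns (identity, identity_after_vm_change)."""
    sid = service_identity("order-service", SAMPLE_HW, SAMPLE_VM, SAMPLE_RUN, SAMPLE_ASSOC)
    moved_vm = dict(SAMPLE_VM, vm_uuid="99999999-2222-3333-4444-555555555555")
    sid_moved = service_identity("order-service", SAMPLE_HW, moved_vm, SAMPLE_RUN, SAMPLE_ASSOC)
    return sid, sid_moved
```

Two points matter in practice. First, a verifier can only confirm an identity by recomputing it from the same collected information, so the canonical form of that information (field set, order, encoding) is part of the scheme even though the claims do not spell it out. Second, the XOR folding of claim 5 reduces the 32-byte node to a 16-byte value before encoding; the result is still one-way with respect to the underlying environment data, but it is the folded 128-bit value, not the full HMAC output, that ends up in the identity.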
CN202310456685.XA 2023-04-26 2023-04-26 Dynamic construction and key generation method of service identity Active CN116192387B (en)

Publications (2)

Publication Number Publication Date
CN116192387A CN116192387A (en) 2023-05-30
CN116192387B true CN116192387B (en) 2023-06-27

Family

ID=86444618

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109800842A (en) * 2018-12-06 2019-05-24 珠海西山居移动游戏科技有限公司 A kind of assets unique identification code generating method and system
CN111818514A (en) * 2020-08-28 2020-10-23 北京智慧易科技有限公司 Privacy security equipment identifier generation method, device and system

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8375437B2 (en) * 2010-03-30 2013-02-12 Microsoft Corporation Hardware supported virtualized cryptographic service
WO2014128732A1 (en) * 2013-02-25 2014-08-28 P Ashok Anand Correlation identity generation method for cloud environment

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant