Disclosure of Invention
To address the problem in the prior art that, when data is accessed between the intranet and the external network, the visitor's identity is easy to forge and access is unsafe, the invention provides an information security authentication method and system based on a 5G network. Authentication is performed using an authentication clue whose transmission is controlled hierarchically by isolation containers and virtual networks, and the network characteristics and data transmission characteristics are integrated into the authentication process, so that an external visitor cannot forge an identity and security is higher.
The following is a technical scheme of the invention.
An information security authentication method based on a 5G network is used for authentication among different nodes under the 5G network, and comprises the following steps:
S1: initializing configuration: configuring a virtual isolation container for each node and creating virtual networks, wherein a plurality of isolation containers are connected in each virtual network, and the isolation containers are configured to completely receive data and to output the data at a preset packet loss rate;
S2: authentication clue transfer: each node periodically sends an authentication clue to the virtual network through its isolation container, and the other isolation containers receive the authentication clue from the virtual network and output it to their nodes, wherein an intermediate node uses two isolation containers to carry out cross-network transmission of the authentication clue between different virtual networks;
S3: authentication according to the request: after any node generates an access request, the authentication clue that originated from the target node is sent to the target node by using the 5G network; the target node calculates the integrity rate according to the received authentication clue, and if the result calculated from the preset packet loss rate and the hierarchical relation of the virtual network where the initiating node is located is the same as the integrity rate, authentication passes.
The invention isolates the nodes from the virtual network through the isolation containers and controls the loss of the authentication clue at each transmission through the preset packet loss rate. After the initiating node sends the authentication clue it received to the target node, the target node can compare the received authentication clue with the original complete authentication clue. Under the authentication measures of the present application, an external visitor who wants to impersonate an identity needs to know the complete authentication clue, the packet loss rate and the number of transmissions (number of packet losses), but this information is not transmitted in the network and is difficult to acquire, and authentication cannot be passed with any short message, so the possibility of impersonation is basically eliminated and security is extremely high.
Preferably, in the step S1, a virtual isolation container is configured for each node, and a virtual network is created, and a plurality of isolation containers are connected in each virtual network, including:
isolating part of the storage space of each node to configure a virtual isolation container, agreeing a transmission protocol between the node body and the isolation container, and isolating the node body from the virtual network through the isolation container and the transmission protocol.
Preferably, in the step S1, the isolation container is configured to completely receive data and to output the data at a preset packet loss rate, including:
when the isolation container receives data, the received data is completely stored;
when the isolation container outputs data, the stored data is output according to a preset packet loss rate;
and updating the preset packet loss rate according to the requirement.
Preferably, in the step S2, each node periodically sends an authentication clue to the virtual network through its isolation container, and the other isolation containers receive the authentication clue from the virtual network and output it to their nodes, including:
the node inputs authentication clues to the own isolation container according to a preset time period;
the isolation container completely stores the received authentication clues, and sends the authentication clues to other isolation containers in the virtual network according to a preset packet loss rate;
and after receiving the authentication clue from the virtual network, the isolation container outputs the authentication clue to the node according to the preset packet loss rate.
Preferably, in the step S2, the intermediate node uses two isolation containers to perform cross-network transmission of authentication clues between different virtual networks, including:
the intermediate node is configured with two isolation containers respectively connected with different virtual networks, and forwards the authentication clue output by any one isolation container to the other isolation container so as to realize cross-network transmission of the authentication clue among different virtual networks.
In the invention, the intermediate node can download the authentication clue from either of its two isolation containers and forward it to the other isolation container, so that cross-network transmission of the authentication clue between different virtual networks is realized, and in this transmission process one further application of the packet loss rate is superimposed on the clue.
Preferably, in the step S3, after any node generates an access request, the authentication clue that originated from the target node is sent to the target node by using the 5G network, including:
and any node generates an access request, determines a target node according to the access target, and packages and sends the authentication clues received in the time period to the target node.
Preferably, in the step S3, the target node calculates the integrity rate according to the authentication clue, and if the result calculated from the preset packet loss rate and the hierarchical relationship of the virtual network where the initiating node is located is the same as the integrity rate, authentication passes, including:
after receiving the packed authentication clues, the target node performs clue matching and extracts the authentication clues corresponding to the target node;
calculating to obtain the integrity rate according to the received corresponding authentication clue and the self-saved integrity authentication clue;
and calculating the number of transmissions the complete authentication clue has undergone according to the level difference between the virtual network where the initiating node is located and the virtual network where the target node is located, calculating the remaining ratio according to the preset packet loss rate and the number of transmissions, and passing authentication if the integrity rate is the same as the remaining ratio.
The invention also provides an information security authentication system based on the 5G network, which comprises a 5G base station and a plurality of nodes, and the information security authentication method based on the 5G network is executed.
The invention also provides an electronic device, which comprises a memory and a processor, wherein the memory stores a computer program, and the processor realizes the steps of the information security authentication method based on the 5G network when calling the computer program in the memory.
The invention also provides a storage medium, wherein the storage medium stores computer executable instructions, and when the computer executable instructions are loaded and executed by a processor, the steps of the information security authentication method based on the 5G network are realized.
The essential effects of the invention include: after the virtual networks and virtual containers are configured, the complete authentication clue is transmitted asymmetrically through the virtual containers and is lost layer by layer in the virtual networks. When the authentication clue is used for authentication, the producer of the authentication clue only needs to confirm whether the degree of loss matches the virtual network where the opposite node is located. To imitate the degree of loss, the original authentication clue, the preset packet loss rate and the number of transmissions (number of packet losses) must all be acquired accurately; because these data are not transmitted in the network but follow from the actual conditions, an external visitor can hardly imitate them before mastering the network framework of the whole system. The authentication scheme of the invention is particularly suitable for a multi-node, multi-network isolated system and has higher security.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the embodiments of the present invention more apparent, the technical solution will be clearly and completely described in the following in conjunction with the embodiments, and it is apparent that the described embodiments are only some embodiments of the present invention, not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
It should be understood that, in various embodiments of the present invention, the sequence number of each process does not mean that the execution sequence of each process should be determined by its functions and internal logic, and should not constitute any limitation on the implementation process of the embodiments of the present invention.
It should be understood that in the present invention, "comprising" and "having" and any variations thereof are intended to cover non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements that are expressly listed or inherent to such process, method, article, or apparatus.
It should be understood that in the present invention, "plurality" means two or more. "and/or" merely describes an association relationship between associated objects and means that three relationships may exist; for example, A and/or B may mean: A exists alone, A and B exist together, or B exists alone. The character "/" generally indicates that the objects before and after it are in an "or" relationship. "comprising A, B and C" or "comprising A, B, C" means that all three of A, B and C are comprised; "comprising A, B or C" means that one of A, B and C is comprised; and "comprising A, B and/or C" means that any one, any two or all three of A, B and C are comprised.
The technical scheme of the invention is described in detail below by specific examples. Embodiments may be combined with each other and the same or similar concepts or processes may not be described in detail in some embodiments.
Examples
An information security authentication method based on a 5G network, as shown in figure 1, is used for authentication between different nodes under the 5G network, and comprises the following steps:
S1: initializing configuration: configuring a virtual isolation container for each node and creating virtual networks, wherein a plurality of isolation containers are connected in each virtual network, and the isolation containers are configured to completely receive data and to output the data at a preset packet loss rate.
The S1 of this embodiment specifically includes:
isolating part of the storage space of each node to configure a virtual isolation container, agreeing a transmission protocol between the node body and the isolation container, and isolating the node body from the virtual network through the isolation container and the transmission protocol.
When the isolation container receives data, the received data is completely stored;
when the isolation container outputs data, the stored data is output according to a preset packet loss rate;
and updating the preset packet loss rate according to the requirement.
In this embodiment, the node may be any device with a 5G module within the power system, typically a device that collects parameters or executes control instructions. The isolation configuration of the virtual container may be performed by any suitable means, for example by using a technique such as Kubernetes or OpenShift.
The input and output of the virtual container of the present embodiment are configured such that data written to the virtual container is retained in full, while data requested from the virtual container is output at the preset packet loss rate. If the packet loss rate is 20%, 80% of each data item is output: four valid bytes may be output regularly out of every five bytes, or characters may be output randomly, as long as only 80% of the data is output. The preset packet loss rate may be updated by offline setting or by network setting.
S2: authentication clue transfer: each node periodically sends an authentication clue to the virtual network through the isolation container, and other isolation containers receive the authentication clue from the virtual network and output the authentication clue to the node, wherein the intermediate node utilizes two isolation containers to carry out cross-network transmission of the authentication clue among different virtual networks.
Comprising the following steps:
the node inputs authentication clues to the own isolation container according to a preset time period;
the isolation container completely stores the received authentication clues, and sends the authentication clues to other isolation containers in the virtual network according to a preset packet loss rate;
and after receiving the authentication clue from the virtual network, the isolation container outputs the authentication clue to the node according to the preset packet loss rate.
For example, every 10 minutes the node A inputs a new authentication clue to its own isolation container a, and the isolation container a transmits the authentication clue to the isolation containers of the other nodes in the same virtual network at the preset packet loss rate; if the packet loss rate is 20%, the isolation container b of the node B in the same virtual network receives 80% of the authentication clue, and so on, so that the integrity of the clue received within the same virtual network is the same.
The intermediate node is configured with two isolation containers respectively connected with different virtual networks, and forwards the authentication clue output by any one isolation container to the other isolation container so as to realize cross-network transmission of the authentication clue among different virtual networks.
In this embodiment, the intermediate node may download the authentication clue from either of its two isolation containers and forward it to the other isolation container, so as to implement cross-network transmission of the authentication clue between different virtual networks, and in this transmission process one further application of the packet loss rate is superimposed on the clue.
For example, the intermediate node C is configured with two isolation containers C1 and C2 connected to different virtual networks. The isolation container C1 receives 80% of the authentication clue sent from the isolation container a; the intermediate node C then downloads 64% of the clue from the isolation container C1 (the 20% packet loss rate applied once more to the 80%), forwards it to the isolation container C2, and the isolation container C2 forwards 51.2% of the clue (the 20% packet loss rate applied once more to the 64%) into the other virtual network, and so on.
S3: authentication according to the request: after any node generates an access request, the authentication clue that originated from the target node is sent to the target node by using the 5G network; the target node calculates the integrity rate according to the received authentication clue, and if the result calculated from the preset packet loss rate and the hierarchical relation of the virtual network where the initiating node is located is the same as the integrity rate, authentication passes.
Comprising the following steps:
and any node generates an access request, determines a target node according to the access target, and packages and sends the authentication clues received in the time period to the target node.
After receiving the packed authentication clues, the target node performs clue matching and extracts the authentication clues corresponding to the target node;
calculating to obtain the integrity rate according to the received corresponding authentication clue and the self-saved integrity authentication clue;
and calculating the number of transmissions the complete authentication clue has undergone according to the level difference between the virtual network where the initiating node is located and the virtual network where the target node is located, calculating the remaining ratio according to the preset packet loss rate and the number of transmissions, and passing authentication if the integrity rate is the same as the remaining ratio.
For example, after receiving the packaged authentication clues, the target node performs clue matching to find the incomplete authentication clue that matches its own complete clue. After comparison the integrity rate is found to be 51.2%, from which, given the 20% packet loss rate, it is known that the incomplete authentication clue has been subjected to three superimposed packet losses. According to the level difference between the virtual network where the initiating node is located and the virtual network where the target node is located, three transmissions are needed, and the result calculated in combination with the packet loss rate is 51.2%; the two values are the same, so the information clearly matches and authentication passes.
If the remaining ratio calculated from the number of transmissions and the packet loss rate differs from the integrity rate, the identity of the initiating node is evidently false, and the initiating node is not from the virtual network it claims. The hierarchy between virtual networks, the packet loss rate and the complete authentication clues are not available to outsiders and are therefore hard to imitate.
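As an added illustration, not code from the patent, the following Python model simulates steps S1 to S3 as described in the Disclosure and in this embodiment: isolation containers that store received data completely and output it with a regular 20% loss (every fifth fragment dropped), the clue path from node A through the intermediate node C's two containers into a second virtual network, the integrity-rate calculation by clue matching at the target node, and the comparison of that rate against (1-p)^n. The container names a, c1, c2 and d, the clue length of 1250, the representation of a clue as (position, byte) fragments and the rule that the number of transmissions equals the number of container outputs on the path are all assumptions of this model; under them the clue stands at 51.2% after three outputs, the figure used in the text, and node D's own container applies a fourth output when D downloads it.

```python
"""Simulation of the clue-based authentication scheme (steps S1 to S3).

Modelling assumptions, not taken from the patent text: a clue is a byte string
whose fragments are addressed by position; a container drops every fifth stored
fragment (the "regular" output policy the embodiment mentions for a 20% loss
rate); the number of transmissions between two nodes is the number of
container outputs on the simulated path between them.
"""
from __future__ import annotations

import os
from dataclasses import dataclass, field

LOSS_RATE = 0.2    # preset packet loss rate p (figure from the embodiment)
CLUE_LEN = 1250    # constructed length, divisible by 5**4 so all ratios are exact

# A fragment is (position, byte), so the clue's producer can match surviving
# fragments against its own complete copy ("clue matching" in S3).
Fragment = list[tuple[int, int]]


@dataclass
class IsolationContainer:
    """S1: stores received data completely, outputs it at the preset loss rate."""
    name: str
    loss_rate: float = LOSS_RATE          # may be updated as required
    store: dict[str, Fragment] = field(default_factory=dict)

    def receive(self, clue_id: str, frag: Fragment) -> None:
        self.store[clue_id] = list(frag)  # complete storage, nothing dropped

    def output(self, clue_id: str) -> Fragment:
        # Regular policy for p = 1/k: keep k-1 of every k stored fragments.
        k = round(1 / self.loss_rate)
        return [f for n, f in enumerate(self.store[clue_id]) if (n + 1) % k != 0]


def integrity_rate(received: Fragment, complete: bytes) -> float:
    """S3: fraction of the complete clue present in the received fragments.

    A fragment only counts if its byte matches the complete clue at that
    position, so a forged fragment of the right size does not pass.
    """
    matched = sum(1 for pos, b in received if pos < len(complete) and complete[pos] == b)
    return matched / len(complete)


def expected_remaining_ratio(loss_rate: float, outputs: int) -> float:
    """Remaining ratio after n container outputs at loss rate p: (1-p)^n."""
    return (1 - loss_rate) ** outputs


def simulate_path(clue: bytes) -> list[Fragment]:
    """S2: A's clue travels VN1 -> intermediate node C -> VN2 -> node D.

    Returns the fragment after each container output so the caller can read
    the integrity trace hop by hop.
    """
    clue_id = "A-clue"
    cont_a = IsolationContainer("a")    # node A, virtual network VN1
    cont_c1 = IsolationContainer("c1")  # node C, side facing VN1
    cont_c2 = IsolationContainer("c2")  # node C, side facing VN2
    cont_d = IsolationContainer("d")    # node D, virtual network VN2

    hops: list[Fragment] = []
    cont_a.receive(clue_id, list(enumerate(clue)))  # A inputs the complete clue
    hops.append(cont_a.output(clue_id))             # output 1: a -> VN1 -> c1
    cont_c1.receive(clue_id, hops[-1])
    hops.append(cont_c1.output(clue_id))            # output 2: node C downloads from c1
    cont_c2.receive(clue_id, hops[-1])              # C forwards into c2, stored fully
    hops.append(cont_c2.output(clue_id))            # output 3: c2 -> VN2 -> d
    cont_d.receive(clue_id, hops[-1])
    hops.append(cont_d.output(clue_id))             # output 4: node D downloads from d
    return hops


def authenticate(complete: bytes, received: Fragment, outputs: int,
                 loss_rate: float = LOSS_RATE) -> bool:
    """S3 at the target node: pass only if measured integrity equals (1-p)^n."""
    measured = integrity_rate(received, complete)
    return abs(measured - expected_remaining_ratio(loss_rate, outputs)) < 1e-9


def demo() -> dict:
    clue = os.urandom(CLUE_LEN)                 # constructed clue issued by node A
    hops = simulate_path(clue)
    trace = [integrity_rate(h, clue) for h in hops]
    # Node D (VN2) requests access to A; in this topology A derives four
    # container outputs from the level difference between VN1 and VN2.
    genuine = authenticate(clue, hops[-1], outputs=4)
    # An outsider replaying D's fragment while claiming to sit inside VN1
    # (two outputs away from A) fails the ratio check.
    wrong_network = authenticate(clue, hops[-1], outputs=2)
    # A fragment of the right size whose bytes do not match fails clue matching.
    altered = [(pos, (b + 1) % 256) for pos, b in hops[-1]]
    fabricated = authenticate(clue, altered, outputs=4)
    return {"trace": trace, "genuine": genuine,
            "wrong_network": wrong_network, "fabricated": fabricated}


if __name__ == "__main__":
    print(demo())
```

The two negative checks in `demo()` are the defender's view of the scheme: a replayed clue is rejected when the claimed network does not match its degree of loss, and a clue of the right size but wrong content is rejected because the producer matches bytes at positions rather than counting them. Whether the outputs count for a given pair of nodes is two, three or four depends on the topology the operator configures; the model only fixes it for the path it simulates.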
In this embodiment, the nodes are isolated from the virtual network through the isolation containers, and the loss of the authentication clue at each transmission is controlled through the preset packet loss rate. The initiating node sends the authentication clue it received to the target node; the target node compares it against the original complete authentication clue and determines the virtual network where the initiating node is located, so that it can judge whether the integrity rate of the authentication clue accords with the real transmission conditions, and if so, authentication passes. Under the authentication measures of the present application, an external visitor who wants to impersonate an identity needs to know the complete authentication clue, the packet loss rate and the number of transmissions (number of packet losses), but this information is not transmitted in the network and is difficult to acquire, and authentication cannot be passed with any short message, so the possibility of impersonation is basically eliminated and security is extremely high.
The embodiment also provides an information security authentication system based on the 5G network, which comprises a 5G base station and a plurality of nodes, and the information security authentication method based on the 5G network is executed.
The embodiment also provides an electronic device, which comprises a memory and a processor, wherein the memory stores a computer program, and the processor realizes the steps of the information security authentication method based on the 5G network when calling the computer program in the memory.
The present embodiment also provides a storage medium, where computer executable instructions are stored, where the computer executable instructions implement the steps of the above-mentioned 5G network-based information security authentication method when loaded and executed by a processor.
The essential effects of the present embodiment include: after the virtual networks and virtual containers are configured, the complete authentication clue is transmitted asymmetrically through the virtual containers and is lost layer by layer in the virtual networks. When authentication is performed using the authentication clue, the generator of the authentication clue only needs to confirm whether the degree of loss matches the virtual network where the opposite node is located. To imitate the degree of loss, the original authentication clue, the preset packet loss rate and the number of transmissions (number of packet losses) must all be obtained accurately; these data are not transmitted in the network and are at least not present in recent communications, so they are almost impossible to imitate. Therefore, the authentication scheme of the embodiment is particularly suitable for a multi-node, multi-network isolated system and has higher security.
From the foregoing description of the embodiments, it will be appreciated by those skilled in the art that, for convenience and brevity of description, only the above-described division of functional modules is illustrated, and in practical application, the above-described functional allocation may be implemented by different functional modules according to needs, i.e. the internal structure of a specific apparatus is divided into different functional modules to implement all or part of the functions described above.
In the embodiments provided in this application, it should be understood that the disclosed structures and methods may be implemented in other ways. For example, the embodiments described above with respect to structures are merely illustrative, e.g., the division of modules or units is merely a logical functional division, and there may be additional divisions when actually implemented, e.g., multiple units or components may be combined or integrated into another structure, or some features may be omitted, or not performed. Alternatively, the coupling or direct coupling or communication connection shown or discussed with each other may be an indirect coupling or communication connection via interfaces, structures or units, which may be in electrical, mechanical or other forms.
The units described as separate parts may or may not be physically separate, and the parts shown as units may be one physical unit or a plurality of physical units, may be located in one place, or may be distributed in a plurality of different places. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, each functional unit in the embodiments of the present application may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit. The integrated units may be implemented in hardware or in software functional units.
The integrated units, if implemented in the form of software functional units and sold or used as stand-alone products, may be stored in a readable storage medium. Based on such understanding, the technical solution of the embodiments of the present application may be essentially or a part contributing to the prior art or all or part of the technical solution may be embodied in the form of a software product stored in a storage medium, including several instructions to cause a device (may be a single-chip microcomputer, a chip or the like) or a processor (processor) to perform all or part of the steps of the methods of the embodiments of the present application. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read Only Memory (ROM), a random access memory (random access memory, RAM), a magnetic disk, or an optical disk, or other various media capable of storing program codes.
The foregoing is merely specific embodiments of the present application, but the scope of the present application is not limited thereto, and any person skilled in the art can easily think about changes or substitutions within the technical scope of the present application, and the changes and substitutions are intended to be covered by the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.