CN116319070B - Industrial Internet identification analysis system, method, electronic equipment and storage medium - Google Patents


Info

Publication number
CN116319070B
Authority
CN (China)
Prior art keywords
node
analysis
request message
identity
identification
Legal status
Active
Application number
CN202310525010.6A
Other languages
Chinese (zh)
Other versions
CN116319070A (en)
Inventor
肖念浩
王龙
范晶
宋宁宁
刘笑凯
周文辉
贾旭光
樊雪君
赵城
Current Assignee
6th Research Institute of China Electronics Corp
Original Assignee
6th Research Institute of China Electronics Corp
Application filed by 6th Research Institute of China Electronics Corp
Priority to CN202310525010.6A
Publication of CN116319070A
Application granted
Publication of CN116319070B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L 9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L 9/0866 Generation of secret information including derivation or calculation of cryptographic keys or passwords involving user or device identifiers, e.g. serial number, physical or biometrical information, DNA, hand-signature or measurable physical characteristics
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L 9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02P CLIMATE CHANGE MITIGATION TECHNOLOGIES IN THE PRODUCTION OR PROCESSING OF GOODS
    • Y02P 90/00 Enabling technologies with a potential contribution to greenhouse gas [GHG] emissions mitigation
    • Y02P 90/30 Computing systems specially adapted for manufacturing

Abstract

The application provides an industrial Internet identifier resolution system, an industrial Internet identifier resolution method, an electronic device and a storage medium. The system comprises a recursive resolution node, further nodes and a verification module. The recursive resolution node sends a bidirectional identity authentication request to the other nodes when it provides resolution service for a target identifier resolution request message. Any node, on receiving that request, concatenates the target identifier resolution request message with its own identity information and its identity authentication credential and determines the target identifier resolution request message carrying the signature information of that node. The verification module verifies the signed target identifier resolution request message of the node using the public identity information within that node's identity information; if the verification passes, the node resolves the identifier field it manages in the target identifier resolution request and determines an identifier resolution result. Replacing public key certificates with public identity information improves the security of the industrial Internet identifier resolution system.

Description

Industrial Internet identification analysis system, method, electronic equipment and storage medium
Technical Field
The application relates to the technical field of industrial Internet identifier resolution, in particular to an industrial Internet identifier resolution system, an industrial Internet identifier resolution method, an electronic device and a storage medium.
Background
The existing industrial Internet identifier resolution system relies on digital certificate technology for security protection such as identity verification, and is protected in that way. However, digital certificates are managed centrally by the CA, and the ultra-large number of entities on the industrial Internet places a huge resource load on the CA; this problem of entity scale is only avoided to a certain extent. Even so, as the industrial Internet keeps developing, the number of nodes keeps growing, and the resources that certificate management consumes on the CA become an increasingly obvious problem. Meanwhile, the CA itself faces the threat of attack, and once the CA is compromised the normal operation of the whole industrial Internet is directly affected. Therefore, how to improve the security of the industrial Internet identifier resolution system has become a technical problem.
Disclosure of Invention
Accordingly, the present application is directed to an industrial Internet identifier resolution system, method, electronic device and storage medium, which realize certificate-free signatures by using public identity information instead of public key certificates, reduce the corresponding management cost, and improve the security of the industrial Internet identifier resolution system.
The embodiment of the application provides an industrial Internet identifier resolution system, which comprises a plurality of nodes and a verification module, wherein the nodes comprise a recursive resolution node, an enterprise node, a secondary node and a national top-level node; the recursive resolution node is in communication connection with the enterprise node, the secondary node and the national top-level node, the verification module is in communication connection with the plurality of nodes, the enterprise node is in communication connection with the secondary node, and the secondary node is in communication connection with the national top-level node; wherein,
the recursive resolution node is used for sending a bidirectional identity authentication request to the enterprise node, the secondary node and the national top-level node when providing resolution service for a target identifier resolution request message after receiving that message from the user terminal;
any node is used for, after receiving the bidirectional identity authentication request, concatenating the target identifier resolution request message with the identity information corresponding to the node and the corresponding identity authentication credential, and determining the target identifier resolution request message carrying the signature information corresponding to the node;
the verification module is used for verifying, for any node, the target identifier resolution request message carrying the signature information of the node based on the public identity information in the identity information of that node; if the verification passes, the node resolves the identifier field it manages in the target identifier resolution request, and an identifier resolution result is determined.
In one possible implementation, the industrial Internet identifier resolution system further comprises an identifier resolution access authentication module, which is in communication connection with the plurality of nodes; wherein,
the identifier resolution access authentication module is used for determining the identity authentication credential corresponding to each node based on the key generation center and the identity information provided by each node, after the recursive resolution node, the enterprise node, the secondary node and the national top-level node send requests applying for identity authentication credentials; wherein the identity information comprises public identity information and limited identity information.
In one possible implementation, when determining the identity authentication credential corresponding to each node based on the key generation center and the identity information provided by each node, the identifier resolution access authentication module is specifically configured such that:
the key generation center issues a corresponding private key to each node according to its public identity information;
each private key signs the corresponding identity information, and the identity authentication credential corresponding to each node is thereby determined.
In one possible implementation, for the recursive resolution node, concatenating the target identifier resolution request message with the node's identity information and identity authentication credential after receiving the bidirectional identity authentication request, and determining the target identifier resolution request message carrying the node's signature information, comprises:
the recursive resolution node concatenates the target identifier resolution request message, its own identity information and its own identity authentication credential, and determines the spliced target identifier resolution request message of the recursive resolution node;
processing the spliced target identifier resolution request message of the recursive resolution node with a digest algorithm, and determining the digest result message of the recursive resolution node;
and signing the digest result message with the private key of the recursive resolution node, and determining the target identifier resolution request message carrying the signature information corresponding to the recursive resolution node.
In one possible implementation, when verifying, for any node, the target identifier resolution request message carrying the node's signature information based on the public identity information in the node's identity information and, if the verification passes, having the node resolve the identifier field it manages in the target identifier resolution request and determine an identifier resolution result, the verification module is specifically configured to:
detect whether signature verification of the target identifier resolution request message carrying signature information under the public identity information is valid;
if the signature verification is valid, verify the identity authentication credential in the spliced target identifier resolution request message based on a public key provided by the key generation center;
if that verification passes, the identity information of the node is valid, so the node resolves the identifier field it manages in the target identifier resolution request, and an identifier resolution result is determined.
In one possible implementation, the verification module is further configured to:
determine the limited identity information from the identity information;
detect whether the corresponding identity authentication credential has expired based on the identity validity period in the limited identity information;
if so, send a request to the node to regenerate the identity authentication credential.
In one possible implementation, the identifier resolution access authentication module obtains the identity information provided by each node through the following steps:
the nodes at each level transmit their identity information to the node at the next higher level, and finally the national top-level node transmits the aggregated identity information of the nodes at every level to the identifier resolution access authentication module.
The embodiment of the application also provides an industrial Internet identifier resolution method, which comprises the following steps:
after receiving a target identifier resolution request message sent by the user side, a recursive resolution node sends a bidirectional identity authentication request to an enterprise node, a secondary node and a national top-level node when providing resolution service for that message;
after receiving the bidirectional identity authentication request, the recursive resolution node, the enterprise node, the secondary node and the national top-level node each concatenate the target identifier resolution request message with their own identity information and identity authentication credential to determine the target identifier resolution request message carrying their own signature information;
and for any node, verifying the target identifier resolution request message carrying the node's signature information based on the public identity information in the node's identity information; if the verification passes, the node resolves the identifier field it manages in the target identifier resolution request and determines an identifier resolution result.
The embodiment of the application also provides an electronic device, which comprises a processor, a memory and a bus, wherein the memory stores machine-readable instructions executable by the processor, the processor and the memory communicate through the bus when the electronic device runs, and the machine-readable instructions, when executed by the processor, perform the steps of the industrial Internet identifier resolution method.
The embodiment of the application also provides a computer-readable storage medium storing a computer program which, when executed by a processor, performs the steps of the industrial Internet identifier resolution method.
The industrial Internet identifier resolution system provided by the embodiment of the application comprises a plurality of nodes and a verification module, wherein the nodes comprise a recursive resolution node, an enterprise node, a secondary node and a national top-level node; the recursive resolution node is in communication connection with the enterprise node, the secondary node and the national top-level node, the verification module is in communication connection with the plurality of nodes, the enterprise node is in communication connection with the secondary node, and the secondary node is in communication connection with the national top-level node; the recursive resolution node is used for sending a bidirectional identity authentication request to the enterprise node, the secondary node and the national top-level node when providing resolution service for a target identifier resolution request message after receiving that message from the user terminal; any node is used for, after receiving the bidirectional identity authentication request, concatenating the target identifier resolution request message with its own identity information and identity authentication credential and determining the target identifier resolution request message carrying its own signature information; the verification module is used for verifying, for any node, that message based on the public identity information in the node's identity information, and if the verification passes, the node resolves the identifier field it manages in the target identifier resolution request and an identifier resolution result is determined.
By using public identity information in place of public key certificates, certificate-free signatures are realized, the corresponding management cost is reduced, and the security of the industrial Internet identifier resolution system is improved.
In order to make the above objects, features and advantages of the present application more comprehensible, preferred embodiments accompanied with figures are described in detail below.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings that are needed in the embodiments will be briefly described below, it being understood that the following drawings only illustrate some embodiments of the present application and therefore should not be considered as limiting the scope, and other related drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 is a schematic diagram of an industrial Internet identifier resolution system according to an embodiment of the present application;
FIG. 2 is a second schematic diagram of an industrial Internet identifier resolution system according to an embodiment of the present application;
FIG. 3 is a flowchart of an industrial Internet identifier resolution method according to an embodiment of the present application;
FIG. 4 is a schematic structural diagram of an electronic device according to an embodiment of the present application.
Icon: 100 - industrial Internet identifier resolution system; 110 - recursive resolution node; 120 - enterprise node; 130 - secondary node; 140 - national top-level node; 150 - verification module; 160 - identifier resolution access authentication module; 400 - electronic device; 410 - processor; 420 - memory; 430 - bus.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the embodiments of the present application more apparent, the technical solutions of the embodiments of the present application will be clearly and completely described with reference to the accompanying drawings in the embodiments of the present application, and it should be understood that the drawings in the present application are for the purpose of illustration and description only and are not intended to limit the scope of the present application. In addition, it should be understood that the schematic drawings are not drawn to scale. A flowchart, as used in this disclosure, illustrates operations implemented according to some embodiments of the present application. It should be appreciated that the operations of the flow diagrams may be implemented out of order and that steps without logical context may be performed in reverse order or concurrently. Moreover, one or more other operations may be added to or removed from the flow diagrams by those skilled in the art under the direction of the present disclosure.
In addition, the described embodiments are only some, but not all, embodiments of the application. The components of the embodiments of the present application generally described and illustrated in the figures herein may be arranged and designed in a wide variety of different configurations. Thus, the following detailed description of the embodiments of the application, as presented in the figures, is not intended to limit the scope of the application, as claimed, but is merely representative of selected embodiments of the application. All other embodiments, which can be made by a person skilled in the art based on embodiments of the application without making any inventive effort, fall within the scope of the application.
In order to enable those skilled in the art to make use of the present disclosure, the following embodiments are provided in connection with a particular application scenario "parsing industrial internet identification", and it will be apparent to those skilled in the art that the general principles defined herein may be applied to other embodiments and application scenarios without departing from the spirit and scope of the present disclosure.
First, an application scenario to which the present application is applicable will be described. The method and the device can be applied to the technical field of industrial Internet identification analysis.
According to research, the existing industrial Internet identifier resolution system relies on digital certificate technology for security protection such as identity verification, and is protected in that way. However, digital certificates are managed centrally by the CA, and the ultra-large number of entities on the industrial Internet places a huge resource load on the CA; this problem of entity scale is only avoided to a certain extent. Even so, as the industrial Internet keeps developing, the number of nodes keeps growing, and the resources that certificate management consumes on the CA become an increasingly obvious problem. Meanwhile, the CA itself faces the threat of attack, and once the CA is compromised the normal operation of the whole industrial Internet is directly affected. Therefore, how to improve the security of the industrial Internet identifier resolution system has become a technical problem.
Based on the above, the embodiment of the application provides an industrial Internet identifier resolution system, which realizes certificate-free signatures by using public identity information in place of public key certificates, reduces the corresponding management cost and improves the security of the industrial Internet identifier resolution system.
Referring to FIG. 1, FIG. 1 is a schematic structural diagram of an industrial Internet identifier resolution system according to an embodiment of the application. As shown in FIG. 1, the industrial Internet identifier resolution system 100 provided by the embodiment comprises a plurality of nodes and a verification module 150, wherein the nodes comprise a recursive resolution node 110, an enterprise node 120, a secondary node 130 and a national top-level node 140; the recursive resolution node 110 is in communication connection with the enterprise node 120, the secondary node 130 and the national top-level node 140, the verification module 150 is in communication connection with the plurality of nodes, the enterprise node 120 is in communication connection with the secondary node 130, and the secondary node 130 is in communication connection with the national top-level node 140.
Specifically, the recursive resolution node 110 is configured to send a bidirectional identity authentication request to the enterprise node 120, the secondary node 130 and the national top-level node 140 when providing resolution service for a target identifier resolution request message after receiving that message from the user terminal; any node is configured to, after receiving the bidirectional identity authentication request, concatenate the target identifier resolution request message with its own identity information and identity authentication credential and determine the target identifier resolution request message carrying its own signature information; the verification module 150 is configured to verify, for any node, the target identifier resolution request message carrying the node's signature information based on the public identity information in the node's identity information and, if the verification passes, to let the node resolve the identifier field it manages in the target identifier resolution request, so as to determine an identifier resolution result.
Here, after receiving the target identifier resolution request message sent by the user side, the recursive resolution node 110 sends a bidirectional identity authentication request to the enterprise node 120, the secondary node 130 and the national top-level node 140, whereupon each node must send its target identifier resolution request message carrying signature information to the verification module 150 for bidirectional identity authentication.
The identity information ID of each node comprises public identity information id and limited identity information pid, where id is the unique identity code of the node and pid represents the node's other identity information, including its name, the expiration date of its identity credential and other information.
The identifier resolution result is the result of resolving the identifier field that the node manages in the target identifier resolution request; for example, it may be an Internet domain name resolution result, the address of the server storing the product information may be queried through the product identifier, or the product information and related services may be queried directly.
After the verification passes, the verification module 150 sends a request permitting resolution to the node that passed verification, and that node resolves the identifier field it manages in the target identifier resolution request to determine the identifier resolution result.
Here, the overall identifier resolution result corresponding to the target identifier resolution request may be determined from the identifier resolution results of the plurality of nodes.
In this scheme, the public identity is used in place of the public key certificate, so that certificate-free signatures are realized, no trusted third party is required to provide public key certificate management service, and the corresponding management cost is reduced.
In one possible implementation, for the recursive resolution node 110, concatenating the target identifier resolution request message with its own identity information and identity authentication credential after receiving the bidirectional identity authentication request, and determining the target identifier resolution request message carrying its own signature information, comprises:
A: the recursive resolution node 110 concatenates the target identifier resolution request message, its own identity information and its own identity authentication credential, and determines the spliced target identifier resolution request message of the recursive resolution node 110.
Here, the recursive resolution node 110 splices the target identifier resolution request message with the corresponding identity information and the corresponding identity authentication credential, and determines its spliced target identifier resolution request message.
When generating the signature, the recursive resolution node 110 concatenates the target identifier resolution request message (M), its own identity information (ID) and its own identity authentication credential (AT); the concatenation is the spliced target identifier resolution request message of the recursive resolution node.
B: processing the spliced target identifier resolution request message of the recursive resolution node 110 with a digest algorithm, and determining the digest result message of the recursive resolution node 110.
Here, the spliced target identifier resolution request message of the recursive resolution node 110 is processed with the digest algorithm, and the digest result message of the recursive resolution node 110 is determined.
C: signing the digest result message with the private key of the recursive resolution node 110, and determining the target identifier resolution request message carrying the signature information corresponding to the recursive resolution node 110.
Here, the digest result message of the recursive resolution node 110 is signed with the private key of the recursive resolution node 110, so as to determine the target identifier resolution request message carrying the signature information corresponding to the recursive resolution node 110.
That is, the digest algorithm is applied to the spliced target identifier resolution request message to obtain the digest result message, and the private key (PK) is then used to sign the digest result message, yielding the target identifier resolution request message carrying the signature information. The processing by which the other nodes produce their own target identifier resolution request messages carrying signature information is consistent with that of the recursive resolution node 110 and is not described in detail again.
In one possible implementation, the verification module 150 is configured to, for any one of the nodes, verify the target identifier resolution request message carrying signature information of that node based on the public identity information among the node's identity information and, if the verification passes, have the node resolve the identifier field it manages in the target identifier resolution request and determine an identifier resolution result. For this, the verification module 150 is specifically configured to:
(1): detect whether signature verification of the target identifier resolution request message carrying signature information, performed with the public identity information, is valid.
Here, the verification module 150 checks whether verifying the signature on the target identifier resolution request message carrying signature information with the node's public identity information succeeds.
(2): if the signature verification is valid, verify the identity authentication credential in the spliced target identifier resolution request message with the public key provided by the key generation center; if that verification passes, the identity information of the node is valid, so the node resolves the identifier field it manages in the target identifier resolution request and determines the identifier resolution result.
Here, if the signature verification is valid, the identity authentication credential contained in the spliced target identifier resolution request message is verified with the public key provided by the key generation center. If that verification passes, the identity information of the node is considered valid, so the node resolves the identifier field it manages in the target identifier resolution request and determines the identifier resolution result.
In detail, after receiving the target identifier resolution request message carrying signature information, the verification module 150 first checks the integrity of that message by verifying its signature against the unique identity code id of the node. Only if the message is valid does it go on to verify the identity authentication credential contained in the message with the public key provided by the key generation center, and so determine that the credential is valid; a message whose signature fails is therefore rejected before any credential is inspected.
In one possible implementation, the verification module 150 is further configured to:
determine the limited identity information from the identity information; detect, from the identity validity period in the limited identity information, whether the corresponding identity authentication credential has expired; and, if it has, send a request to regenerate the identity authentication credential to the node.
Here, the limited identity information (pid) is determined from the identity information (ID), and whether the corresponding identity authentication credential has expired is checked against the identity validity period contained in the limited identity information; if it has expired, a request to regenerate the identity authentication credential is sent to the corresponding node.
Further, referring to fig. 2, fig. 2 is a second schematic structural diagram of the industrial internet identifier resolution system 100 according to an embodiment of the application. As shown in fig. 2, the industrial internet identifier resolution system 100 further includes an identifier resolution access authentication module 160, which is communicatively connected to the plurality of nodes.
Specifically, the identifier resolution access authentication module 160 is configured to determine, after the recursive resolution node 110, the enterprise node 120, the secondary node 130 and the national top-level node 140 send requests applying for identity authentication credentials, the identity authentication credential corresponding to each node based on the key generation center and the identity information provided by each node; the identity information comprises public identity information and limited identity information.
Here, after receiving the requests for identity authentication credentials sent by the recursive resolution node 110, the enterprise node 120, the secondary node 130 and the national top-level node 140, the identifier resolution access authentication module 160 determines the identity authentication credential of each node from the key generation center and the identity information each node provides.
In one possible implementation, when determining the identity authentication credential corresponding to each node based on the key generation center and the identity information provided by each node, the identifier resolution access authentication module 160 is specifically configured to:
I: have the key generation center issue a corresponding private key to the node corresponding to each item of public identity information.
Here, the key generation center issues a corresponding private key to each node identified by its public identity information.
The private keys corresponding to different public identity information are different.
II: have each private key sign the corresponding identity information, and determine the identity authentication credential corresponding to each node.
Here, each private key signs the corresponding identity information, and the identity authentication credential corresponding to each node is determined.
In this scheme, the certificateless signature method based on identity-based cryptography reduces the resource consumption and construction cost that digital certificate management would bring, breaks through the original resource limits and design bottlenecks, and better secures the industrial internet identifier resolution system.
In a specific embodiment, the identifier resolution access authentication module 160 uses identity-based cryptography to issue a private key to an access node from the identity information the node provides. The key generation center (private key generator, PKG) generates the private key (PK) of the node corresponding to its public identity information (id). To guarantee the authenticity of the identity information ID when issuing the key, the PKG signs the node identity information ID with its own private key, producing the identity authentication credential AT. The PKG thus issues each node a full key CK, where CK denotes the complete key issued by the PKG to the node, PK denotes the private key the node actually uses to sign, and AT denotes the identity credential obtained after the PKG signs the node identity information.
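As an added worked example, not code from the patent, the following Python runs the flow described above end to end: steps I and II at the key generation center, steps A to C at a node, the two checks of the verification module 150, and the validity-period check on the limited identity information. The patent does not name its identity-based signature scheme, so the example substitutes a pairing-free, Schnorr-style identity-based signature in the manner of Galindo and Garcia: the PKG's Schnorr signature on (id, validity period) yields the node's private signing scalar (the page's PK) together with a public commitment R that plays the role of the credential AT, and the verifier rebuilds the node's verification key from the id, the AT and the PKG public key y alone, so check (1) and check (2) are carried out by one verification equation. The group parameters, node names, request string, validity periods, master secret and all class and function names (KeyGenerationCenter, Credential, NodeKey, splice, sign_request, verify_request, demo) are constructed for this example; the group is demonstration-sized and not suitable for deployment.

```python
# Added example (not the patent's code): the splice / digest / sign / verify flow with a
# Schnorr-style identity-based signature, Galindo-Garcia style.  Demonstration-sized group.
import hashlib
from dataclasses import dataclass

def is_probable_prime(n: int) -> bool:
    """Miller-Rabin with fixed small bases, ample for the ~130-bit candidates used here."""
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def schnorr_group():
    """q = 2^127 - 1 (a Mersenne prime); p the first prime k*q + 1; g = h^k of order q."""
    q, k = (1 << 127) - 1, 2
    while not is_probable_prime(k * q + 1):
        k += 2
    p = k * q + 1
    g = next(x for x in (pow(h, k, p) for h in range(2, 100)) if x != 1)
    return p, q, g

P, Q, G = schnorr_group()
def frame(*parts: bytes) -> bytes:
    """Length-prefixed concatenation, so spliced fields cannot be re-split ambiguously."""
    return b"".join(len(x).to_bytes(4, "big") + x for x in parts)
def ib(n: int) -> bytes:
    return n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")
def h2scalar(*parts: bytes) -> int:
    return int.from_bytes(hashlib.sha256(frame(*parts)).digest(), "big") % Q
def nonce(*parts: bytes) -> int:
    """Deterministic nonce in [1, Q-1] derived from secret material: no RNG, no nonce reuse."""
    return h2scalar(b"nonce", *parts) % (Q - 1) + 1

@dataclass(frozen=True)
class Credential:      # the page's AT: the PKG's binding of a node id to its validity period (pid)
    node_id: bytes
    not_after: int
    R: int             # g^r, public part of the PKG's signature on (id, not_after)

@dataclass(frozen=True)
class NodeKey:         # the page's full key CK = (PK, AT); the page calls the *private* scalar PK
    pk: int
    at: Credential

class KeyGenerationCenter:
    """PKG with master secret x, public key y = g^x; extract() is the page's steps I and II."""
    def __init__(self, master_secret: int):
        self.x = master_secret % Q
        self.y = pow(G, self.x, P)
    def extract(self, node_id: bytes, not_after: int) -> NodeKey:
        r = nonce(ib(self.x), node_id, ib(not_after))
        R = pow(G, r, P)
        c = h2scalar(b"extract", node_id, ib(not_after), ib(R))
        s = (r + self.x * c) % Q   # the PKG's signature scalar doubles as the node's private key
        return NodeKey(pk=s, at=Credential(node_id, not_after, R))

def splice(request: bytes, at: Credential) -> bytes:
    """Step A: request || identity information || identity authentication credential."""
    return frame(request, at.node_id, ib(at.not_after), ib(at.R))

def sign_request(request: bytes, key: NodeKey) -> dict:
    """Steps B and C: digest the spliced message, then sign the digest with PK."""
    digest = hashlib.sha256(splice(request, key.at)).digest()          # step B
    a = nonce(ib(key.pk), digest)
    A = pow(G, a, P)
    e = h2scalar(b"sign", key.at.node_id, ib(A), digest)
    b = (a + key.pk * e) % Q                                             # step C
    return {"request": request, "at": key.at, "A": A, "b": b}          # what is transmitted

def verify_request(msg: dict, pkg_public_key: int, now: int) -> str:
    """Verification module 150: (1) signature check from id and the PKG key y only; (2) expiry."""
    at: Credential = msg["at"]
    digest = hashlib.sha256(splice(msg["request"], at)).digest()
    e = h2scalar(b"sign", at.node_id, ib(msg["A"]), digest)
    c = h2scalar(b"extract", at.node_id, ib(at.not_after), ib(at.R))
    node_public = at.R * pow(pkg_public_key, c, P) % P   # g^s rebuilt from (id, AT, y)
    if pow(G, msg["b"], P) != msg["A"] * pow(node_public, e, P) % P:
        return "bad_signature"   # identity, credential or request does not match
    if now > at.not_after:
        return "expired"         # page: send the node a request to regenerate its credential
    return "ok"                  # the node may now resolve the identifier field it manages

def demo() -> list:
    """Recursive node 110 and the three nodes it authenticates with, each verified in turn."""
    pkg = KeyGenerationCenter(master_secret=0x5EED)
    ids = (b"recursive-110", b"enterprise-120", b"secondary-130", b"top-level-140")
    req, now = b"RESOLVE 88.100.1/PUMP-0042", 1_700_000_000              # constructed sample
    msgs = [sign_request(req, pkg.extract(i, not_after=now + 86400)) for i in ids]
    return [verify_request(m, pkg.y, now) for m in msgs]
```

demo() returns "ok" for each of the four nodes. The cases a practitioner should also exercise are tampering with the request after signing, substituting another node's credential, extending a credential's validity period, and verifying against a different PKG, each of which must yield bad_signature because the validity period and the node id are both hashed into the key extraction, and an expired credential, which must yield expired. The scheme as the page describes it carries no nonce or timestamp, so a deployment that must resist replay of an authenticated request would need to splice a freshness value into the message as well; the example does not add one.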
In one possible implementation, the identifier resolution access authentication module 160 obtains the identity information provided by each node as follows:
the nodes at each level pass their identity information to the node at the level above them, and finally the national top-level node 140 collects the identity information of the nodes at every level and submits it to the identifier resolution access authentication module.
Here, the nodes at each level each pass their identity information to the node at the level above, and finally the national top-level node 140 submits the collected identity information of the nodes at every level to the identifier resolution access authentication module.
The embodiment of the application provides an industrial internet identifier resolution system comprising a plurality of nodes and a verification module, wherein the nodes comprise a recursive resolution node, an enterprise node, a secondary node and a national top-level node; the recursive resolution node is communicatively connected to the enterprise node, the secondary node and the national top-level node, the verification module is communicatively connected to the plurality of nodes, the enterprise node is communicatively connected to the secondary node, and the secondary node is communicatively connected to the national top-level node. The recursive resolution node is configured to, after receiving a target identifier resolution request message sent by a user terminal, send a bidirectional identity authentication request to the enterprise node, the secondary node and the national top-level node when providing resolution service for the target identifier resolution request message; any node is configured to, after receiving the bidirectional identity authentication request, splice the target identifier resolution request message with its own identity information and identity authentication credential and determine the target identifier resolution request message carrying signature information corresponding to that node; the verification module is configured to, for any node, verify the target identifier resolution request message carrying signature information of that node based on the public identity information among the node's identity information and, if the verification passes, have the node resolve the identifier field it manages in the target identifier resolution request and determine an identifier resolution result.
By using public identity information in place of public key certificates, certificateless signatures are achieved, the corresponding management cost is reduced, and the security of the industrial internet identifier resolution system is improved.
Referring to fig. 3, fig. 3 is a flowchart of an industrial internet identifier resolution method according to an embodiment of the present application. As shown in fig. 3, the industrial internet identifier resolution method includes:
S301: after receiving a target identifier resolution request message sent by a user terminal, the recursive resolution node sends a bidirectional identity authentication request to the enterprise node, the secondary node and the national top-level node when providing resolution service for the target identifier resolution request message.
In this step, after receiving a target identifier resolution request message sent by a user terminal, the recursive resolution node sends a bidirectional identity authentication request to the enterprise node, the secondary node and the national top-level node when it provides resolution service for that message.
S302: after receiving the bidirectional identity authentication request, the recursive resolution node, the enterprise node, the secondary node and the national top-level node each splice the target identifier resolution request message with their own identity information and identity authentication credential, and determine the target identifier resolution request message carrying signature information corresponding to each node.
In this step, after receiving the bidirectional identity authentication request, the recursive resolution node, the enterprise node, the secondary node and the national top-level node each splice the target identifier resolution request message with the identity information and identity authentication credential corresponding to that node, which determines the target identifier resolution request message carrying signature information of each node.
S303: for any node, the target identifier resolution request message carrying signature information of that node is verified based on the public identity information among the node's identity information; if the verification passes, the node resolves the identifier field it manages in the target identifier resolution request and determines an identifier resolution result.
In this step, for any node, the verification module verifies the target identifier resolution request message carrying signature information of that node against the public identity information among the node's identity information; if the verification passes, the node resolves the identifier field it manages in the target identifier resolution request and determines the identifier resolution result.
The identifier resolution result may be an internet domain name resolution result; through the product identifier it can be used to query the address of the server holding the product information, or to query the product information and related services directly.
In one possible implementation, the industrial internet identifier resolution method further comprises:
after the recursive resolution node, the enterprise node, the secondary node and the national top-level node send requests applying for identity authentication credentials, determining the identity authentication credential corresponding to each node based on the key generation center and the identity information provided by each node; wherein the identity information comprises public identity information and limited identity information.
In one possible implementation, determining the identity authentication credential corresponding to each node based on the key generation center and the identity information provided by each node comprises:
the key generation center issuing a corresponding private key to the node corresponding to each item of public identity information;
each private key signing the corresponding identity information, and determining the identity authentication credential corresponding to each node.
In one possible implementation, any one of the nodes, after receiving the bidirectional identity authentication request, splicing the target identifier resolution request message with the identity information corresponding to the node and the corresponding identity authentication credential, and determining the target identifier resolution request message carrying signature information corresponding to the node, comprises:
the recursive resolution node splicing the target identifier resolution request message, the identity information of the recursive resolution node and the identity authentication credential of the recursive resolution node, and determining the spliced target identifier resolution request message of the recursive resolution node;
processing the spliced target identifier resolution request message of the recursive resolution node with a digest algorithm, and determining the digest result message of the recursive resolution node;
and signing the corresponding digest result message with the private key of the recursive resolution node, and determining the target identifier resolution request message carrying signature information corresponding to the recursive resolution node.
In one possible implementation, verifying the target identifier resolution request message carrying signature information of the node based on the public identity information among the node's identity information and, if the verification passes, having the node resolve the identifier field it manages in the target identifier resolution request and determine the identifier resolution result, comprises:
detecting whether signature verification of the target identifier resolution request message carrying signature information, performed with the public identity information, is valid;
if the signature verification is valid, verifying the identity authentication credential in the spliced target identifier resolution request message with the public key provided by the key generation center;
if that verification passes, the identity information of the node is valid, so the node resolves the identifier field it manages in the target identifier resolution request and determines the identifier resolution result.
In one possible implementation, the industrial internet identifier resolution method further comprises:
determining the limited identity information from the identity information;
detecting, from the identity validity period in the limited identity information, whether the corresponding identity authentication credential has expired;
if so, sending a request to regenerate the identity authentication credential to the node.
In one possible implementation, the identifier resolution access authentication module obtains the identity information provided by each node as follows:
the nodes at each level pass their identity information to the node at the level above them, and finally the national top-level node collects the identity information of the nodes at every level and submits it to the identifier resolution access authentication module.
The embodiment of the application provides an industrial internet identifier resolution method comprising: after receiving a target identifier resolution request message sent by a user terminal, a recursive resolution node sends a bidirectional identity authentication request to an enterprise node, a secondary node and a national top-level node when providing resolution service for the target identifier resolution request message; after receiving the bidirectional identity authentication request, the recursive resolution node, the enterprise node, the secondary node and the national top-level node each splice the target identifier resolution request message with their own identity information and identity authentication credential, and determine the target identifier resolution request message carrying signature information corresponding to each node; and, for any node, the target identifier resolution request message carrying signature information of that node is verified based on the public identity information among the node's identity information, and if the verification passes, the node resolves the identifier field it manages in the target identifier resolution request and determines an identifier resolution result. By using public identity information in place of public key certificates, certificateless signatures are achieved, the corresponding management cost is reduced, and the security of the industrial internet identifier resolution system is improved.
Referring to fig. 4, fig. 4 is a schematic structural diagram of an electronic device according to an embodiment of the application. As shown in fig. 4, the electronic device 400 includes a processor 410, a memory 420 and a bus 430.
The memory 420 stores machine-readable instructions executable by the processor 410. When the electronic device 400 is running, the processor 410 communicates with the memory 420 through the bus 430, and when the machine-readable instructions are executed by the processor 410 they can perform the steps of the industrial internet identifier resolution method of the method embodiment shown in fig. 3; for the specific implementation, refer to the method embodiment, which is not repeated here.
The embodiment of the present application further provides a computer-readable storage medium storing a computer program which, when executed by a processor, can perform the steps of the industrial internet identifier resolution method of the method embodiment shown in fig. 3; for the specific implementation, refer to the method embodiment, which is not repeated here.
It will be clear to those skilled in the art that, for convenience and brevity of description, specific working procedures of the above-described systems, apparatuses and units may refer to corresponding procedures in the foregoing method embodiments, and are not repeated herein.
In the several embodiments provided by the present application, it should be understood that the disclosed systems, devices, and methods may be implemented in other manners. The above-described apparatus embodiments are merely illustrative, for example, the division of the units is merely a logical function division, and there may be other manners of division in actual implementation, and for example, multiple units or components may be combined or integrated into another system, or some features may be omitted, or not performed. Alternatively, the coupling or direct coupling or communication connection shown or discussed with each other may be through some communication interface, device or unit indirect coupling or communication connection, which may be in electrical, mechanical or other form.
The units described as separate units may or may not be physically separate, and units shown as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, each functional unit in the embodiments of the present application may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit.
The functions, if implemented in the form of software functional units and sold or used as a stand-alone product, may be stored in a non-volatile computer readable storage medium executable by a processor. Based on this understanding, the technical solution of the present application may be embodied essentially or in a part contributing to the prior art or in a part of the technical solution, in the form of a software product stored in a storage medium, comprising several instructions for causing a computer device (which may be a personal computer, a server, a network device, etc.) to perform all or part of the steps of the method according to the embodiments of the present application. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a random access Memory (Random Access Memory, RAM), a magnetic disk, or an optical disk, or other various media capable of storing program codes.
Finally, it should be noted that the above examples are only specific embodiments of the present application and are not intended to limit its scope. Although the present application has been described in detail with reference to the foregoing examples, those skilled in the art will understand that it is not limited to them: any person skilled in the art may modify the technical solutions described in the foregoing embodiments, or substitute equivalents for some of their technical features, while remaining within the technical scope of the present disclosure; such modifications, changes or substitutions do not depart from the spirit and scope of the technical solutions of the embodiments of the present application and are intended to be included within its scope. The protection scope of the application is therefore that of the claims.

Claims (9)

1. An industrial internet identifier resolution system, characterized by comprising a plurality of nodes and a verification module, wherein the nodes comprise a recursive resolution node, an enterprise node, a secondary node and a national top-level node; the recursive resolution node is communicatively connected to the enterprise node, the secondary node and the national top-level node, the verification module is communicatively connected to the plurality of nodes, the enterprise node is communicatively connected to the secondary node, and the secondary node is communicatively connected to the national top-level node; wherein,
the recursive resolution node is configured to, after receiving a target identifier resolution request message sent by a user terminal, send a bidirectional identity authentication request to the enterprise node, the secondary node and the national top-level node when providing resolution service for the target identifier resolution request message;
any one of the nodes is configured to, after receiving the bidirectional identity authentication request, splice the target identifier resolution request message with the identity information corresponding to the node and the corresponding identity authentication credential, and determine a target identifier resolution request message carrying signature information corresponding to the node;
the verification module is configured to, for any one of the nodes, verify the target identifier resolution request message carrying signature information of the node based on public identity information among the identity information of the node, and if the verification passes, have the node resolve the identifier field managed by the node itself in the target identifier resolution request and determine an identifier resolution result;
for the recursive resolution node, splicing the target identifier resolution request message with the identity information corresponding to the node and the corresponding identity authentication credential after receiving the bidirectional identity authentication request, and determining the target identifier resolution request message carrying signature information corresponding to the node, comprises:
the recursive resolution node splicing the target identifier resolution request message, the identity information of the recursive resolution node and the identity authentication credential of the recursive resolution node, and determining the spliced target identifier resolution request message of the recursive resolution node;
processing the spliced target identifier resolution request message of the recursive resolution node with a digest algorithm, and determining a digest result message of the recursive resolution node;
and signing the corresponding digest result message with the private key of the recursive resolution node, and determining the target identifier resolution request message carrying signature information corresponding to the recursive resolution node.
2. The industrial internet identifier resolution system of claim 1, further comprising an identifier resolution access authentication module communicatively connected to the plurality of nodes; wherein,
the identifier resolution access authentication module is configured to determine, after the recursive resolution node, the enterprise node, the secondary node and the national top-level node send requests applying for identity authentication credentials, the identity authentication credential corresponding to each node based on the key generation center and the identity information provided by each node; wherein the identity information comprises public identity information and limited identity information.
3. The industrial internet identifier resolution system of claim 2, wherein the identifier resolution access authentication module is specifically configured such that:
the key generation center issues a corresponding private key to the node corresponding to each item of public identity information;
each private key signs the corresponding identity information, and the identity authentication credential corresponding to each node is determined.
4. The industrial internet identifier resolution system of claim 1, wherein, when verifying, for any one of the nodes, the target identifier resolution request message carrying signature information of the node based on public identity information among the identity information of the node and, if the verification passes, having the node resolve the identifier field managed by the node itself in the target identifier resolution request and determine an identifier resolution result, the verification module is specifically configured to:
detect whether signature verification of the target identifier resolution request message carrying signature information, performed with the public identity information, is valid;
if the signature verification is valid, verify the identity authentication credential in the spliced target identifier resolution request message with the public key provided by the key generation center;
if that verification passes, the identity information of the node is valid, so that the node resolves the identifier field managed by the node itself in the target identifier resolution request and determines the identifier resolution result.
5. The industrial internet identifier resolution system of claim 4, wherein the verification module is further configured to:
determine limited identity information from the identity information;
detect, from the identity validity period in the limited identity information, whether the corresponding identity authentication credential has expired;
if so, send a request to regenerate the identity authentication credential to the node.
6. The industrial internet identifier resolution system of claim 2, wherein the identifier resolution access authentication module obtains the identity information provided by each node as follows:
the nodes at each level pass their identity information to the node at the level above them, and finally the national top-level node collects the identity information of the nodes at every level and submits it to the identifier resolution access authentication module.
7. An industrial internet identifier resolution method, characterized in that it is applied to the industrial internet identifier resolution system of any one of claims 1 to 6 and comprises:
after receiving a target identifier resolution request message sent by a user terminal, a recursive resolution node sending a bidirectional identity authentication request to an enterprise node, a secondary node and a national top-level node when providing resolution service for the target identifier resolution request message;
after receiving the bidirectional identity authentication request, the recursive resolution node, the enterprise node, the secondary node and the national top-level node splicing the target identifier resolution request message with the identity information corresponding to each node and the corresponding identity authentication credential, and determining the target identifier resolution request message carrying signature information corresponding to each node;
for any node, verifying the target identifier resolution request message carrying signature information of the node based on public identity information among the identity information of the node, and if the verification passes, the node resolving the identifier field managed by the node itself in the target identifier resolution request and determining an identifier resolution result;
wherein, for the recursive resolution node, splicing the target identifier resolution request message with the identity information corresponding to the node and the corresponding identity authentication credential after receiving the bidirectional identity authentication request, and determining the target identifier resolution request message carrying signature information corresponding to the node, comprises:
the recursive resolution node splicing the target identifier resolution request message, the identity information of the recursive resolution node and the identity authentication credential of the recursive resolution node, and determining the spliced target identifier resolution request message of the recursive resolution node;
processing the spliced target identifier resolution request message of the recursive resolution node with a digest algorithm, and determining a digest result message of the recursive resolution node;
and signing the corresponding digest result message with the private key of the recursive resolution node, and determining the target identifier resolution request message carrying signature information corresponding to the recursive resolution node.
8. An electronic device, characterized by comprising a processor, a memory and a bus, the memory storing machine-readable instructions executable by the processor, the processor and the memory communicating via the bus when the electronic device is running, and the machine-readable instructions, when executed by the processor, performing the steps of the industrial internet identifier resolution method of claim 7.
9. A computer-readable storage medium, characterized in that a computer program is stored thereon which, when executed by a processor, performs the steps of the industrial internet identifier resolution method of claim 7.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310525010.6A CN116319070B (en) 2023-05-11 2023-05-11 Industrial Internet identification analysis system, method, electronic equipment and storage medium

Publications (2)

Publication Number Publication Date
CN116319070A CN116319070A (en) 2023-06-23
CN116319070B true CN116319070B (en) 2023-08-11

Family

ID=86781731

Country Status (1)

Country Link
CN (1) CN116319070B (en)

Citations (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111262834A (en) * 2020-01-09 2020-06-09 中国信息通信研究院 Authentication and credibility analysis method, device and system for physical entity
CN112200502A (en) * 2020-11-19 2021-01-08 苏州协同创新智能制造装备有限公司 Industrial internet identification analysis method
CN112491960A (en) * 2020-10-30 2021-03-12 中国科学院计算机网络信息中心 SCM (Single chip microcomputer) -oriented industrial internet identifier registration and analysis method, identifier connection platform and system
CN113591119A (en) * 2021-08-09 2021-11-02 国家工业信息安全发展研究中心 Cross-domain identification analysis node data privacy protection and safety sharing method and system
CN113759846A (en) * 2021-09-08 2021-12-07 武汉亚为电子科技有限公司 On-site active identification analysis method and system
WO2022008940A1 (en) * 2020-07-07 2022-01-13 Vibe Cybersecurity Inc. Method and system for a verifiable identity based encryption (vibe) using certificate-less authentication encryption (clae)
CN113972986A (en) * 2021-09-22 2022-01-25 北京邮电大学 Block chain-based industrial internet identification information analysis method and related device
CN115021913A (en) * 2022-06-14 2022-09-06 中国信息通信研究院 Key generation method, system and storage medium for industrial internet identification analysis system
CN115021989A (en) * 2022-05-25 2022-09-06 国家工业信息安全发展研究中心 Mutual trust and mutual recognition method and system for industrial internet heterogeneous identification analysis system
CN115658742A (en) * 2022-11-16 2023-01-31 武汉亚为电子科技有限公司 Identification analysis method and system for field-level active identification carrier

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8190883B2 (en) * 2007-02-26 2012-05-29 Picup, Llc Network identity management system and method
US9154484B2 (en) * 2013-02-21 2015-10-06 Cisco Technology, Inc. Identity propagation

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Industrial Internet identifier resolution security from an authentication perspective; 余果 et al.; 信息网络安全 (Netinfo Security), No. 9; body Sections 1-2 *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant