CN117081734A - Cross-domain authentication method for trusted access of industrial Internet equipment - Google Patents

Info

Publication number
CN117081734A
Authority
CN
China
Legal status
Pending
Application number
CN202310992070.9A
Other languages
Chinese (zh)
Inventor
张志勇
张恬恬
于雅洁
张蓝方
赵可景
邵敬平
张中亚
赵长伟
薛钦海
李亚楠
周滢
Current Assignee
Henan University of Science and Technology
Original Assignee
Henan University of Science and Technology

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L 9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L 9/0863 Generation of secret information including derivation or calculation of cryptographic keys or passwords involving passwords or one-time passwords
    • H04L 9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L 9/3226 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using a predetermined code, e.g. password, passphrase or PIN
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/12 Applying verification of the received information
    • H04L 63/123 Applying verification of the received information received data contents, e.g. message integrity
    • H04L 63/30 Network architectures or network communication protocols for network security for supporting lawful interception, monitoring or retaining of communications or communication related information
    • H04L 63/302 Network architectures or network communication protocols for network security for supporting lawful interception, monitoring or retaining of communications or communication related information gathering intelligence information for situation awareness or reconnaissance

Abstract

The invention discloses a cross-domain authentication method for trusted access of industrial Internet equipment, which comprises the following steps. S1, registration stage: the user U registers at the local authentication server AS, which issues a key pair for the user U and calculates and generates an initial identity credential BCid. S2, identity authentication and industrial perception stage: the identity authentication information registered in step S1 is stored in a blockchain BC; an authentication server AS verifies whether an identity credential exists in the blockchain BC and, if so, verifies the validity and the validity period of the identity credential; then, through periodic industrial security perception, integrity measurement and verification of the state of the hardware device are carried out and the identity credential is updated. By adopting this cross-domain authentication method for trusted access of industrial Internet equipment, the invention ensures the trusted access of the equipment and, by periodically sensing the environment in which the equipment operates and the security of the equipment, improves the security and credibility of an industrial Internet system.

Description

Cross-domain authentication method for trusted access of industrial Internet equipment
Technical Field
The invention relates to the technical field of industrial Internet security, in particular to a cross-domain authentication method for trusted access of industrial Internet equipment.
Background
The rapid development of the industrial Internet is accompanied by continuous growth in intelligent equipment and industrial scale; communication across regions, platforms and devices is increasing, bringing great complexity to the infrastructure, and the lack of identity authentication for industrial Internet equipment has become an increasingly prominent problem.
Most existing identity authentication schemes establish trust between different domains through blockchains, which reduces the management work of a third-party platform, avoids the vulnerability caused by centralized storage, provides a feasible technical scheme for the secure realization of identity authentication, and protects the integrity of data and the credibility of identities. Blockchain technology improves the credibility and security of cross-domain authentication, thereby ensuring the security, trust and traceability of users and equipment in industrial Internet scenarios.
Existing industrial Internet identity authentication schemes are developed on blockchain technology, but they still lack authentication of the equipment of the two communicating parties, do not fully consider the complex and changeable actual situation of industrial Internet intelligent equipment, and cannot ensure the trusted access of the equipment.
Disclosure of Invention
The invention aims to provide a cross-domain authentication method for trusted access of industrial Internet equipment which, by performing identity authentication, integrity measurement and verification on both communicating parties, comprehensively ensures the security of data resources, the security of platform identity and the healthy integrity state of terminal and server interaction, effectively solves the problem of the credibility of cross-domain equipment authentication in an industrial environment, and realizes dual identity credibility of users and hardware equipment. Compared with existing identity authentication schemes, the method guarantees the security of data resources, resists attacks, and improves the security of the system.
In order to achieve the above purpose, the present invention provides a cross-domain authentication method for trusted access of industrial Internet equipment, which involves a user terminal U, an authentication server AS, a service server BS and a blockchain BC, and is characterized by comprising the following steps:
S1, a registration stage:
the user U registers at the local authentication server AS, which issues a key pair for the user U and calculates and generates an initial identity credential BCid;
S2, an identity authentication and industrial perception stage:
the identity authentication information registered in step S1 is stored in a blockchain BC; an authentication server AS verifies whether an identity credential exists in the blockchain BC and, if so, verifies the validity and the validity period of the identity credential; then, through periodic industrial security perception, integrity measurement and verification of the state of the hardware device are carried out and the identity credential is updated.
Preferably, in step S1, a TPM chip is first configured on both the entity user terminal device and the server device, and the EK certificate and AIK certificate of the corresponding device are generated based on the TPM chip; the specific steps of the registration stage are as follows:
S11, user U_A in digital workshop A sends a registration request to the home domain service server BS_A: the user inputs a random character string and obtains an identity ID through the SHA-256 algorithm, and obtains the PCR values and the measurement log SML of the device through TPM integrity measurement; the registration request comprises identity information such as the identity ID, the PCR values, a random number N, the measurement log SML and the AIK public key;
S12, the identity information and the random number N are signed and then sent to the local domain service server BS_A;
S13, the local domain service server BS_A preliminarily confirms security, calls the local authentication server AS_A, and forwards the identity information of user U_A to AS_A for verification and registration storage;
S14, after receiving the message, the local domain authentication server AS_A verifies the validity of the random number N using the public key and checks whether the identity information of user U_A already exists; if so, registration is terminated; otherwise S15 is carried out and the information is stored and written to the chain;
S15, the blockchain BC is queried for whether the device information already exists; if so, registration is terminated; otherwise the device information is registered and stored, and the final result is returned to the local authentication server AS_A;
S16, after receiving the registration success message returned by the blockchain BC, the local domain authentication server AS_A generates an initial identity credential BCid and a validity period ValidityT and returns the result to the local domain service server BS_A;
S17, the local domain service server BS_A returns a registration success message to user U_A, who verifies the signature with the public key and obtains the identity credential BCid.
Preferably, in step S16, the algorithm for generating and updating the initial identity credential BCid is as follows:
S161, the identity ID, a timestamp and a random number N are input, and the signed message is transmitted to the home domain authentication server AS_A;
S162, the local authentication server AS_A verifies the freshness of the random number N and the timestamp and, after verification passes, splices the ID, the timestamp and the random number N to obtain string data;
S163, a random salt value salt is generated, the data is salted and hashed using the PBKDF2 algorithm, and after iteration the hash value hashaldData is generated;
S164, the salt value salt and the hash value hashaldData are merged to obtain an identity credential of byte type;
S165, an identity credential of string type is obtained using base64 encoding;
S166, when the identity credential needs to be updated, it is regenerated and the existing identity credential becomes invalid.
Preferably, in step S2, authentication is divided into home domain identity authentication and cross-domain identity authentication, and the steps of the home domain identity authentication protocol are as follows:
S21, user U_A in digital workshop A first sends a resource request carrying BCid to the local domain service server BS_A; after receiving the request, BS_A calls the local authentication server AS_A;
S22, the local domain authentication server AS_A checks the validity and timeliness of the user identity credential BCid; if verification passes, it queries and returns the corresponding result; otherwise, integrity measurement of the device is performed again according to local domain industrial security perception and the identity credential is updated;
S23, the local domain authentication server AS_A returns the verification result to the local domain service server BS_A, which makes an analysis decision and decides whether to issue the resource.
Preferably, in step S22, the specific process of local domain industrial security perception is as follows:
Sa1, user U_A in digital workshop A transmits request information to the home domain service server BS_A, the request information comprising device information, a random number, the signed device information and the existing identity credential;
Sa2, the local domain service server BS_A confirms the device information and the existing identity credential and forwards the message to the home domain authentication server AS_A;
Sa3, the home domain authentication server AS_A queries and verifies the existing identity credential of U_A and checks the result of the integrity measurement of U_A;
Sa4, after verification passes, the identity credential and validity period are regenerated; AS_A signs the device information, the random number N and the update and sends them to the local domain service server BS_A;
Sa5, the local domain service server BS_A forwards the message to the user terminal;
Sa6, user U_A checks the result of the integrity measurement of AS_A and, after signature verification, obtains the updated identity credential.
Preferably, the steps of the cross-domain identity authentication protocol are as follows:
S31, the first cross-domain authentication triggers cross-domain industrial security perception, which confirms device integrity and verifies the existing identity credential; device integrity measurement and verification are then carried out to update and generate an identity credential with a validity period;
S32, user U_A in digital workshop A sends a request carrying the acquired identity credential BCid and a timestamp to the B-domain service server BS_B of digital workshop B; after receiving the request of U_A, BS_B forwards it and calls the B-domain authentication server AS_B, which verifies the validity and validity period of BCid;
S33, the B-domain authentication server AS_B sends an on-chain query to verify whether the identity information exists and returns the corresponding result to the B-domain service server BS_B; if the identity information does not exist, integrity measurement of the device is performed again according to cross-domain industrial security perception and the identity credential is updated;
S34, the B-domain authentication server AS_B returns the verification result to the B-domain service server BS_B, which makes an analysis decision and decides whether to issue the resource.
Preferably, in step S31, the specific flow of cross-domain industrial security perception is as follows:
Sb1, user U_A of digital workshop A transmits request information to the B-domain service server BS_B of digital workshop B; the request information comprises device information, a random number N, the signed device information and the existing identity credential BCid;
Sb2, the B-domain service server BS_B of digital workshop B confirms and forwards the message;
Sb3, the B-domain authentication server AS_B queries and verifies the identity credential BCid and verifies the device integrity and identity security of U_A by checking the result of the integrity measurement;
Sb4, after verification passes, the B-domain authentication server AS_B signs the device information and the random number N and sends them to the B-domain service server BS_B;
Sb5, the B-domain service server BS_B forwards the message to the A-domain service server BS_A;
Sb6, the A-domain service server BS_A preliminarily confirms the message and forwards it to the A-domain authentication server AS_A;
Sb7, the A-domain authentication server AS_A verifies the device integrity and identity security of the B-domain authentication server AS_B by checking the result of its integrity measurement;
Sb8, after verification passes, the A-domain authentication server AS_A signs the device information and the random number and sends them to the A-domain service server BS_A;
Sb9, the message is forwarded to the B-domain authentication server AS_B;
Sb10, the B-domain authentication server AS_B verifies the device integrity and identity security of the A-domain authentication server AS_A by checking the result of its integrity measurement;
Sb11, the B-domain authentication server AS_B regenerates the identity credential BCid and the validity period, encrypts them with its private key and transmits them to the B-domain service server BS_B;
Sb12, the B-domain service server BS_B forwards the message to user U_A, who decrypts it with the public key to obtain the latest identity credential and validity period.
Therefore, the cross-domain authentication method for trusted access of industrial Internet equipment has the following beneficial effects:
(1) The authentication process of the invention first verifies the identity of the terminal user and the hardware device, and then verifies the server side, thereby realizing reliable and effective two-sided cross-domain authentication.
(2) The method performs integrity measurement and verification of the device based on PCR values in the TPM, which cannot be altered, ensuring that the identity of the user is legitimate and the state of the hardware device is healthy, and effectively resisting security threats originating from the hardware device.
(3) In the authentication process, random numbers ensure the freshness of every message sent by any party; even if an adversary intercepts a message in transit, the stale message will cause authentication to fail, effectively preventing replay attacks.
(4) A temporary identity is used in authentication, giving a degree of anonymity; once its validity period has passed the identity information is no longer usable and the temporary identity is updated, so malicious tracking of the identity is avoided and identity security is effectively improved.
(5) Compared with other schemes, the method has obvious advantages in cross-domain authentication computation overhead, and the traffic is reduced. The communication process carries identity credentials, and the ID, random number and so on are salted and hashed several times, which effectively prevents identity forgery and improves security.
The technical scheme of the invention is further described in detail through the drawings and the embodiments.
Drawings
FIG. 1 is a cross-domain authentication scheme diagram of an embodiment of the cross-domain authentication method for trusted access of industrial Internet equipment according to the present invention;
FIG. 2 is a process diagram of the identity registration protocol of an embodiment of the cross-domain authentication method for trusted access of industrial Internet equipment according to the present invention;
FIG. 3 is a process diagram of the local domain identity authentication protocol of an embodiment of the cross-domain authentication method for trusted access of industrial Internet equipment according to the present invention;
FIG. 4 is a process diagram of the cross-domain authentication protocol of an embodiment of the cross-domain authentication method for trusted access of industrial Internet equipment according to the present invention.
Detailed Description
The technical scheme of the invention is further described below through the attached drawings and the embodiments.
Unless defined otherwise, technical or scientific terms used herein should be given the ordinary meaning as understood by one of ordinary skill in the art to which this invention belongs.
The cross-domain authentication method for the trusted access of the industrial Internet equipment uses the distributed storage based on the blockchain technology, and improves the reliability and the safety of the cross-domain authentication by using the blockchain technology, thereby ensuring the safety, the trust and the traceability of cross-domain users and equipment based on alliance blockchains in the industrial Internet scene.
The invention takes the blockchain as the underlying technology that provides the data storage service and the basis for identity authentication between the two domains. In order to clarify the responsibility of the authentication server and reduce its workload, a separate service server schedules resources, completes authentication by calling the authentication server, and performs resource distribution. The authentication server is responsible for key generation and management, signature generation and verification operations, and completes cross-domain authentication requests in cooperation with the service server. Based on the industrial intelligent scenario, periodic industrial security perception of the hardware equipment is carried out during authentication, corresponding analysis decisions are made, and identity credentials are dynamically updated, so that local domain resources are distributed while adverse consequences such as resource waste, or even deliberate acquisition of resources by users of the requesting domain following a changed or failed request, are avoided.
Aiming at the problem that the current identity authentication scheme cannot ensure the trusted access of equipment, the scheme provides a novel cross-domain identity authentication scheme for the trusted access of industrial Internet equipment, and a model diagram is shown in figure 1:
It is assumed that an industrial digital plant is made up of several independent digital workshops, and that the entities in each digital workshop, including user terminals, servers and service resources, together participate in maintaining the safety and proper operation of the digital plant. The cross-domain authentication process, for the case in which a domain A user wants to access a domain B resource, is described in detail as follows:
A user in digital workshop A first sends a resource request message to a service server in digital workshop B, and the service server responds by calling the authentication server of its domain to authenticate the identity of the user; meanwhile, the users, servers and other devices in the two digital workshops judge whether the user identity and the communicating equipment have been compromised through bidirectional identity authentication, bidirectional integrity measurement and verification, and the related calculation and analysis decisions, thereby ensuring the trusted access of the equipment. If the judgement shows that the identity of the other party is not credible or its integrity has been destroyed, the data interaction between the two communicating parties is terminated immediately; otherwise, the digital workshop B authentication server makes an analysis decision on the request data and authorizes the trusted access of the equipment to complete the resource request and distribution process.
The user requesting the resource in this scenario belongs to digital workshop A; the user must register in advance with the authentication server AS of the local domain, and the local domain AS issues a key pair for the user. When the A-domain user accesses a resource in digital workshop A, the user can directly request the local domain authentication server, and resource access follows after verification; when the A-domain user accesses a resource in digital workshop B, the authentication server in digital workshop B must authenticate the user and the user's equipment in combination with the blockchain, ensuring the security of the identity and the authenticity of the equipment, and at the same time the related B-domain server equipment must also undergo identity validity verification and equipment integrity measurement, so that the equipment of both parties is trusted and authentic.
The terminal equipment, servers and other entities are configured with TPM chips, and the alliance blockchain BC consists of the authentication servers of each security domain and stores user information and permissions. On this basis, digital workshop A and digital workshop B establish an alliance relationship that forms a trust channel, and the two parties' equipment completes communication interaction and resource access through trusted access.
The following table 1 outlines some important symbols used in the design process of the present method:
s1, a registration stage:
Industrial Internet production lines typically consist of multiple devices, each responsible for one or more specific production tasks and handling large amounts of production data and product data. Thus, before joining the production line, each device must send a request to the home domain authentication server to generate an initial identity credential for the subsequent authentication procedure.
The user U registers at the local authentication server AS, which issues a key pair for the user U and calculates and generates an initial identity credential BCid. Taking the first registration of user A as an example, the participants in the registration process mainly comprise the user terminal U_A, the authentication server AS_A, the service server BS_A and the blockchain BC.
The specific flow is as follows:
First, TPM chips are configured on the entity user terminal equipment and the server equipment, and the EK certificates and AIK certificates of the corresponding equipment are generated based on the TPM chips. Specifically, the registration stage comprises the following steps:
S11, user U_A in digital workshop A sends a registration request to the home domain service server BS_A: the user inputs a random character string and obtains an identity ID through the SHA-256 algorithm, and obtains the PCR values and the measurement log SML of the device through TPM integrity measurement; the registration request comprises identity information such as the identity ID, the PCR values, a random number N, the measurement log SML and the AIK public key;
S12, the identity information and the random number N are signed and then sent to the local domain service server BS_A;
S13, the local domain service server BS_A preliminarily confirms security, calls the local authentication server AS_A, and forwards the identity information of user U_A to AS_A for verification and registration storage;
S14, after receiving the message, the local domain authentication server AS_A verifies the validity of the random number N using the public key and checks whether the identity information of user U_A already exists; if so, registration is terminated; otherwise S15 is carried out and the information is stored and written to the chain;
S15, the blockchain BC is queried for whether the device information already exists; if so, registration is terminated; otherwise the device information is registered and stored, and the final result is returned to the local authentication server AS_A;
S16, after receiving the registration success message returned by the blockchain BC, the local domain authentication server AS_A generates an initial identity credential BCid and a validity period ValidityT and returns the result to the local domain service server BS_A;
The algorithm for generating and updating the initial identity credential BCid is as follows:
S161, the identity ID, a timestamp and a random number N are input, and the signed message is transmitted to the home domain authentication server AS_A;
S162, the local authentication server AS_A verifies the freshness of the random number N and the timestamp and, after verification passes, splices the ID, the timestamp and the random number N to obtain string data;
S163, a random salt value salt is generated, the data is salted and hashed using the PBKDF2 algorithm, and after iteration the hash value hashaldData is generated;
S164, the salt value salt and the hash value hashaldData are merged to obtain an identity credential of byte type;
S165, an identity credential of string type is obtained using base64 encoding;
S166, when the identity credential needs to be updated, it is regenerated and the existing identity credential becomes invalid.
S17, the local domain service server BS_A returns a registration success message to user U_A, who verifies the signature using the public key and acquires the identity credential BCid; the user's initial identity credential is thus established upon completion of registration.
S2, identity authentication and industrial perception phase:
Before the identity authentication process begins, all service nodes in the domain have completed local registration, and the identity authentication information from step S1 is stored in the blockchain BC after registration. When identity authentication is requested, the authentication server AS checks whether the identity credential exists in the blockchain BC and, if it does, verifies its validity and validity period. In terms of resource deployment, the blockchain holds all registered identity authentication information and also provides tamper-resistant records and data sharing. During authentication, periodic industrial safety perception measures and verifies the integrity of the hardware device state, so that subsequent operations of the communicating devices in both domains take place in a safe and trusted environment; the identity credential is updated to ensure the validity of the identity and the timeliness of the information.
Authentication is divided into local-domain identity authentication and cross-domain identity authentication. The steps of the local-domain identity authentication protocol are as follows:
S21, user U_A in digital workshop A first sends a resource request carrying BCid to the local-domain service server BS_A; after receiving the request, BS_A calls the local-domain authentication server AS_A;
S22, the local-domain authentication server AS_A checks the validity and timeliness of the user identity credential BCid; if the check passes, it queries and returns the corresponding result, otherwise it measures the integrity of the device again through local-domain industrial safety perception and updates the identity credential;
The specific flow of local-domain industrial safety perception is as follows:
Sa1, user U_A in digital workshop A sends request information to the local-domain service server BS_A; the request information includes the device information, a random number, the signed device information and the existing identity credential;
Sa2, the local-domain service server BS_A confirms the device information and the existing identity credential and forwards the message to the local-domain authentication server AS_A;
Sa3, the local-domain authentication server AS_A queries and verifies U_A's existing identity credential and checks U_A's integrity measurement result;
Sa4, after verification passes, the identity credential and validity period are regenerated; AS_A signs the device information, the random number N and the updated credential and sends them to the local-domain service server BS_A;
Sa5, the local-domain service server BS_A forwards the message to the user terminal;
Sa6, user U_A checks AS_A's integrity measurement result and, after verifying the signature, obtains the updated identity credential.
Through industrial safety perception, the health of the environment in which the hardware device runs is confirmed and the identity credential is updated, ensuring the safety of the user and the accuracy of the information.
S23, the local-domain authentication server AS_A returns the verification result to the local-domain service server BS_A; BS_A makes an analysis decision and decides whether to issue the resource.
On this basis, local-domain trust is established, and resource access and interaction can be performed for a certain period.
The steps of the cross-domain identity authentication protocol are as follows:
When a user requests an information service from a non-local domain, that is, when the requesting user and the requested resource belong to different trust domains, the cross-domain authentication process transfers trust across domains by means of the blockchain and establishes cross-domain trust. The participants are the service servers BS and authentication servers AS of both domains. Taking access by an A-domain user to a B-domain resource as an example, the steps of the first cross-domain authentication are as follows:
S31, when user U_A in digital workshop A accesses a resource of digital workshop B for the first time, cross-domain industrial safety perception is triggered first to confirm the device and verify the identity credential. Before industrial perception, the two parties perform key negotiation to obtain a session key Session_key, and the industrial safety perception messages used for device integrity measurement and verification are encrypted with Session_key. Once the validity of the identity and the integrity of the device are confirmed, an identity credential with a validity period is generated for the cross-domain communication.
The specific flow of the cross-domain industrial safety perception is as follows:
Sb1, user U_A of digital workshop A sends request information to the B-domain service server BS_B of digital workshop B; the request information includes the device information, a random number N, the signed device information and the existing identity credential BCid;
Sb2, the B-domain service server BS_B confirms and forwards the message;
Sb3, the B-domain authentication server AS_B queries and verifies the identity credential BCid and checks U_A's integrity measurement result, verifying the integrity of the device and the safety of the identity;
Sb4, after verification passes, AS_B signs the device information and random number N and sends them to the B-domain service server BS_B;
Sb5, the B-domain service server BS_B forwards the message to the A-domain service server BS_A;
Sb6, the A-domain service server BS_A makes a preliminary confirmation and forwards the message to the A-domain authentication server AS_A;
Sb7, the A-domain authentication server AS_A checks AS_B's integrity measurement result, verifying the integrity of the device and the safety of the identity;
Sb8, after verification passes, AS_A signs the device information and random number and sends them to the A-domain service server BS_A;
Sb9, the message is forwarded to the B-domain authentication server AS_B;
Sb10, the B-domain authentication server AS_B checks AS_A's integrity measurement result, verifying the integrity of the device and the safety of the identity;
Sb11, AS_B regenerates the identity credential BCid and validity period, encrypts them with its private key and sends them to the B-domain service server BS_B;
Sb12, BS_B forwards the message to user U_A; U_A decrypts it with AS_B's public key to obtain the latest identity credential and validity period. Because that public key is not secret, this private-key operation authenticates the origin of the credential rather than hiding it; confidentiality of the perception messages on the wire comes from the Session_key negotiated in S31. Through cross-domain industrial safety perception, the health of the environment in which the hardware device runs is confirmed, ensuring the safety of the user and the accuracy of the information.
S32, user U_A in digital workshop A sends a request carrying the acquired identity credential BCid and a timestamp to the B-domain service server BS_B of digital workshop B; after receiving U_A's request, BS_B forwards it and calls the B-domain authentication server AS_B, which verifies the validity and validity period of the BCid.
S33, AS_B queries the chain to check whether the identity information exists and returns the corresponding result to the B-domain service server BS_B; if the identity information does not exist, the device is measured again through cross-domain industrial safety perception and the identity credential is updated.
S34, AS_B returns the verification result to the B-domain service server BS_B; BS_B makes an analysis decision and decides whether to issue the resource. After this two-way authentication, the two domains have established cross-domain trust by means of the blockchain; the resources of BS_B in digital workshop B can be accessed and interacted with by the A-domain user U_A, and U_A can continue to do so within a certain period.
Cross-domain re-authentication phase: after the first cross-domain authentication, if the user accesses the same resource again within a certain period, that is, communicates across domains again, full re-authentication is not required. Taking the A-domain user that has already completed cross-domain authentication as an example, user U_A of digital workshop A sends only the currently held BCid, validityT and a random number N to the B-domain service server BS_B; BS_B calls the B-domain authentication server AS_B, which queries whether the identity exists and is valid, judges the validity period, and checks whether the random number N is fresh. If verification passes, the result is returned and the resource is distributed; if verification fails, the hardware device state and the identity credential are re-checked through industrial perception, and after the integrity measurement of the hardware device passes, the identity credential is updated and the cross-domain authentication flow is executed again.
In summary, the cross-domain authentication method for trusted access of industrial Internet devices of the present invention introduces industrial safety perception, which periodically senses the environment of the device and the safety of the device itself and completes device integrity measurement and verification. This resists attacks on device authentication, prevents security risks such as forged identities, theft of resource information and untrusted devices, ensures trusted device access, and improves the safety and reliability of the industrial Internet system.
Finally, it should be noted that the above embodiments only illustrate the technical solution of the present invention and do not limit it. Although the present invention has been described in detail with reference to the preferred embodiments, those skilled in the art will understand that the technical solution of the present invention may be modified or equivalently replaced without departing from the spirit and scope of the technical solution of the present invention.

Claims (7)

1. A cross-domain authentication method for trusted access of industrial Internet devices, involving a user terminal U, an authentication server AS, a service server BS and a blockchain BC, characterized by comprising the following steps:
S1, a registration stage:
the user U registers with the local-domain authentication server AS, which issues a key pair for user U and calculates and generates the initial identity credential BCid;
S2, an identity authentication and industrial perception stage:
the identity authentication information from step S1 is stored in the blockchain BC after registration; the authentication server AS checks whether the identity credential exists in the blockchain BC and, if so, verifies its validity and validity period; the state of the hardware device is then measured and verified through periodic industrial safety perception, and the identity credential is updated.
2. The cross-domain authentication method for trusted access of industrial Internet devices according to claim 1, wherein in step S1 a TPM chip is first configured on both the entity user terminal device and the server device, an EK certificate and an AIK certificate for the corresponding device are generated based on the TPM chip, and the specific steps of the registration stage are as follows:
S11, user U_A in digital workshop A sends a registration request to the local-domain service server BS_A: the user inputs a random character string from which the identity ID is obtained with the SHA-256 algorithm, and the PCR value and measurement log SML of the device are obtained through TPM integrity measurement; the registration request contains the identity information, including the identity identifier ID, the PCR value, a random number N, the measurement log SML and the AIK public key;
S12, the identity information and the random number N are signed and sent to the local-domain service server BS_A;
S13, the local-domain service server BS_A makes a preliminary confirmation of security, calls the local-domain authentication server AS_A and forwards user U_A's identity information to AS_A for verification and registration storage;
S14, after receiving the message, the local-domain authentication server AS_A verifies the validity of the random number N using the user's public key (that is, checks the signature from S12) and checks whether user U_A's identity information already exists; if it does, registration is terminated; otherwise it proceeds to S15 and the information is stored on the chain;
S15, query whether the device information already exists in the blockchain BC; if so, terminate registration; otherwise register and store the device information and return the final result to the local-domain authentication server AS_A;
S16, after receiving the registration-success message returned by the blockchain BC, the local-domain authentication server AS_A generates the initial identity credential BCid and the validity period validityT and returns the result to the local-domain service server BS_A;
S17, the local-domain service server BS_A returns a registration-success message to user U_A; U_A verifies the signature with the public key and obtains the identity credential BCid.
3. The cross-domain authentication method for trusted access of industrial Internet devices according to claim 2, wherein in step S16 the generation and update algorithm of the initial identity credential BCid is as follows:
S161, the identity ID, a timestamp and a random number N are input, and the signed message is sent to the local-domain authentication server AS_A;
S162, the local-domain authentication server AS_A verifies the freshness of the random number N and the timestamp and, after verification passes, splices the ID, the timestamp and the random number N to obtain the character string data;
S163, generate a random salt value salt, hash the data with the salt using the PBKDF2 algorithm, and after the iterations obtain the hash value hashSaltData;
S164, concatenate the salt value salt and the hash value hashSaltData to obtain a byte-type identity credential;
S165, base64-encode it to obtain a string-type identity credential;
S166, when the identity credential needs to be updated, regenerate it; the existing identity credential becomes invalid.
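The BCid algorithm of steps S161 to S166 (the same steps appear in the description above) as runnable Python. This is an added example, not code from the patent: the PBKDF2 iteration count, the 16-byte salt length, the freshness window and the one-hour validityT are assumptions, as is the `|` separator in the spliced data (without one, different ID/timestamp/N triples could splice to the same string). The `bcid_matches` recomputation is also an assumption; the patent only states that the AS verifies the credential's validity and validity period.

```python
import base64
import hashlib
import hmac
import os
from typing import Dict, Optional, Set, Tuple

# Parameters the patent leaves unspecified; these values are assumptions.
PBKDF2_ITERATIONS = 100_000
SALT_LEN = 16            # bytes of random salt prepended to the PBKDF2 output (S164)
DIGEST_LEN = 32          # PBKDF2-HMAC-SHA256 output length
FRESHNESS_WINDOW_S = 300 # accepted clock skew for the timestamp check in S162
DEFAULT_VALIDITY_S = 3600  # validityT: one hour after issue


def splice_data(identity_id: str, timestamp: int, nonce: str) -> bytes:
    """S162: splice ID, timestamp and random number N into the string `data`."""
    return f"{identity_id}|{timestamp}|{nonce}".encode()


def generate_bcid(identity_id: str, timestamp: int, nonce: str,
                  salt: Optional[bytes] = None) -> str:
    """S163-S165: random salt, PBKDF2 over data, salt || hashSaltData, base64 string."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    hash_salt_data = hashlib.pbkdf2_hmac(
        "sha256", splice_data(identity_id, timestamp, nonce), salt,
        PBKDF2_ITERATIONS, dklen=DIGEST_LEN)
    return base64.b64encode(salt + hash_salt_data).decode("ascii")


def split_bcid(bcid: str) -> Tuple[bytes, bytes]:
    """Undo S164/S165: returns (salt, hashSaltData); raises ValueError if malformed."""
    raw = base64.b64decode(bcid, validate=True)  # binascii.Error is a ValueError
    if len(raw) != SALT_LEN + DIGEST_LEN:
        raise ValueError("credential has wrong length")
    return raw[:SALT_LEN], raw[SALT_LEN:]


def bcid_matches(bcid: str, identity_id: str, timestamp: int, nonce: str) -> bool:
    """Recompute the hash from the salt carried inside the credential (assumed check)."""
    try:
        salt, digest = split_bcid(bcid)
    except ValueError:
        return False
    expected = hashlib.pbkdf2_hmac("sha256", splice_data(identity_id, timestamp, nonce),
                                   salt, PBKDF2_ITERATIONS, dklen=DIGEST_LEN)
    return hmac.compare_digest(expected, digest)


class CredentialIssuer:
    """The part of AS_A that issues BCid (S16) and replaces it on update (S166)."""

    def __init__(self) -> None:
        # bcid -> (ID, validityT as Unix time, still valid?)
        self.records: Dict[str, Tuple[str, int, bool]] = {}
        self.seen_nonces: Set[str] = set()

    def is_fresh(self, timestamp: int, nonce: str, now: int) -> bool:
        """S162: reject stale timestamps and random numbers N already used."""
        return abs(now - timestamp) <= FRESHNESS_WINDOW_S and nonce not in self.seen_nonces

    def issue(self, identity_id: str, timestamp: int, nonce: str, now: int) -> Optional[str]:
        if not self.is_fresh(timestamp, nonce, now):
            return None
        self.seen_nonces.add(nonce)
        bcid = generate_bcid(identity_id, timestamp, nonce)
        self.records[bcid] = (identity_id, now + DEFAULT_VALIDITY_S, True)
        return bcid

    def update(self, old_bcid: str, timestamp: int, nonce: str, now: int) -> Optional[str]:
        """S166: regenerate; the existing credential is marked invalid."""
        if old_bcid not in self.records:
            return None
        identity_id, validity_t, _ = self.records[old_bcid]
        new_bcid = self.issue(identity_id, timestamp, nonce, now)
        if new_bcid is not None:
            self.records[old_bcid] = (identity_id, validity_t, False)
        return new_bcid
```

Two properties worth checking in practice: two issues for the same ID, timestamp and N must yield different credentials (the salt is random), and an update must leave the old BCid present but flagged invalid, so that a later lookup distinguishes "superseded" from "never issued".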
4. The cross-domain authentication method for trusted access of industrial Internet devices according to claim 1, wherein in step S2 authentication is divided into local-domain identity authentication and cross-domain identity authentication, and the steps of the local-domain identity authentication protocol are as follows:
S21, user U_A in digital workshop A first sends a resource request carrying BCid to the local-domain service server BS_A; after receiving the request, BS_A calls the local-domain authentication server AS_A;
S22, the local-domain authentication server AS_A checks the validity and timeliness of the user identity credential BCid; if the check passes, it queries and returns the corresponding result, otherwise it measures the integrity of the device again through local-domain industrial safety perception and updates the identity credential;
S23, the local-domain authentication server AS_A returns the verification result to the local-domain service server BS_A; BS_A makes an analysis decision and decides whether to issue the resource.
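The authentication-server decision of S21 to S23 (and the cross-domain re-authentication phase described above, where AS_B additionally checks validityT and the freshness of N) as runnable Python. This is an added example, not code from the patent. The `ChainRecord` layout stands in for whatever the blockchain BC actually stores per BCid, the in-memory dictionary stands in for the chain query, and the business-server policy (issue only resources in the domain's own catalog) is an assumption; the patent says only that BS "makes an analysis decision".

```python
from dataclasses import dataclass
from typing import Dict, Set, Tuple


@dataclass
class ChainRecord:
    """What the authentication server finds on BC for a BCid (assumed layout)."""
    identity_id: str
    validity_t: int      # expiry as a Unix timestamp (the patent's validityT)
    valid: bool = True   # False once S166 has replaced the credential


class DomainAuthServer:
    """AS_A for the local-domain check (S22) or AS_B for cross-domain re-authentication."""

    def __init__(self, chain: Dict[str, ChainRecord]) -> None:
        self.chain = chain                  # stand-in for querying the blockchain BC
        self.seen_nonces: Set[str] = set()  # random numbers N already accepted

    def check_credential(self, bcid: str, now: int) -> str:
        """Order matters: existence on BC, then validity, then validity period."""
        rec = self.chain.get(bcid)
        if rec is None:
            return "not_on_chain"
        if not rec.valid:
            return "superseded"
        if now > rec.validity_t:
            return "expired"
        return "ok"

    def local_auth(self, bcid: str, now: int) -> Tuple[str, str]:
        """S22/S23: 'pass' returns the query result; anything else sends the
        device back through industrial safety perception to refresh BCid."""
        reason = self.check_credential(bcid, now)
        return ("pass", reason) if reason == "ok" else ("remeasure", reason)

    def reauth(self, bcid: str, claimed_validity_t: int, nonce: str,
               now: int) -> Tuple[str, str]:
        """Cross-domain re-authentication: the user sends only BCid, validityT and N."""
        reason = self.check_credential(bcid, now)
        if reason != "ok":
            return ("remeasure", reason)
        if claimed_validity_t != self.chain[bcid].validity_t:
            # The client-asserted expiry is compared against the chain, never trusted alone.
            return ("remeasure", "validity_mismatch")
        if nonce in self.seen_nonces:
            return ("remeasure", "nonce_replayed")   # a captured request replayed later
        self.seen_nonces.add(nonce)
        return ("pass", "ok")


def business_server_decision(as_result: Tuple[str, str], resource: str,
                             catalog: Set[str]) -> bool:
    """BS_A / BS_B 'analysis decision': issue the resource only when the AS passed the
    credential and the resource is one this domain serves (assumed policy)."""
    return as_result[0] == "pass" and resource in catalog
```

The replay cache grows without bound as written; a deployment would scope it to the validity period of the credential it belongs to, since a nonce older than validityT can no longer pass `check_credential` anyway.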
5. The cross-domain authentication method for trusted access of industrial Internet devices according to claim 4, wherein in step S22 the specific flow of local-domain industrial safety perception is as follows:
Sa1, user U_A in digital workshop A sends request information to the local-domain service server BS_A; the request information includes the device information, a random number, the signed device information and the existing identity credential;
Sa2, the local-domain service server BS_A confirms the device information and the existing identity credential and forwards the message to the local-domain authentication server AS_A;
Sa3, the local-domain authentication server AS_A queries and verifies U_A's existing identity credential and checks U_A's integrity measurement result;
Sa4, after verification passes, the identity credential and validity period are regenerated; AS_A signs the device information, the random number N and the updated credential and sends them to the local-domain service server BS_A;
Sa5, the local-domain service server BS_A forwards the message to the user terminal;
Sa6, user U_A checks AS_A's integrity measurement result and, after verifying the signature, obtains the updated identity credential.
6. The cross-domain authentication method for trusted access of industrial Internet devices according to claim 4, wherein the steps of the cross-domain identity authentication protocol are as follows:
S31, the first cross-domain authentication triggers cross-domain industrial safety perception to confirm the integrity of the device and verify the existing identity credential; device integrity measurement and verification are then performed, and an updated identity credential with a validity period is generated;
S32, user U_A in digital workshop A sends a request carrying the acquired identity credential BCid and a timestamp to the B-domain service server BS_B of digital workshop B; after receiving U_A's request, BS_B forwards it and calls the B-domain authentication server AS_B, which verifies the validity and validity period of the BCid;
S33, AS_B queries the chain to check whether the identity information exists and returns the corresponding result to the B-domain service server BS_B; if the identity information does not exist, the device is measured again through cross-domain industrial safety perception and the identity credential is updated;
S34, AS_B returns the verification result to the B-domain service server BS_B; BS_B makes an analysis decision and decides whether to issue the resource.
7. The cross-domain authentication method for trusted access of industrial Internet devices according to claim 6, wherein in step S31 the specific flow of cross-domain industrial safety perception is as follows:
Sb1, user U_A of digital workshop A sends request information to the B-domain service server BS_B of digital workshop B; the request information includes the device information, a random number N, the signed device information and the existing identity credential BCid;
Sb2, the B-domain service server BS_B confirms and forwards the message;
Sb3, the B-domain authentication server AS_B queries and verifies the identity credential BCid and checks U_A's integrity measurement result, verifying the integrity of the device and the safety of the identity;
Sb4, after verification passes, AS_B signs the device information and random number N and sends them to the B-domain service server BS_B;
Sb5, the B-domain service server BS_B forwards the message to the A-domain service server BS_A;
Sb6, the A-domain service server BS_A makes a preliminary confirmation and forwards the message to the A-domain authentication server AS_A;
Sb7, the A-domain authentication server AS_A checks AS_B's integrity measurement result, verifying the integrity of the device and the safety of the identity;
Sb8, after verification passes, AS_A signs the device information and random number and sends them to the A-domain service server BS_A;
Sb9, the message is forwarded to the B-domain authentication server AS_B;
Sb10, the B-domain authentication server AS_B checks AS_A's integrity measurement result, verifying the integrity of the device and the safety of the identity;
Sb11, AS_B regenerates the identity credential BCid and validity period, encrypts them with its private key and sends them to the B-domain service server BS_B;
Sb12, BS_B forwards the message to user U_A; U_A decrypts it with the public key to obtain the latest identity credential and validity period.
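The "integrity measurement result" that the authentication servers check in Sa3 (local domain) and in Sb3, Sb7 and Sb10 (cross domain, where AS_B and AS_A each verify) as runnable Python. This is an added example, not code from the patent: it models the TPM measurement from S11 (a measurement log SML whose entries are extended into a PCR) and shows what a verifier must check before trusting it. The golden digests are constructed values, the HMAC "quote" is a stand-in for a TPM quote signed with the AIK private key (assumed so the example runs on the standard library alone), and the S31 key negotiation and Session_key encryption of these messages are not shown.

```python
import hashlib
import hmac
from typing import Dict, List, Tuple

PCR_INIT = bytes(32)  # a SHA-256 PCR starts as 32 zero bytes


def digest_of(label: bytes) -> bytes:
    return hashlib.sha256(label).digest()


# Constructed sample allowlist: one expected digest per measured component.
GOLDEN_DIGESTS: Dict[str, bytes] = {
    name: digest_of(f"good-{name}-v1".encode())
    for name in ("bootloader", "kernel", "plc-runtime", "perception-agent")
}


def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM extend operation: PCR_new = SHA-256(PCR_old || measurement)."""
    return hashlib.sha256(pcr + measurement).digest()


def replay_sml(sml: List[Tuple[str, bytes]]) -> bytes:
    """Re-run the extend chain over the measurement log to get the PCR it implies."""
    pcr = PCR_INIT
    for _, digest in sml:
        pcr = pcr_extend(pcr, digest)
    return pcr


def make_quote(aik_key: bytes, pcr: bytes, nonce: bytes) -> bytes:
    """Device side: attest the PCR bound to the verifier's random number N.
    Stand-in (assumption): HMAC under a shared AIK secret instead of an AIK signature."""
    return hmac.new(aik_key, pcr + nonce, hashlib.sha256).digest()


def build_report(aik_key: bytes, sml: List[Tuple[str, bytes]], nonce: bytes) -> dict:
    """The measurement result the device sends with its request (Sa1 / Sb1)."""
    pcr = replay_sml(sml)
    return {"sml": sml, "pcr": pcr, "nonce": nonce, "quote": make_quote(aik_key, pcr, nonce)}


def verify_report(report: dict, aik_key: bytes, expected_nonce: bytes,
                  golden: Dict[str, bytes]) -> Tuple[bool, str]:
    """What an authentication server does with the measurement result."""
    if not hmac.compare_digest(report["nonce"], expected_nonce):
        return False, "nonce_mismatch"        # stale or replayed quote
    expected_quote = make_quote(aik_key, report["pcr"], report["nonce"])
    if not hmac.compare_digest(expected_quote, report["quote"]):
        return False, "bad_quote_signature"   # wrong AIK, or PCR altered after quoting
    if replay_sml(report["sml"]) != report["pcr"]:
        return False, "sml_pcr_mismatch"      # the log does not explain the quoted PCR
    for name, digest in report["sml"]:
        if golden.get(name) != digest:
            return False, f"unexpected_component:{name}"
    return True, "ok"


def cross_domain_perception(report: dict, aik_key: bytes, nonce: bytes,
                            golden_b: Dict[str, bytes],
                            golden_a: Dict[str, bytes]) -> Tuple[bool, str]:
    """Sb3 then Sb7: AS_B verifies against its allowlist, then AS_A against its own;
    the credential is regenerated (Sb11) only if both accept."""
    ok_b, why_b = verify_report(report, aik_key, nonce, golden_b)
    if not ok_b:
        return False, "AS_B:" + why_b
    ok_a, why_a = verify_report(report, aik_key, nonce, golden_a)
    if not ok_a:
        return False, "AS_A:" + why_a
    return True, "ok"
```

The order of checks is deliberate: the nonce and quote are verified before the log is parsed, so a forged log cannot pass by being internally consistent, and a genuine quote over an unexpected component still fails at the allowlist. Each domain keeps its own golden list, which is why the two-sided verification of Sb3 to Sb10 can reject a device that one domain would accept.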
Application number: CN202310992070.9A (priority date and filing date 2023-08-08), Cross-domain authentication method for trusted access of industrial Internet equipment, status: pending
Publication number: CN117081734A, published 2023-11-17
Family ID: 88716282 (single family application, CN202310992070.9A); country: CN


Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination