CN117290830A - Real-time micro-kernel multithreading identity authentication method and system based on cryptographic technology

Info

Publication number: CN117290830A
Authority: CN (China)
Prior art keywords: key, thread, task, security identification, value
Legal status: Pending
Application number: CN202311219644.5A
Other languages: Chinese (zh)
Inventors: 李何松, 彭志航, 张国栋, 贺礼云, 王辰曦, 刘娇健, 刘亮
Current assignees: Beijing Linx Technology Co ltd; State Grid Corp of China SGCC; Beijing Smartchip Microelectronics Technology Co Ltd; Electric Power Research Institute of State Grid Shaanxi Electric Power Co Ltd
Original assignees: Beijing Linx Technology Co ltd; State Grid Corp of China SGCC; Beijing Smartchip Microelectronics Technology Co Ltd; Electric Power Research Institute of State Grid Shaanxi Electric Power Co Ltd
Application filed by: Beijing Linx Technology Co ltd, State Grid Corp of China SGCC, Beijing Smartchip Microelectronics Technology Co Ltd, Electric Power Research Institute of State Grid Shaanxi Electric Power Co Ltd

Classifications

    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
        • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals > G06F21/31 User authentication
        • G06F21/60 Protecting data > G06F21/602 Providing cryptographic facilities or services
        • G06F21/60 Protecting data > G06F21/64 Protecting data integrity, e.g. using checksums, certificates or signatures

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Storage Device Security (AREA)

Abstract

The invention discloses a real-time microkernel multithreading identity authentication method and system based on cryptographic technology, comprising an identity binding step and an entity authentication step. The identity binding step comprises: generating a security identification value for the thread or task; computing a digest of the security identification value to obtain a security identification digest value for the thread or task; requesting a key through a key distribution mechanism based on asymmetric cryptography and generating a signing key pair, the key pair comprising a public key and a private key; signing the security identification digest value with the private key to generate a security identification signature value for the thread or task; and storing the security identification value, the security identification signature value and the public key in the operating system image. The entity authentication step comprises: the operating system kernel responding to an authentication request from the thread or task and verifying the security identification signature value carried by the thread or task.

Description

Real-time micro-kernel multithreading identity authentication method and system based on cryptographic technology
Technical Field
The invention relates to the technical fields of cryptography, operating systems and entity authentication, and in particular to a real-time microkernel multithreading identity authentication method and system based on cryptographic technology.
Background
At present, in the application field of general-purpose operating systems, identity authentication schemes based on user passwords are generally adopted.
Identity authentication schemes based on user passwords have the following problems:
(1) The approach relies on many other technical mechanisms of the operating system, such as user identification mechanisms and discretionary/mandatory access control mechanisms. This substantially increases the size of the operating system image, which may make the approach unsuitable for some resource-constrained devices.
(2) In a real-time microkernel multithreading environment, the boundaries of critical resources are blurred. The authenticity and integrity of subject and object identifiers cannot be ensured by this scheme alone, and other secure and reliable mechanisms are needed to verify and protect the critical data resources.
No effective solution has yet been proposed for the technical problem that user-password-based identity authentication in the related art depends on other technologies and therefore has poor independence.
Disclosure of Invention
The invention aims to overcome these technical defects by providing a real-time microkernel multithreading identity authentication method and system based on cryptographic technology, so as to solve the technical problem that user-password-based identity authentication in the related art must be realized by depending on other technologies and has poor independence.
In order to achieve this technical purpose, the invention adopts the following technical scheme:
According to one aspect of the present invention, there is provided a real-time microkernel multithreading identity authentication method based on cryptographic technology, comprising an identity binding step and an entity authentication step, wherein:
the identity binding step comprises:
generating a security identification value for the thread or task;
computing a digest of the security identification value to generate a security identification digest value for the thread or task;
requesting a key through a key distribution mechanism based on asymmetric cryptography and generating a signing key pair, the key pair comprising a public key and a private key;
signing the security identification digest value with the private key to generate a security identification signature value for the thread or task;
storing the security identification value, the security identification signature value and the public key in the operating system image;
the entity authentication step comprises:
the operating system kernel responding to an authentication request from the thread or task and verifying the security identification signature value carried by the thread or task.
Optionally, requesting the key through the key distribution mechanism based on asymmetric cryptography specifically comprises:
the key distribution requester initiating a key distribution request to the key distribution processor, requesting that a key be distributed;
the key distribution processor, after receiving the request, generating a key for the key distribution requester;
the key distribution processor checking the key to verify whether it meets the requirements;
the key distribution processor encrypting the key with the public key of the key distribution requester to generate a ciphertext;
the key distribution processor transmitting the ciphertext to the key distribution requester;
the key distribution requester, after receiving the ciphertext, decrypting the ciphertext with its private key to obtain the key.
Optionally, the operating system kernel responding to the authentication request of the thread or task and verifying the security identification signature value in the thread or task comprises:
receiving authentication information sent by the thread or task, wherein the authentication information comprises a security identification value and a security identification signature value;
receiving an authentication request initiated by the thread or task;
the operating system kernel responding to the authentication request of the thread or task and verifying the security identification signature value of the thread or task using the security identification value and the security identification signature value contained in the authentication information together with the public key stored in the operating system image.
An embodiment of the invention also provides a real-time microkernel multithreading identity authentication system based on cryptographic technology, comprising:
an identity binding unit and an entity authentication unit;
the identity binding unit is configured for:
generating a security identification value for the thread or task;
computing a digest of the security identification value to generate a security identification digest value for the thread or task;
requesting a key through a key distribution mechanism based on asymmetric cryptography and generating a signing key pair, the key pair comprising a public key and a private key;
signing the security identification digest value with the private key to generate a security identification signature value for the thread or task;
storing the security identification value, the security identification signature value and the public key in the operating system image;
the entity authentication unit is configured for:
the operating system kernel responding to the authentication request of the thread or task and verifying the security identification signature value of the thread or task using the security identification value and the security identification signature value contained in the thread or task information together with the public key stored in the operating system image.
Optionally, in the identity binding unit, requesting the key through the key distribution mechanism based on asymmetric cryptography specifically comprises:
the key distribution requester initiating a key distribution request to the key distribution processor, requesting that a key be distributed;
the key distribution processor, after receiving the request, generating a key for the key distribution requester;
the key distribution processor checking the key to verify whether it meets the requirements;
the key distribution processor encrypting the key with the public key of the key distribution requester to generate a ciphertext;
the key distribution processor transmitting the ciphertext to the key distribution requester;
the key distribution requester, after receiving the ciphertext, decrypting the ciphertext with its private key to obtain the key.
Optionally, in the entity authentication unit, the operating system kernel responding to the authentication request of the thread or task and verifying the security identification signature value in the thread or task comprises:
receiving authentication information sent by the thread or task, wherein the authentication information comprises a security identification value and a security identification signature value;
receiving an authentication request initiated by the thread or task;
the operating system kernel responding to the authentication request of the thread or task and verifying the security identification signature value of the thread or task using the security identification value and the security identification signature value contained in the authentication information together with the public key stored in the operating system image.
According to another aspect of the present invention, there is also provided an electronic apparatus including: a processor and a memory;
the memory has stored thereon a computer readable program executable by the processor;
the processor, when executing the computer readable program, implements the steps of the method as described above.
According to another aspect of the present invention, there is also provided a computer-readable storage medium storing one or more programs executable by one or more processors to implement the steps in the above-described method.
The real-time microkernel multithreading identity authentication method and system based on cryptographic technology provided by the invention build a subject-object identification model for each thread or task using the properties of asymmetric cryptography, and perform identity-based entity authentication when context scheduling takes place. The method solves the problems of how to define the subject-object model, and how to protect the authenticity and integrity of the subject and object identifiers under that definition, when the boundaries of critical resources are ambiguous in a real-time microkernel multithreading environment. It fills the technical gap of an identity-based entity authentication security model in a real-time microkernel environment by defining the boundary cryptographically. Compared with the prior art, the invention has the following beneficial effects: the method is realized without heavy dependence on other operating system technologies, can effectively reduce the size of the operating system image, and saves hardware resources. The authenticity and integrity of subject and object identifiers can be verified and protected in real-time microkernel operating system scenarios, improving the security of the operating system.
Drawings
Fig. 1 is a schematic diagram of the key distribution flow based on asymmetric cryptography in the real-time microkernel multithreading identity authentication method based on cryptographic technology according to an embodiment of the present invention;
Fig. 2 is a flowchart of the thread-based service identity binding process in the method according to an embodiment of the present invention;
Fig. 3 is a flowchart of entity authentication between threads (tasks) in the method according to an embodiment of the present invention;
Fig. 4 is a block diagram of a terminal for implementing the method according to an embodiment of the present invention.
Detailed Description
In order that the solution of the present application may be better understood by those skilled in the art, the technical solution in the embodiments of the present application is described below in detail with reference to the accompanying drawings. It is apparent that the described embodiments are only some, not all, of the embodiments of the present application. All other embodiments that can be obtained by one of ordinary skill in the art based on the embodiments herein without inventive effort fall within the scope of the present application.
In the related art, identity authentication schemes based on user passwords cannot independently realize secure and reliable identity authentication.
The inventors have found through research that the main cause of these problems is that the user-password-based authentication mechanism is implemented on top of many other operating system technologies rather than as a relatively independent authentication model.
On this basis, the invention provides a real-time microkernel multithreading identity authentication method and system based on cryptographic technology, which solve the technical problem that user-password-based identity authentication in the related art must be realized by depending on other technologies and has poor independence. A detailed description follows.
Example 1
According to an embodiment of the invention, a real-time microkernel multithreading identity authentication method based on cryptographic technology is provided. The method comprises an identity binding step S2 and an entity authentication step S3, wherein:
the identity binding step S2 comprises:
S201, generating a security identification value for a thread or task;
S203, computing a digest of the security identification value to generate a security identification digest value for the thread or task;
S205, requesting a key through a key distribution mechanism based on asymmetric cryptography and generating a signing key pair, the key pair comprising a public key and a private key;
S207, signing the security identification digest value with the private key to generate a security identification signature value for the thread or task;
S209, storing the security identification value, the security identification signature value and the public key in the operating system image.
The entity authentication step S3 comprises:
the operating system kernel responding to an authentication request from the thread or task and verifying the security identification signature value carried by the thread or task.
In step S205, requesting the key through the key distribution mechanism based on asymmetric cryptography specifically comprises:
S101, the key distribution requester initiates a key distribution request to the key distribution processor, requesting that a key be distributed;
S103, after receiving the request, the key distribution processor generates a key for the key distribution requester;
S105, the key distribution processor checks the key to verify whether it meets the requirements;
S107, the key distribution processor encrypts the key with the public key of the key distribution requester to generate a ciphertext;
S109, the key distribution processor transmits the ciphertext to the key distribution requester;
S111, after receiving the ciphertext, the key distribution requester decrypts the ciphertext with its private key to obtain the key.
In the above steps S101-S111, define A as the requester of key distribution and B as the processor of key distribution. With reference to Fig. 1, the key may be distributed as follows:
(1.1) Request. A initiates a key distribution request to B, asking B to distribute a key. The key is used for the "service identity binding with threads as subjects" flow of step S1 and the "entity authentication between interacting thread tasks" flow of step S2.
(1.2) Generation. B generates a key for A after receiving A's request.
(1.3) Check. After generating the key for A, B checks the key to verify whether it meets the requirements.
(1.4) Encryption. B encrypts the key with A's public key to generate a ciphertext, ensuring the confidentiality of the key during transmission.
(1.5) Transmission. B transmits the ciphertext to A.
(1.6) Decryption. After receiving the ciphertext data sent by B, A decrypts the ciphertext with its private key to obtain the key.
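The following Go program is an added illustration of the six-step key distribution flow (1.1) to (1.6) and is not code from the patent or its assignees. The patent does not name algorithms, so the choices here are assumptions: the distributed key is an Ed25519 signing key pair, the requester A owns an RSA-2048 transport key pair whose public half accompanies the request, and B wraps the private seed with RSA-OAEP (SHA-256). The "check" of step (1.3) is likewise an interpretation: size checks plus a probe sign/verify round trip. Everything runs with the Go standard library.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// oaepLabel ties the wrapped seed to its purpose (constructed value).
var oaepLabel = []byte("ed25519-signing-key-seed")

// Requester is A in Fig. 1: its RSA transport public key is what B wraps under (step 1.4).
type Requester struct{ transport *rsa.PrivateKey }

// NewRequester creates A with a fresh 2048-bit RSA transport key.
func NewRequester() (*Requester, error) {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Requester{transport: k}, nil
}

// checkSigningKey is step 1.3 on B's side: the key pair must have the expected
// sizes and a probe signature must verify before the key is handed out.
func checkSigningKey(pub ed25519.PublicKey, priv ed25519.PrivateKey) error {
	if len(pub) != ed25519.PublicKeySize || len(priv) != ed25519.PrivateKeySize {
		return errors.New("key check: unexpected key length")
	}
	probe := []byte("key-check-probe")
	if !ed25519.Verify(pub, probe, ed25519.Sign(priv, probe)) {
		return errors.New("key check: probe signature failed to verify")
	}
	return nil
}

// Distribute runs steps 1.2 to 1.5 for B: generate an Ed25519 signing key pair,
// check it, and wrap the private seed with RSA-OAEP under A's public key.
func Distribute(requesterPub *rsa.PublicKey) ([]byte, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // 1.2 generate
	if err != nil {
		return nil, nil, err
	}
	if err := checkSigningKey(pub, priv); err != nil { // 1.3 check
		return nil, nil, err
	}
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, requesterPub, priv.Seed(), oaepLabel) // 1.4 encrypt
	if err != nil {
		return nil, nil, err
	}
	return ct, pub, nil // 1.5 transmit: here simply returned to the caller
}

// Receive is step 1.6 for A: unwrap the seed with A's private key and rebuild the
// signing key. A refuses a key that does not match the public key B advertised.
func (r *Requester) Receive(ct []byte, advertised ed25519.PublicKey) (ed25519.PrivateKey, error) {
	seed, err := rsa.DecryptOAEP(sha256.New(), nil, r.transport, ct, oaepLabel)
	if err != nil {
		return nil, err
	}
	if len(seed) != ed25519.SeedSize { // NewKeyFromSeed panics on a bad length
		return nil, errors.New("receive: wrapped seed has wrong length")
	}
	priv := ed25519.NewKeyFromSeed(seed)
	if !bytes.Equal(priv.Public().(ed25519.PublicKey), advertised) {
		return nil, errors.New("receive: key does not match advertised public key")
	}
	return priv, nil
}

// RunDistribution performs the whole 1.1-1.6 exchange and reports whether A
// ends up able to sign under the public key B advertised.
func RunDistribution() (bool, error) {
	a, err := NewRequester()
	if err != nil {
		return false, err
	}
	ct, pub, err := Distribute(&a.transport.PublicKey) // 1.1 the request carries A's public key
	if err != nil {
		return false, err
	}
	priv, err := a.Receive(ct, pub)
	if err != nil {
		return false, err
	}
	msg := []byte("constructed stand-in for a security identification digest")
	return ed25519.Verify(pub, msg, ed25519.Sign(priv, msg)), nil
}

func main() {
	ok, err := RunDistribution()
	fmt.Println("signing key distributed and usable:", ok, "error:", err)
}
```

Two points a practitioner should take from this: OAEP gives the wrapped seed integrity as well as confidentiality, so a corrupted ciphertext fails at `Receive` rather than yielding a wrong key, and comparing the rebuilt public key with the one B advertised closes the gap in which the confidential channel delivers one key while the image is later provisioned with another. What the flow does not provide on its own is authentication of B: nothing in steps (1.1) to (1.6) lets A confirm who generated the key, so in practice A's transport public key and B's response need their own trust anchor (a pre-provisioned certificate or an authenticated channel).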
In steps S101-S109, with reference to Fig. 2, identity binding may be implemented as follows:
(2.1) Generating the security identification value. The application owner generates a thread (task) security identification value.
(2.2) Generating the security identification digest value. The application owner computes a digest of the generated thread (task) security identification value to obtain a thread (task) security identification digest value.
(2.3) Generating the signing key pair. The application owner requests a key through the "key distribution based on asymmetric cryptography" mechanism, obtaining a key pair (public key, private key).
(2.4) Generating the security identification signature value. The application owner signs the generated thread (task) security identification digest value with the private key to generate a thread (task) security identification signature value.
(2.5) Storing the security identification value. The application owner stores the generated thread (task) security identification value in the operating system image.
(2.6) Storing the security identification signature information. The application owner stores the generated security identification signature value and the public key used to verify it in the operating system image.
In step S3, the operating system kernel responding to the authentication request of the thread or task and verifying the security identification signature value in the thread or task comprises:
S301, receiving authentication information sent by the thread or task, wherein the authentication information comprises a security identification value and a security identification signature value;
S303, receiving an authentication request initiated by the thread or task;
S305, the operating system kernel responding to the authentication request of the thread or task and verifying the security identification signature value of the thread or task using the security identification value and the security identification signature value contained in the authentication information together with the public key stored in the operating system image.
The above steps S301 to S305, with reference to Fig. 3, may be implemented as follows:
(3.1) Transmission. The thread (task) requesting identity authentication sends its authentication information (security identification value, security identification signature value).
(3.2) Request. The thread (task) requests authentication of its security identification digest value.
(3.3) Response. The operating system kernel responds to the authentication request of the thread (task), invokes the identity authentication module, and verifies the thread (task) security identification signature value using the transmitted thread (task) information (security identification value, security identification signature value) and the public key stored in the operating system image.
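The Go program below is an added example covering both the identity binding flow (2.1) to (2.6) and the entity authentication flow (3.1) to (3.3); it is not code from the patent or its assignees. Assumptions not fixed by the patent: the security identification value is a task name plus a random nonce, the digest is SHA-256, the signature is Ed25519 (matching the key pair the distribution flow hands out), and the "operating system image" is modelled as an in-memory table keyed by task name. The final comparison of the presented identifier against the bound one in `KernelAuthenticate` is an added check, not a step the patent spells out.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// SecurityID is the thread (task) security identification value of step 2.1.
// The patent does not fix a layout; a task name plus a random nonce is assumed.
type SecurityID struct {
	TaskName string
	Nonce    [16]byte
}

// Bytes is the canonical encoding that gets digested and signed: the name is
// length-prefixed (names up to 255 bytes) so that it cannot run into the nonce.
func (s SecurityID) Bytes() []byte {
	out := append([]byte{byte(len(s.TaskName))}, s.TaskName...)
	return append(out, s.Nonce[:]...)
}

// Digest is step 2.2, the security identification digest value (SHA-256).
func (s SecurityID) Digest() []byte {
	d := sha256.Sum256(s.Bytes())
	return d[:]
}

// BindingRecord is what steps 2.5 and 2.6 place in the operating system image:
// the identifier, its signature, and the public key that verifies it.
type BindingRecord struct {
	ID        SecurityID
	Signature []byte
	VerifyKey ed25519.PublicKey
}

// Image models the operating system image as a table keyed by task name.
type Image map[string]BindingRecord

// Bind performs steps 2.1 to 2.6 for one task with the application owner's
// signing key (in the patent, obtained through the key distribution flow).
func Bind(img Image, name string, priv ed25519.PrivateKey) (BindingRecord, error) {
	id := SecurityID{TaskName: name}
	if _, err := rand.Read(id.Nonce[:]); err != nil { // 2.1 generate
		return BindingRecord{}, err
	}
	rec := BindingRecord{ID: id, Signature: ed25519.Sign(priv, id.Digest()), // 2.2 digest, 2.4 sign
		VerifyKey: priv.Public().(ed25519.PublicKey)}
	img[name] = rec // 2.5 store the value, 2.6 store the signature and public key
	return rec, nil
}

// KernelAuthenticate is step 3.3 for an identifier and signature presented in
// steps 3.1/3.2. The signature is verified with the public key held in the image,
// never with one the requester supplies; the identifier comparison is an added check.
func KernelAuthenticate(img Image, id SecurityID, sig []byte) error {
	rec, ok := img[id.TaskName]
	if !ok {
		return errors.New("auth: no binding record for task")
	}
	if !ed25519.Verify(rec.VerifyKey, id.Digest(), sig) {
		return errors.New("auth: security identification signature invalid")
	}
	if id != rec.ID {
		return errors.New("auth: identifier differs from the bound identifier")
	}
	return nil
}

// Demo binds one task and authenticates (a) the genuine record, (b) the genuine
// signature over an identifier with an altered nonce, (c) the genuine identifier
// signed by a key that is not in the image. Only (a) is expected to pass.
func Demo() (legit, tampered, wrongKey bool, err error) {
	_, ownerKey, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, false, err
	}
	img := Image{}
	rec, err := Bind(img, "sensor-reader", ownerKey) // constructed task name
	if err != nil {
		return false, false, false, err
	}
	legit = KernelAuthenticate(img, rec.ID, rec.Signature) == nil
	altered := rec.ID
	altered.Nonce[0] ^= 0x01
	tampered = KernelAuthenticate(img, altered, rec.Signature) == nil
	_, rogueKey, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, false, err
	}
	wrongKey = KernelAuthenticate(img, rec.ID, ed25519.Sign(rogueKey, rec.ID.Digest())) == nil
	return legit, tampered, wrongKey, nil
}

func main() {
	fmt.Println(Demo())
}
```

The security of this check rests entirely on the image being what the application owner built: the public key that the kernel trusts lives in the same image as the records it verifies, so a party able to rewrite the image could replace key, value and signature together. In deployment that is why the image itself needs integrity protection (a measured or signed image checked at boot), and why the kernel should read the verify key from its own copy rather than from anything the requesting thread can influence.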
From the description of the above embodiments, it will be clear to a person skilled in the art that the method according to the above embodiments may be implemented by software together with the necessary general-purpose hardware platform, or by hardware alone, the former being the preferred embodiment in many cases. On this understanding, the technical solution of the present application, in essence or in the part that contributes to the prior art, may be embodied in the form of a software product stored in a storage medium (such as ROM/RAM, a magnetic disk or an optical disk) and comprising instructions that cause a terminal device (which may be a mobile phone, a computer, a server, a network device, or the like) to perform the method described in the embodiments of the present application.
Example two
According to an embodiment of the present invention, there is provided a real-time microkernel multithreading identity authentication system based on cryptographic technology, the system comprising:
an identity binding unit and an entity authentication unit;
the identity binding unit is configured for:
generating a security identification value for the thread or task;
computing a digest of the security identification value to generate a security identification digest value for the thread or task;
requesting a key through a key distribution mechanism based on asymmetric cryptography and generating a signing key pair, the key pair comprising a public key and a private key;
signing the security identification digest value with the private key to generate a security identification signature value for the thread or task;
storing the security identification value, the security identification signature value and the public key in the operating system image;
the entity authentication unit is configured for:
the operating system kernel responding to the authentication request of the thread or task and verifying the security identification signature value of the thread or task using the security identification value and the security identification signature value contained in the thread or task information together with the public key stored in the operating system image.
Optionally, for specific examples in this embodiment, reference may be made to the examples described in the foregoing embodiments, which are not repeated here.
It should be noted that the above units correspond to the examples and application scenarios implemented by the corresponding method steps, but are not limited to what is disclosed in the above embodiments. The above units may be implemented as part of the apparatus in a corresponding hardware environment, in software or in hardware, where the hardware environment includes a network environment.
Fig. 4 is a block diagram of a terminal according to an embodiment of the present application. As shown in Fig. 4, the terminal may comprise one or more processors 101 (only one is shown), a memory 103 and a transmission device 105, and may further comprise input/output devices 107.
The memory 103 may be used to store software programs and modules, such as the program instructions/modules corresponding to the methods and apparatuses in the embodiments of the present application; the processor 101 executes the software programs and modules stored in the memory 103, thereby performing various functional applications and data processing, that is, implementing the methods described above. The memory 103 may include high-speed random access memory and may also include non-volatile memory, such as one or more magnetic storage devices, flash memory, or other non-volatile solid-state memory. In some examples, the memory 103 may further include memory located remotely from the processor 101 and connected to the terminal via a network. Examples of such networks include, but are not limited to, the Internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The transmission device 105 is used for receiving or transmitting data via a network and may also be used for data transmission between the processor and the memory. Specific examples of the network include wired networks and wireless networks. In one example, the transmission device 105 comprises a network interface controller (NIC) that can be connected to other network devices and routers via a network cable to communicate with the Internet or a local area network. In another example, the transmission device 105 is a radio frequency (RF) module for communicating with the Internet wirelessly.
In particular, the memory 103 is used for storing application programs.
The processor 101 may invoke an application program stored in the memory 103 via the transmission device 105 to perform the following steps, comprising an identity binding step and an entity authentication step, wherein:
the identity binding step comprises:
generating a security identification value for the thread or task;
computing a digest of the security identification value to generate a security identification digest value for the thread or task;
requesting a key through a key distribution mechanism based on asymmetric cryptography and generating a signing key pair, the key pair comprising a public key and a private key;
signing the security identification digest value with the private key to generate a security identification signature value for the thread or task;
storing the security identification value, the security identification signature value and the public key in the operating system image;
the entity authentication step comprises:
the operating system kernel responding to an authentication request from the thread or task and verifying the security identification signature value carried by the thread or task.
Alternatively, specific examples in this embodiment may refer to examples described in the foregoing embodiments, and this embodiment is not described herein.
It will be appreciated by those skilled in the art that the above-mentioned structure of the terminal is merely illustrative, and the terminal may be a smart phone (such as an Android mobile phone, an iOS mobile phone, etc.), a tablet computer, a palm computer, a mobile internet device (Mobile Internet Devices, MID), a PAD, etc. Fig. 4 is not limited to the structure of the electronic device. For example, the terminal may also include more or fewer components (e.g., network interfaces, display devices, etc.) than shown in fig. 4, or have a different configuration than shown in fig. 4.
Those of ordinary skill in the art will appreciate that all or part of the steps in the various methods of the above embodiments may be implemented by a program for instructing a terminal device to execute in association with hardware, the program may be stored in a computer readable storage medium, and the storage medium may include: flash disk, read Only Memory (ROM), random access Memory (Random Access Memory, RAM), magnetic or optical disk, and the like.
Embodiments of the present application also provide a storage medium. Alternatively, in the present embodiment, the above-described storage medium may be used for executing the program code of the above-described method.
Alternatively, in this embodiment, the storage medium may be located on at least one network device of the plurality of network devices in the network shown in the above embodiment.
Optionally, in this embodiment, the storage medium is configured to store program code for performing the following steps: an identity binding step and an entity authentication step, wherein:
the identity binding step comprises:
generating a security identification value of the thread or task;
digesting the security identification value to generate a security identification digest value of the thread or task;
requesting a key through a key distribution mechanism based on asymmetric cryptography, and generating a signing key pair comprising a public key and a private key;
signing the security identification digest value with the private key to generate a security identification signature value of the thread or task;
storing the security identification value, the security identification signature value and the public key in the operating system image;
the entity authentication step comprises:
the kernel of the operating system responding to an authentication request of the thread or task and verifying the security identification signature value in the thread or task.
Optionally, for specific examples in this embodiment, reference may be made to the examples described in the foregoing embodiments, which are not repeated here.
Optionally, in this embodiment, the storage medium may include, but is not limited to, a USB flash disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a removable hard disk, a magnetic disk, an optical disk, or any other medium capable of storing program code.
The numbering of the foregoing embodiments of the present application is merely for description and does not represent the relative merits of the embodiments.
If the integrated units in the above embodiments are implemented in the form of software functional units and sold or used as independent products, they may be stored in the above computer-readable storage medium. Based on such understanding, the technical solution of the present application, in essence, or the part that contributes to the prior art, or all or part of the technical solution, may be embodied in the form of a software product stored in a storage medium and including several instructions that cause one or more computer devices (which may be personal computers, servers, network devices, or the like) to perform all or part of the steps of the methods described in the embodiments of the present application.
In the foregoing embodiments of the present application, each embodiment has its own emphasis; for any part not described in detail in one embodiment, reference may be made to the related descriptions of other embodiments.
In the several embodiments provided in this application, the described apparatus embodiments are merely illustrative. For example, the division into units is merely a division by logical function, and other divisions are possible in actual implementation: multiple units or components may be combined or integrated into another system, or some features may be omitted or not performed. Further, the mutual coupling, direct coupling or communication connection shown or discussed may be achieved through some interfaces, units or modules, and may be electrical or of another form.
The units described as separate components may or may not be physically separate, and components shown as units may or may not be physical units; they may be located in one place or distributed over a plurality of network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, the functional units in the embodiments of the present application may be integrated in one processing unit, or each unit may exist physically alone, or two or more units may be integrated in one unit. The integrated units may be implemented in hardware or as software functional units.
The foregoing is merely a preferred embodiment of the present application. It should be noted that those skilled in the art may make modifications and adaptations without departing from the principles of the present application, and such modifications and adaptations are also intended to fall within the scope of protection of the present application.

Claims (8)

1. A real-time microkernel multithreading identity authentication method based on cryptographic technology, characterized in that it comprises: an identity binding step and an entity authentication step, wherein:
the identity binding step comprises:
generating a security identification value of the thread or task;
digesting the security identification value to generate a security identification digest value of the thread or task;
requesting a key through a key distribution mechanism based on asymmetric cryptography, and generating a signing key pair comprising a public key and a private key;
signing the security identification digest value with the private key to generate a security identification signature value of the thread or task;
storing the security identification value, the security identification signature value and the public key in the operating system image;
the entity authentication step comprises:
the kernel of the operating system responding to an authentication request of the thread or task and verifying the security identification signature value in the thread or task.
2. The cryptographic technology based real-time microkernel multithreading identity authentication method of claim 1, wherein requesting the key through the key distribution mechanism based on asymmetric cryptography specifically comprises:
the key distribution request end initiates a key distribution request to the key distribution processing end to request distribution of a key;
after receiving the request, the key distribution processing end generates a key for the key distribution request end;
the key distribution processing end checks the key to verify whether it meets the requirements;
the key distribution processing end encrypts the key with the public key of the key distribution request end to generate a ciphertext;
the key distribution processing end transmits the ciphertext to the key distribution request end;
after receiving the ciphertext, the key distribution request end decrypts it with its private key to obtain the key.
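The exchange in claim 2, written out as an added Go example that is not part of the patent and not code from any of the applicants. The claim does not say which asymmetric algorithm is used, what the distributed key looks like, or what "meets the requirements" means, so the following are assumptions: the request end holds an RSA transport key pair whose public key the processing end already knows, the distributed key is 32 random bytes, the check is a length and non-zero test, and the ciphertext is produced with RSA-OAEP over SHA-256. The example also shows the property a practitioner cares about in this step: a ciphertext modified in transit is rejected at decryption rather than silently yielding a wrong key.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Constructed example of the key distribution exchange in claim 2.
// Assumptions (not stated in the patent): RSA transport key pair at the
// request end, 32-byte distributed key, RSA-OAEP/SHA-256 for the ciphertext.

const distributedKeyLen = 32 // assumption: size of the distributed key

// oaepLabel ties the ciphertext to this exchange; both ends must use it.
var oaepLabel = []byte("key-distribution")

// RequestEnd models the key distribution request end.
type RequestEnd struct {
	priv *rsa.PrivateKey
}

// ProcessingEnd models the key distribution processing end; it knows only
// the request end's public key.
type ProcessingEnd struct {
	requesterPub *rsa.PublicKey
}

// checkKey is the processing end's check that the generated key "meets the
// requirements". The claim does not say what they are; constructed criteria:
// expected length and not all zeros.
func checkKey(k []byte) error {
	if len(k) != distributedKeyLen {
		return errors.New("distributed key has wrong length")
	}
	if bytes.Equal(k, make([]byte, distributedKeyLen)) {
		return errors.New("distributed key is all zeros")
	}
	return nil
}

// HandleRequest is the processing end's part: generate a key for the
// requester, check it, encrypt it under the requester's public key and
// return the ciphertext. The plaintext key is also returned so the
// processing end can keep it for later use with that requester.
func (p *ProcessingEnd) HandleRequest() (ciphertext, key []byte, err error) {
	key = make([]byte, distributedKeyLen)
	if _, err = rand.Read(key); err != nil {
		return nil, nil, err
	}
	if err = checkKey(key); err != nil {
		return nil, nil, err
	}
	ciphertext, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, p.requesterPub, key, oaepLabel)
	if err != nil {
		return nil, nil, err
	}
	return ciphertext, key, nil
}

// Receive is the request end's part: decrypt the ciphertext with its private
// key. OAEP decryption fails on any modified ciphertext, so a corrupted or
// substituted message is rejected instead of producing a wrong key.
func (r *RequestEnd) Receive(ciphertext []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, r.priv, ciphertext, oaepLabel)
}

// RunExchange performs one distribution and reports whether the request end
// recovered exactly the key the processing end issued, and whether a
// ciphertext with one flipped byte is rejected.
func RunExchange() (recovered bool, tamperRejected bool, err error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, err
	}
	requester := &RequestEnd{priv: priv}
	processor := &ProcessingEnd{requesterPub: &priv.PublicKey}

	ct, issued, err := processor.HandleRequest()
	if err != nil {
		return false, false, err
	}
	got, err := requester.Receive(ct)
	if err != nil {
		return false, false, err
	}
	recovered = bytes.Equal(got, issued)

	// Flip one byte of the ciphertext; OAEP padding check must fail.
	bad := append([]byte(nil), ct...)
	bad[len(bad)/2] ^= 0x01
	_, err = requester.Receive(bad)
	tamperRejected = err != nil
	return recovered, tamperRejected, nil
}

func main() {
	rec, rej, err := RunExchange()
	fmt.Printf("recovered=%v tamperRejected=%v err=%v\n", rec, rej, err)
}
```

Note that this exchange protects only the confidentiality of the distributed key; nothing in claim 2 as worded authenticates the processing end to the request end, so a deployment would still need the request end to know which processing end it is talking to (for example by provisioning the processing end's public key alongside its own).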
3. The cryptographic technology based real-time microkernel multithreading identity authentication method of claim 1, wherein the kernel of the operating system responding to the authentication request of the thread or task and verifying the security identification signature value in the thread or task comprises:
receiving thread or task information for authentication sent by the thread or task, the thread or task information for authentication comprising a security identification value and a security identification signature value;
receiving an authentication request initiated by the thread or task;
the kernel of the operating system responding to the authentication request of the thread or task and verifying the security identification signature value of the thread or task using the security identification value and the security identification signature value in the thread or task information for authentication together with the public key stored in the operating system image.
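The identity binding step of claim 1 and the kernel-side verification of claim 3 (the same steps the storage-medium embodiment above lists), as an added Go example that is not part of the patent and not code from any of the applicants. Assumptions not fixed by the claims: the security identification value is an opaque byte string, the digest is SHA-256, the signing key pair is Ed25519, and the "operating system image" is modelled as an in-memory map from security identification value to the stored record. The example goes slightly beyond the claim text by running two failing requests alongside the genuine one, to show what the stored public key actually protects against.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Constructed example of claims 1 and 3. Assumptions (not in the patent):
// SHA-256 digest, Ed25519 signing key pair, image modelled as a map.

// ImageRecord is what identity binding stores in the image for one thread
// or task: the security identification value, its signature value, and the
// public key of the signing key pair.
type ImageRecord struct {
	SecurityID []byte
	Signature  []byte
	PublicKey  ed25519.PublicKey
}

// ThreadInfo is the "thread or task information for authentication" that a
// thread or task hands to the kernel together with its authentication request.
type ThreadInfo struct {
	SecurityID []byte
	Signature  []byte
}

// digest produces the security identification digest value.
func digest(securityID []byte) []byte {
	h := sha256.Sum256(securityID)
	return h[:]
}

// Bind is the identity binding step: digest the security identification
// value, sign the digest with the private key, and return the record that
// goes into the image. It runs at image build time, so the private key never
// needs to be present on the running system.
func Bind(securityID []byte, pub ed25519.PublicKey, priv ed25519.PrivateKey) ImageRecord {
	return ImageRecord{
		SecurityID: securityID,
		Signature:  ed25519.Sign(priv, digest(securityID)),
		PublicKey:  pub,
	}
}

// KernelAuthenticate is the entity authentication step as the kernel performs
// it: look up the image record for the presented security identification
// value and verify the presented signature value over the digest of that
// value with the public key stored in the image. Only the image's public key
// is trusted; nothing the thread presents counts until the signature checks.
func KernelAuthenticate(image map[string]ImageRecord, info ThreadInfo) error {
	rec, ok := image[string(info.SecurityID)]
	if !ok {
		return errors.New("security identification value not present in image")
	}
	if !ed25519.Verify(rec.PublicKey, digest(info.SecurityID), info.Signature) {
		return errors.New("security identification signature value does not verify")
	}
	return nil
}

// Demo builds an image for two constructed tasks and runs three requests:
// a genuine one, one presenting another task's signature value under a
// different identity, and one signed with a key pair never bound into the
// image. It returns which of the three the kernel accepts.
func Demo() (genuineOK, swappedOK, foreignKeyOK bool) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	image := map[string]ImageRecord{}
	for _, id := range []string{"task:motor-control:0001", "task:logger:0002"} { // constructed IDs
		image[id] = Bind([]byte(id), pub, priv)
	}

	logger := image["task:logger:0002"]
	genuineOK = KernelAuthenticate(image, ThreadInfo{SecurityID: logger.SecurityID, Signature: logger.Signature}) == nil

	// Logger's signature value presented under the motor-control identity:
	// the digest differs, so verification fails.
	swappedOK = KernelAuthenticate(image, ThreadInfo{SecurityID: []byte("task:motor-control:0001"), Signature: logger.Signature}) == nil

	// Correct digest, but signed by a key pair that is not in the image.
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	foreign := ThreadInfo{SecurityID: logger.SecurityID, Signature: ed25519.Sign(otherPriv, digest(logger.SecurityID))}
	foreignKeyOK = KernelAuthenticate(image, foreign) == nil
	return
}

func main() {
	g, s, f := Demo()
	fmt.Printf("genuine=%v swapped=%v foreignKey=%v\n", g, s, f)
}
```

The check rests entirely on the integrity of the public key stored in the image: if the image itself can be altered, a replaced public key would validate any signature, so in practice the image holding these records must itself be protected, for example by secure boot verifying the whole image before the kernel consults it.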
4. A real-time microkernel multithreading identity authentication system based on cryptographic technology, the system comprising:
an identity binding unit and an entity authentication unit;
the identity binding unit is configured to:
generate a security identification value of the thread or task;
digest the security identification value to generate a security identification digest value of the thread or task;
request a key through a key distribution mechanism based on asymmetric cryptography, and generate a signing key pair comprising a public key and a private key;
sign the security identification digest value with the private key to generate a security identification signature value of the thread or task;
store the security identification value, the security identification signature value and the public key in the operating system image;
the entity authentication unit is configured to:
have the kernel of the operating system respond to the authentication request of the thread or task and verify the security identification signature value of the thread or task using the security identification value and the security identification signature value in the thread or task information together with the public key stored in the operating system image.
5. The cryptographic technology based real-time microkernel multithreading identity authentication system of claim 4, wherein requesting the key through the key distribution mechanism based on asymmetric cryptography comprises:
the key distribution request end initiates a key distribution request to the key distribution processing end to request distribution of a key;
after receiving the request, the key distribution processing end generates a key for the key distribution request end;
the key distribution processing end checks the key to verify whether it meets the requirements;
the key distribution processing end encrypts the key with the public key of the key distribution request end to generate a ciphertext;
the key distribution processing end transmits the ciphertext to the key distribution request end;
after receiving the ciphertext, the key distribution request end decrypts it with its private key to obtain the key.
6. The cryptographic technology based real-time microkernel multithreading identity authentication system of claim 4, wherein the kernel of the operating system responding to the authentication request of the thread or task and verifying the security identification signature value in the thread or task comprises:
receiving thread or task information for authentication sent by the thread or task, the thread or task information for authentication comprising a security identification value and a security identification signature value;
receiving an authentication request initiated by the thread or task;
the kernel of the operating system responding to the authentication request of the thread or task and verifying the security identification signature value of the thread or task using the security identification value and the security identification signature value in the thread or task information for authentication together with the public key stored in the operating system image.
7. An electronic device, comprising: a processor and a memory;
the memory stores a computer readable program executable by the processor;
the processor, when executing the computer readable program, implements the steps of the method of any one of claims 1 to 3.
8. A computer readable storage medium storing one or more programs which, when executed by one or more processors, implement the steps of the method of any one of claims 1 to 3.
CN202311219644.5A 2023-09-20 2023-09-20 Real-time micro-kernel multithreading identity authentication method and system based on cryptographic technology Pending CN117290830A (en)


Publications (1)

Publication Number Publication Date
CN117290830A true CN117290830A (en) 2023-12-26

Family

ID=89238282



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination