CN117411718A - Anonymous access control method based on digital oil-gas field system platform - Google Patents

Anonymous access control method based on digital oil-gas field system platform

Info

Publication number
CN117411718A
Authority
CN
China
Prior art keywords
system platform
gas field
field system
digital oil
trusted center
Legal status
Granted
Application number
CN202311565640.2A
Other languages
Chinese (zh)
Other versions
CN117411718B (en)
Inventor
张晓均
张楠
郝云溥
张海洋
邓旭东
薛婧婷
刘炳云
钱思怡
王文琛
Current Assignee
Southwest Petroleum University
Original Assignee
Southwest Petroleum University
Classifications

All H04L entries sit under H (Electricity) > H04 (Electric communication technique) > H04L (Transmission of digital information, e.g. telegraphic communication), within either H04L 63/00 (Network architectures or network communication protocols for network security) or H04L 9/00 (Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols).

    • H04L 63/10 Network security for controlling access to devices or network resources
    • H04L 63/0421 Anonymous communication, i.e. the party's identifiers are hidden from the other party or parties, e.g. using an anonymizer (under H04L 63/04 and 63/0407: confidential data exchange in which the identity of one or more communicating entities is hidden)
    • H04L 63/083 Authentication of entities using passwords (under H04L 63/08)
    • H04L 63/0861 Authentication of entities using biometrical features, e.g. fingerprint, retina-scan (under H04L 63/08)
    • H04L 63/12 Applying verification of the received information
    • H04L 9/3236 Means for verifying the identity or authority of a user of the system or for message authentication, using cryptographic hash functions (under H04L 9/32)
    • H04L 9/3247 Means for verifying the identity or authority of a user of the system or for message authentication, involving digital signatures (under H04L 9/32)
    • H04L 9/40 Network security protocols
    • H04L 2209/42 Anonymization, e.g. involving pseudonyms (H04L 2209/00: additional information or applications relating to cryptographic mechanisms, H04L 9/00)
    • Y02P 90/02 Total factory control, e.g. smart factories, flexible manufacturing systems [FMS] or integrated manufacturing systems [IMS] (Y02P 90/00: enabling technologies with a potential contribution to greenhouse gas [GHG] emissions mitigation; Y02P: climate change mitigation technologies in the production or processing of goods; Y02: technologies or applications for mitigation or adaptation against climate change)

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Health & Medical Sciences (AREA)
  • Biomedical Technology (AREA)
  • General Health & Medical Sciences (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The invention discloses an anonymous access control method for a digital oil and gas field system platform, in the technical field of secure information communication for such platforms. Each time the mobile engineering server sends a request it generates a fresh timestamp and a fresh random number and derives a different temporary anonymous identity, which prevents replay attacks and provides unlinkability. When the mobile engineering server communicates with the system platform it uses only this anonymous identity; only the trusted center can decrypt it with the system master private key and recover the real identity, which gives conditional access control over a malicious mobile engineering server. A secure and efficient authentication mechanism authenticates the entities of the system platform, secures access to the platform and ensures that communication information is accessed only by authorised parties.

Description

Anonymous access control method based on digital oil-gas field system platform
Technical Field
The invention relates to the technical field of secure information communication for digital oil and gas field system platforms, and in particular to an anonymous access control method based on a digital oil and gas field system platform.
Background
Oil and natural gas play an extremely important role in industrial production and economic development. Through decades of development and exploration, China's oil and gas industry has gradually matured in technology and management and achieved unprecedented results. As technology has advanced, traditional oil and gas extraction and monitoring systems no longer meet requirements, and a digital, intelligent transformation is needed in order to maximise oil and gas output, minimise investment and keep production safe.
The digital oil and gas field industrial control system is mainly responsible for acquiring, transmitting and processing oil and gas production data. Using real-time sensing equipment, industrial control and transmission protocols and enterprise-specific control equipment, it delivers real-time data from exploration and production sites to a control console, so that the state of the environment and of the Internet of Things equipment can be monitored and the production process controlled automatically. By analysing sensor information and applying the corresponding control strategies, the system provides an important guarantee for the safe and stable operation of the oil field, and it plays an indispensable role in the networked, intelligent control and management of oil and gas production.
In oil and gas field industrial control systems availability is treated as the critical property, while security measures are comparatively inadequate. Networks are open and vulnerable, and oil field production is spread over many points, long lines and wide areas, so the Internet of Things terminals used for production monitoring are dispersed across many production environments; data in the system is transmitted in plaintext over open standard protocols, and corresponding authentication and encryption mechanisms are lacking. As a result some terminal equipment is at risk of malicious control and illegal access, and data is easily deleted, modified, intercepted or replayed. A secure and efficient authentication mechanism is therefore needed to authenticate the entities in the system, secure access to the system platform and ensure that communication information is accessed only by authorised parties. To address these problems, this work designs an anonymous access control method based on a digital oil and gas field system platform, which has very important application prospects.
Disclosure of Invention
The invention aims to overcome the defects of the prior art and provides an anonymous access control method based on a digital oil and gas field system platform: a secure and efficient authentication mechanism that realises anonymous access control for the platform.
The aim of the invention is realized by the following technical scheme:
the anonymous access control method based on the digital oil-gas field system platform comprises the following steps:
system initialization phase: the trusted center selects a master private key and keeps it secret, and sets the public parameters: an additive cyclic group on a non-singular elliptic curve, its generator, collision-resistant hash functions and the trusted center's master public key;
registration phase: the trusted center registers the mobile engineering server, the data manager and the digital oil and gas field system platform. The mobile engineering server sends its registration credential to the trusted center; after confirming its identity the trusted center generates a signature private key for it, and the mobile engineering server combines that signature private key with a secret value of its own into its complete private key. The data manager enters the real identity, login password and biometric information into the digital oil and gas field system platform, the platform computes a pseudo password for the data manager, and the registration request is sent to the trusted center over a secure channel. The trusted center issues a public/private key pair to the verified platform, generates an authentication value from the data manager's biometric information with a fuzzy extractor and a hash function, and sends it to the platform;
login phase: the data manager enters the real identity, login password and current biometric information into the platform; the platform runs the fuzzy extractor's recovery algorithm on the current biometric information and verifies the login information; if the verification passes the login succeeds, otherwise it is refused;
anonymous access information generation phase: the mobile engineering server generates a temporary anonymous identity, a blinded value and a digital signature for the sensitive information, and sends the verifiable anonymous access information to the platform;
access control phase: on receiving the verifiable anonymous access information, the platform first checks the freshness of the message with its timestamp, then, within the validity window, recovers the original sensitive information from the blinded value and verifies the digital signature; if it is valid the mobile engineering server is granted legal access; if not, the verifiable anonymous access information is submitted to the trusted center, which recovers the real identity, and the mobile engineering server is denied access;
password update phase: the data manager logs in to the platform with the real identity, the original login password and current biometric information; on a successful login the data manager may change the login password, and the platform recomputes the pseudo password and a new authentication value for the data manager and updates the related parameters.
Further, the system initialization stage includes the following steps:
(1) The trusted center TA selects over the finite field $\mathbb{Z}_p$ a non-singular elliptic curve $E: y^2 = x^3 + ax + b \pmod p$, where the coefficients $a, b \in \mathbb{Z}_p$ satisfy $4a^3 + 27b^2 \not\equiv 0 \pmod p$; TA selects an additive cyclic group $G$ of order $q$ on this curve, with generator $P$;
(2) TA selects a non-zero random number $s \in \mathbb{Z}_q^*$ as the master private key and computes the master public key $P_{pub} = s \cdot P$;
(3) TA sets five collision-resistant hash functions $H_1, H_2, H_3, H_4, H_5$, where $l_1$ is the output length of $H_2$, $l_2$ is the output length of $H_4$, and $\mathbb{Z}_q^*$ denotes the multiplicative cyclic group of order $q-1$;
(4) TA publishes the public parameters $params = \{G, q, P_{pub}, H_1, H_2, H_3, H_4, H_5\}$ and keeps the master private key $s$ secret.
Further, the mobile engineering server sends the registration certificate to the trusted center for registration, the trusted center generates a signature private key for the mobile engineering server after verifying the identity of the mobile engineering server, and the mobile engineering server takes the signature private key and the secret value generated by the mobile engineering server as a complete private key after receiving the signature private key:
(1) The mobile engineering server $E_i$ selects a secret parameter $r_i \in \mathbb{Z}_q^*$, computes the registration credential $R_i = r_i P$, and sends the registration request $\{EID_i, R_i\}$ to the trusted center TA over a secure channel, where $EID_i$ is the real identity of $E_i$; $E_i$ keeps $r_i$ secret;
(2) On receiving the registration request, TA first checks whether $E_i$ is already registered and, if so, rejects the request; otherwise TA selects a non-zero random number $\omega_i \in \mathbb{Z}_q^*$, computes the first group element $W_i = \omega_i P$, computes the signature private key of $E_i$, and sends the result to $E_i$ over the secure channel;
(3) On receipt, $E_i$ checks the verification equation; if it holds, $E_i$ accepts the message, takes the signature private key together with $r_i$ as its complete private key and $\{W_i, R_i\}$ as its complete public key, and stores the access credential parameter $\epsilon_i = H_1(W_i \| R_i \| EID_i)$.
Further, the data manager inputs the true identity, the login password and the biological characteristic information of the data manager to the digital oil-gas field system platform, and the digital oil-gas field system platform calculates a pseudo password for the data manager and sends registration request information to the trusted center through a secure channel; the trusted center issues public and private key pairs for the verified digital oil and gas field system platform, and based on the biological characteristic information of the data manager, the trusted center generates an authentication value by using a fuzzy extraction algorithm and a hash function and sends the authentication value to the digital oil and gas field system platform, and the specific steps are as follows:
(1) The data manager enters the real identity $DM_j$, password $\theta_j$ and biometric information $\chi_j$ into the digital oil and gas field system platform; the platform computes a first pseudo password for the data manager and sends the registration request to the trusted center TA over a secure channel, where $CP_j$ is the real identity of the platform;
(2) On receiving the registration request, TA first checks whether the entity is already registered and rejects the request if so; otherwise TA selects a non-zero random number in $\mathbb{Z}_q^*$ as the private key of the platform $CP_j$ and computes the corresponding public key. From the data manager's biometric information TA generates a first secret value $\iota_j$ and a helper parameter $o_j$ with the fuzzy extractor algorithm Gen, i.e. $(\iota_j, o_j) = \mathrm{Gen}(\chi_j)$, computes the first authentication value $\alpha_j$, and sends the resulting four-tuple to the platform over the secure channel.
Further, the login stage comprises the following steps:
(1) The data manager enters the real identity, login password and current biometric information into the digital oil and gas field system platform to log in;
(2) The platform computes a second pseudo password, recovers a second secret value from the current biometric information and the stored helper parameter with the fuzzy extractor recovery algorithm Rep, computes a second authentication value from the data manager's real identity, and compares it with the first authentication value $\alpha_j$ stored on the platform; if the two are equal the login succeeds, otherwise it is refused.
Further, the anonymous access information generation stage includes the following steps:
(1) The mobile engineering server $E_i$ takes the current timestamp $T_1$ and computes a temporary anonymous identity $PID_i$;
(2) For the sensitive access information $m_i$ to be sent, $E_i$ selects a non-zero random number $b_i \in \mathbb{Z}_q^*$, computes the second group element $B_i = b_i P$, computes the blinded value of $m_i$ and generates the digital signature $\sigma_i$, and sends the verifiable anonymous access information $A_i = \{PID_i, \ldots, B_i, T_1\}$ to the digital oil and gas field system platform.
Further, the access control stage includes the following steps:
(1) After receiving the verifiable anonymous access information $A_i = \{PID_i, \ldots, B_i, T_1\}$, the platform takes the current timestamp $T_1'$ and checks $|T_1 - T_1'| < \Delta T$, where $\Delta T$ is the maximum permitted time difference; if the check fails the message is discarded as invalid, otherwise processing continues;
(2) The platform recovers the original sensitive access information $m_i$ from the blinded value and checks whether the verification equation $\sigma_i \cdot P = (W_i + \epsilon_i P_{pub} + R_i)\, H_5(T_1 \| PID_i \| m_i) + B_i$ holds. If it does, the platform accepts $m_i$ and grants the mobile engineering server $E_i$ legal data access; if not, the platform extracts the anonymous identity $PID_i$ from $A_i$ and submits it to the trusted center TA, which recovers the real identity $EID_i$ of the unauthorised mobile engineering server $E_i$.
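The registration, anonymous access information generation and access control steps above, worked through end to end as an added Python example (this is not code from the patent or its authors). The page fixes only the verification equation $\sigma_i P = (W_i + \epsilon_i P_{pub} + R_i) H_5(T_1 \| PID_i \| m_i) + B_i$, so the block assumes the remaining formulas: the signature private key is $d_i = \omega_i + s\,\epsilon_i$ (the value that makes the equation hold when the complete private key is $d_i + r_i$), $PID_i$ is $EID_i$ masked with $H_2(b_i P_{pub} \| T_1)$ so that only the holder of $s$ can unmask it, and the blinded value is $m_i$ masked with $H_4(b_i Y_j \| T_1)$ where $(x_j, Y_j = x_j P)$ is the platform key pair. secp256k1 stands in for the unspecified curve, SHA-256 for $H_1..H_5$, and the identities and message are constructed sample values.

```python
import hashlib
import secrets

# secp256k1 stands in for the patent's unspecified curve: p is the field prime,
# q the group order, P the generator; the page's G is the order-q group <P>.
p = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
q = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
P = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(A, B):
    # Affine point addition on y^2 = x^3 + 7 (a = 0); None is the point at infinity.
    if A is None:
        return B
    if B is None:
        return A
    if A[0] == B[0] and (A[1] + B[1]) % p == 0:
        return None
    if A == B:
        lam = 3 * A[0] * A[0] * pow(2 * A[1], -1, p) % p
    else:
        lam = (B[1] - A[1]) * pow(B[0] - A[0], -1, p) % p
    x = (lam * lam - A[0] - B[0]) % p
    return (x, (lam * (A[0] - x) - A[1]) % p)

def mul(k, A):
    # Double-and-add scalar multiplication k*A.
    R = None
    while k:
        if k & 1:
            R = add(R, A)
        A, k = add(A, A), k >> 1
    return R

def H(tag, *parts):
    # Domain-tagged SHA-256 stands in for H_1..H_5; points and scalars are fixed-width encoded.
    h = hashlib.sha256(tag)
    for x in parts:
        if isinstance(x, tuple):
            x = x[0].to_bytes(32, "big") + x[1].to_bytes(32, "big")
        elif isinstance(x, int):
            x = x.to_bytes(32, "big")
        h.update(len(x).to_bytes(2, "big") + x)
    return h.digest()

def H_zq(tag, *parts):
    return int.from_bytes(H(tag, *parts), "big") % (q - 1) + 1   # hash into Z_q^*

def xor(data, mask):
    return bytes(a ^ b for a, b in zip(data, mask))              # data is at most 32 bytes

def rand_zq():
    return secrets.randbelow(q - 1) + 1

def setup():
    # System initialisation: master private key s, master public key P_pub = s*P.
    s = rand_zq()
    return s, mul(s, P)

def register_server(EID, s, P_pub):
    # Registration of E_i, both sides shown together (secure channel assumed).
    r, w = rand_zq(), rand_zq()
    R, W = mul(r, P), mul(w, P)                        # R_i = r_i P (E_i), W_i = omega_i P (TA)
    eps = H_zq(b"H1", W, R, EID)                       # epsilon_i = H_1(W_i || R_i || EID_i)
    d = (w + s * eps) % q                              # ASSUMED signature private key d_i
    if mul(d, P) != add(W, mul(eps, P_pub)):           # E_i's check: d_i P == W_i + eps_i P_pub
        raise ValueError("signature private key does not verify")
    return {"EID": EID, "r": r, "d": d, "W": W, "R": R, "eps": eps}

def anon_access(srv, m, Y_cp, P_pub, T1):
    # Anonymous access information A_i for sensitive message m_i at timestamp T_1.
    b = rand_zq()
    B = mul(b, P)                                      # fresh b_i, B_i per request
    PID = xor(srv["EID"], H(b"H2", mul(b, P_pub), T1)) # ASSUMED mask: only s recovers EID_i
    c = xor(m, H(b"H4", mul(b, Y_cp), T1))             # ASSUMED blinding: only x_j recovers m_i
    h = H_zq(b"H5", T1, PID, m)
    sigma = ((srv["d"] + srv["r"]) * h + b) % q        # complete private key is d_i + r_i
    return {"PID": PID, "c": c, "sigma": sigma, "B": B, "T1": T1,
            "pub": (srv["W"], srv["R"], srv["eps"])}   # ASSUMED: W_i, R_i, eps_i travel with A_i

def access_control(A, x_cp, P_pub, now, delta=30):
    # Platform side: freshness check, unblinding, signature check; returns m_i or None.
    if abs(now - A["T1"]) >= delta:                    # |T_1 - T_1'| < delta_T
        return None
    m = xor(A["c"], H(b"H4", mul(x_cp, A["B"]), A["T1"]))
    W, R, eps = A["pub"]
    h = H_zq(b"H5", A["T1"], A["PID"], m)
    rhs = add(mul(h, add(add(W, mul(eps, P_pub)), R)), A["B"])
    return m if mul(A["sigma"], P) == rhs else None    # sigma P == (W + eps P_pub + R) h + B

def ta_recover(A, s):
    # Trusted center lifts the anonymity: s*B_i == b_i*P_pub, so the mask is recomputable.
    return xor(A["PID"], H(b"H2", mul(s, A["B"]), A["T1"]))

def demo():
    s, P_pub = setup()
    x_cp = rand_zq()
    Y_cp = mul(x_cp, P)                                # platform CP_j key pair issued by TA
    srv = register_server(b"EID-mobile-server-07", s, P_pub)   # constructed identity
    T1, m = 1_700_000_000, b"read:well-pressure/block-12"      # constructed request
    A = anon_access(srv, m, Y_cp, P_pub, T1)
    A2 = anon_access(srv, m, Y_cp, P_pub, T1)         # same message again: new PID_i
    accepted = access_control(A, x_cp, P_pub, now=T1 + 3)
    replayed = access_control(A, x_cp, P_pub, now=T1 + 60)     # outside delta_T
    tampered = dict(A, c=bytes([A["c"][0] ^ 1]) + A["c"][1:])  # one bit of c_i flipped
    forged = access_control(tampered, x_cp, P_pub, now=T1 + 3)
    return accepted, replayed, forged, A["PID"] != A2["PID"], ta_recover(A, s)
```

One point the verification equation makes visible: the platform needs $E_i$'s long-term values $W_i$, $R_i$ and $\epsilon_i$ to check $\sigma_i$, and this example simply carries them inside $A_i$ (an assumption). However those values reach the verifier, anything constant across requests is seen by it on every request, so the unlinkability that the fresh $PID_i$ provides depends on how those long-term values are delivered, which the page does not specify.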
Further, the password updating stage comprises the following steps:
(1) To change the password $\theta_j$, the data manager first logs in to the digital platform with the existing credentials; if the login succeeds, the platform allows the data manager to change the password;
(2) The data manager enters the real identity, biometric information and the new password into the platform; the platform computes the new pseudo password, recovers the first secret value $\iota_j = \mathrm{Rep}(\chi_j, o_j)$ from the biometric information $\chi_j$ with the fuzzy extractor recovery algorithm Rep, then computes a third authentication value and updates its stored parameters.
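The data manager's registration, login and password update steps above, worked through as an added Python example (not the patent's own code). The page names the primitives but not their formulas, so the block assumes a code-offset fuzzy extractor (helper $o_j$ = biometric template XOR a repetition-coded random key, $\iota_j$ = hash of that key), a pseudo password $PW_j = H(\theta_j \| salt_j)$ with a random salt that stays on the platform, and an authentication value $\alpha_j = H(DM_j \| PW_j \| \iota_j)$. The 144-bit "biometric" is a constructed bit vector, not a real template, and the TA and platform roles are collapsed into one process.

```python
import hashlib
import hmac
import secrets

KEY_BITS = 48            # bits of extracted secret (constructed toy size)
REP = 3                  # rate-1/3 repetition code: tolerates one flipped bit per 3-bit block
TEMPLATE_BITS = KEY_BITS * REP

def H(*parts):
    # SHA-256 over length-prefixed parts stands in for the page's hash functions.
    h = hashlib.sha256()
    for x in parts:
        h.update(len(x).to_bytes(2, "big") + x)
    return h.digest()

def gen(chi):
    # Fuzzy extractor Gen (code-offset sketch): random key k, public helper
    # o = chi XOR C(k); the extracted secret is iota = H(k).
    k = [secrets.randbelow(2) for _ in range(KEY_BITS)]
    code = [bit for bit in k for _ in range(REP)]
    omicron = [c ^ e for c, e in zip(chi, code)]
    return H(bytes(k)), omicron

def rep(chi_prime, omicron):
    # Fuzzy extractor Rep: chi' XOR o = C(k) XOR noise; a majority vote per block
    # recovers k exactly when no block carries more than one flipped bit.
    noisy = [c ^ o for c, o in zip(chi_prime, omicron)]
    k = [int(sum(noisy[i:i + REP]) * 2 > REP) for i in range(0, len(noisy), REP)]
    return H(bytes(k))

def pseudo_password(theta, salt):
    # ASSUMED pseudo password: the platform keeps the salt, so a privileged insider
    # who only holds PW_j cannot brute-force theta_j offline.
    return H(b"PW", theta, salt)

def register(DM, theta, chi):
    salt = secrets.token_bytes(16)
    iota, omicron = gen(chi)                                 # Gen run by TA on the page
    alpha = H(b"AUTH", DM, pseudo_password(theta, salt), iota)   # first authentication value
    return {"DM": DM, "salt": salt, "omicron": omicron, "alpha": alpha}  # stored on platform

def login(rec, DM, theta, chi_prime):
    # Recompute alpha from the entered identity, password and recovered iota; constant-time compare.
    iota = rep(chi_prime, rec["omicron"])
    alpha = H(b"AUTH", DM, pseudo_password(theta, rec["salt"]), iota)
    return hmac.compare_digest(alpha, rec["alpha"])

def update_password(rec, DM, theta_old, theta_new, chi):
    if not login(rec, DM, theta_old, chi):
        return False
    iota = rep(chi, rec["omicron"])                          # iota_j = Rep(chi_j, o_j)
    rec["alpha"] = H(b"AUTH", DM, pseudo_password(theta_new, rec["salt"]), iota)
    return True

def flip(bits, positions):
    out = list(bits)
    for i in positions:
        out[i] ^= 1
    return out

def demo():
    chi = [secrets.randbelow(2) for _ in range(TEMPLATE_BITS)]   # constructed enrolment template
    rec = register(b"DM_1", b"correct horse", chi)
    noisy = flip(chi, [0, 3, 7, 100])        # one error in each of four different blocks
    too_noisy = flip(chi, [0, 1])            # two errors in the same block: Rep fails
    return (login(rec, b"DM_1", b"correct horse", noisy),
            login(rec, b"DM_1", b"wrong", chi),
            login(rec, b"DM_1", b"correct horse", too_noisy),
            update_password(rec, b"DM_1", b"correct horse", b"new pw", noisy),
            login(rec, b"DM_1", b"new pw", chi),
            login(rec, b"DM_1", b"correct horse", chi))
```

The repetition code makes the error tolerance explicit: any reading that differs from the enrolment template in at most one bit per block recovers the same $\iota_j$, and the same authentication value, while a block with two flipped bits changes $\iota_j$ and the login fails exactly as a wrong password does. A real deployment would use a stronger error-correcting code sized to the biometric's noise rate, but the Gen/Rep structure and the way $\alpha_j$ binds identity, pseudo password and biometric secret are unchanged.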
The beneficial effects of the invention are as follows:
1) During registration the data manager's pseudo password, not the login password, is sent to the trusted center, so even a privileged user of the trusted center who obtains the pseudo password cannot recover the real login password; this resists privileged insider attacks.
2) Each request from the mobile engineering server carries a fresh timestamp and a fresh random number and therefore a different temporary anonymous identity, which prevents replay attacks and provides unlinkability. The mobile engineering server's complete private key consists of its signature private key and its own secret parameter, so an adversary who does not know that private key cannot forge the digital signature on a message in transit; this resists man-in-the-middle attacks.
3) The complete private key of the mobile engineering server has two parts, a secret value generated by the mobile engineering server itself and a signature private key computed by the trusted center, which avoids the key escrow problem. Even if the trusted center colludes with a malicious mobile engineering server, the digital signature used in access control cannot be forged and the malicious mobile engineering server cannot gain access.
4) When the mobile engineering server communicates with the system platform it uses an anonymous identity, and only the trusted center can decrypt that identity with the system master private key to recover the real identity, which provides conditional access control over a malicious mobile engineering server.
Detailed Description
The technical solutions of the present invention will be clearly and completely described below with reference to the embodiments, and it is apparent that the described embodiments are only some embodiments of the present invention, but not all embodiments. All other embodiments, which can be made by a person skilled in the art without any inventive effort, are intended to be within the scope of the present invention, based on the embodiments of the present invention.
The invention provides a technical scheme that:
the anonymous access control method based on the digital oil-gas field system platform comprises the following steps:
system initialization phase: the trusted center selects a master private key and keeps it secret, and sets the public parameters: an additive cyclic group on a non-singular elliptic curve, its generator, collision-resistant hash functions and the trusted center's master public key;
in this embodiment, the system initialization stage includes the following steps:
(1) The trusted center TA selects over the finite field $\mathbb{Z}_p$ a non-singular elliptic curve $E: y^2 = x^3 + ax + b \pmod p$, where the coefficients $a, b \in \mathbb{Z}_p$ satisfy $4a^3 + 27b^2 \not\equiv 0 \pmod p$; TA selects an additive cyclic group $G$ of order $q$ on this curve, with generator $P$;
(2) TA selects a non-zero random number $s \in \mathbb{Z}_q^*$ as the master private key and computes the master public key $P_{pub} = s \cdot P$;
(3) TA sets five collision-resistant hash functions $H_1, H_2, H_3, H_4, H_5$, where $l_1$ is the output length of $H_2$, $l_2$ is the output length of $H_4$, and $\mathbb{Z}_q^*$ denotes the multiplicative cyclic group of order $q-1$;
(4) TA publishes the public parameters $params = \{G, q, P_{pub}, H_1, H_2, H_3, H_4, H_5\}$ and keeps the master private key $s$ secret.
Registration: the trusted center registers a mobile engineering service end, a data manager and a digital oil and gas field system platform in the digital oil and gas field system; specifically, the mobile engineering server sends the registration certificate of the mobile engineering server to a trusted center for registration, the trusted center generates a signature private key for the mobile engineering server after confirming the identity of the mobile engineering server, and the mobile engineering server takes the signature private key and a secret value generated by the mobile engineering server as a complete private key after receiving the signature private key; the data manager inputs the true identity, the login password and the biological characteristic information of the data manager to the digital oil-gas field system platform, the digital oil-gas field system platform calculates a pseudo password for the data manager, and the data manager sends registration request information to a trusted center through a secure channel; the trusted center issues public and private key pairs for the verified digital oil and gas field system platform, and based on the biological characteristic information of the data manager, the trusted center generates an authentication value by using a fuzzy extraction algorithm and a hash function and sends the authentication value to the digital oil and gas field system platform;
in this embodiment, the mobile engineering server sends the registration credential to the trusted center for registration, and after the trusted center verifies the identity of the mobile engineering server, a signature private key is generated for the mobile engineering server, and after the mobile engineering server receives the signature private key, the specific steps of using the signature private key and the secret value generated by the mobile engineering server as a complete private key are as follows:
(1) The mobile engineering server $E_i$ selects a secret parameter $r_i \in \mathbb{Z}_q^*$, computes the registration credential $R_i = r_i P$, and sends the registration request $\{EID_i, R_i\}$ to the trusted center TA over a secure channel, where $EID_i$ is the real identity of $E_i$; $E_i$ keeps $r_i$ secret;
(2) On receiving the registration request, TA first checks whether $E_i$ is already registered and, if so, rejects the request; otherwise TA selects a non-zero random number $\omega_i \in \mathbb{Z}_q^*$, computes the first group element $W_i = \omega_i P$, computes the signature private key of $E_i$, and sends the result to $E_i$ over the secure channel;
(3) On receipt, $E_i$ checks the verification equation; if it holds, $E_i$ accepts the message, takes the signature private key together with $r_i$ as its complete private key and $\{W_i, R_i\}$ as its complete public key, and stores the access credential parameter $\epsilon_i = H_1(W_i \| R_i \| EID_i)$.
The correctness of the verification equation in step (3) is derived as follows:
the complete private key of the mobile engineering server consists of two parts, wherein one part is a secret value generated by the mobile engineering server and the other part is a signature private key calculated by a trusted center, so that the problem of key escrow is effectively avoided. Thus, even if the trusted center and the malicious mobile engineering server are colluded, the digital signature in the access control cannot be forged, and the malicious mobile engineering server cannot effectively access.
In this embodiment, the data manager enters their real identity, login password and biometric information into the digital oil-gas field system platform; the platform computes a pseudo-password for the data manager and sends registration request information to the trusted center through a secure channel. The trusted center issues a public/private key pair to the verified digital oil-gas field system platform and, based on the data manager's biometric information, generates an authentication value using a fuzzy extractor algorithm and a hash function and sends it to the platform. The specific steps are as follows:
(1) The data manager enters the real identity $DM_j$, the password $\theta_j$ and the biometric information $\chi_j$ into the digital oil-gas field system platform; the platform computes a first pseudo-password for the data manager and sends the registration request to the trusted center TA over the secure channel, where $CP_j$ is the real identity of the digital oil-gas field system platform;
(2) On receiving the registration request, the trusted center TA first checks whether the corresponding entity has already registered and rejects the request if so; otherwise TA selects a non-zero random number in the finite field $Z_q$ as the private key of the digital oil-gas field system platform $CP_j$ and computes the platform's public key. Based on the data manager's biometric information, TA runs the fuzzy extractor generation algorithm Gen to obtain the first secret value $\iota_j$ and the auxiliary parameter $o_j$, i.e. $(\iota_j, o_j) = \mathrm{Gen}(\chi_j)$, computes the first authentication value $\alpha_j$, and sends the resulting four-tuple to the digital oil-gas field system platform over the secure channel.
During registration the data manager's pseudo-password, not the password itself, is sent to the trusted center TA, so even a privileged user of the trusted center who obtains the pseudo-password cannot recover the real login password; this prevents privileged-insider attacks.
A login stage: the data manager inputs correct identity information to the digital oil-gas field system platform, and the login password and the current biological characteristic information are legally logged in; the digital oil-gas field system platform performs verification of login information by using a recovery algorithm based on a fuzzy extractor based on the current biological characteristic information; if the verification is correct, the login is successful, otherwise, the login is refused;
in this embodiment, the login stage includes the following steps:
(1) The data manager enters the real identity, the login password and the current biometric information into the digital oil-gas field system platform to log in;
(2) The digital oil-gas field system platform computes a second pseudo-password, computes a second secret value from the current biometric information using the fuzzy extractor's recovery algorithm Rep, and computes a second authentication value from the data manager's real identity; it then compares the second authentication value with the first authentication value $\alpha_j$ stored on the platform. If the two are equal, the login succeeds; otherwise it is refused.
Anonymous access information generation phase: the mobile engineering server generates a temporary accessed anonymous identity, generates a blinding value and a digital signature aiming at sensitive information, and sends verifiable anonymous access information to the digital oil-gas field system platform;
in this embodiment, the anonymous access information generation stage includes the following steps:
(1) The mobile engineering server $E_i$ selects the current timestamp $T_1$ and computes a temporary anonymous identity $PID_i$;
(2) For the sensitive access information $m_i$ to be sent, $E_i$ selects a non-zero random number $b_i$ in the finite field $Z_q$, computes the second group element $B_i = b_i \cdot P$, computes the blinded value of $m_i$, and generates the digital signature $\sigma_i$; $E_i$ then sends the verifiable anonymous access information $A_i = \{PID_i, \ldots, B_i, T_1\}$, which carries the blinded value and $\sigma_i$ among its components, to the digital oil-gas field system platform.
Each time the mobile engineering server sends a request it generates a fresh timestamp and a fresh random number, so a different temporary anonymous identity is produced; this prevents replay attacks and provides unlinkability. The sensitive access information is blinded with the fresh timestamp and random number, which protects the private data. Because the mobile engineering server uses the signature private key and the secret parameter together as its complete private key, an adversary can forge the digital signature of a message only if it knows the corresponding private key, which resists man-in-the-middle attacks.
Access control phase: after receiving the verifiable anonymous access information, the digital oil-gas field system platform firstly judges the validity of the current message by using a timestamp, then restores the original sensitive information to the blinded value in the effective time, and verifies the validity of the digital signature; if so, allowing the legal access of the mobile engineering server; if not, submitting the verifiable anonymous access information to a trusted center, recovering the true identity, and rejecting the mobile engineering server to access;
in this embodiment, the access control stage includes the following steps:
(1) After receiving the verifiable anonymous access information $A_i = \{PID_i, \ldots, B_i, T_1\}$, the digital oil-gas field system platform obtains the current timestamp $T_1'$ and checks the freshness of the message by $|T_1' - T_1| < \Delta T$, where $\Delta T$ is the upper bound on the permitted time difference; if the check fails the message is discarded, otherwise the next step is performed;
(2) The digital oil-gas field system platform recovers the original sensitive access information $m_i$ from the blinded value and checks whether the verification equation $\sigma_i \cdot P = (W_i + \varepsilon_i P_{pub} + R_i) \cdot H_5(T_1 \| PID_i \| m_i) + B_i$ holds; if it holds, the platform accepts the message $m_i$ and allows the mobile engineering server $E_i$ to perform legal data access. If it does not hold, the platform extracts the anonymous identity $PID_i$ from $A_i = \{PID_i, \ldots, B_i, T_1\}$ and submits it to the trusted center TA, which recovers the real identity $EID_i$ of the unauthorized mobile engineering server $E_i$.
After receiving the verifiable anonymous access information $A_i = \{PID_i, \ldots, B_i, T_1\}$ from the mobile engineering server, the digital oil-gas field system platform can verify its validity; the correctness of the verification equation is derived as follows:
When the mobile engineering server communicates with the system platform it uses only its anonymous identity; only the trusted center, using the system master private key, can decrypt the anonymous identity and recover the real identity, which provides conditional access control over a malicious mobile engineering server.
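The following is an added worked example (not code from the patent) of the key issuance, signing and access-control verification described above, written in Python on the secp256k1 curve. The patent only says "a non-singular elliptic curve", so the curve choice, the identity strings, the timestamp and the message are constructed here. The extracted text does not reproduce the TA's formula for the signature private key; the example assumes $d_i = \omega_i + \varepsilon_i s \pmod q$, which is the form the surviving verification equation implies, since then $\sigma_i P = ((d_i + r_i)h + b_i)P = h(W_i + \varepsilon_i P_{pub} + R_i) + B_i$ with $h = H_5(T_1 \| PID_i \| m_i)$. The blinding of $m_i$ and the formula for $PID_i$ are likewise absent from the text and are left out: $m_i$ is handled in the clear and $PID_i$ is a constructed label. $H_1$ and $H_5$ are both modelled as SHA-256 reduced into $Z_q^*$.

```python
"""Added example: certificateless-style key issuance and the patent's signature check
    sigma_i * P = (W_i + eps_i * P_pub + R_i) * H5(T1 || PID_i || m_i) + B_i
ASSUMPTION: the TA's signature private key is d_i = omega_i + eps_i * s (mod q)."""
import hashlib
import secrets

# secp256k1 domain parameters (assumed curve; the patent names none)
p = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
q = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141   # group order
P = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)  # generator
INF = None  # point at infinity

def ec_add(A, B):
    """Affine point addition on y^2 = x^3 + 7 over Z_p (handles INF and doubling)."""
    if A is INF: return B
    if B is INF: return A
    x1, y1 = A; x2, y2 = B
    if x1 == x2 and (y1 + y2) % p == 0:
        return INF
    if A == B:
        lam = (3 * x1 * x1) * pow(2 * y1, -1, p) % p
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)

def ec_mul(k, A):
    """Double-and-add scalar multiplication k*A with k reduced mod q."""
    R = INF
    k %= q
    while k:
        if k & 1: R = ec_add(R, A)
        A = ec_add(A, A)
        k >>= 1
    return R

def H(*parts):
    """Hash of the concatenation into Z_q^*; stands in for both H_1 and H_5."""
    digest = hashlib.sha256(b"||".join(str(x).encode() for x in parts)).digest()
    return int.from_bytes(digest, "big") % (q - 1) + 1

def ta_setup():
    """System initialization: master private key s and master public key P_pub = s*P."""
    s = secrets.randbelow(q - 1) + 1
    return s, ec_mul(s, P)

def server_register():
    """Registration step (1): secret r_i and registration credential R_i = r_i*P."""
    r = secrets.randbelow(q - 1) + 1
    return r, ec_mul(r, P)

def ta_issue(s, P_pub, eid, R):
    """Registration step (2): W_i = omega_i*P, eps_i = H1(W_i||R_i||EID_i), d_i (assumed form)."""
    w = secrets.randbelow(q - 1) + 1
    W = ec_mul(w, P)
    eps = H(W, R, eid)
    d = (w + eps * s) % q          # ASSUMED: d_i = omega_i + eps_i * s mod q
    return d, W

def server_check_key(d, W, R, eid, P_pub):
    """Registration step (3): E_i checks d_i*P == W_i + eps_i*P_pub before accepting d_i."""
    eps = H(W, R, eid)
    return ec_mul(d, P) == ec_add(W, ec_mul(eps, P_pub))

def sign(d, r, pid, m, t1):
    """Anonymous access information: sigma_i = (d_i + r_i)*H5(T1||PID_i||m_i) + b_i mod q."""
    b = secrets.randbelow(q - 1) + 1
    B = ec_mul(b, P)
    sigma = ((d + r) * H(t1, pid, m) + b) % q
    return sigma, B

def verify(W, R, eps, P_pub, pid, m, t1, sigma, B, now, delta):
    """Access control: timestamp window |T1' - T1| < delta_T, then the verification equation."""
    if abs(now - t1) >= delta:
        return False                                   # stale or future-dated message
    h = H(t1, pid, m)
    pub_sum = ec_add(ec_add(W, ec_mul(eps, P_pub)), R)  # W_i + eps_i*P_pub + R_i
    return ec_mul(sigma, P) == ec_add(ec_mul(h, pub_sum), B)

def demo(tamper=False, clock_skew=2, delta=10):
    """End-to-end run with constructed identity and message; returns the platform's decision."""
    s, P_pub = ta_setup()
    eid = "EID-mobile-server-01"                       # constructed identity
    r, R = server_register()
    d, W = ta_issue(s, P_pub, eid, R)
    if not server_check_key(d, W, R, eid, P_pub):
        raise RuntimeError("TA-issued key failed its check")
    eps = H(W, R, eid)                                 # eps_i, kept by E_i and known to the platform
    pid, m, t1 = "PID-constructed", "read pressure log of well 07", 1_700_000_000
    sigma, B = sign(d, r, pid, m, t1)
    if tamper:
        m = m + " and export"                          # in-flight modification of the message
    return verify(W, R, eps, P_pub, pid, m, t1, sigma, B, now=t1 + clock_skew, delta=delta)
```

`demo()` runs setup, registration with the key check, signing and verification in sequence and returns the platform's decision; it returns `False` when the message was altered or the timestamp falls outside the window, which is the branch on which the platform would hand $PID_i$ to the trusted center for de-anonymisation.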
Password updating stage: the data manager inputs correct identity information to the digital oil-gas field system platform, and the original login password and the current biological characteristic information are legally logged in; if the login is successful, the data manager can change the login password of the data manager, and the digital oil-gas field system platform recalculates the pseudo password and the new authentication value for the data manager and updates the related parameters.
In this embodiment, the password updating stage includes the following steps:
(1) If the data manager wants to change the password $\theta_j$, they first log in to the digital oil-gas field system platform with their original information; if the login succeeds, the platform allows the data manager to change the password;
(2) The data manager enters the real identity and biometric information $\{DM_j, \chi_j\}$ and the new password into the digital oil-gas field system platform; the platform computes the new pseudo-password, recovers the first secret value $\iota_j$ from the biometric information $\chi_j$ with the fuzzy extractor's recovery algorithm Rep, i.e. $\iota_j = \mathrm{Rep}(\chi_j, o_j)$, then computes the third authentication value and updates its stored parameters.
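The registration, login and password-update stages above share one pipeline (pseudo-password, fuzzy extractor Gen/Rep, authentication value), so the following single added example (not code from the patent) implements all three in Python around a toy fuzzy extractor. Assumptions the text does not specify: the pseudo-password is computed as $H(DM_j \| \theta_j)$; the authentication value is $\alpha_j = H(DM_j \| \text{pseudo-password} \| \iota_j)$; Gen/Rep are a code-offset construction over a repetition code, which tolerates up to three bit flips per seven-bit block of the constructed biometric template; the trusted center's role of running Gen and computing $\alpha_j$ is folded into the platform object; identities, passwords and templates are constructed values.

```python
"""Added example: biometric-assisted registration, login and password update with a
toy fuzzy extractor. ASSUMED: pseudo-password = H(DM||theta), alpha = H(DM||pseudo||iota),
Gen/Rep = code-offset over a 7-fold repetition code."""
import hashlib
import random
import secrets

BLOCK = 7       # each key bit is repeated BLOCK times; majority decoding tolerates 3 flips per block
KEY_BITS = 12   # constructed templates are KEY_BITS * BLOCK = 84 bits long

def _h(*parts):
    """Collision-resistant hash of the concatenation, playing the role of the patent's H_i."""
    return hashlib.sha256(b"||".join(str(x).encode() for x in parts)).hexdigest()

def fe_gen(chi):
    """Gen(chi) -> (iota, o): a random codeword is masked by the template; the helper o
    alone does not reveal the codeword when the template is unpredictable."""
    msg = [secrets.randbits(1) for _ in range(KEY_BITS)]
    codeword = [bit for bit in msg for _ in range(BLOCK)]
    helper = [a ^ b for a, b in zip(chi, codeword)]
    return _h(*msg), helper

def fe_rep(chi_prime, helper):
    """Rep(chi', o) -> iota: unmask with the noisy template, then majority-decode each block."""
    noisy = [a ^ b for a, b in zip(chi_prime, helper)]
    msg = [int(sum(noisy[i:i + BLOCK]) * 2 > BLOCK) for i in range(0, len(noisy), BLOCK)]
    return _h(*msg)

class Platform:
    """Digital oil-gas field system platform; stores only (alpha_j, o_j) per data manager."""
    def __init__(self):
        self.records = {}

    def register(self, dm, theta, chi):
        pseudo_pw = _h(dm, theta)          # ASSUMED pseudo-password; theta itself is never stored
        iota, helper = fe_gen(chi)         # on the page this step runs at the trusted center
        self.records[dm] = (_h(dm, pseudo_pw, iota), helper)   # ASSUMED alpha_j composition

    def login(self, dm, theta, chi_prime):
        if dm not in self.records:
            return False
        alpha, helper = self.records[dm]
        iota = fe_rep(chi_prime, helper)   # second secret value from the current biometric
        return secrets.compare_digest(alpha, _h(dm, _h(dm, theta), iota))

    def change_password(self, dm, theta_old, chi, theta_new):
        if not self.login(dm, theta_old, chi):     # re-login with the original information first
            return False
        _, helper = self.records[dm]
        iota = fe_rep(chi, helper)                 # iota_j = Rep(chi_j, o_j)
        self.records[dm] = (_h(dm, _h(dm, theta_new), iota), helper)   # third authentication value
        return True

def constructed_template(seed):
    """Constructed stand-in for a biometric template: a seeded pseudo-random bit vector."""
    rng = random.Random(seed)
    return [rng.randint(0, 1) for _ in range(KEY_BITS * BLOCK)]

def flip(bits, positions):
    """Simulate sensor noise by flipping the given bit positions."""
    out = list(bits)
    for i in positions:
        out[i] ^= 1
    return out

def demo():
    """Runs registration, noisy and failing logins, and a password change; returns the outcomes."""
    plat = Platform()
    chi = constructed_template(seed=7)
    plat.register("DM_1", "correct-horse", chi)
    return {
        "noisy_ok": plat.login("DM_1", "correct-horse", flip(chi, [0, 7, 14])),   # one flip per block
        "wrong_pw": plat.login("DM_1", "wrong", chi),
        "too_noisy": plat.login("DM_1", "correct-horse", flip(chi, [0, 1, 2, 3])),  # 4 flips in block 0
        "changed": plat.change_password("DM_1", "correct-horse", chi, "new-pass"),
        "old_after": plat.login("DM_1", "correct-horse", chi),
        "new_after": plat.login("DM_1", "new-pass", flip(chi, [21])),
    }
```

`demo()` returns a dictionary of outcomes; the `too_noisy` case is the edge case the Rep step has to reject, and `change_password` shows the re-login the page requires before the new authentication value replaces the old one.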
With the anonymous access control method based on the digital oil-gas field system platform, identity authentication among the entities of the platform is achieved through a secure and efficient authentication mechanism, secure access to the system platform is guaranteed, and only authorized access to communication information is permitted.
The foregoing is merely a preferred embodiment of the invention, and it is to be understood that the invention is not limited to the form disclosed herein but is not to be construed as excluding other embodiments, but is capable of numerous other combinations, modifications and environments and is capable of modifications within the scope of the inventive concept, either as taught or as a matter of routine skill or knowledge in the relevant art. And that modifications and variations which do not depart from the spirit and scope of the invention are intended to be within the scope of the appended claims.

Claims (8)

1. An anonymous access control method based on a digital oil-gas field system platform, characterized by comprising the following stages:
system initialization phase: the trusted center selects a main private key and stores the main private key in a secret way, and the trusted center sets public parameters, including setting an addition circulation group based on a nonsingular elliptic curve, a generating element, an anti-collision hash function and a main public key of the trusted center;
registration: the trusted center registers a mobile engineering service end, a data manager and a digital oil and gas field system platform in the digital oil and gas field system; specifically, the mobile engineering server sends the registration certificate of the mobile engineering server to a trusted center for registration, the trusted center generates a signature private key for the mobile engineering server after confirming the identity of the mobile engineering server, and the mobile engineering server takes the signature private key and a secret value generated by the mobile engineering server as a complete private key after receiving the signature private key; the data manager inputs the true identity, the login password and the biological characteristic information of the data manager to the digital oil-gas field system platform, the digital oil-gas field system platform calculates a pseudo password for the data manager, and the data manager sends registration request information to a trusted center through a secure channel; the trusted center issues public and private key pairs for the verified digital oil and gas field system platform, and based on the biological characteristic information of the data manager, the trusted center generates an authentication value by using a fuzzy extraction algorithm and a hash function and sends the authentication value to the digital oil and gas field system platform;
a login stage: the data manager inputs correct identity information to the digital oil-gas field system platform, and the login password and the current biological characteristic information are legally logged in; the digital oil-gas field system platform performs verification of login information by using a recovery algorithm based on a fuzzy extractor based on the current biological characteristic information; if the verification is correct, the login is successful, otherwise, the login is refused;
anonymous access information generation phase: the mobile engineering server generates a temporary accessed anonymous identity, generates a blinding value and a digital signature aiming at sensitive information, and sends verifiable anonymous access information to the digital oil-gas field system platform;
access control phase: after receiving the verifiable anonymous access information, the digital oil-gas field system platform firstly judges the validity of the current message by using a timestamp, then restores the original sensitive information to the blinded value in the effective time, and verifies the validity of the digital signature; if so, allowing the legal access of the mobile engineering server; if not, submitting the verifiable anonymous access information to a trusted center, recovering the true identity, and rejecting the mobile engineering server to access;
password updating stage: the data manager inputs correct identity information to the digital oil-gas field system platform, and the original login password and the current biological characteristic information are legally logged in; if the login is successful, the data manager can change the login password of the data manager, and the digital oil-gas field system platform recalculates the pseudo password and the new authentication value for the data manager and updates the related parameters.
2. The anonymous access control method based on the digital oil and gas field system platform as set forth in claim 1, wherein: the system initialization stage comprises the following steps:
(1) The trusted center TA selects a non-singular elliptic curve over the finite field $Z_p$, defined as $y^2 = x^3 + ax + b \pmod p$, where the coefficients $a, b \in Z_p$ satisfy $4a^3 + 27b^2 \not\equiv 0 \pmod p$; TA selects an additive cyclic group $G$ of order $q$ on this curve, with generator $P$;
(2) The trusted center TA selects a non-zero random number $s$ in the finite field $Z_q$ as the master private key and computes the master public key $P_{pub} = s \cdot P$;
(3) The trusted center TA sets five collision-resistant hash functions $H_1$ to $H_5$; here $l_1$ is the output length of the hash function $H_2$, $l_2$ is the output length of the hash function $H_4$, and $Z_q^*$ is the multiplicative cyclic group of order $q-1$;
(4) The trusted center TA publishes the public parameters $params = \{G, q, P_{pub}, H_1, H_2, H_3, H_4, H_5\}$ and keeps the master private key $s$ secret.
3. The anonymous access control method based on the digital oil and gas field system platform as set forth in claim 2, wherein: the mobile engineering server sends the registration certificate to the trusted center for registration, the trusted center generates a signature private key for the mobile engineering server after confirming the identity of the mobile engineering server, and the mobile engineering server receives the signature private key and takes the signature private key and a secret value generated by the mobile engineering server as a complete private key, and the specific steps are as follows:
(1) The mobile engineering server $E_i$ selects a secret parameter $r_i$ in the finite field $Z_q$, computes the registration credential $R_i = r_i \cdot P$, and sends the registration request $\{EID_i, R_i\}$ to the trusted center TA over a secure channel, where $EID_i$ is the identity of the mobile engineering server $E_i$; $E_i$ keeps the secret parameter $r_i$ securely;
(2) On receiving the registration request, the trusted center TA first checks whether $E_i$ has already registered and, if so, rejects the request; otherwise TA selects a non-zero random number $\omega_i$ in the finite field $Z_q$, computes the first group element $W_i = \omega_i \cdot P$, computes the signature private key of the mobile engineering server $E_i$, and sends the signature private key together with $W_i$ to $E_i$ over the secure channel;
(3) After receiving them, $E_i$ verifies whether the check equation for the signature private key holds; if it holds, $E_i$ accepts the message, takes the signature private key together with $r_i$ as its complete private key and $\{W_i, R_i\}$ as its complete public key, and stores the access credential parameter $\varepsilon_i = H_1(W_i \| R_i \| EID_i)$.
4. The anonymous access control method based on the digital oil and gas field system platform as set forth in claim 3, wherein: the data manager inputs the true identity, the login password and the biological characteristic information of the data manager to the digital oil-gas field system platform, the digital oil-gas field system platform calculates a pseudo password for the data manager, and the data manager sends registration request information to the trusted center through a secure channel; the trusted center issues public and private key pairs for the verified digital oil and gas field system platform, and based on the biological characteristic information of the data manager, the trusted center generates an authentication value by using a fuzzy extraction algorithm and a hash function and sends the authentication value to the digital oil and gas field system platform, and the specific steps are as follows:
(1) The data manager enters the real identity $DM_j$, the password $\theta_j$ and the biometric information $\chi_j$ into the digital oil-gas field system platform; the platform computes a first pseudo-password for the data manager and sends the registration request to the trusted center TA over the secure channel, where $CP_j$ is the real identity of the digital oil-gas field system platform;
(2) On receiving the registration request, the trusted center TA first checks whether the corresponding entity has already registered and rejects the request if so; otherwise TA selects a non-zero random number in the finite field $Z_q$ as the private key of the digital oil-gas field system platform $CP_j$ and computes the platform's public key. Based on the data manager's biometric information, TA runs the fuzzy extractor generation algorithm Gen to obtain the first secret value $\iota_j$ and the auxiliary parameter $o_j$, i.e. $(\iota_j, o_j) = \mathrm{Gen}(\chi_j)$, computes the first authentication value $\alpha_j$, and sends the resulting four-tuple to the digital oil-gas field system platform over the secure channel.
5. The anonymous access control method based on the digital oil and gas field system platform as set forth in claim 4, wherein: the login stage comprises the following steps:
(1) The data manager enters the real identity, the login password and the current biometric information into the digital oil-gas field system platform to log in;
(2) The digital oil-gas field system platform computes a second pseudo-password, computes a second secret value from the current biometric information using the fuzzy extractor's recovery algorithm Rep, and computes a second authentication value from the data manager's real identity; it then compares the second authentication value with the first authentication value $\alpha_j$ stored on the platform. If the two are equal, the login succeeds; otherwise it is refused.
6. The anonymous access control method based on the digital oil and gas field system platform as set forth in claim 5, wherein: the anonymous access information generation stage comprises the following steps:
(1) The mobile engineering server $E_i$ selects the current timestamp $T_1$ and computes a temporary anonymous identity $PID_i$;
(2) For the sensitive access information $m_i$ to be sent, $E_i$ selects a non-zero random number $b_i$ in the finite field $Z_q$, computes the second group element $B_i = b_i \cdot P$, computes the blinded value of $m_i$, and generates the digital signature $\sigma_i$; $E_i$ then sends the verifiable anonymous access information $A_i = \{PID_i, \ldots, B_i, T_1\}$, which carries the blinded value and $\sigma_i$ among its components, to the digital oil-gas field system platform.
7. The anonymous access control method based on the digital oil and gas field system platform as set forth in claim 6, wherein: the access control stage comprises the following steps:
(1) After receiving the verifiable anonymous access information $A_i = \{PID_i, \ldots, B_i, T_1\}$, the digital oil-gas field system platform obtains the current timestamp $T_1'$ and checks the freshness of the message by $|T_1' - T_1| < \Delta T$, where $\Delta T$ is the upper bound on the permitted time difference; if the check fails the message is discarded, otherwise the next step is performed;
(2) The digital oil-gas field system platform recovers the original sensitive access information $m_i$ from the blinded value and checks whether the verification equation $\sigma_i \cdot P = (W_i + \varepsilon_i P_{pub} + R_i) \cdot H_5(T_1 \| PID_i \| m_i) + B_i$ holds; if it holds, the platform accepts the message $m_i$ and allows the mobile engineering server $E_i$ to perform legal data access. If it does not hold, the platform extracts the anonymous identity $PID_i$ from $A_i = \{PID_i, \ldots, B_i, T_1\}$ and submits it to the trusted center TA, which recovers the real identity $EID_i$ of the unauthorized mobile engineering server $E_i$.
8. The anonymous access control method based on the digital oil and gas field system platform as set forth in claim 7, wherein: the password updating stage comprises the following steps:
(1) If the data manager wants to change the password $\theta_j$, they first log in to the digital oil-gas field system platform with their original information; if the login succeeds, the platform allows the data manager to change the password;
(2) The data manager enters the real identity and biometric information $\{DM_j, \chi_j\}$ and the new password into the digital oil-gas field system platform; the platform computes the new pseudo-password, recovers the first secret value $\iota_j$ from the biometric information $\chi_j$ with the fuzzy extractor's recovery algorithm Rep, i.e. $\iota_j = \mathrm{Rep}(\chi_j, o_j)$, then computes the third authentication value and updates its stored parameters.
CN202311565640.2A 2023-11-22 2023-11-22 Anonymous access control method based on digital oil-gas field system platform Active CN117411718B (en)

Publications (2)

Publication Number Publication Date
CN117411718A true CN117411718A (en) 2024-01-16
CN117411718B CN117411718B (en) 2024-08-09
