WO2023010608A1 - Cross-domain secure interaction method and system, terminal, and storage medium - Google Patents


Info

Publication number
WO2023010608A1
Authority
WO
WIPO (PCT)
Prior art keywords
domain
access
certificate
cross
attribute
Prior art date
Application number
PCT/CN2021/112257
Other languages
French (fr)
Chinese (zh)
Inventor
戴思佳
宁立
张涌
Original Assignee
中国科学院深圳先进技术研究院
Priority date
Filing date
Publication date
Application filed by 中国科学院深圳先进技术研究院
Publication of WO2023010608A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/321 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority
    • H04L9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • H04L9/3263 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
    • H04L2209/00 Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/72 Signcrypting, i.e. digital signing and encrypting simultaneously

Definitions

  • the present application belongs to the technical field of network security, and in particular relates to a cross-domain secure interaction method, system, terminal and storage medium.
  • the user registration database is uniformly established on the provincial government service platform, and user registration is uniformly provided by the provincial government service platform, and the government service pages of various cities and departments no longer provide user registration functions.
  • the user login interface is also uniformly provided by the provincial government service platform, and each city and department only provides corresponding jump links.
  • a heterogeneous system refers to a system structure in which nodes are distributed in different security domains.
  • Cross-domain authentication refers to identity verification for users in different trust domains when conducting cross-domain access and communication.
  • In a common network security solution, the server generally verifies the identity of the client through an agreed authentication protocol. Because of the wide variety of devices and application systems in the Internet of Things, this traditional security model has several drawbacks. First, if the number of devices is too large, device identity management becomes difficult, which places high performance requirements on system servers and makes identity management expensive. Second, different application systems store device identity information and complete identity verification independently.
  • each system therefore becomes an isolated island of trust: resources and information cannot be shared between systems, which wastes resources. Finally, the authentication mechanisms of different independent systems may differ, and the security of different kinds of devices also differs, which introduces many uncertain factors into client identity authentication.
  • the data needs to be encrypted when it is transmitted in the domain.
  • the traditional method is to use symmetric or asymmetric encryption algorithms, but this method is not suitable for complex scenarios of government affairs systems.
  • the present application provides a cross-domain secure interaction method, system, terminal and storage medium, aiming to solve one of the above-mentioned technical problems in the prior art at least to a certain extent.
  • a cross-domain secure interaction method comprising:
  • the third-party proxy authentication center uses the attribute mapping method to generate the attribute certificate of the system requesting access in the source domain, and the system requesting access uses the attribute certificate to send an access request to the system requested for access in the target domain; the access request includes an endorsement certificate;
  • the third-party proxy authentication center authenticates the system requesting access according to the access request and the attribute certificate, and if the verification passes, establishes cross-domain security interaction between the system requesting access in the source domain and the system requested for access in the target domain.
  • the technical solution adopted in the embodiment of the present application also includes: issuing a digital certificate to a system that supports cross-domain access, and issuing an endorsement certificate to a device under the system, which specifically includes:
  • the technical solution adopted in the embodiment of the present application further includes: the issuing of the endorsement certificate to the device specifically includes:
  • the endorsement certificate includes the unique identity of the device, the identifier of the certificate-issuing system, the name of the certificate-issuing system, the authentication method of the certificate-issuing system, the device authentication result, the validity period and timestamp of the certificate, the digital signature, the system identifier of the target domain expected to be accessed, the attribute operations supported by the requested system in the target domain, and the key for encrypted communication with the device.
  • the attribute certificate includes the identity information of the device, key information, the unique serial number of the certificate, the validity period of the certificate, attribute information, the domain of use, the issuing unit, the issuing unit's public key information and the certificate type;
  • the access request includes the unique identity of the device, the content requested to be accessed, the operation requested to be supported, the validity period and time stamp of the requested access, and the endorsement certificate.
  • the technical solution adopted in the embodiment of the present application also includes: the generation of the attribute certificate of the system requesting access in the source domain through the third-party proxy authentication center using the attribute mapping method specifically includes:
  • the attribute table storage module is used to store the attribute conversion relationship between domains
  • the attribute mapping table is used to record all attributes of the source domain and the target domain, and the mutual mapping relationship between the attributes;
  • a buffer is constructed in the attribute mapping service module, and the attribute mapping table between common domains is stored through the buffer;
  • use the attribute mapping table to perform attribute mapping on the attribute certificate. If the corresponding attribute mapping table maps completely, cross-domain access and synchronous modification operations are supported; if it cannot be mapped, cross-domain access is not possible; if it maps only partially, cross-domain access is possible but modification is not.
  • the technical solution adopted in the embodiment of the present application further includes: the identity verification of the system requesting access through the third-party proxy authentication center according to the access request and the attribute certificate further includes:
  • the parsing process includes:
  • parsing the access request and checking its timestamp and request content
  • the technical solution adopted in the embodiment of the present application further includes: if the verification is passed, establishing cross-domain security interaction between the system requesting access in the source domain and the system requested access in the target domain specifically includes:
  • the data sharing domain is indicated to the target domain by the third-party proxy authentication center.
  • a cross-domain security interaction system including:
  • Certification center building module used to build a third-party proxy certification center, issue digital certificates to systems supporting cross-domain access through the third-party proxy certification center, and issue endorsement certificates to devices under the system;
  • the request sending module used to generate the attribute certificate of the system requesting access in the source domain by using the attribute mapping method through the third-party proxy authentication center, and the system requesting access uses the attribute certificate to send an access request to the system requested to access in the target domain;
  • the access request includes an endorsement credential;
  • System verification module used to verify the identity of the system requesting access through the third-party proxy authentication center according to the access request and the attribute certificate, and, if the verification passes, to establish cross-domain security interaction between the system requesting access in the source domain and the system requested for access in the target domain.
  • a terminal includes a processor and a memory coupled to the processor, wherein,
  • the memory stores program instructions for implementing the cross-domain secure interaction method
  • the processor is configured to execute the program instructions stored in the memory to control cross-domain security interaction.
  • a storage medium storing program instructions executable by a processor, and the program instructions are used to execute the cross-domain security interaction method.
  • the beneficial effect produced by the embodiment of the present application is that the cross-domain secure interaction method, system, terminal and storage medium of the embodiment establish a trusted third-party proxy authentication center, and through that center build a unified identity for different systems and the devices under them, use digital certificates to verify the cross-domain identity of different systems in the Internet of Things environment, and realize one-to-many cross-domain identity verification between heterogeneous systems; after identity verification succeeds, a data sharing domain that supports read and write operations is partitioned in the data domain of the requested system, which achieves safe interoperability between different domains while ensuring the security of those data domains that may not be modified or accessed, and avoids wasted resources.
  • the invention adopts the data transmission mode based on the attribute certificate encryption algorithm in the cross-domain access process, which improves the access efficiency and the security of the cross-domain access control.
  • FIG. 1 is a flowchart of a cross-domain security interaction method according to the first embodiment of the present application
  • FIG. 2 is a flowchart of a cross-domain security interaction method according to a second embodiment of the present application
  • FIG. 3 is a schematic diagram of an attribute certificate in an embodiment of the present application.
  • FIG. 4 is a schematic structural diagram of a cross-domain security interaction system according to an embodiment of the present application.
  • FIG. 5 is a schematic structural diagram of a terminal according to an embodiment of the present application.
  • FIG. 6 is a schematic structural diagram of a storage medium according to an embodiment of the present application.
  • FIG. 1 is a flowchart of a cross-domain secure interaction method according to the first embodiment of the present application.
  • the cross-domain security interaction method in the first embodiment of the present application includes the following steps:
  • the third-party proxy certification center includes a digital certification center, an attribute mapping center, and a data operation record cache center. It holds information about all systems that support cross-domain access, and has a private key generation function to assist key negotiation between a system and the devices under it.
  • through the third-party proxy authentication center, a unified identity is built for different systems and the devices under them, and one-to-many cross-domain authentication between heterogeneous identity systems is realized.
  • S110 Generate the attribute certificate of the system requesting access in the source domain by using the attribute mapping method through the third-party proxy authentication center, and the system requesting access uses the attribute certificate to send an access request to the system requested for access in the target domain;
  • the attribute certificate includes the identity information of the device, key information, unique certificate serial number, valid period of the certificate, information about attributes, domain of use, issuing unit, public key information of the issuing unit, and certificate type and other information.
  • the access request specifically includes information such as the unique identity of the device, the content requested to be accessed, the operation requested to be supported, the validity period and time stamp of the requested access, and the endorsement certificate.
  • S120 Use the third-party proxy authentication center to verify the identity of the system requesting access according to the access request and the attribute certificate. If the verification is passed, establish cross-domain security interaction between the system requesting access in the source domain and the system requested access in the target domain;
  • if the verification passes, the system requesting access is trustworthy, and a data sharing domain that supports read and write operations is opened in the data domain of the system requested for access.
  • This data sharing domain can support data reading and writing by devices in the source domain system and other modification operations, while being able to support the modification operation of the source domain system, it also ensures the confidentiality of the target domain system.
  • FIG. 2 is a flowchart of a cross-domain secure interaction method according to the second embodiment of the present application.
  • the cross-domain security interaction method in the second embodiment of the present application includes the following steps:
  • the third-party proxy certification center includes a digital certification center, an attribute mapping center, and a data operation record cache center. It holds information about all systems that support cross-domain access, and has a private key generation function to assist key negotiation between a system and the devices under it.
  • a unified identity is built for different systems and devices under the system, and one-to-many cross-domain authentication between heterogeneous identity systems is realized.
  • S210 The third-party proxy authentication center records the information of the systems that request access to the authentication center, and issues a digital certificate to each system that supports cross-domain access;
  • digital certificates are used to verify whether system access with endorsement credentials is supported.
  • S220 Receive the registration request sent by the device under the system supporting cross-domain access through the third-party proxy authentication center, and after analyzing the registration request, issue an endorsement certificate to the corresponding device according to the authentication methods of different systems;
  • the endorsement certificate is a type of digital certificate.
  • Each device under the system only needs to register once with the third-party proxy certification center; it can then use the issued endorsement certificate to directly access other systems that support the proxy, so cross-domain access places no additional burden on the device.
  • the process of issuing the endorsement certificate to the device by the third-party agency certification center specifically includes: parsing the registration request of the device, verifying the identity information of the device and whether the registration request is legitimate, and if so, querying the system information of the target domain that the device expects to access, and generating a key pair.
  • the endorsement certificate includes the unique identity of the device, the identifier of the certificate-issuing system, the name of the certificate-issuing system, the authentication method of the certificate-issuing system, the device authentication result, the validity period and timestamp of the certificate, the digital signature of the issuer, and information such as the system identifier of the target domain expected to be accessed, the attribute operations supported by the requested system in the target domain, and the key for encrypted communication with the device.
  • S230 Generate the attribute certificate of the system requesting access in the source domain by using the attribute mapping method through the third-party proxy authentication center, and the system requesting access in the source domain uses the attribute certificate to send an access request to the system requested for access in the target domain;
  • the attribute certificate is generated by the attribute mapping center in the third-party agency authentication center and the user key.
  • the user key refers to the corresponding key accessed by different systems, that is, the identification number of different systems.
  • the attribute mapping center uses hybrid encryption to encrypt the key and attribute access rights before putting them on the link for transmission to ensure safe transmission during the generation of attribute certificates.
  • the attribute certificate includes the identity information of the device, the key information, the unique certificate serial number, the validity period of the certificate, the relevant information of the attribute, the domain of use, the issuing unit, the public key information of the issuing unit, and the type of the certificate.
  • the access request specifically includes information such as the unique identity of the device, the content requested to be accessed, the operation requested to be supported, the validity period and time stamp of the requested access, and the endorsement certificate.
  • the attribute mapping method specifically includes:
  • S231 Construct an attribute table storage module; the attribute table storage module is used to store the attribute conversion relationship between domains, and the attribute table storage module adopts an index structure of a hash table to facilitate extraction of corresponding attributes supported by the requested access system.
  • S232 Construct an attribute mapping table; the attribute mapping table is a two-dimensional matrix, the first column and the first row respectively record all attributes in the source domain and the target domain; the numbers in the table record the mutual mapping relationship between attributes; 1 means full mapping, 0 means no mapping, and a number between 0 and 1 means partial mapping.
  • S233 Construct a buffer in the attribute mapping service module, and store the attribute mapping tables between commonly used domains in the buffer. In a multi-domain environment, cross-domain access control usually involves a fixed set of frequently used domains; the attribute mapping service module therefore keeps the mapping tables of those common domains in its buffer, so that they are looked up in the buffer first when attribute mapping is performed.
  • S234 Use the attribute mapping table to perform attribute mapping on the attribute certificate. If the attribute mapping table maps completely, cross-domain access and synchronous modification operations are supported; if it cannot be mapped, cross-domain access is not possible; if it maps only partially, cross-domain access is possible but modification operations are not. By adding attribute mapping to the attribute certificate, the embodiment of this application ensures the security of data while realizing cross-domain system identity verification, and to a certain extent reduces the difficulty of reading data.
  • the method of attribute mapping can be applied to multiple control domain environments, which improves the performance of the entire data network in processing data.
  • the source domain system with the attribute certificate can directly use the attribute certificate to request data access from the target domain system, and obtain the plaintext through data decryption, which improves the access efficiency and the security of cross-domain access control.
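The attribute mapping steps S231 to S234 above, as an added Go example that is not code from the patent or its applicant: a hash-indexed store of mapping tables (S231), a buffer for the commonly used domain pairs that is consulted first (S233), and the full/partial/no-mapping decision over the attributes named in an attribute certificate (S234). The domain and attribute names, the MappingService type, and the reading that a source attribute counts by its best-mapped target column are assumptions, as is the sample table.

```go
package main

import "fmt"

// AccessLevel is the outcome of S234 for one attribute certificate.
type AccessLevel int

const (
	NoAccess  AccessLevel = iota // an attribute has no mapping: cross-domain access refused
	ReadOnly                     // an attribute is only partially mapped: access, no modification
	ReadWrite                    // every attribute fully mapped: access plus synchronous modification
)

// MappingTable is the two-dimensional matrix of S232 stored row by row in a hash
// table (S231): table[sourceAttr][targetAttr] is 1 (full), 0 (none) or strictly
// between 0 and 1 (partial). A missing row or cell counts as 0.
type MappingTable map[string]map[string]float64

// MappingService keeps every table in store and a smaller buffer for the
// domain pairs that are used most (S233); both are keyed by "source->target".
type MappingService struct {
	store  map[string]MappingTable
	buffer map[string]MappingTable
}

func NewMappingService() *MappingService {
	return &MappingService{store: map[string]MappingTable{}, buffer: map[string]MappingTable{}}
}

func pairKey(src, dst string) string { return src + "->" + dst }

// Put stores a table; common is true for frequently used domain pairs, which
// are also placed in the buffer so later lookups do not have to touch the store.
func (s *MappingService) Put(src, dst string, t MappingTable, common bool) {
	s.store[pairKey(src, dst)] = t
	if common {
		s.buffer[pairKey(src, dst)] = t
	}
}

// Lookup tries the buffer first, then the store (S233).
func (s *MappingService) Lookup(src, dst string) (MappingTable, bool) {
	if t, ok := s.buffer[pairKey(src, dst)]; ok {
		return t, true
	}
	t, ok := s.store[pairKey(src, dst)]
	return t, ok
}

// Decide applies S234 to the attributes named in an attribute certificate.
// Assumed reading of the text: a source attribute counts by its best-mapped
// target column; one unmapped attribute refuses access, one partial attribute
// downgrades the result to read-only, and only all-full gives read-write.
func (s *MappingService) Decide(src, dst string, attrs []string) AccessLevel {
	table, ok := s.Lookup(src, dst)
	if !ok || len(attrs) == 0 {
		return NoAccess
	}
	level := ReadWrite
	for _, a := range attrs {
		best := 0.0
		for _, v := range table[a] {
			if v > best {
				best = v
			}
		}
		switch {
		case best <= 0:
			return NoAccess
		case best < 1:
			level = ReadOnly
		}
	}
	return level
}

func main() {
	svc := NewMappingService()
	// constructed sample table between two hypothetical domains
	svc.Put("city-A", "province", MappingTable{
		"citizen_id":    {"national_id": 1},
		"department":    {"org_unit": 0.5},
		"internal_note": {},
	}, true)
	fmt.Println(svc.Decide("city-A", "province", []string{"citizen_id"}))                  // 2 (ReadWrite)
	fmt.Println(svc.Decide("city-A", "province", []string{"citizen_id", "department"}))    // 1 (ReadOnly)
	fmt.Println(svc.Decide("city-A", "province", []string{"citizen_id", "internal_note"})) // 0 (NoAccess)
	fmt.Println(svc.Decide("city-A", "unknown", []string{"citizen_id"}))                   // 0 (NoAccess)
}
```

A table that is absent altogether (no mapping relationship recorded for the domain pair) is treated the same as a table that cannot be mapped, so a request between domains the center has never related is refused rather than silently granted.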
  • S240 The system requested for access in the target domain parses the access request and the attribute certificate; the third-party proxy authentication center verifies, according to the parsed access request and attribute certificate, whether the requesting system is trustworthy, and returns the verification result to the system requested for access in the target domain;
  • the parsing process of the access request and the attribute certificate specifically includes: first, the requested system parses the access request and checks its timestamp and request content; then it queries the issuer information of the endorsement certificate through the third-party proxy certification center, verifies the digital signature, and verifies the integrity of the endorsement certificate; finally it checks the validity period of the endorsement certificate and the status of the issuer, verifies whether the access request is compliant, and checks whether the issuer of the endorsement certificate is in the trust list of the domain.
  • S250 Open up a data sharing domain in the data domain of the requested access system according to the verification result returned by the third-party proxy authentication center, and establish a secure connection between the source domain system and the target domain system and data sharing operations;
  • the target domain system opens up a data sharing domain based on the security considerations of its own system and according to the verification results returned by the third-party proxy authentication center.
  • the operation records are transmitted to the third-party agency authentication center for maintenance, which supports the modification operations of the source domain system while ensuring the privacy of the target domain system, realizes safe interaction for cross-domain access, and solves the defects of the existing technology that cross-domain operations are difficult to implement and that the system requested for access has low security during cross-domain operations.
  • the data sharing domain is indicated to the target domain by the third-party proxy authentication center.
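The endorsement certificate of S220 and the parsing checks of S240, as an added Go example that is not the patent's own code: the proxy authentication center signs the certificate when a device registers, and the target-domain system later checks the request's timestamp and content, the certificate's signature and integrity, its validity period, and whether the issuer is on the domain's trust list. The ed25519 signature scheme, the JSON encoding of the signed fields, the five-minute clock-skew tolerance, the choice of certificate fields, and every identifier (dev-01, center-A, domain-B) are assumptions; the page only says "digital signature".

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// EndorsementCert carries a subset of the fields listed for the endorsement
// certificate (S220). ed25519 is an assumption; the text only says "digital signature".
type EndorsementCert struct {
	DeviceID     string   `json:"device_id"`
	IssuerID     string   `json:"issuer_id"`
	NotBefore    int64    `json:"not_before"` // validity period, unix seconds
	NotAfter     int64    `json:"not_after"`
	TargetDomain string   `json:"target_domain"`
	Ops          []string `json:"ops"` // attribute operations the target system supports
	Signature    []byte   `json:"sig,omitempty"`
}

// tbs is the to-be-signed encoding: the JSON of every field except the signature.
func (c EndorsementCert) tbs() []byte {
	c.Signature = nil
	b, _ := json.Marshal(c) // plain field types only, cannot fail
	return b
}

func GenerateCenterKeys() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// IssueEndorsement is the center signing the certificate for a registered device.
func IssueEndorsement(c EndorsementCert, centerPriv ed25519.PrivateKey) EndorsementCert {
	c.Signature = ed25519.Sign(centerPriv, c.tbs())
	return c
}

// AccessRequest holds the request fields the text lists (S240).
type AccessRequest struct {
	DeviceID, Content, Op string
	Expires, Timestamp    int64 // validity period and timestamp, unix seconds
	Cert                  EndorsementCert
}

const maxSkew = 5 * time.Minute // tolerated clock difference between domains (assumption)

// VerifyRequest runs the S240 checks in the order the text gives them: timestamp and
// request content; signature and integrity of the endorsement certificate; its validity
// period and the issuer's presence on the trust list; then that the operation is endorsed.
func VerifyRequest(r AccessRequest, centerPub ed25519.PublicKey, trusted map[string]bool, now time.Time) error {
	if time.Unix(r.Timestamp, 0).After(now.Add(maxSkew)) || now.After(time.Unix(r.Expires, 0)) {
		return errors.New("request timestamp in the future or request expired")
	}
	if r.Content == "" || r.Op == "" {
		return errors.New("empty request content or operation")
	}
	c := r.Cert
	if len(centerPub) != ed25519.PublicKeySize || !ed25519.Verify(centerPub, c.tbs(), c.Signature) {
		return errors.New("endorsement certificate signature invalid or certificate altered")
	}
	if c.DeviceID != r.DeviceID {
		return errors.New("endorsement certificate was issued to a different device")
	}
	if now.Before(time.Unix(c.NotBefore, 0)) || now.After(time.Unix(c.NotAfter, 0)) {
		return errors.New("endorsement certificate outside its validity period")
	}
	if !trusted[c.IssuerID] {
		return errors.New("certificate issuer not in this domain's trust list")
	}
	for _, op := range c.Ops {
		if op == r.Op {
			return nil
		}
	}
	return errors.New("requested operation not endorsed for the target domain")
}

func main() {
	pub, priv, _ := GenerateCenterKeys()
	now := time.Now()
	ts := now.Unix()
	// constructed sample: device dev-01, registered with center-A, accessing domain-B
	cert := IssueEndorsement(EndorsementCert{DeviceID: "dev-01", IssuerID: "center-A", NotBefore: ts - 60,
		NotAfter: ts + 3600, TargetDomain: "domain-B", Ops: []string{"read", "write"}}, priv)
	trust := map[string]bool{"center-A": true}
	req := AccessRequest{DeviceID: "dev-01", Content: "/records/42", Op: "write", Expires: ts + 300, Timestamp: ts, Cert: cert}
	fmt.Println("genuine request:", VerifyRequest(req, pub, trust, now)) // <nil>
	altered := req // same signature, but the operation list was extended after signing
	altered.Cert.Ops, altered.Op = []string{"read", "write", "delete"}, "delete"
	fmt.Println("altered certificate:", VerifyRequest(altered, pub, trust, now)) // signature invalid
}
```

The signature covers every certificate field, so extending the endorsed operation list after issuance (the altered case) fails the integrity check before the operation itself is ever compared; the trust-list and validity checks are what keep a genuinely signed certificate from a revoked or unknown issuer out of the domain.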
  • the cross-domain security interaction method of the embodiment of the present application establishes a trusted third-party proxy authentication center, uses that center to construct a unified identity for different systems and the devices under them, and uses digital certificates to verify the cross-domain identity of different systems in the Internet of Things environment, realizing one-to-many cross-domain identity verification between heterogeneous systems; after successful verification, a data sharing domain that supports read and write operations is partitioned in the data domain of the requested system, which realizes safe interoperability between different domains, ensures the security of those data domains that may not be modified or accessed, and avoids the waste of resources.
  • the invention adopts the data transmission mode based on the attribute certificate encryption algorithm in the cross-domain access process, which improves the access efficiency and the security of the cross-domain access control.
  • FIG. 4 is a schematic structural diagram of a cross-domain secure interaction system according to an embodiment of the present application.
  • the cross-domain security interaction system 40 of the embodiment of the present application includes:
  • Certification center building module 41 used to build a third-party proxy certification center, issue digital certificates to systems that support cross-domain access through the third-party proxy certification center, and issue endorsement certificates to devices under the system;
  • Request sending module 42 used to generate the attribute certificate of the system requesting access in the source domain through the attribute mapping method of the third-party proxy authentication center, and the system requesting access uses the attribute certificate to send an access request to the system requested for access in the target domain; the access request includes an endorsement certificate;
  • System verification module 43 used to verify the identity of the system requesting access through the third-party proxy authentication center according to the access request and the attribute certificate, and, if the verification passes, to establish cross-domain secure interaction between the system requesting access in the source domain and the system requested for access in the target domain.
  • FIG. 5 is a schematic diagram of a terminal structure in an embodiment of the present application.
  • the terminal 50 includes a processor 51 and a memory 52 coupled to the processor 51 .
  • the memory 52 stores program instructions for realizing the above cross-domain secure interaction method.
  • the processor 51 is configured to execute program instructions stored in the memory 52 to control cross-domain security interaction.
  • the processor 51 may also be referred to as a CPU (Central Processing Unit).
  • the processor 51 may be an integrated circuit chip with signal processing capability.
  • the processor 51 can also be a general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component.
  • a general-purpose processor may be a microprocessor, or the processor may be any conventional processor, or the like.
  • FIG. 6 is a schematic structural diagram of a storage medium according to an embodiment of the present application.
  • the storage medium of the embodiment of the present application stores a program file 61 capable of realizing all the above-mentioned methods. The program file 61 can be stored in the storage medium in the form of a software product and includes several instructions that cause a computer device (which may be a personal computer, a server, a network device, etc.) or a processor to execute all or part of the steps of the methods in the various embodiments of the present invention.
  • the aforementioned storage media include media that can store program code, such as a USB flash drive, a removable hard disk, read-only memory (ROM), random access memory (RAM), a magnetic disk or an optical disc, or terminal devices such as computers, servers, mobile phones and tablets.

Abstract

The present application relates to a cross-domain secure interaction method and system, a terminal, and a storage medium. The method comprises: constructing a third-party proxy authentication center, and issuing, by means of that center, a digital certificate to each system supporting cross-domain access and an endorsement credential to each device under such a system; generating, by means of the third-party proxy authentication center and an attribute mapping method, an attribute certificate for the system requesting access in a source domain, the requesting system using the attribute certificate to send an access request to the requested system in a target domain; and performing, by means of the third-party proxy authentication center and according to the access request and the attribute certificate, identity verification of the requesting system and, if it is verified, establishing a cross-domain secure interaction between the requesting system in the source domain and the requested system in the target domain. The embodiments of the present application achieve one-to-many cross-domain identity verification between heterogeneous systems and improve access efficiency and the security of cross-domain access control.

Description

A cross-domain secure interaction method, system, terminal and storage medium
Technical field
The present application belongs to the technical field of network security, and in particular relates to a cross-domain secure interaction method, system, terminal and storage medium.
Background
In recent years, in order to eliminate information silos, achieve interconnection and promote consolidated construction, the integration and sharing of government information has received great attention from governments at all levels. The user registration database is established centrally on the provincial government service platform, user registration is provided centrally by that platform, and the government service pages of individual cities and departments no longer offer user registration. Likewise, the user login interface is provided centrally by the provincial government service platform, and each city and department provides only the corresponding redirect link. Although the government service systems of the individual departments do not provide user registration or login verification, each must establish a unified user authentication integration module that handles the mutual calls between itself and the user authentication subsystem of the provincial government service platform.
A heterogeneous system is a system structure in which nodes are distributed across different security domains; cross-domain authentication means verifying the identity of users from different trust domains when they perform cross-domain access or communication. In common network security schemes, the server generally verifies the client's identity through an agreed authentication protocol. Because the Internet of Things contains a wide variety of devices and application systems, this traditional security model has several drawbacks. First, if the number of devices is very large, managing device identities becomes difficult, which imposes high performance requirements on the system servers and a high cost of identity management. Second, different application systems store device identity information and perform identity verification independently; in this mutually independent model each system becomes an island of trust, resources and information cannot be shared between systems, and resources are wasted. Finally, the authentication mechanisms of independent systems may differ, and the security of different kinds of devices also differs, which introduces many uncertain factors into the authentication of client identity.
In addition, to protect user privacy, data must be encrypted when it is transmitted within a domain. The traditional approach uses symmetric or asymmetric encryption algorithms, but this approach is not suited to the complex scenarios of government service systems.
Given the above, how to build a secure and efficient cross-domain access control model for an originally independent, secure single domain in a distributed multi-domain environment, and then interact securely with external domains, has become a research difficulty.
Summary of the invention
The present application provides a cross-domain secure interaction method, system, terminal and storage medium, aiming to solve, at least to some extent, one of the above technical problems in the prior art.
To solve the above problems, the present application provides the following technical solutions:
A cross-domain secure interaction method, comprising:
constructing a third-party proxy authentication center, issuing, through the third-party proxy authentication center, digital certificates to systems that support cross-domain access, and issuing endorsement credentials to the devices under those systems;
generating, through the third-party proxy authentication center and by means of an attribute mapping method, an attribute certificate for the system requesting access in the source domain, the requesting system using the attribute certificate to send an access request to the requested system in the target domain, the access request including an endorsement credential;
performing, through the third-party proxy authentication center and according to the access request and the attribute certificate, identity verification of the requesting system, and if the verification passes, establishing a cross-domain secure interaction between the requesting system in the source domain and the requested system in the target domain.
The technical solution adopted in the embodiments of the present application further includes: the issuing of digital certificates to systems that support cross-domain access, and of endorsement credentials to the devices under those systems, specifically comprises:
identifying the information of systems requesting to join the third-party proxy authentication center, and issuing digital certificates to those that support cross-domain access;
receiving a registration request sent by a device under the system, parsing the registration request, and issuing an endorsement credential to the device according to the authentication method of the system.
The technical solution adopted in the embodiments of the present application further includes: the issuing of the endorsement credential to the device specifically comprises:
parsing the device's registration request and verifying the device's user identity information and whether the registration request is legitimate; if it is legitimate, querying the information of the target domain the device expects to access, generating a key pair, and generating an endorsement credential from the key and the user identity information;
digitally signing the endorsement credential with the key in the digital certificate;
issuing the endorsement credential, the digital signature and the private key to the device, and writing the endorsement credential issuance record to the third-party proxy authentication center;
the endorsement credential includes the device's unique identity, the identifier of the credential-issuing system, the name of the credential-issuing system, the authentication method of the credential-issuing system, the device authentication result, the credential validity period and timestamp, the digital signature, the identifier of the target domain system expected to be accessed, the attribute operations supported by the requested system in the target domain, and the key for encrypted communication with the device.
The technical solution adopted in the embodiments of the present application further includes: the attribute certificate includes the device's identity information, key information, a unique certificate serial number, the certificate's validity period, attribute information, the domain of use, the issuing authority, the issuing authority's public key information and the certificate type;
the access request includes the device's unique identity, the content for which access is requested, the operations the request should support, the validity period and timestamp of the access request, and the endorsement credential.
The technical solution adopted in the embodiments of the present application further includes: the generating, through the third-party proxy authentication center and by means of an attribute mapping method, of the attribute certificate for the system requesting access in the source domain specifically comprises:
constructing an attribute table storage module for storing the attribute conversion relationships between domains;
constructing an attribute mapping table for recording all attributes of the source domain and the target domain and the mapping relationships between them;
constructing a buffer in the attribute mapping service module, and storing the attribute mapping tables of frequently used domain pairs in the buffer;
performing attribute mapping on the attribute certificate using the attribute mapping table: if the entries of the attribute mapping table map completely, cross-domain access and synchronous modification operations are supported; if they cannot be mapped, cross-domain access is not permitted; if they map partially, cross-domain access is permitted but modification operations are not.
The technical solution adopted in the embodiments of the present application further includes: the identity verification of the requesting system, performed through the third-party proxy authentication center according to the access request and the attribute certificate, further comprises:
parsing the access request and the attribute certificate by the requested system in the target domain, the parsing process comprising:
parsing the access request and checking its timestamp and requested content;
querying the information of the endorsement credential's issuer through the third-party proxy authentication center, verifying the digital signature, and verifying whether the endorsement credential is complete;
checking the validity period of the endorsement credential and the status of its issuer, verifying whether the access request is compliant, and checking whether the issuer of the endorsement credential is in the trust list of the local domain.
The technical solution adopted in the embodiments of the present application further includes: if the verification passes, establishing the cross-domain secure interaction between the requesting system in the source domain and the requested system in the target domain specifically comprises:
opening, in the data domain of the requested system in the target domain, a data sharing domain that supports read and write operations, the data sharing domain supporting synchronous modification operations by devices under the requesting system in the source domain;
the data sharing domain is designated to the target domain by the third-party proxy authentication center.
Another technical solution adopted in the embodiments of the present application is a cross-domain secure interaction system, comprising:
an authentication center construction module, for constructing a third-party proxy authentication center, issuing, through the third-party proxy authentication center, digital certificates to systems that support cross-domain access, and issuing endorsement credentials to the devices under those systems;
a request sending module, for generating, through the third-party proxy authentication center and by means of an attribute mapping method, an attribute certificate for the system requesting access in the source domain, the requesting system using the attribute certificate to send an access request to the requested system in the target domain, the access request including an endorsement credential;
a system verification module, for performing, through the third-party proxy authentication center and according to the access request and the attribute certificate, identity verification of the requesting system, and if the verification passes, establishing a cross-domain secure interaction between the requesting system in the source domain and the requested system in the target domain.
Yet another technical solution adopted in the embodiments of the present application is a terminal, the terminal comprising a processor and a memory coupled to the processor, wherein
the memory stores program instructions for implementing the cross-domain secure interaction method;
the processor is configured to execute the program instructions stored in the memory to control the cross-domain secure interaction.
Yet another technical solution adopted in the embodiments of the present application is a storage medium storing program instructions executable by a processor, the program instructions being used to execute the cross-domain secure interaction method.
Compared with the prior art, the beneficial effects of the embodiments of the present application are as follows. The cross-domain secure interaction method, system, terminal and storage medium of the embodiments establish a trusted third-party proxy authentication center, through which a unified identity is built for the different systems and the devices under them; digital certificates are used to verify the cross-domain identity of the different systems in an Internet of Things environment, achieving one-to-many cross-domain identity verification between heterogeneous systems. After identity verification succeeds, a data sharing domain supporting read and write operations is carved out of the data domain of the requested system, achieving secure interoperation between domains while preserving the security of data domains that must not be modified, and avoiding wasted resources. During cross-domain access the invention uses a data transmission mode based on an attribute certificate encryption algorithm, which improves access efficiency and the security of cross-domain access control.
Description of the drawings
FIG. 1 is a flowchart of the cross-domain secure interaction method of the first embodiment of the present application;
FIG. 2 is a flowchart of the cross-domain secure interaction method of the second embodiment of the present application;
FIG. 3 is a schematic diagram of the attribute certificate of an embodiment of the present application;
FIG. 4 is a schematic structural diagram of the cross-domain secure interaction system of an embodiment of the present application;
FIG. 5 is a schematic structural diagram of the terminal of an embodiment of the present application;
FIG. 6 is a schematic structural diagram of the storage medium of an embodiment of the present application.
Detailed description
In order to make the purpose, technical solutions and advantages of the present application clearer, the present application is further described in detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described here are only used to explain the present application and not to limit it.
Referring to FIG. 1, which is a flowchart of the cross-domain secure interaction method of the first embodiment of the present application, the method includes the following steps:
S100: construct a third-party proxy authentication center, issue digital certificates through it to systems that support cross-domain access, and issue endorsement credentials to the devices under those systems;
The third-party proxy authentication center comprises a digital authentication center, an attribute mapping center and a data operation record cache center. It holds the information of all systems that support cross-domain access and has a private key generation function used to assist key negotiation between a system and the devices under it. Through the third-party proxy authentication center a unified identity is built for the different systems and their devices, achieving one-to-many cross-domain authentication between heterogeneous identity systems.
S110: generate, through the third-party proxy authentication center and by means of the attribute mapping method, the attribute certificate of the system requesting access in the source domain, the requesting system using the attribute certificate to send an access request to the requested system in the target domain;
The attribute certificate includes the device's identity information, key information, a unique certificate serial number, the certificate's validity period, attribute-related information, the domain of use, the issuing authority, the issuing authority's public key information, the certificate type and other information. The access request specifically includes the device's unique identity, the content for which access is requested, the operations the request should support, the validity period and timestamp of the access request, the endorsement credential and other information.
S120: verify, through the third-party proxy authentication center and according to the access request and the attribute certificate, the identity of the requesting system, and if the verification passes, establish a cross-domain secure interaction between the requesting system in the source domain and the requested system in the target domain;
If the verification passes, the requesting system is deemed trustworthy, and a data sharing domain supporting read and write operations is opened in the data domain of the requested system. This data sharing domain allows devices of the source domain system to perform modification operations such as reading and writing data, supporting the source domain's modification operations while preserving the confidentiality of the target domain system.
Referring to FIG. 2, which is a flowchart of the cross-domain secure interaction method of the second embodiment of the present application, the method includes the following steps:
S200: construct a third-party proxy authentication center;
In this step, an authentication center trusted by the different systems is established in a third-party system or on a cloud server; the different systems join this authentication center, and devices register with a system and log in to the system they registered with. The third-party proxy authentication center comprises a digital authentication center, an attribute mapping center and a data operation record cache center. It holds the information of all systems that support cross-domain access and has a private key generation function used to assist key negotiation between a system and the devices under it. Through the third-party proxy authentication center a unified identity is built for the different systems and their devices, achieving one-to-many cross-domain authentication between heterogeneous identity systems.
S210: identify, through the third-party proxy authentication center, the information of systems requesting to join the center, and issue digital certificates to the systems that support cross-domain access;
In this step, the digital certificate is used to verify whether access by a system holding an endorsement credential is supported.
S220: receive, through the third-party proxy authentication center, registration requests sent by devices under the systems that support cross-domain access, parse them, and issue endorsement credentials to the corresponding devices according to the authentication method of each system;
Specifically, the endorsement credential is a kind of digital certificate. Each device under a system needs to register only once with the third-party proxy authentication center and can then use the issued endorsement credential to directly access other systems that support the proxy, so cross-domain access places no additional burden on the device. The process by which the third-party proxy authentication center issues an endorsement credential to a device specifically comprises: parsing the device's registration request and verifying the device identity information and whether the registration request is legitimate; if it is legitimate, querying the information of the target domain system the device expects to access, generating a key pair, and generating an endorsement credential from the key and the device identity information; then digitally signing the endorsement credential with the key in the digital certificate issued by the third-party proxy authentication center; and finally sending the endorsement credential, the digital signature and the private key to the device while writing the endorsement credential issuance record to the data operation record cache center of the third-party proxy authentication center. The endorsement credential includes the device's unique identity, the identifier of the credential-issuing system, the name of the credential-issuing system, the authentication method of the credential-issuing system, the device authentication result, the credential validity period and timestamp, the digital signature of the credential issuer, the identifier of the target domain system expected to be accessed, the attribute operations supported by the requested system in the target domain, the key for encrypted communication with the device, and other information.
S230: generate, through the third-party proxy authentication center and by means of the attribute mapping method, the attribute certificate of the system requesting access in the source domain; the requesting system in the source domain uses the attribute certificate to send an access request to the requested system in the target domain;
In this step, FIG. 3 shows a schematic diagram of the attribute certificate of an embodiment of the present application. The attribute certificate is generated by the attribute mapping center within the third-party proxy authentication center together with the user key; the user key is the key corresponding to access by each system, that is, each system's identification number. The attribute mapping center encrypts the key and the attribute access permissions using hybrid encryption before placing them on the link for transmission, ensuring secure transmission during attribute certificate generation. The attribute certificate includes the device's identity information, key information, a unique certificate serial number, the certificate's validity period, attribute-related information, the domain of use, the issuing authority, the issuing authority's public key information, the certificate type and other information. The access request specifically includes the device's unique identity, the content for which access is requested, the operations the request should support, the validity period and timestamp of the access request, the endorsement credential and other information.
In the embodiments of the present application, the attribute mapping method specifically comprises:
S231: construct an attribute table storage module; the attribute table storage module stores the attribute conversion relationships between domains and uses a hash table index structure, which makes it convenient to retrieve the corresponding attributes supported by the requested system.
S232: construct an attribute mapping table; the attribute mapping table is a two-dimensional matrix whose first column and first row record all attributes of the source domain and of the target domain respectively, and whose entries record the mapping relationships between attributes: 1 denotes a complete mapping, 0 denotes no mapping, and a number between 0 and 1 denotes a partial mapping.
S233: construct a buffer in the attribute mapping service module and store the attribute mapping tables of frequently used domain pairs in it; since in a multi-domain environment cross-domain access control usually involves a fixed handful of frequently used domains, the attribute mapping service module constructs a buffer holding the attribute mapping tables between those domains, so that attribute mapping first looks for the table of a frequently used domain pair in the buffer.
S234: perform attribute mapping on the attribute certificate using the attribute mapping table: if the entries map completely, cross-domain access and synchronous modification operations are supported; if they cannot be mapped, cross-domain access is not permitted; if they map partially, cross-domain access is permitted but modification operations are not. By adding the attribute mapping operation to the attribute certificate, the embodiments of the present application secure the data while achieving cross-domain system identity verification, and to some extent reduce the difficulty of reading data. The attribute mapping method can be applied to environments with multiple control domains, which improves the data processing performance of the whole data network.
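The attribute mapping table and the three-way decision rule of S231 to S234 (also recited in the claims above) can be exercised with the following Go code. It is an added example for this page, not the patent's or the applicant's code: the domain names, attribute names and scores are constructed, and the rule for combining several attributes into one decision (each needed target attribute takes the best value any certificate attribute maps to it, the request gets the weakest level) is an assumption made for the illustration. The S233 buffer is modelled as a cache in front of the storage module, with hit and miss counters so the lookup order is visible.

```go
package main

import "fmt"

// Added example for steps S231-S234, not the patent's own code; the domain
// names, attribute names and scores below are constructed for illustration.

// Access is the outcome of the S234 rule applied to a mapping value.
type Access int

const (
	AccessDenied    Access = iota // 0: no mapping, cross-domain access refused
	AccessReadOnly                // between 0 and 1: access without modification
	AccessReadWrite               // 1: access plus synchronous modification
)

// MappingTable is the S232 matrix (rows: source attributes, columns: target
// attributes) held in nested hash maps, the index structure S231 calls for.
type MappingTable map[string]map[string]float64

// Classify maps one table value to an access level; an absent pair reads as 0.
func Classify(v float64) Access {
	switch {
	case v >= 1:
		return AccessReadWrite
	case v <= 0:
		return AccessDenied
	}
	return AccessReadOnly
}

// Decide grades a request: each needed target attribute takes the best value any
// certificate attribute maps to it; the request gets the weakest level (assumed rule).
func Decide(t MappingTable, certAttrs, needed []string) Access {
	if len(needed) == 0 {
		return AccessDenied // nothing to map: fail closed
	}
	result := AccessReadWrite
	for _, dst := range needed {
		best := 0.0
		for _, src := range certAttrs {
			if v := t[src][dst]; v > best {
				best = v
			}
		}
		if lvl := Classify(best); lvl < result {
			result = lvl
		}
	}
	return result
}

// MappingService is the attribute table storage module with the S233 buffer
// of frequently used domain pairs in front of it.
type MappingService struct {
	store        map[[2]string]MappingTable
	cache        map[[2]string]MappingTable
	Hits, Misses int
}

// Table consults the buffer first and fills it from the store on a miss.
func (s *MappingService) Table(src, dst string) (MappingTable, bool) {
	key := [2]string{src, dst}
	if t, ok := s.cache[key]; ok {
		s.Hits++
		return t, true
	}
	s.Misses++
	t, ok := s.store[key]
	if ok {
		s.cache[key] = t
	}
	return t, ok
}

func (s *MappingService) Authorize(src, dst string, certAttrs, needed []string) Access {
	t, ok := s.Table(src, dst)
	if !ok {
		return AccessDenied // unknown domain pair: refuse
	}
	return Decide(t, certAttrs, needed)
}

// SampleService holds one constructed table: provincial portal -> city health.
func SampleService() *MappingService {
	return &MappingService{
		cache: map[[2]string]MappingTable{},
		store: map[[2]string]MappingTable{{"province-portal", "city-health"}: {
			"citizen_id": {"patient_id": 1.0},
			"tax_number": {"insurance_no": 0.5},
			"address":    {"home_address": 1.0},
		}},
	}
}

func main() {
	s := SampleService()
	fmt.Println(s.Authorize("province-portal", "city-health", []string{"citizen_id", "tax_number"}, []string{"patient_id", "insurance_no"}))
	fmt.Printf("buffer hits=%d misses=%d\n", s.Hits, s.Misses)
}
```

With the constructed table, a request backed by `citizen_id` alone gets read-write access to `patient_id`, a request that also needs `insurance_no` (mapped only partially from `tax_number`) is downgraded to read-only as a whole, and a request for an attribute with no mapping, an empty request, or an unknown domain pair is refused.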
通过上述操作,拥有属性证书的源域系统可以直接利用属性证书向目标域系统请求进行数据访问,并通过数据解密的方式获得明文,提高了访问效率和跨域访问控制的安全性。Through the above operations, the source domain system with the attribute certificate can directly use the attribute certificate to request data access from the target domain system, and obtain the plaintext through data decryption, which improves the access efficiency and the security of cross-domain access control.
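Added example, not code from the patent or its applicant: the attribute mapping matrix of S232, the buffer of S233 and the three-way decision of S234 (restated in claim 5) in Go. The domain and attribute names, the "src->dst" key, and the rule that reduces one row of the matrix to a single score per certificate attribute are assumptions of this example.

```go
package main

import "math"

// Decision is the outcome of mapping an attribute certificate onto the target domain (S234).
type Decision int

const (
	Denied    Decision = iota // an attribute cannot be mapped: no cross-domain access
	ReadOnly                  // partial mapping: cross-domain access without modification
	ReadWrite                 // full mapping: access plus synchronous modification
)

// MappingTable is the matrix of S232: rows are source-domain attributes, columns are
// target-domain attributes, a cell holds 1 (full), 0 (none) or a value in (0,1) (partial).
type MappingTable struct {
	SourceAttrs, TargetAttrs []string
	Cells                    [][]float64 // Cells[i][j] maps SourceAttrs[i] onto TargetAttrs[j]
}

// attrScore is the strongest mapping one source attribute has into the target domain: the
// largest value in its row, or 0 if the attribute is not in the table (an assumption here).
func (t *MappingTable) attrScore(attr string) float64 {
	best := 0.0
	for i, a := range t.SourceAttrs {
		if a == attr {
			for _, v := range t.Cells[i] {
				best = math.Max(best, v)
			}
		}
	}
	return best
}

// Decide applies S234 to the attributes a certificate carries: all must map fully for
// read-write, any partial mapping downgrades to read-only, any unmappable attribute denies.
func (t *MappingTable) Decide(certAttrs []string) Decision {
	result := ReadWrite
	for _, a := range certAttrs {
		switch s := t.attrScore(a); {
		case s <= 0:
			return Denied
		case s < 1:
			result = ReadOnly
		}
	}
	return result
}

// MappingService holds the attribute table storage module (claim 5, every known domain pair)
// plus the buffer of S233 that keeps the tables of the few frequently used pairs.
type MappingService struct {
	store, buffer map[string]*MappingTable // keyed by "src->dst"
	bufferCap     int
	BufferHits    int // lookups served from the buffer
}

func NewMappingService(bufferCap int) *MappingService {
	return &MappingService{store: map[string]*MappingTable{},
		buffer: map[string]*MappingTable{}, bufferCap: bufferCap}
}

func (s *MappingService) Register(src, dst string, t *MappingTable) {
	s.store[src+"->"+dst] = t
}

// Table consults the buffer first (S233), then the store, promoting the table into the buffer while there is room.
func (s *MappingService) Table(src, dst string) (*MappingTable, bool) {
	key := src + "->" + dst
	if t, ok := s.buffer[key]; ok {
		s.BufferHits++
		return t, true
	}
	t, ok := s.store[key]
	if ok && len(s.buffer) < s.bufferCap {
		s.buffer[key] = t
	}
	return t, ok
}

// Map performs S234 for a certificate issued in src whose holder wants to reach dst;
// without a table between the two domains there is no cross-domain access at all.
func (s *MappingService) Map(src, dst string, certAttrs []string) Decision {
	if t, ok := s.Table(src, dst); ok {
		return t.Decide(certAttrs)
	}
	return Denied
}
```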
S240: The requested system in the target domain parses the access request and the attribute certificate; the third-party proxy authentication center verifies, from the parsed access request and attribute certificate, whether the requesting system is trustworthy, and returns the verification result to the requested system in the target domain.
In this step, parsing the access request and the attribute certificate specifically comprises: first, the requested system parses the access request and checks its timestamp and request content; then the issuer information of the endorsement credential is queried through the third-party proxy authentication center, the digital signature is verified, and the endorsement credential is checked for completeness; finally, the validity period of the endorsement credential and the status of its issuer are checked, the access request is verified for compliance, and the issuer of the endorsement credential is checked against the trust list of the local domain.
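Added example, not code from the patent or its applicant, of the S240 check sequence that claim 6 restates: parse the request and check its timestamp and content, look up the issuer at the proxy authentication center, verify signature and completeness, then check the validity period, issuer status, request compliance and the local trust list. Ed25519 over a JSON serialization of the credential body, the in-memory maps standing in for the proxy CA query, and the field and error names are assumptions of this example.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"errors"
	"time"
)

// EndorsementBody holds the signed fields of an endorsement credential (claim 3; the issuer's
// authentication method and the device communication key are omitted in this example).
type EndorsementBody struct {
	DeviceID, IssuerID, IssuerName, AuthResult string
	IssuedAt, ExpiresAt                         int64           // validity period, unix seconds
	TargetSystem                                string          // system the device expects to access
	SupportedOps                                map[string]bool // attribute operations endorsed there
}

type Endorsement struct {
	EndorsementBody
	Signature []byte
}

// AccessRequest mirrors claim 4: device id, content, operations, timestamp, validity, endorsement.
type AccessRequest struct {
	DeviceID, Content   string
	Ops                 []string
	Timestamp, ValidFor int64 // unix seconds, and how long the request stays valid
	Endorsement         Endorsement
}

// TargetSystem is the receiving system; IssuerKeys and IssuerStatus stand in for the proxy CA query.
type TargetSystem struct {
	ID           string
	IssuerKeys   map[string]ed25519.PublicKey // public key from each issuer's digital certificate
	IssuerStatus map[string]string            // "active" or "revoked"
	TrustList    map[string]bool              // issuers whose endorsements this domain accepts
}

// signingBytes is the canonical signed form: json.Marshal orders struct fields and map keys deterministically.
func (b EndorsementBody) signingBytes() []byte {
	out, _ := json.Marshal(b)
	return out
}

// IssueEndorsement signs a credential body with the issuing system's private key.
func IssueEndorsement(b EndorsementBody, priv ed25519.PrivateKey) Endorsement {
	return Endorsement{EndorsementBody: b, Signature: ed25519.Sign(priv, b.signingBytes())}
}

// Verify runs the S240 checks in order and returns the first failure; now is injected for determinism.
func (ts *TargetSystem) Verify(req AccessRequest, now time.Time) error {
	t := now.Unix()
	// (1) Parse the request: content and timestamp.
	if req.Content == "" || len(req.Ops) == 0 || t < req.Timestamp || t > req.Timestamp+req.ValidFor {
		return errors.New("request: empty content/operations or timestamp outside validity window")
	}
	// (2) Query the issuer at the proxy CA; verify completeness and the signature.
	e := req.Endorsement
	pub, ok := ts.IssuerKeys[e.IssuerID]
	if !ok {
		return errors.New("endorsement: issuer unknown to proxy CA")
	}
	if e.DeviceID == "" || e.IssuerName == "" || e.AuthResult == "" || e.TargetSystem == "" || e.ExpiresAt == 0 {
		return errors.New("endorsement: incomplete")
	}
	if !ed25519.Verify(pub, e.signingBytes(), e.Signature) {
		return errors.New("endorsement: signature invalid")
	}
	// (3) Validity period, issuer status, request compliance, local trust list.
	if t < e.IssuedAt || t > e.ExpiresAt {
		return errors.New("endorsement: outside validity period")
	}
	if st := ts.IssuerStatus[e.IssuerID]; st != "active" {
		return errors.New("endorsement: issuer status is " + st)
	}
	if e.DeviceID != req.DeviceID || e.TargetSystem != ts.ID {
		return errors.New("request: device or target does not match endorsement")
	}
	for _, op := range req.Ops {
		if !e.SupportedOps[op] {
			return errors.New("request: operation not endorsed: " + op)
		}
	}
	if !ts.TrustList[e.IssuerID] {
		return errors.New("endorsement: issuer not in this domain's trust list")
	}
	return nil
}
```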
S250: According to the verification result returned by the third-party proxy authentication center, open up a data sharing domain within the data domain of the requested system, and establish a secure connection and data sharing operations between the source-domain system and the target-domain system.
In this step, the target-domain system, taking its own security into account, opens up a data sharing domain according to the verification result returned by the third-party proxy authentication center. The data sharing domain allows devices of the source-domain system to perform modification operations such as data reads and writes, and the operation records are transmitted to the third-party proxy authentication center for maintenance. This supports modification operations by the source-domain system while preserving the confidentiality of the target-domain system, realizes secure cross-domain interaction, and overcomes the technical defects of the prior art, in which cross-domain operations are hard to implement and the system whose access is requested has low security. The data sharing domain is designated to the target domain by the third-party proxy authentication center.
In summary, the cross-domain secure interaction method of the embodiment of this application establishes a trusted third-party proxy authentication center, which constructs a unified identity for different systems and for the devices under them and uses digital certificates to verify the cross-domain identities of different systems in an Internet of Things environment, realizing one-to-many cross-domain identity verification between heterogeneous systems. After identity verification succeeds, a data sharing domain supporting read and write operations is partitioned off within the data domain of the requested system, which enables secure interoperation between domains while guaranteeing the security of data domains that must not be modified, and avoids wasting resources. During cross-domain access the invention uses a data transmission scheme based on an attribute-certificate encryption algorithm, which improves access efficiency and the security of cross-domain access control.
Referring to FIG. 4, which is a schematic structural diagram of the cross-domain secure interaction system of an embodiment of this application, the cross-domain secure interaction system 40 of this embodiment comprises:
Authentication center construction module 41: used to construct the third-party proxy authentication center, which issues digital certificates to systems that support cross-domain access and issues endorsement credentials to the devices under those systems;
Request sending module 42: used to generate, through the third-party proxy authentication center and by the attribute mapping method, the attribute certificate of the requesting system in the source domain; the requesting system uses the attribute certificate to send an access request to the requested system in the target domain, and the access request includes the endorsement credential;
System verification module 43: used to verify, through the third-party proxy authentication center, the identity of the requesting system according to the access request and the attribute certificate and, if verification passes, to establish cross-domain secure interaction between the requesting system in the source domain and the requested system in the target domain.
Referring to FIG. 5, which is a schematic diagram of the structure of a terminal of an embodiment of this application, the terminal 50 comprises a processor 51 and a memory 52 coupled to the processor 51.
The memory 52 stores program instructions for implementing the cross-domain secure interaction method described above.
The processor 51 is configured to execute the program instructions stored in the memory 52 to control the cross-domain secure interaction.
The processor 51 may also be called a CPU (Central Processing Unit). The processor 51 may be an integrated circuit chip with signal processing capability. The processor 51 may also be a general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component. A general-purpose processor may be a microprocessor, or the processor may be any conventional processor.
Referring to FIG. 6, which is a schematic structural diagram of a storage medium of an embodiment of this application, the storage medium stores a program file 61 capable of implementing all the methods described above. The program file 61 may be stored in the storage medium in the form of a software product and includes a number of instructions that cause a computer device (which may be a personal computer, a server, a network device or the like) or a processor to execute all or part of the steps of the methods of the embodiments of the invention. The storage medium includes a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disc or any other medium that can store program code, or a terminal device such as a computer, server, mobile phone or tablet.
The above description of the disclosed embodiments enables a person skilled in the art to make or use the invention. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the general principles defined herein may be implemented in other embodiments without departing from the spirit or scope of the invention. The invention is therefore not limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (10)

  1. A cross-domain secure interaction method, characterized in that it comprises:
    constructing a third-party proxy authentication center, and issuing, through the third-party proxy authentication center, digital certificates to systems that support cross-domain access and endorsement credentials to devices under those systems;
    generating, through the third-party proxy authentication center and by an attribute mapping method, an attribute certificate for a requesting system in a source domain, the requesting system using the attribute certificate to send an access request to a requested system in a target domain, the access request including the endorsement credential;
    verifying, through the third-party proxy authentication center, the identity of the requesting system according to the access request and the attribute certificate and, if verification passes, establishing cross-domain secure interaction between the requesting system in the source domain and the requested system in the target domain.
  2. The cross-domain secure interaction method according to claim 1, characterized in that issuing digital certificates to systems that support cross-domain access and endorsement credentials to devices under those systems specifically comprises:
    identifying the information of a system requesting to join the third-party proxy authentication center, and issuing a digital certificate to the system if it supports cross-domain access;
    receiving a registration request sent by a device under the system, parsing the registration request, and issuing an endorsement credential to the device according to the authentication method of the system.
  3. The cross-domain secure interaction method according to claim 2, characterized in that issuing the endorsement credential to the device specifically comprises:
    parsing the registration request of the device, verifying the user identity information of the device and whether the registration request is legitimate and, if it is, querying the target-domain information the device expects to access, generating a key pair, and generating the endorsement credential from the key pair and the user identity information;
    digitally signing the endorsement credential with the key in the digital certificate;
    issuing the endorsement credential, the digital signature and the private key to the device, and writing the issuance record of the endorsement credential into the third-party proxy authentication center;
    wherein the endorsement credential includes the unique identity of the device, the identifier of the issuing system, the name of the issuing system, the authentication method of the issuing system, the device authentication result, the validity period and timestamp of the credential, the digital signature, the identifier of the target-domain system the device expects to access, the attribute operations supported by the requested system in the target domain, and a key for encrypted communication with the device.
  4. The cross-domain secure interaction method according to any one of claims 1 to 3, characterized in that the attribute certificate includes the identity information and key information of the device, a unique certificate serial number, the validity period of the certificate, attribute information, the domain of use, the issuing unit, the public key information of the issuing unit, and the certificate type;
    the access request includes the unique identity of the device, the content requested, the operations requested, the validity period and timestamp of the request, and the endorsement credential.
  5. The cross-domain secure interaction method according to claim 4, characterized in that generating, through the third-party proxy authentication center and by the attribute mapping method, the attribute certificate of the requesting system in the source domain specifically comprises:
    constructing an attribute table storage module for storing the attribute conversion relationships between domains;
    constructing an attribute mapping table for recording all attributes of the source domain and the target domain and the mapping relationships between those attributes;
    constructing a buffer in the attribute mapping service module for storing the attribute mapping tables between commonly used domains;
    performing attribute mapping on the attribute certificate with the attribute mapping table, wherein a full mapping in the attribute mapping table means that cross-domain access and synchronous modification operations are supported, no mapping means that cross-domain access is not allowed, and a partial mapping means that cross-domain access is allowed but modification operations are not.
  6. The cross-domain secure interaction method according to claim 5, characterized in that verifying, through the third-party proxy authentication center, the identity of the requesting system according to the access request and the attribute certificate further comprises:
    parsing the access request and the attribute certificate by the requested system in the target domain, the parsing process comprising:
    parsing the access request and checking its timestamp and request content;
    querying the issuer information of the endorsement credential through the third-party proxy authentication center, verifying the digital signature, and verifying whether the endorsement credential is complete;
    checking the validity period of the endorsement credential and the status of its issuer, verifying whether the access request is compliant, and checking whether the issuer of the endorsement credential is in the trust list of the local domain.
  7. The cross-domain secure interaction method according to claim 6, characterized in that, if verification passes, establishing cross-domain secure interaction between the requesting system in the source domain and the requested system in the target domain specifically comprises:
    opening up, within the data domain of the requested system in the target domain, a data sharing domain supporting read and write operations, the data sharing domain supporting synchronous modification operations by devices under the requesting system in the source domain;
    the data sharing domain being designated to the target domain by the third-party proxy authentication center.
  8. A cross-domain secure interaction system, characterized in that it comprises:
    an authentication center construction module, used to construct a third-party proxy authentication center, which issues digital certificates to systems that support cross-domain access and endorsement credentials to devices under those systems;
    a request sending module, used to generate, through the third-party proxy authentication center and by an attribute mapping method, an attribute certificate for a requesting system in a source domain, the requesting system using the attribute certificate to send an access request to a requested system in a target domain, the access request including the endorsement credential;
    a system verification module, used to verify, through the third-party proxy authentication center, the identity of the requesting system according to the access request and the attribute certificate and, if verification passes, to establish cross-domain secure interaction between the requesting system in the source domain and the requested system in the target domain.
  9. A terminal, characterized in that the terminal comprises a processor and a memory coupled to the processor, wherein
    the memory stores program instructions for implementing the cross-domain secure interaction method according to any one of claims 1 to 7;
    the processor is configured to execute the program instructions stored in the memory to control the cross-domain secure interaction.
  10. A storage medium, characterized in that it stores processor-executable program instructions for executing the cross-domain secure interaction method according to any one of claims 1 to 7.
PCT/CN2021/112257 2021-08-02 2021-08-12 Cross-domain secure interaction method and system, terminal, and storage medium WO2023010608A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202110880949.5 2021-08-02
CN202110880949.5A CN113612770A (en) 2021-08-02 2021-08-02 Cross-domain secure interaction method, system, terminal and storage medium

Publications (1)

Publication Number Publication Date
WO2023010608A1 true WO2023010608A1 (en) 2023-02-09

Family

ID=78306481



Also Published As

Publication number Publication date
CN113612770A (en) 2021-11-05


Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application
Ref document number: 21952479; Country of ref document: EP; Kind code of ref document: A1
NENP Non-entry into the national phase
Ref country code: DE
122 Ep: pct application non-entry in european phase
Ref document number: 21952479; Country of ref document: EP; Kind code of ref document: A1