WO2023221920A1 - 访问关系的建立方法、装置、电子设备及存储介质 - Google Patents
访问关系的建立方法、装置、电子设备及存储介质 Download PDFInfo
- Publication number
- WO2023221920A1 WO2023221920A1 PCT/CN2023/094189 CN2023094189W WO2023221920A1 WO 2023221920 A1 WO2023221920 A1 WO 2023221920A1 CN 2023094189 W CN2023094189 W CN 2023094189W WO 2023221920 A1 WO2023221920 A1 WO 2023221920A1
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- type
- message
- access request
- identity
- server
- Prior art date
Links
- 238000000034 method Methods 0.000 title claims abstract description 59
- 238000004891 communication Methods 0.000 claims description 52
- 238000012544 monitoring process Methods 0.000 claims description 20
- 238000004590 computer program Methods 0.000 claims description 11
- 238000004886 process control Methods 0.000 claims description 6
- 238000012546 transfer Methods 0.000 claims description 5
- 238000010586 diagram Methods 0.000 description 11
- 230000003287 optical effect Effects 0.000 description 7
- 238000012545 processing Methods 0.000 description 7
- 230000006870 function Effects 0.000 description 3
- 230000000644 propagated effect Effects 0.000 description 3
- 230000004044 response Effects 0.000 description 3
- 238000003491 array Methods 0.000 description 2
- 230000000694 effects Effects 0.000 description 2
- 230000002093 peripheral effect Effects 0.000 description 2
- 230000006399 behavior Effects 0.000 description 1
- 238000011161 development Methods 0.000 description 1
- 238000005516 engineering process Methods 0.000 description 1
- 239000000463 material Substances 0.000 description 1
- 239000013307 optical fiber Substances 0.000 description 1
- 239000004065 semiconductor Substances 0.000 description 1
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3236—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/01—Protocols
- H04L67/02—Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
- H04L67/025—Protocols based on web technology, e.g. hypertext transfer protocol [HTTP] for remote control or remote monitoring of applications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/01—Protocols
- H04L67/12—Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks
- H04L67/125—Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks involving control of end-device applications over a network
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/06—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
- H04L9/0643—Hash functions, e.g. MD5, SHA, HMAC or f9 MAC
Definitions
- This application relates to the field of network security technology, for example, to a method, device, electronic device and storage medium for establishing an access relationship.
- the access method of the industrial control system is that the authentication device sends a first identity request message to the client, and then receives the first identity response message sent by the client and encapsulates the received first identity response message in the first access request. message and sends the first access request message to the authentication server.
- the authentication server receives the first access request message sent by the authentication device and parses the first identity response message in the access request message to obtain the client
- the client's user name and address are then used to control the client's access rights based on the client's user name and address.
- this access method cannot judge the rationality of access control behavior.
- This application provides a method, device, electronic device, and storage medium for establishing an access relationship, which effectively avoids operations such as identity forgery, malicious use of permissions, and unauthorized access, and achieves standardized, legal, effective, and secure access control.
- the embodiment of this application provides a method for establishing an access relationship.
- the method includes:
- the access request message carries identity information and message characteristic values
- the identity information includes identity information factor, original hash encryption value and hash encryption seed,
- the identification information includes a first hash encrypted value and a second hash encrypted value.
- determine the identity identification information corresponding to the access request message based on the identity information including: running a hash encryption process on the identity information factor through the hash encryption seed to determine the first hash encryption value; using the identity identification database
- the information factor replaces the immutable factor in the identity information factor to obtain the target identity information factor, and runs a hash encryption process on the target identity information factor through the hash encryption seed to determine the second hash encryption value.
- determining the identity recognition result based on the identity information and the identity recognition information includes: matching the first hash encryption value and the second hash encryption value with the original hash encryption value to obtain the identity recognition result.
- determine the host type corresponding to the access request message based on the message characteristic value including: comparing the message characteristic value with the characteristic value in the preset protocol message characteristic database to obtain the characteristic value comparison result ; According to the characteristic value comparison result, determine the message type of the access request message; according to the message type of the access request message, determine the host type corresponding to the access request message.
- the message characteristic value at least includes field type, field offset, field length, and field value.
- determine the host type corresponding to the access request message according to the message type of the access request message including: determining the component type according to the message type of the access request message.
- the component type includes the session corresponding to the access request message.
- the client type and server type of both communicating parties based on the correspondence between the message type and the component type, determine the host type corresponding to the access request message.
- the host type is the engineering station; if the correspondence between the message type and the component type includes: monitoring software client and monitoring protocol, configuration software server and To configure the communication protocol, RPC server and RPC protocol, License client and license communication protocol, the host type is the operator station client; if the correspondence between the message type and the component type includes: monitoring software server and monitoring protocol, group If the server and configuration communication protocol, RPC server and RPC protocol, database client and database communication protocol, License client and license communication protocol are used, the host type is the operator station server; if the message type corresponds to the component type The relationship includes: controller monitoring server and monitoring protocol, controller configuration server and configuration communication protocol, then the host type is an embedded controller; if the corresponding relationship between message type and component type includes: historical database server and historical database communication protocol, then the host type
- establish an access relationship based on the identity recognition result and the host type including: obtaining a preset correspondence table between the access identity and the host type; judging whether the identity recognition result matches the host type according to the correspondence table; if the identity recognition If the result matches the host type, an access relationship is established.
- the embodiment of the present application also provides a device for establishing an access relationship, which device includes:
- the request acquisition module is configured to obtain access request messages, where the access request messages carry identity information and message characteristic values;
- the first determination module is configured to determine the identity identification information and host type corresponding to the access request message based on the identity information and message characteristic values respectively;
- the second determination module is configured to determine the identity recognition result based on the identity information and identity recognition information
- the access establishment module is set to establish access relationships based on identity recognition results and host types.
- Embodiments of the present application also provide an electronic device, including a memory, a processor, and a computer program stored in the memory and executable on the processor.
- the processor is configured to implement the steps in the embodiments of the present application when executing the computer program. Any method of establishing an access relationship described above.
- Embodiments of the present application also provide a computer-readable storage medium on which a computer program is stored.
- the computer program is executed by a processor, the method for establishing an access relationship as described in any of the embodiments of the present application is implemented.
- Figure 1 is a schematic flowchart of a method for establishing an access relationship provided by an embodiment of the present application
- Figure 2 is a schematic diagram of the data structure of an access request message provided by an embodiment of the present application.
- Figure 3(a) is a schematic diagram of the determination process of the first hash encryption value provided by the embodiment of the present application.
- Figure 3(b) is a schematic diagram of the determination process of the second hash encryption value provided by the embodiment of the present application.
- Figure 4 is a schematic structural diagram of a device for establishing an access relationship provided by an embodiment of the present application
- FIG. 5 is a schematic structural diagram of an electronic device provided by an embodiment of the present application.
- Figure 1 is a schematic flowchart of a method for establishing an access relationship provided by an embodiment of the present application.
- This embodiment can be applied to the establishment of an access relationship, for example, the establishment of an access relationship in an industrial control system environment.
- This method can be executed by the device for establishing an access relationship provided by the embodiment of the present application.
- the device can be implemented in the form of software and/or hardware.
- the device can be integrated in an electronic device. The following embodiments will be described by taking the device integrated in an electronic device as an example. Referring to Figure 1, the method includes the following steps.
- the access request message includes a request message for accessing the industrial control system.
- the access request message needs to be obtained through a gateway and/or other access proxy components;
- the identity information includes the identity information factor, the original hash encryption value and the hash value. Encrypted seeds are not limited in the embodiments of this application.
- the identity information factors include user identification number (Identity Document, ID), password summary, time, request type, protocol type, uniform resource locator (Uniform Resource Location, URL), etc.; message characteristic values include field types , field offset, field length, field value, etc., the embodiments of this application do not limit this.
- Figure 2 is a schematic diagram of the data structure of an access request message provided by an embodiment of the present application.
- P represents an access request message
- S 1 , S 2 , S 3 , S 4 ... ...S n is the identity information factor
- the secret key (key) is the hash encryption seed
- HASH is the original hash encryption value.
- the key is created by session negotiation, and the HASH is sent by the client.
- IP Internet Protocol
- you can also preprocess the access request message including: sending the access request message according to the source Internet Protocol (IP) address, destination IP address, and destination port information.
- IP Internet Protocol
- you can also preprocess the access request message including: sending the access request message according to the source Internet Protocol (IP) address, destination IP address, and destination port information.
- IP Internet Protocol
- S102 Determine the identity corresponding to the access request message based on the identity information and message characteristic values. Different information and host type.
- the identification information includes the first hash encrypted value and the second hash encrypted value
- the host type includes engineering station, operator station client, operator station server, embedded controller, historical database server, real-time database server, human-machine Interface devices, object connections and embedded servers for process control, etc. are not limited in the embodiments of this application.
- determining the identity identification information corresponding to the access request message includes: running a hash encryption process on the identity information factor through the hash encryption seed to determine the first hash encryption value; using the identity identification database.
- the information factor replaces the immutable factor in the identity information factor to obtain the target identity factor, and a hash encryption process is run on the target identity information factor through the hash encryption seed to determine the second hash encryption value.
- Determine the identity information corresponding to the access request message based on the identity information including: running a hash encryption process on the identity information factor through the hash encryption seed to determine the first hash encryption value; using the information factor in the identity recognition library to replace the identity
- the immutable factor in the information factor is used to obtain the target identity information factor, and a hash encryption process is run on the target identity information factor through the hash encryption seed to determine the second hash encryption value.
- Figure 3(a) is a schematic diagram of the determination process of the first hash encrypted value provided by the embodiment of the present application
- Figure 3(b) is a schematic diagram of the determination process of the second hash encrypted value provided by the embodiment of the present application.
- the first hash encryption value is HASH 1
- the second hash encryption value is HASH 2.
- HASH 2 uses the information factors S 1,1 , S 2,1 ... in the identity recognition library to replace the identity.
- the immutable factor in the information factor is the target identity factor, which is obtained by running a hash encryption process on the target identity information factor through the hash encryption seed Key.
- the implementation method of determining the host type corresponding to the access request message according to the message characteristic value including: comparing the message characteristic value with the preset protocol message Compare the feature values in the text feature database to obtain the feature value comparison results; determine the message type of the access request message based on the feature value comparison results; determine the access request message based on the message type of the access request message The corresponding host type.
- Message characteristic values include field type, field offset, field length, field value, etc.
- the setting process includes: extracting key field feature values, such as field type, field offset, field length, and Field values, etc., and determine the unique key field through the key field characteristic value; sort the characteristic values of all key fields according to the field offset, and establish a protocol message characteristic database.
- key field feature values such as field type, field offset, field length, and Field values, etc.
- the message characteristic value is compared with the characteristic value in the preset protocol message characteristic database to obtain the characteristic value comparison result, including: obtaining the corresponding arrangement of the characteristic value of the access request message in the message. sequence; compare the feature values at the corresponding arrangement positions with the features in the preset protocol message feature library Compare the values to obtain the eigenvalue comparison results.
- the message type of the access request message can be determined.
- determining the host type corresponding to the access request message according to the message type of the access request message includes: determining the component type according to the message type of the access request message.
- the component type includes the session corresponding to the access request message.
- the client type and server type of both communicating parties based on the correspondence between the message type and the component type, determine the host type corresponding to the access request message.
- the host type is the engineering station; if the message type The corresponding relationship with the component type includes: monitoring software client and monitoring protocol, configuration software server and configuration communication protocol, RPC server and RPC protocol, License client and license communication protocol, then the host type is operator station client ; If the correspondence between message type and component type includes: monitoring software server and monitoring protocol, configuration software server and configuration communication protocol, RPC server and RPC protocol, database client and database communication protocol, License client and license communication protocol, then the host type is operator station server; if the correspondence between message type and component type includes: controller monitoring server and monitoring protocol, controller configuration server and configuration communication protocol, then the host type is embedded control If the corresponding relationship between the message type and the
- the characteristic value comparison result is obtained; according to the characteristic value comparison result, the message type of the access request message is determined; according to the access request The message type of the message determines the host type corresponding to the access request message, and can accurately and quickly obtain the host type corresponding to the access request message.
- the key fields of the user's identity can be obtained, including ID, password summary, permissions, etc.
- the system is preset with key fields and other information corresponding to multiple identities. By comparing the key fields Fields and other information can determine the user's identity.
- determining the identity recognition result based on the identity information and the identity recognition information includes: matching the first hash encryption value and the second hash encryption value with the original hash encryption value to obtain the identity recognition result.
- the first hash encrypted value and the second hash encrypted value are matched with the original hash encrypted value, and the identity recognition result obtained is the first hash encrypted value HASH 1 and the second hash encrypted value HASH 1 obtained by the operation
- the encrypted value HASH 2 is matched with the hashed encrypted value HASH extracted from the access request message to confirm the user's identity.
- an access relationship can be established based on the user identity information and host type.
- the access relationship is established; otherwise, the access relationship is not established, which can reduce malicious use of permissions and unauthorized access.
- establish an access relationship based on the identity recognition result and the host type including: obtaining a preset correspondence table between the access identity and the host type; judging whether the identity recognition result matches the host type according to the correspondence table; if the identity recognition If the result matches the host type, an access relationship is established.
- the access permissions corresponding to different access identities and the host type corresponding to each access permission are pre-stored in the system. By looking up the corresponding correspondence table, it can be determined whether the identity recognition result matches the host type.
- identity A matches host type 1
- the access relationship is established only when the identity recognition result is identity A and the host type is type 1, otherwise (if the identity recognition result is identity A and the host type is not satisfied) In the case of type 1), no access relationship is established.
- the technical solution of this embodiment is to obtain the access request message, which carries identity information and message feature values; and determine the identity information and host corresponding to the access request message based on the identity information and message feature values respectively.
- Type determine the identity recognition result based on the identity information and identity recognition information; establish an access relationship based on the identity recognition result and host type.
- the technical solution of this application can effectively avoid identity forgery, malicious use of permissions and unauthorized access by confirming the identity information and message characteristic values in the access request message, and determining whether the access relationship is established based on the identity recognition information and host type. and other operations to achieve standardized, legal, effective, and secure access control.
- the device for establishing an access relationship provided by the embodiments of this application can execute the method for establishing an access relationship provided by any of the above embodiments of this application, and has functional modules and effects corresponding to the execution method.
- Figure 4 is a schematic structural diagram of an apparatus for establishing an access relationship provided by an embodiment of the present application. As shown in Figure 4, it includes: a request acquisition module 401, a first determination module 402, a second determination module 403 and an access establishment module 404.
- the request acquisition module 401 is configured to obtain an access request message, where the access request message carries identity information and message characteristic values.
- the first determination module 402 is configured to determine the identity identification information and host type corresponding to the access request message based on the identity information and message feature values respectively.
- the second determination module 403 is configured to determine the identity recognition result based on the identity information and identity recognition information.
- the access establishment module 404 is configured to establish an access relationship based on the identity recognition result and the host type.
- the device for establishing an access relationship provided by this embodiment is used to implement the method for establishing an access relationship in the above embodiment.
- the implementation principles and technical effects of the device for establishing an access relationship provided by this embodiment are similar to those of the above embodiment, and will not be described again here. .
- the identity information includes an identity information factor, an original hash encryption value and a hash encryption seed, and the identity identification information includes a first hash encryption value and a second hash encryption value.
- the first determination module 402 is configured to run a hash encryption process on the identity information factor through the hash encryption seed to determine the first hash encryption value; use the information factor in the identity recognition library to replace the unavailable identity information factor.
- the variable factor is used to obtain the target identity information factor, and a hash encryption process is run on the target identity information factor through the hash encryption seed to determine the second hash encryption value.
- the second determination module 403 is configured to match the first hash encrypted value and the second hash encrypted value with the original hash encrypted value to obtain the identity recognition result.
- the first determination module 402 is configured to compare the message characteristic value with the characteristic value in the preset protocol message characteristic database to obtain the characteristic value comparison result; according to the characteristic value comparison result, determine The message type of the access request message; according to the message type of the access request message, determine the host type corresponding to the access request message.
- the message characteristic value at least includes field type, field offset, field length, and field value.
- the first determination module 402 is configured to determine the component type according to the message type of the access request message.
- the component type includes the client type of the session communication parties corresponding to the access request message and Server type; determine the host type corresponding to the access request message based on the correspondence between the message type and the component type.
- the host type is the engineering station; if the correspondence between the message type and the component type includes: monitoring software client and monitoring protocol, configuration software server and configuration Communication protocol, RPC server and RPC protocol, License client and license communication protocol, the host type is the operator station client; if the correspondence between the message type and the component type includes: monitoring software server and monitoring protocol, configuration software Server and configuration communication protocol, RPC server and RPC protocol, database client and database communication protocol, License client and license communication protocol, then the host type is the operator station server; if the correspondence between the message type and the component type includes : Controller monitoring server and monitoring protocol, controller configuration server and configuration communication protocol, the host type is an embedded controller; if the correspondence between message type and component type includes: historical database server and historical database communication protocol, Then the host type is a historical database server;
- the access establishment module 404 is configured to obtain a preset correspondence table between the access identity and the host type; and determine whether the identity recognition result matches the host type according to the correspondence table; if the identity recognition result matches the host type, An access relationship is established.
- FIG. 5 is a schematic structural diagram of an electronic device in an embodiment of the present application. 5 illustrates a block diagram of an exemplary electronic device 12 suitable for implementing embodiments of the present application.
- the electronic device 12 shown in FIG. 5 is only an example and should not bring any limitations to the functions and scope of use of the embodiments of the present application.
- electronic device 12 is embodied in the form of a general computing device.
- the components of electronic device 12 may include one or more processing units or processors 16, system memory 28, and a bus 18 connecting various system components, including system memory 28 and processor 16.
- Bus 18 represents one or more of several types of bus structures, including a memory bus or memory controller, a peripheral bus, a graphics accelerated port, a processor, or a local bus using any of a variety of bus structures.
- these architectures include Industry Subversive Alliance (ISA) bus, Micro Channel Architecture (Micro Channel Architecture, MCA) bus, enhanced ISA bus, Video Electronics Standards Association (VESA) local area bus and Peripheral Component Interconnect (PCI) bus.
- ISA Industry Subversive Alliance
- MCA Micro Channel Architecture
- VESA Video Electronics Standards Association
- PCI Peripheral Component Interconnect
- Electronic device 12 includes a variety of computer system readable media. These media can be any available media that can be accessed by electronic device 12, including volatile and nonvolatile media, removable and non-removable media.
- the storage medium may be a non-transitory storage medium.
- System memory 28 may include computer system readable media in the form of volatile memory, such as random access memory (RAM) 30 and/or cache 32.
- Electronic device 12 may include other removable/non-removable, volatile/non-volatile computer system storage media.
- storage system 34 may be configured to read and write to non-removable, non-volatile magnetic media (not shown in Figure 5, commonly referred to as a "hard drive”).
- a disk drive may be provided for reading and writing to a removable non-volatile disk (such as a "floppy disk”), and a disk drive for reading and writing a removable non-volatile optical disk (such as a Compact Disk Read-Only Memory).
- System memory 28 may include at least one program product having a set (eg, at least one) of program modules configured to perform the functions of various embodiments of the present application.
- a program/utility 40 having a set of (at least one) program modules 42, including an operating system, one or more application programs, other program modules, and program data, may be stored, for example, in system memory 28. Each or a combination of examples may include implementation of a network environment.
- Program modules 42 generally perform functions and/or methods in the embodiments described herein.
- Electronic device 12 may also communicate with one or more external devices 14 (e.g., keyboard, pointing device, display 24, etc.), may also communicate with one or more devices that enable a user to interact with electronic device 12, and/or with Any device (eg, network card, modem, etc.) that enables the electronic device 12 to communicate with one or more other computing devices. This communication may occur through an input/output (I/O) interface 22 .
- the display 24 does not exist as an independent entity, but is embedded in the mirror. When the display surface of the display 24 is not displayed, the display surface of the display 24 and the mirror surface are visually integrated.
- the electronic device 12 may also communicate with one or more networks (such as a local area network (LAN), a wide area network (WAN) and/or a public network such as the Internet) through the network adapter 20 .
- network adapter 20 communicates with other modules of electronic device 12 via bus 18 .
- other hardware and/or software modules may be used in conjunction with electronic device 12 , including: microcode, device drivers, redundant processing units, external disk drive arrays, Redundant Arrays of Independent Drives, RAID) systems, tape drives and data backup storage systems, etc.
- the processor 16 executes a variety of functional applications and data processing by running programs stored in the system memory 28, such as implementing the method for establishing an access relationship provided by the embodiment of the present application, which method includes:
- the access request message carries identity information and message characteristic values
- Embodiments of the present application provide a computer-readable storage medium on which a computer program is stored.
- the computer program is executed by a processor, the method for establishing an access relationship as provided in all embodiments of the present application is implemented.
- the method includes:
- the access request message carries identity information and message characteristic values
- the computer-readable medium may be a computer-readable signal medium or a computer-readable storage medium.
- the computer-readable storage medium may be, for example, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, device or device, or any combination thereof.
- the storage medium may be a non-transitory storage medium.
- Computer-readable storage media include: electrical connections with one or more wires, portable computer disks, hard drives, RAM, Read-Only Memory (ROM), Erasable Programmable Read-Only Memory (Erasable Programmable Read-Only Memory) Only Memory, EPROM), flash memory, optical fiber, portable CD-ROM, optical storage device, magnetic storage device, or any suitable combination of the above.
- a computer-readable storage medium may be any tangible medium that contains or stores a program for use by or in connection with an instruction execution system, apparatus, or device.
- a computer-readable signal medium may include a data signal propagated in baseband or as part of a carrier wave carrying computer-readable program code therein. Such propagated data signals may take many forms, including electromagnetic signals, optical signals, or any suitable combination of the above.
- the computer-readable signal medium may also be any computer-readable medium other than computer-readable storage media. Material may be sent, propagated, or transmitted for use by or in conjunction with an instruction execution system, apparatus, or device.
- Program code embodied on a computer-readable medium can be transmitted using any suitable medium, including wireless, wire, optical cable, radio frequency (Radio Frequency, RF), etc., or any suitable combination of the above.
- Computer program code for performing operations of the present application may be written in one or more programming languages, including object-oriented programming languages such as Java, Smalltalk, C++, and conventional A procedural programming language, such as the "C" language or similar programming language.
- the program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer or entirely on the remote computer or server.
- the remote computer may be connected to the user computer through any kind of network, including a LAN or WAN, or may be connected to an external computer (eg, through the Internet using an Internet service provider).
Landscapes
- Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Security & Cryptography (AREA)
- Computing Systems (AREA)
- Computer Hardware Design (AREA)
- Power Engineering (AREA)
- General Engineering & Computer Science (AREA)
- Health & Medical Sciences (AREA)
- General Health & Medical Sciences (AREA)
- Medical Informatics (AREA)
- Computer And Data Communications (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
本申请提供了一种访问关系的建立方法、装置、电子设备及存储介质。该访问关系的建立方法包括:获取访问请求报文,访问请求报文中携带身份信息和报文特征值;分别根据身份信息和报文特征值,确定访问请求报文对应的身份识别信息及主机类型;根据身份信息和身份识别信息,确定身份识别结果;根据身份识别结果及主机类型,建立访问关系。
Description
本申请要求在2022年05月16日提交中国专利局、申请号为202210527095.7的中国专利申请的优先权,该申请的全部内容通过引用结合在本申请中。
本申请涉及网络安全技术领域,例如涉及一种访问关系的建立方法、装置、电子设备及存储介质。
工业控制系统的信息安全问题在工业信息化、以及数字化发展过程中逐渐暴露,存在很多安全风险,其中,工业控制系统中的身份识别和访问控制是网络信息安全的重要内容。
工业控制系统的访问方法是认证设备向客户端发送第一身份请求报文,然后接收客户端发送的第一身份响应报文并将接收到的第一身份响应报文封装在第一接入请求报文中以及将第一接入请求报文发送至认证服务器,认证服务器接收认证设备发送的第一接入请求报文并解析该接入请求报文中的第一身份响应报文,获取客户端的用户名和地址,再根据客户端的用户名和地址,对客户端的访问权限进行控制。但这种访问方法无法对访问控制行为的合理性做出判断。
发明内容
本申请提供一种访问关系的建立方法、装置、电子设备及存储介质,有效避免了身份伪造、权限恶意利用及越权访问等操作,实现规范、合法、有效、且安全的访问控制。
本申请实施例提供了一种访问关系的建立方法,该方法包括:
获取访问请求报文,其中,访问请求报文中携带身份信息和报文特征值;
分别根据身份信息和报文特征值,确定访问请求报文对应的身份识别信息及主机类型;
根据身份信息和身份识别信息,确定身份识别结果;
根据身份识别结果及主机类型,建立访问关系。
可选的,身份信息包括身份信息因子、原始散列加密值和散列加密种子,
身份识别信息包括第一散列加密值和第二散列加密值。
可选的,根据身份信息,确定访问请求报文对应的身份识别信息,包括:通过散列加密种子对身份信息因子运行散列加密过程,确定第一散列加密值;利用身份识别库中的信息因子替换身份信息因子中不可变的因子,得到目标身份信息因子,并通过散列加密种子对目标身份信息因子运行散列加密过程,确定第二散列加密值。
可选的,根据身份信息和身份识别信息,确定身份识别结果,包括:将第一散列加密值和第二散列加密值与原始散列加密值进行匹配,得到身份识别结果。
可选的,根据报文特征值,确定访问请求报文对应的主机类型,包括:将报文特征值与预先设置的协议报文特征库中的特征值进行比对,得到特征值比对结果;根据特征值比对结果,确定访问请求报文的报文类型;根据访问请求报文的报文类型,确定访问请求报文对应的主机类型。
可选的,报文特征值至少包括字段类型、字段偏移、字段长度以及字段取值。
可选的,根据访问请求报文的报文类型,确定访问请求报文对应的主机类型,包括:根据访问请求报文的报文类型,确定组件类型,组件类型包括访问请求报文对应的会话通信双方的客户端类型以及服务器类型;根据报文类型与组件类型的对应关系,确定访问请求报文对应的主机类型。
可选的,若报文类型与组件类型的对应关系包括:组态软件客户端与组态通信协议、全球广域网Web服务器与超文本传输协议HTTP、远程过程调用协议RPC客户端与RPC协议、数据库客户端与数据库通信协议、许可证License客户端与许可证通信协议,则主机类型为工程师站;若报文类型与组件类型的对应关系包括:监控软件客户端与监控协议、组态软件服务器与组态通信协议、RPC服务器与RPC协议、License客户端与许可证通信协议,则主机类型为操作员站客户端;若报文类型与组件类型的对应关系包括:监控软件服务器与监控协议、组态软件服务器与组态通信协议、RPC服务器与RPC协议、数据库客户端与数据库通信协议、License客户端与许可证通信协议,则主机类型为操作员站服务器;若报文类型与组件类型的对应关系包括:控制器监控服务器与监控协议、控制器组态服务器与组态通信协议,则主机类型为嵌入式控制器;若报文类型与组件类型的对应关系包括:历史数据库服务器与历史数据库通信协议,则主机类型为历史数据库服务器;若报文类型与组件类型的对应关系包括:实时数据库服务器与实时数据库通信协议,则主机类型为实时数据库服务器;若报文类型与组件类型的对应关系包括:监控软件客户端与监控协议,则主机类
型为人机接口设备;若报文类型与组件类型的对应关系包括:组态软件服务器与组态通信协议、用于过程控制的对象连接与嵌入OPC服务与OPC协议,则主机类型为OPC服务器。
可选的,根据身份识别结果及主机类型,建立访问关系,包括:获取预先设置的访问身份与主机类型的对应关系表;根据对应关系表,判断身份识别结果与主机类型是否匹配;若身份识别结果与主机类型匹配,则建立访问关系。
本申请实施例还提供了一种访问关系的建立装置,该装置包括:
请求获取模块,设置为获取访问请求报文,其中,访问请求报文中携带身份信息和报文特征值;
第一确定模块,设置为分别根据身份信息和报文特征值,确定访问请求报文对应的身份识别信息及主机类型;
第二确定模块,设置为根据身份信息和身份识别信息,确定身份识别结果;
访问建立模块,设置为根据身份识别结果及主机类型,建立访问关系。
本申请实施例还提供了一种电子设备,包括存储器、处理器及存储在存储器上并可在处理器上运行的计算机程序,所述处理器用于在执行计算机程序时实现如本申请实施例中任一所述的访问关系的建立方法。
本申请实施例还提供了一种计算机可读存储介质,其上存储有计算机程序,该计算机程序被处理器执行时实现如本申请实施例中任一所述的访问关系的建立方法。
图1是本申请实施例提供的一种访问关系的建立方法的流程示意图;
图2是本申请实施例提供的一种访问请求报文的数据结构示意图;
图3(a)是本申请实施例提供的第一散列加密值的确定过程的示意图;
图3(b)是本申请实施例提供的第二散列加密值的确定过程的示意图;
图4是本申请实施例提供的一种访问关系的建立装置的结构示意图;
图5是本申请实施例提供的一种电子设备的结构示意图。
下面结合附图和实施例对本申请作说明。此处所描述的实施例仅仅用于解释本申请,而非对本申请的限定。为了便于描述,附图中仅示出了与本申请相
关的部分而非全部结构。
图1为本申请实施例提供的一种访问关系的建立方法的流程示意图,本实施例可适用于访问关系的建立的情况,例如,工业控制系统环境中的访问关系的建立。该方法可以由本申请实施例提供的访问关系的建立装置来执行,该装置可采用软件和/或硬件的方式实现,在一个实施例中,该装置可以集成在电子设备中。以下实施例将以该装置集成在电子设备中为例进行说明,参考图1,该方法包括如下步骤。
S101、获取访问请求报文,访问请求报文中携带身份信息和报文特征值。
访问请求报文包括访问工业控制系统的请求报文,示例性的,访问请求报文需要通过网关和/或其他访问代理组件进行获取;身份信息包括身份信息因子、原始散列加密值和散列加密种子,本申请实施例对此不进行限定。
示例性的,身份信息因子包括用户身份识别号(Identity Document,ID)、口令摘要、时间、请求类型、协议类型、统一资源定位符(Uniform Resource Location,URL)等;报文特征值包括字段类型、字段偏移、字段长度、以及字段取值等,本申请实施例对此不进行限定。
示例性的,图2是本申请实施例提供的一种访问请求报文的数据结构示意图,如图2所示,P表示一个访问请求报文,S1、S2、S3、S4……Sn为身份信息因子,秘钥(key)为散列加密种子,HASH为原始散列加密值,示例性的,key由会话协商创建,HASH由客户端发送。为访问请求报文中的报文特征值,其中,报文特征值由组成,报文特征值由组成,以此类推,报文特征值由组成。
可选的,获取访问请求报文后,还可以对访问请求报文进行预处理,包括:根据源互联网协议(Internet Protocol,IP)地址、目的IP地址以及目的端口信息,将访问请求报文发送至不同的会话处理流程。即根据源IP地址、目的IP地址以及目的端口信息分别建立通信会话进行处理。若后续出现符合每个会话特征的报文,直接进入相应的会话流程进行处理,能够缩短处理时间,提高系统的性能。
S102、分别根据身份信息和报文特征值,确定访问请求报文对应的身份识
别信息及主机类型。
身份识别信息包括第一散列加密值和第二散列加密值,主机类型包括工程师站、操作员站客户端、操作员站服务器、嵌入式控制器、历史数据库服务器、实时数据库服务器、人机接口设备、用于过程控制的对象连接与嵌入服务器等,本申请实施例对此不进行限定。
示例性的,根据身份信息,确定访问请求报文对应的身份识别信息,包括:通过散列加密种子对身份信息因子运行散列加密过程,确定第一散列加密值;利用身份识别库中的信息因子替换身份信息因子中不可变的因子,得到目标身份因子,并通过散列加密种子对目标身份信息因子运行散列加密过程,确定第二散列加密值。根据身份信息,确定访问请求报文对应的身份识别信息,包括:通过散列加密种子对身份信息因子运行散列加密过程,确定第一散列加密值;利用身份识别库中的信息因子替换身份信息因子中不可变的因子,得到目标身份信息因子,并通过散列加密种子对目标身份信息因子运行散列加密过程,确定第二散列加密值。
图3(a)是本申请实施例提供的第一散列加密值的确定过程的示意图,图3(b)是本申请实施例提供的第二散列加密值的确定过程的示意图。其中,第一散列加密值是HASH1,第二散列加密值是HASH2,示例性的,HASH2是利用身份识别库中的信息因子S1,1、S2,1……替换身份信息因子中不可变的因子,得到目标身份因子,并通过散列加密种子Key对目标身份信息因子运行散列加密过程得到的。
在一个实施例中,以上述实施例为基础,对根据报文特征值,确定访问请求报文对应的主机类型的步骤的实现方法进行说明,包括:将报文特征值与预先设置的协议报文特征库中的特征值进行比对,得到特征值比对结果;根据特征值比对结果,确定访问请求报文的报文类型;根据访问请求报文的报文类型,确定访问请求报文对应的主机类型。
报文特征值包括字段类型、字段偏移、字段长度以及字段取值等。
示例性的,协议报文特征库内设置有多种特征,设置过程包括:根据访问请求报文样本中报文的特征提取关键字段特征值,例如字段类型、字段偏移、字段长度、以及字段取值等,并通过关键字段特征值确定唯一的关键字段;依据字段偏移对所有关键字段的特征值进行排序,建立协议报文特征库。
示例性的,将报文特征值与预先设置的协议报文特征库中的特征值进行比对,得到特征值比对结果,包括:获取访问请求报文的特征值在报文中对应的排列顺序;将相应排列位置上的特征值与预先设置的协议报文特征库中的特征
值进行比对,得到特征值比对结果。
在一个示例中,如果一个特征值匹配成功,则继续下一个特征值的匹配;如果一个特征值匹配失败,则立即终止匹配过程;如果一个访问请求报文与协议报文特征库中的一个报文类型的所有特征值均匹配成功,则获取该特征值对应的报文类型。根据报文类型与特征值的对应关系,即可确定访问请求报文的报文类型。
示例性的,根据访问请求报文的报文类型,确定访问请求报文对应的主机类型,包括:根据访问请求报文的报文类型,确定组件类型,组件类型包括访问请求报文对应的会话通信双方的客户端类型以及服务器类型;根据报文类型与组件类型的对应关系,确定访问请求报文对应的主机类型。
示例性的,若报文类型与组件类型的对应关系包括:组态软件客户端与组态通信协议、全球广域网(World Wide Web,Web)服务器与超文本传输协议(HyperText Transfer Protocol,HTTP)、远程过程调用协议(Remote Procedure Call Protocol,RPC)客户端与RPC协议、数据库客户端与数据库通信协议、许可证(License)客户端与许可证通信协议,则主机类型为工程师站;若报文类型与组件类型的对应关系包括:监控软件客户端与监控协议、组态软件服务器与组态通信协议、RPC服务器与RPC协议、License客户端与许可证通信协议,则主机类型为操作员站客户端;若报文类型与组件类型的对应关系包括:监控软件服务器与监控协议、组态软件服务器与组态通信协议、RPC服务器与RPC协议、数据库客户端与数据库通信协议、License客户端与许可证通信协议,则主机类型为操作员站服务器;若报文类型与组件类型的对应关系包括:控制器监控服务器与监控协议、控制器组态服务器与组态通信协议,则主机类型为嵌入式控制器;若报文类型与组件类型的对应关系包括:历史数据库服务器与历史数据库通信协议,则主机类型为历史数据库服务器;若报文类型与组件类型的对应关系包括:实时数据库服务器与实时数据库通信协议,则主机类型为实时数据库服务器;若报文类型与组件类型的对应关系包括:监控软件客户端与监控协议,则主机类型为人机接口设备;若报文类型与组件类型的对应关系包括:组态软件服务器与组态通信协议、用于过程控制的对象连接与嵌入(Object Linking and Embedding for Process Control,OPC)服务与OPC协议,则主机类型为OPC服务器。
通过将报文特征值与预先设置的协议报文特征库中的特征值进行比对,得到特征值比对结果;根据特征值比对结果,确定访问请求报文的报文类型;根据访问请求报文的报文类型,确定访问请求报文对应的主机类型,能够精准、快速的得到与访问请求报文相对应的主机类型。
S103、根据身份信息和身份识别信息,确定身份识别结果。
示例性的,根据身份信息和身份识别信息,可以获得用户身份的关键字段,包括ID、口令摘要、权限等,系统中预先设置有多种身份对应的关键字段等信息,通过比对关键字段等信息即可确定用户的身份。
可选的,根据身份信息和身份识别信息,确定身份识别结果,包括:将第一散列加密值和第二散列加密值与原始散列加密值进行匹配,得到身份识别结果。
示例性的,将第一散列加密值和第二散列加密值与原始散列加密值进行匹配,得到身份识别结果即为将运算得到的第一散列加密值HASH1、第二散列加密值HASH2与从访问请求报文中提取的散列加密值HASH进行匹配,以此来确认用户身份。
S104、根据身份识别结果及主机类型,建立访问关系。
示例性的,不同用户身份具有不同的访问权限,不同的访问权限对应不同的主机类型,且不同用户身份具有规律的访问历史,因此,依据用户身份信息及主机类型,即可建立访问关系。
示例性的,如若身份识别结果与主机类型相对应,则建立访问关系,否则,不建立访问关系,能够减少权限恶意利用及越权访问等操作。
可选的,根据身份识别结果及主机类型,建立访问关系,包括:获取预先设置的访问身份与主机类型的对应关系表;根据对应关系表,判断身份识别结果与主机类型是否匹配;若身份识别结果与主机类型匹配,则建立访问关系。
示例性的,系统中预先存储有不同的访问身份对应的访问权限及每个访问权限对应的主机类型,通过查找相应的对应关系表,即可判断身份识别结果与主机类型是否匹配。
示例性的,如若身份A与主机类型1相匹配,那么,只有当身份识别结果为身份A且主机类型为类型1时,建立访问关系,否则(在不满足身份识别结果为身份A且主机类型为类型1的情况下),不建立访问关系。
本实施例的技术方案,通过获取访问请求报文,访问请求报文中携带身份信息和报文特征值;分别根据身份信息和报文特征值,确定访问请求报文对应的身份识别信息及主机类型;根据身份信息和身份识别信息,确定身份识别结果;根据身份识别结果及主机类型,建立访问关系。本申请的技术方案,通过对访问请求报文中的身份信息和报文特征值进行确认,并基于身份识别信息和主机类型确定访问关系是否建立,能够有效避免身份伪造、权限恶意利用及越权访问等操作,实现规范、合法、有效、且安全的访问控制。
本申请实施例所提供的访问关系的建立装置可执行本申请上述实施例中任意实施例所提供的访问关系的建立方法,具备执行方法相应的功能模块和效果。
图4为本申请实施例提供的一种访问关系的建立装置的结构示意图,如图4所示,包括:请求获取模块401、第一确定模块402、第二确定模块403和访问建立模块404。
请求获取模块401,设置为获取访问请求报文,其中,访问请求报文中携带身份信息和报文特征值。
第一确定模块402,设置为分别根据身份信息和报文特征值,确定访问请求报文对应的身份识别信息及主机类型。
第二确定模块403,设置为根据身份信息和身份识别信息,确定身份识别结果。
访问建立模块404,设置为根据身份识别结果及主机类型,建立访问关系。
本实施例提供的访问关系的建立装置用于实现上述实施例中的访问关系的建立方法,本实施例提供的访问关系的建立装置实现原理和技术效果与上述实施例类似,此处不再赘述。
可选的,身份信息包括身份信息因子、原始散列加密值和散列加密种子,身份识别信息包括第一散列加密值和第二散列加密值。
可选的,第一确定模块402,是设置为通过散列加密种子对身份信息因子运行散列加密过程,确定第一散列加密值;利用身份识别库中的信息因子替换身份信息因子中不可变的因子,得到目标身份信息因子,并通过散列加密种子对目标身份信息因子运行散列加密过程,确定第二散列加密值。
可选的,第二确定模块403,是设置为将第一散列加密值和第二散列加密值与原始散列加密值进行匹配,得到身份识别结果。
可选的,第一确定模块402,是设置为将报文特征值与预先设置的协议报文特征库中的特征值进行比对,得到特征值比对结果;根据特征值比对结果,确定访问请求报文的报文类型;根据访问请求报文的报文类型,确定访问请求报文对应的主机类型。
可选的,报文特征值至少包括字段类型、字段偏移、字段长度以及字段取值。
可选的,第一确定模块402,是设置为根据访问请求报文的报文类型,确定组件类型,组件类型包括访问请求报文对应的会话通信双方的客户端类型以及
服务器类型;根据报文类型与组件类型的对应关系,确定访问请求报文对应的主机类型。
可选的,若报文类型与组件类型的对应关系包括:组态软件客户端与组态通信协议、全球广域网Web服务器与超文本传输协议HTTP、远程过程调用协议RPC客户端与RPC协议、数据库客户端与数据库通信协议、License客户端与许可证通信协议,则主机类型为工程师站;若报文类型与组件类型的对应关系包括:监控软件客户端与监控协议、组态软件服务器与组态通信协议、RPC服务器与RPC协议、License客户端与许可证通信协议,则主机类型为操作员站客户端;若报文类型与组件类型的对应关系包括:监控软件服务器与监控协议、组态软件服务器与组态通信协议、RPC服务器与RPC协议、数据库客户端与数据库通信协议、License客户端与许可证通信协议,则主机类型为操作员站服务器;若报文类型与组件类型的对应关系包括:控制器监控服务器与监控协议、控制器组态服务器与组态通信协议,则主机类型为嵌入式控制器;若报文类型与组件类型的对应关系包括:历史数据库服务器与历史数据库通信协议,则主机类型为历史数据库服务器;若报文类型与组件类型的对应关系包括:实时数据库服务器与实时数据库通信协议,则主机类型为实时数据库服务器;若报文类型与组件类型的对应关系包括:监控软件客户端与监控协议,则主机类型为人机接口设备;若报文类型与组件类型的对应关系包括:组态软件服务器与组态通信协议、用于过程控制的对象连接与嵌入OPC服务与OPC协议,则主机类型为OPC服务器。
可选的,访问建立模块404,是设置为获取预先设置的访问身份与主机类型的对应关系表;根据对应关系表,判断身份识别结果与主机类型是否匹配;若身份识别结果与主机类型匹配,则建立访问关系。
图5为本申请实施例中的一种电子设备的结构示意图。图5示出了适于用来实现本申请实施方式的示例性电子设备12的框图。图5显示的电子设备12仅仅是一个示例,不应对本申请实施例的功能和使用范围带来任何限制。
如图5所示,电子设备12以通用计算设备的形式表现。电子设备12的组件可以包括:一个或者多个处理单元或者处理器16,系统存储器28,连接不同系统组件(包括系统存储器28和处理器16)的总线18。
总线18表示几类总线结构中的一种或多种,包括存储器总线或者存储器控制器,外围总线,图形加速端口,处理器或者使用多种总线结构中的任意总线结构的局域总线。举例来说,这些体系结构包括工业标准体系结构(Industry Subversive Alliance,ISA)总线,微通道体系结构(Micro Channel Architecture,
MCA)总线,增强型ISA总线、视频电子标准协会(Video Electronics Standards Association,VESA)局域总线以及外围组件互连(Peripheral Component Interconnect,PCI)总线。
电子设备12包括多种计算机系统可读介质。这些介质可以是任何能够被电子设备12访问的可用介质,包括易失性和非易失性介质,可移动的和不可移动的介质。存储介质可以是非暂态(non-transitory)存储介质。
系统存储器28可以包括易失性存储器形式的计算机系统可读介质,例如随机存取存储器(Random Access Memory,RAM)30和/或高速缓存32。电子设备12可以包括其它可移动/不可移动的、易失性/非易失性计算机系统存储介质。仅作为举例,存储系统34可以设置为读写不可移动的、非易失性磁介质(图5未显示,通常称为“硬盘驱动器”)。尽管图5中未示出,可以提供用于对可移动非易失性磁盘(例如“软盘”)读写的磁盘驱动器,以及对可移动非易失性光盘(例如紧凑磁盘只读存储器(Compact Disc Read Only Memory,CD-ROM),数字多功能盘只读存储器(Digital Video Disk Read Only Memory,DVD-ROM)或者其它光介质)读写的光盘驱动器。在这些情况下,每个驱动器可以通过一个或者多个数据介质接口与总线18相连。系统存储器28可以包括至少一个程序产品,该程序产品具有一组(例如至少一个)程序模块,这些程序模块被配置以执行本申请多个实施例的功能。
具有一组(至少一个)程序模块42的程序/实用工具40,可以存储在例如系统存储器28中,这样的程序模块42包括操作系统、一个或者多个应用程序、其它程序模块以及程序数据,这些示例中的每一个或一种组合中可能包括网络环境的实现。程序模块42通常执行本申请所描述的实施例中的功能和/或方法。
电子设备12也可以与一个或多个外部设备14(例如键盘、指向设备、显示器24等)通信,还可与一个或者多个使得用户能与该电子设备12交互的设备通信,和/或与使得该电子设备12能与一个或多个其它计算设备进行通信的任何设备(例如网卡,调制解调器等等)通信。这种通信可以通过输入/输出(Input/Output,I/O)接口22进行。另外,本实施例中的电子设备12,显示器24不是作为独立个体存在,而是嵌入镜面中,在显示器24的显示面不予显示时,显示器24的显示面与镜面从视觉上融为一体。并且,电子设备12还可以通过网络适配器20与一个或者多个网络(例如局域网(Local Area Network,LAN),广域网(Wide Area Network,WAN)和/或公共网络,例如因特网)通信。如图5所示,网络适配器20通过总线18与电子设备12的其它模块通信。尽管图5中未示出,可以结合电子设备12使用其它硬件和/或软件模块,包括:微代码、设备驱动器、冗余处理单元、外部磁盘驱动阵列、磁盘阵列(Redundant Arrays of
Independent Drives,RAID)系统、磁带驱动器以及数据备份存储系统等。
处理器16通过运行存储在系统存储器28中的程序,从而执行多种功能应用以及数据处理,例如实现本申请实施例所提供的访问关系的建立方法,该方法包括:
获取访问请求报文,其中,访问请求报文中携带身份信息和报文特征值;
分别根据身份信息和报文特征值,确定访问请求报文对应的身份识别信息及主机类型;
根据身份信息和身份识别信息,确定身份识别结果;
根据身份识别结果及主机类型,建立访问关系。
本申请实施例提供了一种计算机可读存储介质,其上存储有计算机程序,该计算机程序被处理器执行时实现如本申请所有申请实施例提供的访问关系的建立方法,该方法包括:
获取访问请求报文,其中,访问请求报文中携带身份信息和报文特征值;
分别根据身份信息和报文特征值,确定访问请求报文对应的身份识别信息及主机类型;
根据身份信息和身份识别信息,确定身份识别结果;
根据身份识别结果及主机类型,建立访问关系。
可以采用一个或多个计算机可读的介质的任意组合。计算机可读介质可以是计算机可读信号介质或者计算机可读存储介质。计算机可读存储介质例如可以是电、磁、光、电磁、红外线、或半导体的系统、装置或器件,或者任意以上的组合。存储介质可以是非暂态(non-transitory)存储介质。计算机可读存储介质包括:具有一个或多个导线的电连接、便携式计算机磁盘、硬盘、RAM、只读存储器(Read-Only Memory,ROM)、可擦式可编程只读存储器(Erasable Programmable Read-Only Memory,EPROM)、闪存、光纤、便携式CD-ROM、光存储器件、磁存储器件、或者上述的任意合适的组合。在本文件中,计算机可读存储介质可以是任何包含或存储程序的有形介质,该程序可以被指令执行系统、装置或者器件使用或者与其结合使用。
计算机可读的信号介质可以包括在基带中或者作为载波一部分传播的数据信号,其中承载了计算机可读的程序代码。这种传播的数据信号可以采用多种形式,包括电磁信号、光信号或上述的任意合适的组合。计算机可读的信号介质还可以是计算机可读存储介质以外的任何计算机可读介质,该计算机可读介
质可以发送、传播或者传输用于由指令执行系统、装置或者器件使用或者与其结合使用的程序。
计算机可读介质上包含的程序代码可以用任何适当的介质传输,包括无线、电线、光缆、射频(Radio Frequency,RF)等等,或者上述的任意合适的组合。
可以以一种或多种程序设计语言或其组合来编写用于执行本申请操作的计算机程序代码,所述程序设计语言包括面向对象的程序设计语言,诸如Java、Smalltalk、C++,还包括常规的过程式程序设计语言,诸如“C”语言或类似的程序设计语言。程序代码可以完全地在用户计算机上执行、部分地在用户计算机上执行、作为一个独立的软件包执行、部分在用户计算机上部分在远程计算机上执行、或者完全在远程计算机或服务器上执行。在涉及远程计算机的情形中,远程计算机可以通过任意种类的网络——包括LAN或WAN—连接到用户计算机,或者,可以连接到外部计算机(例如利用因特网服务提供商来通过因特网连接)。
Claims (10)
- 一种访问关系的建立方法,包括:获取访问请求报文,其中,所述访问请求报文中携带身份信息和报文特征值;分别根据所述身份信息和所述报文特征值,确定所述访问请求报文对应的身份识别信息及主机类型;根据所述身份信息和所述身份识别信息,确定身份识别结果;根据所述身份识别结果及所述主机类型,建立访问关系。
- 根据权利要求1所述的方法,其中,所述身份信息包括身份信息因子、原始散列加密值和散列加密种子,所述身份识别信息包括第一散列加密值和第二散列加密值;所述根据所述身份信息,确定所述访问请求报文对应的身份识别信息,包括:通过所述散列加密种子对所述身份信息因子运行散列加密过程,确定所述第一散列加密值;利用身份识别库中的信息因子替换所述身份信息因子中不可变的因子,得到目标身份信息因子,并通过所述散列加密种子对所述目标身份信息因子运行散列加密过程,确定所述第二散列加密值。
- 根据权利要求2所述的方法,其中,所述根据所述身份信息和所述身份识别信息,确定身份识别结果,包括:将所述第一散列加密值和所述第二散列加密值与所述原始散列加密值进行匹配,得到所述身份识别结果。
- 根据权利要求1所述的方法,其中,所述根据所述报文特征值,确定所述访问请求报文对应的主机类型,包括:将所述报文特征值与预先设置的协议报文特征库中的特征值进行比对,得到特征值比对结果;根据所述特征值比对结果,确定所述访问请求报文的报文类型;根据所述访问请求报文的报文类型,确定所述访问请求报文对应的主机类型。
- 根据权利要求4所述的方法,其中,所述报文特征值包括字段类型、字段偏移、字段长度以及字段取值。
- 根据权利要求4所述的方法,其中,所述根据所述访问请求报文的报文 类型,确定所述访问请求报文对应的主机类型,包括:根据所述访问请求报文的报文类型,确定组件类型,其中,所述组件类型包括所述访问请求报文对应的会话通信双方的客户端类型以及服务器类型;根据报文类型与组件类型的对应关系,确定所述访问请求报文对应的主机类型。
- 根据权利要求6所述的方法,其中,在所述报文类型与组件类型的对应关系包括:组态软件客户端与组态通信协议、全球广域网Web服务器与超文本传输协议HTTP、远程过程调用协议RPC客户端与RPC协议、数据库客户端与数据库通信协议、以及许可证License客户端与许可证通信协议的情况下,所述主机类型为工程师站;在所述报文类型与组件类型的对应关系包括:监控软件客户端与监控协议、组态软件服务器与组态通信协议、RPC服务器与RPC协议、以及License客户端与许可证通信协议的情况下,所述主机类型为操作员站客户端;在所述报文类型与组件类型的对应关系包括:监控软件服务器与监控协议、组态软件服务器与组态通信协议、RPC服务器与RPC协议、数据库客户端与数据库通信协议、以及License客户端与许可证通信协议的情况下,所述主机类型为操作员站服务器;在所述报文类型与组件类型的对应关系包括:控制器监控服务器与监控协议、以及控制器组态服务器与组态通信协议的情况下,所述主机类型为嵌入式控制器;在所述报文类型与组件类型的对应关系包括:历史数据库服务器与历史数据库通信协议的情况下,所述主机类型为历史数据库服务器;在所述报文类型与组件类型的对应关系包括:实时数据库服务器与实时数据库通信协议的情况下,所述主机类型为实时数据库服务器;在所述报文类型与组件类型的对应关系包括:监控软件客户端与监控协议的情况下,所述主机类型为人机接口设备;在所述报文类型与组件类型的对应关系包括:组态软件服务器与组态通信协议、以及用于过程控制的对象连接与嵌入OPC服务与OPC协议的情况下,所述主机类型为OPC服务器。
- 根据权利要求1所述的方法,其中,所述根据所述身份识别结果及所述主机类型,建立访问关系,包括:获取预先设置的访问身份与主机类型的对应关系表;根据所述对应关系表,判断所述身份识别结果与所述主机类型是否匹配;在所述身份识别结果与所述主机类型匹配的情况下,建立所述访问关系。
- 一种电子设备,包括存储器、处理器及存储在所述存储器上并可在所述处理器上运行的计算机程序,其中,所述处理器执行所述计算机程序时实现如权利要求1至8中任一项所述的访问关系的建立方法。
- 一种计算机可读存储介质,其上存储有计算机程序,其中,所述计算机程序被处理器执行时实现如权利要求1至8中任一项所述的访问关系的建立方法。
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202210527095.7 | 2022-05-16 | ||
CN202210527095.7A CN114866258A (zh) | 2022-05-16 | 2022-05-16 | 一种访问关系的建立方法、装置、电子设备及存储介质 |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2023221920A1 true WO2023221920A1 (zh) | 2023-11-23 |
Family
ID=82636415
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/CN2023/094189 WO2023221920A1 (zh) | 2022-05-16 | 2023-05-15 | 访问关系的建立方法、装置、电子设备及存储介质 |
Country Status (2)
Country | Link |
---|---|
CN (1) | CN114866258A (zh) |
WO (1) | WO2023221920A1 (zh) |
Families Citing this family (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN114866258A (zh) * | 2022-05-16 | 2022-08-05 | 卡奥斯工业智能研究院(青岛)有限公司 | 一种访问关系的建立方法、装置、电子设备及存储介质 |
CN115396183B (zh) * | 2022-08-23 | 2023-08-11 | 北京百度网讯科技有限公司 | 用户身份识别方法及装置 |
Citations (9)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN106131021A (zh) * | 2016-07-15 | 2016-11-16 | 北京元支点信息安全技术有限公司 | 一种请求认证方法及系统 |
CN106998316A (zh) * | 2016-01-22 | 2017-08-01 | 中国移动通信集团公司 | 一种鉴权方法、应用客户端及网关设备 |
CN107222476A (zh) * | 2017-05-27 | 2017-09-29 | 国网山东省电力公司 | 一种认证服务方法 |
CN107332859A (zh) * | 2017-08-07 | 2017-11-07 | 浙江国利信安科技有限公司 | 一种工业控制系统风险识别方法及装置 |
CN107404461A (zh) * | 2016-05-19 | 2017-11-28 | 阿里巴巴集团控股有限公司 | 数据安全传输方法、客户端及服务端方法、装置及系统 |
US20200314104A1 (en) * | 2019-04-01 | 2020-10-01 | Citrix Systems, Inc. | Authentication for secure file sharing |
CN112632578A (zh) * | 2020-12-25 | 2021-04-09 | 平安银行股份有限公司 | 业务系统权限控制方法、装置、电子设备及存储介质 |
CN113794697A (zh) * | 2021-08-27 | 2021-12-14 | 北京深思数盾科技股份有限公司 | 基于代理服务的信息处理方法、系统以及存储介质 |
CN114866258A (zh) * | 2022-05-16 | 2022-08-05 | 卡奥斯工业智能研究院(青岛)有限公司 | 一种访问关系的建立方法、装置、电子设备及存储介质 |
Family Cites Families (10)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101917398A (zh) * | 2010-06-28 | 2010-12-15 | 北京星网锐捷网络技术有限公司 | 一种客户端访问权限控制方法及设备 |
AU2014256396B2 (en) * | 2013-11-15 | 2020-08-20 | Fidelity Information Services, Llc | Systems and methods for real-time account access |
CN106789834B (zh) * | 2015-11-20 | 2019-09-10 | 中国电信股份有限公司 | 用于识别用户身份的方法、网关、pcrf网元和系统 |
CN107465730A (zh) * | 2017-07-26 | 2017-12-12 | 深圳市金立通信设备有限公司 | 一种业务请求方法及终端 |
CN110061987B (zh) * | 2019-04-19 | 2021-03-16 | 武汉大学 | 一种基于角色和终端可信性的接入访问控制方法及装置 |
CN110659467A (zh) * | 2019-09-29 | 2020-01-07 | 浪潮(北京)电子信息产业有限公司 | 一种远程用户身份认证方法、装置、系统、终端及服务器 |
CN111193706B (zh) * | 2019-11-25 | 2022-03-15 | 泰康保险集团股份有限公司 | 一种身份验证方法及装置 |
CN113051229A (zh) * | 2019-12-26 | 2021-06-29 | 中兴通讯股份有限公司 | 一种用户数据获取方法、装置、终端及可读存储介质 |
CN113783703B (zh) * | 2021-11-10 | 2022-02-25 | 清华大学 | 一种卫星网络终端安全接入认证方法、装置及系统 |
CN114301967B (zh) * | 2021-12-29 | 2023-05-23 | 中国电信股份有限公司 | 窄带物联网控制方法、装置及设备 |
-
2022
- 2022-05-16 CN CN202210527095.7A patent/CN114866258A/zh active Pending
-
2023
- 2023-05-15 WO PCT/CN2023/094189 patent/WO2023221920A1/zh unknown
Patent Citations (9)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN106998316A (zh) * | 2016-01-22 | 2017-08-01 | 中国移动通信集团公司 | 一种鉴权方法、应用客户端及网关设备 |
CN107404461A (zh) * | 2016-05-19 | 2017-11-28 | 阿里巴巴集团控股有限公司 | 数据安全传输方法、客户端及服务端方法、装置及系统 |
CN106131021A (zh) * | 2016-07-15 | 2016-11-16 | 北京元支点信息安全技术有限公司 | 一种请求认证方法及系统 |
CN107222476A (zh) * | 2017-05-27 | 2017-09-29 | 国网山东省电力公司 | 一种认证服务方法 |
CN107332859A (zh) * | 2017-08-07 | 2017-11-07 | 浙江国利信安科技有限公司 | 一种工业控制系统风险识别方法及装置 |
US20200314104A1 (en) * | 2019-04-01 | 2020-10-01 | Citrix Systems, Inc. | Authentication for secure file sharing |
CN112632578A (zh) * | 2020-12-25 | 2021-04-09 | 平安银行股份有限公司 | 业务系统权限控制方法、装置、电子设备及存储介质 |
CN113794697A (zh) * | 2021-08-27 | 2021-12-14 | 北京深思数盾科技股份有限公司 | 基于代理服务的信息处理方法、系统以及存储介质 |
CN114866258A (zh) * | 2022-05-16 | 2022-08-05 | 卡奥斯工业智能研究院(青岛)有限公司 | 一种访问关系的建立方法、装置、电子设备及存储介质 |
Also Published As
Publication number | Publication date |
---|---|
CN114866258A (zh) | 2022-08-05 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US10999354B2 (en) | Opening local applications from browsers | |
AU2020200059B2 (en) | Method and system for providing a secure secrets proxy | |
WO2023221920A1 (zh) | 访问关系的建立方法、装置、电子设备及存储介质 | |
JP4164855B2 (ja) | プラグ対応認可システムに対するサーバサポート方法およびシステム | |
US11196561B2 (en) | Authorized data sharing using smart contracts | |
US10257157B2 (en) | Restricting communication over an encrypted network connection to internet domains that share common IP addresses and shared SSL certificates | |
EP3610623B1 (en) | Protocol-level identity mapping | |
US11829502B2 (en) | Data sharing via distributed ledgers | |
US9906518B2 (en) | Managing exchanges of sensitive data | |
CN113924551A (zh) | 使用虚拟应用访问远程存储的文件的方法和系统 | |
US11070533B2 (en) | Encrypted server name indication inspection | |
JP2008015733A (ja) | ログ管理計算機 | |
CN114584381A (zh) | 基于网关的安全认证方法、装置、电子设备和存储介质 | |
US11539711B1 (en) | Content integrity processing on browser applications | |
CN116346486A (zh) | 联合登录方法、装置、设备及存储介质 | |
US11275867B1 (en) | Content integrity processing | |
US10482397B2 (en) | Managing identifiers | |
CN116244682A (zh) | 数据库的访问方法、装置、设备以及存储介质 | |
US11386194B1 (en) | Generating and validating activation codes without data persistence | |
US20140032897A1 (en) | Securely establishing a communication channel between a switch and a network-based application using a unique identifier for the network-based application | |
US10554789B2 (en) | Key based authorization for programmatic clients | |
US20240073029A1 (en) | Multi-Computer System For User Authentication Based on Client-Side One-Time Passcode | |
US11741213B2 (en) | Systems for enhanced bilateral machine security | |
CN113783835B (zh) | 一种口令分享方法、装置、设备及存储介质 | |
CN117220924A (zh) | 系统权限控制方法、装置及系统 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
121 | Ep: the epo has been informed by wipo that ep was designated in this application |
Ref document number: 23806872 Country of ref document: EP Kind code of ref document: A1 |