WO2024021408A1 - Control device admission method and apparatus, and related product - Google Patents

Control device admission method and apparatus, and related product

Info

Publication number
WO2024021408A1
Authority
WO
WIPO (PCT)
Prior art keywords
key
new device
access
port
authentication
Application number
PCT/CN2022/135139
Other languages
French (fr)
Chinese (zh)
Inventor
褚健
陈银桃
王磊阳
孙杭
罗冰
Original Assignee
浙江中控技术股份有限公司
Application filed by 浙江中控技术股份有限公司
Publication of WO2024021408A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/12 Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks
    • H04L67/125 Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks involving control of end-device applications over a network

Definitions

  • the present invention relates to the field of control system communication, and in particular to a method, device and related products for controlling equipment access.
  • management and control integrated control systems such as distributed control system (DCS).
  • DCS: distributed control system
  • Integrated management-and-control systems currently rely mainly on OPC software to provide real-time data to the outside world.
  • The operating system environment that OPC software depends on has serious security vulnerabilities. When a dangerous or easily infected terminal is connected to the network, there are security risks such as network attacks and ransomware, and data is at risk of leakage during transmission.
  • the existing technology can use the 802.1X protocol as an access protocol for terminals to access the network. That is, the client port installs the 802.1X protocol for access authentication.
  • the specific process is that the client sends an authentication request, the switch passes the received authentication information to the authentication server, and the authentication server compares the information to make authentication judgments.
  • Not all ports can be installed with the 802.1X protocol, so the protocol adapts poorly in use; the accuracy of authenticating devices for network access is low, and the network security of control devices is therefore poor.
  • This application provides a method, device and related products for controlling equipment access, which aim to make a preliminary access judgment through a preset protocol and then a second access judgment using a key encryption method, thereby avoiding the poor adaptability caused by using only the 802.1X protocol, improving the accuracy of authenticating equipment for network access, and thus improving the network security of control equipment.
  • this application provides a method for controlling device access, which method includes:
  • encrypting the authentication message according to the first key and transmitting the encrypted authentication message to the network switching device for comparison and verification includes:
  • Decrypt the encrypted authentication message to obtain the first key, and verify whether the first key and the second key are the same.
  • the method further includes:
  • the port timer is used to obtain a preset time and regularly update the first key
  • the response that the first key is the same as the second key and feedback that the authentication is successful includes:
  • the method also includes:
  • the unauthorized port is a port that the user is not allowed to access.
  • the preliminary admission judgment of the new device according to the preset protocol includes:
  • the second preset protocol is a protocol for authentication through identity identification.
  • the method also includes:
  • In response to the new device being a device that logs in for the first time, a third key is assigned to the new device; the third key is a port-specific key.
  • this application provides a device for controlling equipment access, which device includes:
  • the first judgment unit is used to make a preliminary access judgment on the new device according to the preset protocol when it is detected that the new device has accessed the control system local area network;
  • an allocation unit configured to allocate a first key to the new device in response to the new device meeting the preliminary access condition
  • the second judgment unit is configured to encrypt the authentication message according to the first key, and transmit the encrypted authentication message to the device for comparison and verification;
  • a response unit configured to respond to the fact that the first key and the second key are the same, feedback that the authentication is successful, and determine that the new device is admitted to the local area network of the control system.
  • inventions of the present application provide an electronic device.
  • the device includes: memory and processor.
  • Memory is used to store and transfer program code to the processor.
  • Processor configured to execute the method steps of controlling device access described in any one of the first aspects according to instructions in the program code.
  • Embodiments of the present application provide a computer-readable storage medium on which code is stored. When the code is executed by a processor, the steps of the control device admission method described in any one of the first aspects are implemented.
  • This application provides a method, device and related products for controlling equipment access.
  • a preliminary access judgment is made according to a preset protocol.
  • a first key is assigned to the new device, and the first key is used to encrypt the authentication message.
  • the encrypted authentication message is transmitted to the device, the first key and the second key contained in the encrypted authentication message are compared and verified. If the two are the same, it means the authentication is successful and the authentication success result will be fed back. This means that the port of the new device is an authorized port for user access.
  • The preliminary access judgment by the preset protocol and the secondary judgment by the key encryption method avoid the poor adaptability caused by using only the 802.1X protocol, thereby improving the accuracy of authenticating devices for network access and thus the network security of the control equipment.
  • Figure 1 is an exemplary application scenario diagram of a method for controlling device access provided by an embodiment of the present application
  • Figure 2 is a flow chart of a method for controlling device access provided by an embodiment of the present application
  • Figure 3 is a flow chart of another method for controlling device access provided by an embodiment of the present application.
  • Figure 4 is a flow chart of another method for controlling device access provided by an embodiment of the present application.
  • Figure 5 is a schematic structural diagram of a device for controlling device access provided by an embodiment of the present application.
  • the existing technology can use the 802.1X protocol as the access protocol for terminal access to the network. That is, the client port installs the 802.1X protocol for access authentication. However, not all ports can be installed with the 802.1X protocol, which makes the protocol less adaptable during use and leads to poor security when the device is connected to the network.
  • the inventor found that in order to solve the problem of poor network adaptability based on the 802.1X protocol, the existing technology proposes to bind the MAC address to the switch port for protection on dumb terminal devices that cannot install the 802.1X protocol. That is, the MAC address is used as the unique identifier for authentication.
  • the inventor discovered that illegal users can still access the network by counterfeiting the MAC addresses of these dumb terminal devices and evade network security authentication checks.
  • This application makes a preliminary access judgment on the newly accessing device through a preset protocol, and then uses key encryption to make a secondary access judgment on it, so as to avoid the poor network adaptability caused by using only the 802.1X protocol.
  • the accuracy of network security authentication is improved, thereby improving the network security of control equipment.
  • FIG. 1 is an exemplary application scenario diagram of a method for controlling device access provided by an embodiment of the present application.
  • This method is applied in a typical C/S architecture, that is, client/server architecture. It includes client 101, network switching device 102, and authentication server 103.
  • the client 101 supports the extensible authentication protocol EAPoL on the local area network to ensure that the client 101 can always send or receive authentication messages.
  • the network switching device 102 provides a LAN access port for the client 101, acts as an intermediary between the client 101 and the authentication server 103, requests identity information from the client 101, and verifies the information with the authentication server 103.
  • The authentication server 103 can be a RADIUS server, used to authenticate clients that need to access the local area network and to control the authorized or unauthorized state of the controlled port based on the authentication result (Accept or Reject).
  • the client 101 can be a terminal device such as a desktop computer with a display screen, or other control device.
  • the number of clients 101 may be one or multiple, and is not specifically limited in the embodiment of this application.
  • the network switching device 102 may be an 802.1X authentication device, used to provide the client 101 with a port to access the local area network.
  • This port includes controlled ports and uncontrolled ports.
  • the uncontrolled port is always in a bidirectional connectivity state and is mainly used to transmit the extensible authentication protocol EAPoL.
  • In the authorized state the controlled port is bidirectionally connected and is used to transmit service messages; in the unauthorized state it is prohibited from receiving authentication messages from the client 101.
  • FIG. 2 is a flow chart of a method for controlling device access provided by an embodiment of the present application, and is applied to a distributed control system. As can be seen from the figure, this method at least includes the following steps:
  • When the control system detects the entry of a new device, it makes a preliminary admission judgment on the new device based on the preset protocol. A new device that is detected not to meet the access conditions is rejected directly, which saves the subsequent processing.
  • a preliminary admission judgment can be made on the new device according to the first preset protocol.
  • The commonly used 802.1X protocol is used to determine access. If the new device passes the 802.1X admission protocol, it meets the preliminary admission conditions. If it cannot pass the 802.1X access protocol, the new device is treated as a dumb terminal device and a further judgment is made with the second preset protocol bound to the network switching device.
  • the second preset protocol is a protocol for authentication through identity identification, such as a MAC bypass authentication protocol or a Portal authentication backup mechanism.
  • the new device meets the preliminary access conditions by determining whether the new device satisfies the second preset protocol. That is, if the new device passes the second preset protocol, it means that the new device meets the preliminary access conditions. This can avoid the problem of low authentication accuracy caused by insufficient adaptability of only the 802.1X protocol.
  • After determining that the new device meets the preliminary access conditions, the control system allocates a first key to the new device for encrypting the authentication message.
  • The allocated first key may be an RSA key.
  • the server of the control system assigns the first key dedicated to the industrial control network to the port of the new device and sends it to the new device through the network switching device.
  • S203 Encrypt the authentication message according to the first key, and transmit the encrypted authentication message to the device for comparison and verification.
  • After the port of the new device obtains the first key, the control system encrypts the authentication message based on the first key.
  • The server of the control system allocates a preset encryption algorithm to the port of the new device. The authentication message is then encrypted according to the preset encryption algorithm and the first key, and the encrypted authentication message is transmitted to the data link layer of the network switching device, where it is decrypted to obtain the first key, and the first key is checked against the second key for equality.
  • The second key may be a local key pre-stored on the network switching device.
  • the first key can be added to the header of the authentication message, the middle of the authentication message, or the tail of the authentication message through a preset algorithm.
  • When the network switching device compares the keys and verifies that the first key and the second key are the same, it feeds back that authentication is successful and the message is passed on to LAN communication, i.e. the new device is admitted to the control system.
  • Otherwise, the feedback is that authentication has failed.
  • the new device does not meet the admission conditions, and the port of the new device becomes an unauthorized port.
  • Unauthorized ports are ports that users are not allowed to access; they are the counterpart of authorized ports.
  • the network switching device can also perform authentication on clients that need to access the local area network, and control the authorized status/non-authorized status of the controlled port based on the authentication results.
  • the new device port becomes an unauthorized port.
  • When another user unplugs the network cable from an authorized port, connects a different host to that port with the cable and enters the LAN, the key comparison for that user fails and the authorized port is locked, becoming an unauthorized port.
  • Likewise, when another user reaches an authorized port through a HUB device and the key comparison for that user fails, the authorized port is locked and becomes an unauthorized port.
  • This application provides a method for controlling device access. First, when a new device is detected to be connected to the control system LAN, a preliminary access judgment is made based on a preset protocol. After the new device meets the preliminary access conditions, a first key is assigned to the new device, and the first key is used to encrypt the authentication message. When the encrypted authentication message is transmitted to the device, the first key and the second key contained in the encrypted authentication message are compared and verified. If the two are the same, it means the authentication is successful and the authentication success result will be fed back. This means that the port of the new device is an authorized port for user access.
  • The preliminary access judgment by the preset protocol and the secondary judgment by the key encryption method avoid the poor adaptability caused by using only the 802.1X protocol, thereby improving the accuracy of authenticating devices for network access and thus the network security of the control equipment.
  • FIG. 3 is a flow chart of another method for controlling device access provided by an embodiment of the present application, applied to a distributed control system.
  • the method at least includes the following steps:
  • S301 The client that complies with the extensible authentication protocol EAPoL issues a request to access the network switching device.
  • step S302 Determine whether the access device is the access device for first login. If satisfied, proceed to step S303. Otherwise, proceed to step S310.
  • S303 The server allocates a third key to the new device, initially encrypts the authentication message based on the third key, and transmits the encrypted authentication message to the network switching device for comparison and verification.
  • the third key is a port-specific key.
  • the server has added a key distribution judgment system, which judges whether the new device is an access device for the first login. If so, it will randomly assign a port-specific key, that is, a third key.
  • the network switching device records this port key. During subsequent use, the third key is compared with the fourth key recorded by the network switching device through message encryption and decryption.
  • the new device meets the identity requirements. That is, the device is not illegally logged in.
  • step S305 Determine whether the access device meets the 802.1X access protocol. If satisfied, proceed to step S306. Otherwise, proceed to step S310.
  • step S306 Determine whether the access device meets the second preset protocol. If so, it meets the preliminary access conditions and proceeds to step S307. Otherwise, proceeds to step S310.
  • S308 Encrypt the authentication message according to the first key, and transmit the encrypted authentication message to the device for comparison and verification.
  • S307 to S310 are the same as S202 to S204 in Figure 2 and will not be discussed here.
  • the identity recognition judgment in S302 and the access protocol judgment in S305 can be performed at the same time, or S302 can be performed first and then S305. You can also execute S305 first and then execute S302.
  • The control device access method provided by the embodiment of the present application authenticates the identity of the new device through a port-specific key, which avoids the problems of the existing technology's user-name-and-password identification, namely address theft, illegal device access and multiple people sharing one account.
  • the network security of control equipment is further improved.
  • FIG. 4 is a flow chart of another control device admission method provided by an embodiment of the present application. This method is applied to a distributed control system. The method at least includes the following steps:
  • Step S401: When it is detected that the client sends a request to access the network switching device, a preliminary admission judgment is made on the new device through the 802.1X protocol and MAC bypass authentication. If satisfied, proceed to step S402; otherwise, go to step S407.
  • S402 Assign an RSA key to the new device and encrypt the authentication message based on the RSA key. Transmit the encrypted authentication message to the network switching device for decryption and comparison verification.
  • If the RSA key is the same as the local key pre-recorded by the network switching device, authentication is successful and the feedback is that authentication succeeded; otherwise, go to step S407.
  • S404 Use the port timer to regularly update the RSA key and the local key pre-recorded by the network switching device.
  • The port timer runs on a preset time.
  • the RSA key and the local key pre-recorded by the network switching device are randomly updated.
  • S405 Use the updated RSA key to encrypt the authentication message. Transmit the encrypted authentication message to the network switching device for decryption and comparison verification.
  • the key is regularly updated through a timer to further enhance the security of the key and improve the accuracy of the authentication device accessing the network, thereby improving the network security of the control device.
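The two-stage admission flow of Figures 2 to 4 (preliminary 802.1X or MAC-bypass check, first-key issuance, an encrypted authentication message compared against the switch's local key, port lockout on a mismatch, and timer-driven key refresh), as an added Python model that is not part of the patent or the assignee's code. The "preset encryption algorithm" is not specified in the text, so an HMAC-SHA256 keystream with an authentication tag stands in for it; port ids, MAC addresses, key length and key lifetimes are constructed sample values.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, Optional, Set

KEY_LEN = 32  # constructed: the patent does not fix a key length

# Constructed stand-in for the patent's unspecified "preset encryption algorithm": an HMAC-SHA256
# keystream XORed over the message plus an HMAC tag, so a wrong-key message is rejected, not garbled.
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]

def encrypt_auth_message(first_key: bytes, port_id: str) -> bytes:
    """Client side (S203): first key appended to the message tail, then the whole message encrypted."""
    nonce = os.urandom(16)
    plaintext = port_id.encode() + first_key
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(first_key, nonce, len(plaintext))))
    tag = hmac.new(first_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def verify_auth_message(second_key: bytes, blob: bytes) -> bool:
    """Switch side (S203/S204): decrypt with the local second key and compare the carried key to it."""
    if len(blob) < 16 + KEY_LEN + 32:
        return False
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(second_key, nonce + ct, hashlib.sha256).digest()):
        return False  # wrong key or tampered message: fail closed before looking at the plaintext
    pt = bytes(a ^ b for a, b in zip(ct, _keystream(second_key, nonce, len(ct))))
    return hmac.compare_digest(pt[-KEY_LEN:], second_key)  # the patent's key equality check

@dataclass
class Port:
    port_id: str
    second_key: Optional[bytes] = None  # local copy the switch compares against
    issued_at: float = 0.0              # start of the port timer (S404)
    authorized: bool = False
    locked: bool = False                # set after a failed comparison on an authorized port

class ControlSwitch:
    """Network switching device 102 with the server's key allocation folded in for the example."""

    def __init__(self, mac_bypass_allowlist: Set[str], key_lifetime: float = 3600.0):
        self.ports: Dict[str, Port] = {}
        self.mac_bypass_allowlist = {m.lower() for m in mac_bypass_allowlist}
        self.key_lifetime = key_lifetime  # preset time of the port timer

    def preliminary_admission(self, mac: str, passes_dot1x: Optional[bool]) -> bool:
        """S201: 802.1X where supported; a dumb terminal (None) falls back to MAC bypass authentication."""
        if passes_dot1x is not None:
            return passes_dot1x
        return mac.lower() in self.mac_bypass_allowlist

    def issue_first_key(self, port_id: str, now: float) -> bytes:
        """S202/S303: random port-specific first key; the switch keeps the same value as the second key."""
        key = os.urandom(KEY_LEN)
        port = self.ports.setdefault(port_id, Port(port_id))
        port.second_key, port.issued_at = key, now
        return key

    def admit(self, port_id: str, blob: bytes) -> str:
        """S203/S204: compare keys and set the port state; a mismatch on an authorized port locks it."""
        port = self.ports.get(port_id)
        if port is None or port.locked or port.second_key is None:
            return "unauthorized"
        if verify_auth_message(port.second_key, blob):
            port.authorized = True
            return "authorized"
        if port.authorized:  # cable swapped or HUB inserted on a live port
            port.authorized, port.locked = False, True
            return "locked"
        return "unauthorized"

    def rotate_if_due(self, port_id: str, now: float) -> Optional[bytes]:
        """S404: after the preset time the port timer re-issues the key; the client must re-authenticate."""
        port = self.ports.get(port_id)
        if port is None or port.second_key is None or now - port.issued_at < self.key_lifetime:
            return None
        return self.issue_first_key(port_id, now)

def run_scenario() -> dict:
    """Constructed walk-through: MAC-bypass admission, a lockout on a swapped host, and a timed refresh."""
    sw = ControlSwitch(mac_bypass_allowlist={"00:11:22:33:44:55"}, key_lifetime=600)
    out = {"prelim_ok": sw.preliminary_admission("00:11:22:33:44:55", None),
           "prelim_unknown_mac": sw.preliminary_admission("de:ad:be:ef:00:01", None)}
    k1 = sw.issue_first_key("Gi1/0/7", now=0)
    out["admit"] = sw.admit("Gi1/0/7", encrypt_auth_message(k1, "Gi1/0/7"))
    out["swap"] = sw.admit("Gi1/0/7", encrypt_auth_message(os.urandom(KEY_LEN), "Gi1/0/7"))  # no k1
    out["after_lock"] = sw.admit("Gi1/0/7", encrypt_auth_message(k1, "Gi1/0/7"))
    k2 = sw.issue_first_key("Gi1/0/8", now=0)
    out["no_rotate_yet"] = sw.rotate_if_due("Gi1/0/8", now=300) is None
    k2_new = sw.rotate_if_due("Gi1/0/8", now=700)
    out["stale_key"] = sw.admit("Gi1/0/8", encrypt_auth_message(k2, "Gi1/0/8"))
    out["fresh_key"] = sw.admit("Gi1/0/8", encrypt_auth_message(k2_new, "Gi1/0/8"))
    return out
```

The patent calls the first key an RSA key, but the check it describes is an equality test between the carried key and the switch's stored copy, so the model treats it as a shared secret; the integrity tag is what makes a wrong-key message fail closed rather than decrypt to noise.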
  • FIG. 5 is a schematic structural diagram 500 of a device for controlling device access provided by an embodiment of the present application.
  • the device includes at least the following units:
  • the first judgment unit 501 is configured to make a preliminary admission judgment on the new device according to a preset protocol when it is detected that a new device has accessed the control system local area network.
  • the allocation unit 502 is configured to allocate a first key to the new device in response to the new device meeting the preliminary access conditions.
  • the second judgment unit 503 is configured to encrypt the authentication message according to the first key, and transmit the encrypted authentication message to the device for comparison and verification.
  • the response unit 504 is configured to respond to the fact that the first key and the second key are the same, feedback that the authentication is successful, and determine that the port of the new device is an authorized port; the authorized port allows the user to access the port.
  • This application provides a device for controlling equipment access.
  • the first judgment unit 501 detects that a new device is included in the control system local area network, it makes a preliminary admission judgment according to a preset protocol.
  • the allocation unit 502 allocates the first key to the new device after the new device meets the initial admission conditions.
  • the second judgment unit 503 uses the first key to encrypt the authentication message.
  • When the encrypted authentication message is transmitted to the device end, the first key contained in it is compared with the second key and verified.
  • the response unit 503 responds that the two are the same, indicating that the authentication is successful, and feeds back the authentication success result. This means that the port of the new device is an authorized port for user access.
  • The preliminary access judgment by the preset protocol and the secondary judgment by the key encryption method avoid the poor adaptability caused by using only the 802.1X protocol, thereby improving the accuracy of authenticating devices for network access and thus the network security of the control equipment.
  • An embodiment of the present application also provides an electronic device.
  • the device includes: memory and processor.
  • Memory is used to store and transfer program code to the processor.
  • Processor used to execute the steps of one of the above methods for controlling device admission according to instructions in the program code.
  • An embodiment of the present application provides a computer-readable storage medium on which a computer program is stored.
  • the program is executed by a processor, a method for controlling device access according to the embodiment of the present application is implemented.
  • the computer-readable storage medium may be any combination of one or more computer-readable media.
  • the computer-readable medium may be a computer-readable signal medium or a computer-readable storage medium.
  • The computer-readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus or device, or any combination thereof. More specific examples (non-exhaustive list) of computer-readable storage media include: an electrical connection having one or more conductors, a portable computer disk, a hard drive, random access memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM or flash memory), optical fiber, portable compact disk read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the above.
  • a computer-readable storage medium may be any tangible medium that contains or stores a program that may be used by or in conjunction with an instruction execution system, apparatus, or device.
  • a computer-readable signal medium may include a data signal propagated in baseband or as part of a carrier wave carrying computer-readable program code therein. Such propagated data signals may take many forms, including but not limited to electromagnetic signals, optical signals, or any suitable combination of the above.
  • A computer-readable signal medium may also be any computer-readable medium other than a computer-readable storage medium that can send, propagate, or transmit a program for use by or in connection with an instruction execution system, apparatus, or device.
  • Program code embodied on a computer-readable medium may be transmitted using any appropriate medium, including but not limited to wireless, wire, optical cable, RF, etc., or any suitable combination of the foregoing.
  • Computer program code for performing the operations of the present invention may be written in one or more programming languages, including object-oriented languages such as Java, Smalltalk and C++, and conventional procedural languages such as "C" or a similar language.
  • the program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer or entirely on the remote computer or server.
  • The remote computer can be connected to the user's computer through any kind of network, including a local area network (LAN) or a wide area network (WAN), or it can be connected to an external computer (for example, through the Internet via an Internet service provider).

Abstract

Provided in the present application are a control device admission method and apparatus, and a related product. The method comprises: first, when detecting that a new device accesses a control system local area network, carrying out preliminary admission judgment according to a preset protocol; after the new device meets a preliminary admission condition, allocating a first key to the new device, and encrypting an authentication message by using the first key; when the encrypted authentication message is transmitted to a device end, carrying out comparison and verification on the first key contained in the encrypted authentication message and a second key; and if said two keys are the same, which represents that the authentication succeeds, feeding back an authentication success result, which represents that a port of the new device is a licensed port allowing user access. That is, by means of the preliminary admission judgment based on the preset protocol and second judgment based on a key encryption mode, the problem of poor adaptability caused by only using 802.1X protocol is avoided, and the accuracy of an authenticated device accessing a network is improved, thus improving the network security of a control device.

Description

A method, device and related products for controlling equipment access
This application claims priority to the Chinese patent application filed with the State Intellectual Property Office of the People's Republic of China on July 26, 2022, with application number CN202210885577.X and entitled "A method, device and related products for controlling equipment access", the entire contents of which are incorporated herein by reference.
Technical field
The present invention relates to the field of control system communication, and in particular to a method, device and related products for controlling equipment access.
Background
With the development of automation control technology, more and more enterprises adopt integrated management and control systems such as the distributed control system (DCS). At present, such integrated systems rely mainly on OPC software to provide real-time data to the outside. The operating system environment on which OPC software depends has serious security vulnerabilities; once a dangerous or easily infected terminal is connected to the network, security hazards such as network attacks and ransomware arise, creating a risk of leakage during data transmission.
The prior art can use the 802.1X protocol as the admission protocol for terminals accessing the network, that is, admission authentication is performed by installing the 802.1X protocol on the client port. The specific process is that the client sends an authentication request, the switch passes the received authentication information to the authentication server, and the authentication server compares the information to make the authentication decision. However, not all ports can have the 802.1X protocol installed, which makes the protocol poorly adaptable in use; the accuracy of authenticating devices admitted to the network is therefore low, resulting in poor network security for control devices.
Summary of the invention
In view of this, the present application provides a method, device and related products for controlling equipment access, which aim to make a preliminary admission judgment through a preset protocol and then a second admission judgment using a key encryption method, thereby avoiding the poor adaptability that results from using only the 802.1X protocol, improving the accuracy of authenticating devices admitted to the network, and thus improving the network security of control devices.
In a first aspect, to achieve the above object of the invention, the present application provides a method for controlling device access, the method comprising:
when a new device is detected accessing the control system local area network, making a preliminary admission judgment on the new device according to a preset protocol;
in response to the new device meeting a preliminary admission condition, allocating a first key to the new device;
encrypting an authentication message according to the first key, and transmitting the encrypted authentication message to a network switching device for comparison and verification;
in response to the first key being the same as a second key, feeding back that authentication succeeded and determining that the new device is admitted to the control system local area network.
Optionally, encrypting the authentication message according to the first key and transmitting the encrypted authentication message to the network switching device for comparison and verification comprises:
encrypting the authentication message according to a preset encryption algorithm and the first key;
transmitting the encrypted authentication message to the data link layer of the switching device;
decrypting the encrypted authentication message to obtain the first key, and verifying by comparing whether the first key and the second key are the same.
Optionally, after allocating the first key to the new device, the method further comprises:
starting a port timer, the port timer being used to obtain a preset time at which the first key is periodically updated;
periodically updating the first key and the second key according to the preset time of the port timer;
and, in response to the first key being the same as the second key, feeding back that authentication succeeded comprises:
in response to the periodically updated first key and second key being the same, feeding back that authentication succeeded.
Optionally, the method further comprises:
in response to the first key and the second key being different, feeding back that authentication failed and determining that the port of the new device is an unauthorized port, an unauthorized port being a port that users are not allowed to access.
Optionally, making the preliminary admission judgment on the new device according to the preset protocol comprises:
determining whether the new device satisfies a first preset protocol;
if so, determining that the new device meets the preliminary admission condition;
if not, in response to the new device satisfying a second preset protocol, determining that the new device meets the preliminary admission condition, the second preset protocol being a protocol that authenticates by identity identifier.
Optionally, the method further comprises:
in response to the new device being a device logging in for the first time, allocating a third key to the new device, the third key being a port-specific key;
performing an initial encryption of the authentication message according to the third key, and transmitting the encrypted authentication message to the network switching device for comparison and verification;
in response to the third key being the same as a fourth key, determining that the new device meets the identity requirement;
determining, based on the identity requirement and the preset protocol, that the new device meets the preliminary admission condition.
In a second aspect, the present application provides a device for controlling equipment access, the device comprising:
a first judgment unit, configured to make a preliminary admission judgment on a new device according to a preset protocol when the new device is detected accessing the control system local area network;
an allocation unit, configured to allocate a first key to the new device in response to the new device meeting a preliminary admission condition;
a second judgment unit, configured to encrypt an authentication message according to the first key and transmit the encrypted authentication message to the device end for comparison and verification;
a response unit, configured to, in response to the first key being the same as a second key, feed back that authentication succeeded and determine that the new device is admitted to the control system local area network.
In a third aspect, embodiments of the present application provide an electronic device. The device comprises a memory and a processor.
The memory is used to store program code and to transmit the program code to the processor.
The processor is configured to execute, according to the instructions in the program code, the steps of the method for controlling device access described in any one of the first aspect.
In a fourth aspect, embodiments of the present application provide a computer-readable storage medium on which code is stored; when the code is executed by a processor, the steps of the method for controlling device access described in any one of the first aspect are implemented.
The present application provides a method, device and related products for controlling equipment access. When the method is executed, first, when a new device is detected accessing the control system local area network, a preliminary admission judgment is made according to a preset protocol. After the new device meets the preliminary admission condition, a first key is allocated to the new device and used to encrypt the authentication message. When the encrypted authentication message is transmitted to the device end, the first key contained in the encrypted authentication message is compared and verified against the second key. If the two are the same, authentication has succeeded and an authentication success result is fed back, meaning that the port of the new device is an authorized port that allows user access. That is, a preliminary admission judgment by preset protocol is combined with a second judgment by key encryption, which avoids the poor adaptability that results from using only the 802.1X protocol, improves the accuracy of authenticating devices admitted to the network, and thus improves the network security of control devices.
Description of drawings
In order to explain the embodiments of the present invention or the technical solutions in the prior art more clearly, the drawings required in the description of the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below are only embodiments of the present invention; those of ordinary skill in the art can obtain other drawings from the provided drawings without creative effort.
Figure 1 is an exemplary application scenario diagram of a method for controlling device access provided by an embodiment of the present application;
Figure 2 is a flow chart of a method for controlling device access provided by an embodiment of the present application;
Figure 3 is a flow chart of another method for controlling device access provided by an embodiment of the present application;
Figure 4 is a flow chart of another method for controlling device access provided by an embodiment of the present application;
Figure 5 is a schematic structural diagram of a device for controlling device access provided by an embodiment of the present application.
Detailed description
The terms "first", "second", "third" and "fourth" in the description, claims and drawings of this application are used to distinguish different objects, not to define a specific order.
In the embodiments of this application, words such as "as an example" or "for example" are used to indicate an example, illustration or explanation. Any embodiment or design described in the embodiments of this application as "as an example" or "for example" should not be construed as preferred over or more advantageous than other embodiments or designs. Rather, the use of "as an example" or "for example" is intended to present the relevant concept in a concrete way.
The terms used in the embodiments section of this application are only used to explain specific embodiments of this application and are not intended to limit this application.
As mentioned above, the prior art can use the 802.1X protocol as the admission protocol for terminals accessing the network, that is, admission authentication is performed by installing the 802.1X protocol on the client port. However, not all ports can have the 802.1X protocol installed, which makes the protocol poorly adaptable in use and leads to poor security when devices access the network. In addition, the inventors found that, to address the poor network adaptability of 802.1X, the prior art proposes protecting dumb terminal devices that cannot run 802.1X by binding their MAC address to the switch port, that is, using the MAC address as the unique identifier for authentication. However, the inventors found that illegal users can still access the network by spoofing the MAC addresses of these dumb terminal devices and thereby evade the network security authentication check.
On this basis, building on the prior art, the present application makes a preliminary admission judgment on a newly accessed device through a preset protocol, and then makes a second admission judgment on the device by means of key encryption, thereby avoiding the poor network adaptability that results from using only the 802.1X protocol. This improves the accuracy of network security authentication and thus the network security of control devices.
In order to enable those skilled in the art to better understand the solution of this application, the technical solutions in the embodiments of this application are described clearly and completely below with reference to the accompanying drawings. Obviously, the described embodiments are only some, not all, of the embodiments of this application. Based on the embodiments in this application, all other embodiments obtained by those of ordinary skill in the art without creative effort fall within the scope of protection of this application.
Refer to Figure 1, an exemplary application scenario diagram of a method for controlling device access provided by an embodiment of this application. The method is applied in a typical C/S (client/server) architecture comprising a client 101, a network switching device 102 and an authentication server 103.
In this embodiment, the client 101 supports the Extensible Authentication Protocol over LAN (EAPoL), which ensures that the client 101 can always send and receive authentication messages. The network switching device 102 provides the client 101 with a LAN access port and acts as an intermediary between the client 101 and the authentication server 103: it requests identity information from the client 101 and verifies that information with the authentication server 103.
In this embodiment, the authentication server 103 may be a RADIUS server, which authenticates clients that need to access the LAN and controls the authorized or unauthorized state of the controlled port according to the authentication result (Accept or Reject). The client 101 may be a terminal device such as a desktop computer with a display, or another device with control functions. There may be one client 101 or several; the number is not specifically limited in this embodiment.
In this embodiment, the network switching device 102 may be an 802.1X authenticator, used to provide the client 101 with a port for accessing the LAN. This port comprises a controlled port and an uncontrolled port. The uncontrolled port is always in a bidirectionally connected state and is mainly used to carry EAPoL. In this embodiment, the authorized state means that the controlled port is bidirectionally connected and is used to carry service messages; in the unauthorized state, receiving authentication messages from the client 101 is prohibited.
Refer to Figure 2, a flow chart of a method for controlling device access provided by an embodiment of this application and applied to a distributed control system. As shown in the figure, the method includes at least the following steps:
S201: When a new device is detected accessing the control system LAN, a preliminary admission judgment is made on the new device according to a preset protocol.
When the control system detects that a new device has joined, it makes a preliminary admission judgment on the new device according to the preset protocol. If the new device is found not to meet the admission condition, authentication is refused directly, which saves the subsequent workflow.
In this embodiment, the preliminary admission judgment on the new device can be made according to a first preset protocol, for example the commonly used 802.1X protocol. If the new device passes 802.1X admission, it meets the preliminary admission condition. If the new device cannot pass 802.1X admission, it is treated as a possible dumb terminal device, and a further judgment is made through a second preset protocol bound on the network switching device. The second preset protocol is a protocol that authenticates by identity identifier, for example a MAC bypass authentication protocol or a Portal authentication fallback mechanism.
Specifically, whether the new device meets the preliminary admission condition can be determined by judging whether it satisfies the second preset protocol: if the new device passes the second preset protocol, it meets the preliminary admission condition. This avoids the low authentication accuracy caused by the insufficient adaptability of using only the 802.1X protocol.
S202: In response to the new device meeting the preliminary admission condition, a first key is allocated to the new device.
After the new device is determined to meet the preliminary admission condition, the control system allocates a first key to the new device for encrypting the authentication message. In this embodiment, the allocated first key may be an RSA key. Specifically, after the server of the control system receives the indication that the new device meets the preliminary admission condition, it allocates a first key dedicated to the industrial control network to the port of the new device and sends it to the new device through the network switching device.
S203: The authentication message is encrypted according to the first key, and the encrypted authentication message is transmitted to the device end for comparison and verification.
After the port of the new device obtains the first key, the control system encrypts the authentication message according to the first key. In this embodiment, the server of the control system allocates a preset encryption algorithm to the port of the new device. The authentication message is then encrypted according to the preset encryption algorithm and the first key, and the encrypted authentication message is transmitted to the data link layer of the network switching device. At the data link layer, the encrypted authentication message is decrypted to obtain the first key, and verification is performed by comparing whether the first key and the second key are the same. The second key may be a local key pre-stored on the network switching device.
In this embodiment, the first key can be added to the head, the middle or the tail of the authentication message through a preset algorithm.
S204: In response to the first key being the same as the second key, authentication success is fed back, and the new device is determined to be admitted to the control system.
When the network switch compares the keys and verifies that the first key and the second key are the same, authentication success is fed back, the message is forwarded to LAN communication, and the new device is determined to be admitted to the control system.
In this embodiment, if the comparison finds that the first key and the second key are different, authentication failure is fed back. The new device does not meet the admission condition, and the port of the new device becomes an unauthorized port. An unauthorized port is a port that users are not allowed to access; it is the counterpart of an authorized port.
In this embodiment, the network switching device can also authenticate clients that need to access the LAN and control the authorized/unauthorized state of the controlled port according to the authentication result.
Specifically: when authentication of the new device fails, the port of the new device becomes an unauthorized port. When another user unplugs the network cable from an authorized port and connects a different host to that authorized port by cable in order to enter the LAN, that user's key comparison fails, and the authorized port is locked and becomes an unauthorized port. In this embodiment, when another user connects to an authorized port through a hub device, that user's key comparison likewise fails, and the authorized port is locked and becomes an unauthorized port.
The present application provides a method for controlling device access. First, when a new device is detected accessing the control system LAN, a preliminary admission judgment is made according to a preset protocol. After the new device meets the preliminary admission condition, a first key is allocated to the new device and used to encrypt the authentication message. When the encrypted authentication message is transmitted to the device end, the first key contained in the encrypted authentication message is compared and verified against the second key. If the two are the same, authentication has succeeded and an authentication success result is fed back, meaning that the port of the new device is an authorized port that allows user access. That is, a preliminary admission judgment by preset protocol is combined with a second judgment by key encryption, which avoids the poor adaptability that results from using only the 802.1X protocol, improves the accuracy of authenticating devices admitted to the network, and thus improves the network security of control devices.
Refer to Figure 3, a flow chart of another method for controlling device access provided by an embodiment of this application and applied to a distributed control system. The method includes at least the following steps:
S301: A client that complies with the Extensible Authentication Protocol over LAN (EAPoL) issues a request to access the network switching device.
S302: Determine whether the accessing device is an admitted device logging in for the first time. If so, proceed to step S303; otherwise, proceed to step S310.
S303: The server allocates a third key to the new device, performs an initial encryption of the authentication message according to the third key, and transmits the encrypted authentication message to the network switching device for comparison and verification.
In this embodiment, the third key is a port-specific key. The server is extended with a key distribution judgment system that judges whether the new device is an admitted device logging in for the first time; if so, it randomly allocates a port-specific key, the third key, to the device, and the network switching device records this port key. In subsequent use, the third key is compared with the fourth key recorded by the network switching device through message encryption and decryption.
S304: In response to the third key being the same as the fourth key, the new device is determined to meet the identity requirement.
When the third key and the fourth key are the same, the new device meets the identity requirement, that is, the device is not an illegal login.
S305: Determine whether the accessing device satisfies the 802.1X admission protocol. If so, proceed to step S306; otherwise, proceed to step S310.
S306: Determine whether the accessing device satisfies the second preset protocol. If so, the preliminary admission condition is met and the method proceeds to step S307; otherwise, proceed to step S310.
S307: In response to the new device meeting the preliminary admission condition, a first key is allocated to the new device.
S308: The authentication message is encrypted according to the first key, and the encrypted authentication message is transmitted to the device end for comparison and verification.
S309: In response to the first key being the same as the second key, feed back that authentication passed.
S310: Admission authentication of the new device fails.
In this embodiment, S307 to S310 are the same as S202 to S204 in Figure 2 and are not discussed again here. In this embodiment, the identity judgment of S302 and the admission protocol judgment of S305 can be performed at the same time, or S302 can be performed first and then S305, or S305 first and then S302.
The device admission control method provided by this embodiment authenticates the identity of the new device by means of a port-specific key, avoiding the address theft, illegal device access and sharing of one account by several people that easily arise with the prior-art approach of authenticating by user name and password. This further improves the network security of control devices.
Referring to Figure 4, a flow chart of another control device admission method provided by an embodiment of the present application. The method is applied to a distributed control system and includes at least the following steps:
S401: When a client is detected requesting access to the network switching device, a preliminary admission judgment is made on the new device through the 802.1X protocol and MAC bypass authentication. If the condition is satisfied, proceed to step S402; otherwise, go to step S407.
S402: Assign an RSA key to the new device and encrypt the authentication message with the RSA key. Transmit the encrypted authentication message to the network switching device for decryption and comparison verification.
S403: If the RSA key is the same as the local key pre-recorded by the network switching device, authentication has succeeded and a success result is returned. Otherwise, go to step S407.
S404: Use the port timer to periodically update the RSA key and the local key pre-recorded by the network switching device.
In this embodiment of the present application, the port timer is set; when the timer expires, the RSA key and the local key pre-recorded by the network switching device are randomly updated.
S405: Encrypt the authentication message with the updated RSA key. Transmit the encrypted authentication message to the network switching device for decryption and comparison verification.
S406: When the updated RSA key is the same as the local key pre-recorded by the network switching device, authentication has succeeded and a success result is returned.
S407: Authentication has failed; a failure result is returned.
In the control device admission method provided by the embodiments of this application, the key is periodically updated by a timer, which further improves key security and the accuracy with which devices are authenticated for network admission, thereby improving the network security of the control devices.
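The two-stage flow of steps S401 to S407 above, together with the timer-driven key rotation and the port lock-out on a key mismatch that the claims below also describe, worked through as an added Python simulation. This is not code from the patent or from the applicant. The patent encrypts the authentication message with an RSA key and has the switching device decrypt it and compare the key with its locally recorded key; the simulation stands in for that step with an HMAC over the authentication message keyed by the assigned per-port key, so that equal tags imply equal keys (an assumption made to keep the example self-contained, not the patent's construction). The 802.1X identity list, the MAC bypass allowlist, the port name and the authentication message are constructed sample values.

```python
"""Simulation of the two-stage admission flow described in steps S401-S407:
preliminary 802.1X / MAC-bypass check, per-port key assignment, keyed
authentication message, comparison on the switching device, timer-driven key
rotation and lock-out of an authorized port on a key mismatch.
Added example; HMAC replaces the patent's RSA encrypt/decrypt step (assumption)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Port:
    """Per-port state held on the network switching device."""
    port_id: str
    local_key: Optional[bytes] = None  # the "second key" recorded on the switch
    authorized: bool = False           # authorized port: user traffic allowed
    locked: bool = False               # locked after a mismatch on an authorized port
    key_issued_at: float = 0.0         # port timer reference for rotation


def device_auth_tag(first_key: bytes, auth_msg: bytes) -> bytes:
    """Device side: bind the authentication message to the assigned first key."""
    return hmac.new(first_key, auth_msg, hashlib.sha256).digest()


class SwitchAdmission:
    """Admission logic of the network switching device."""

    def __init__(self, dot1x_identities, mab_allowlist, rotation_interval: float):
        self.dot1x_identities = set(dot1x_identities)
        self.mab_allowlist = {m.lower() for m in mab_allowlist}
        self.rotation_interval = rotation_interval
        self.ports: Dict[str, Port] = {}

    def _port(self, port_id: str) -> Port:
        return self.ports.setdefault(port_id, Port(port_id))

    def preliminary_admission(self, identity: Optional[str], mac: Optional[str]) -> bool:
        """S401: 802.1X first; if that fails, fall back to MAC bypass authentication."""
        if identity is not None and identity in self.dot1x_identities:
            return True
        return mac is not None and mac.lower() in self.mab_allowlist

    def assign_key(self, port_id: str, now: float) -> bytes:
        """S402: issue a fresh random per-port key and record it as the local key."""
        port = self._port(port_id)
        port.local_key = secrets.token_bytes(32)
        port.key_issued_at = now
        return port.local_key

    def rotate_if_due(self, port_id: str, now: float) -> Optional[bytes]:
        """S404: when the port timer expires, randomly update both keys; the new
        first key is returned so it can be handed to the device (S405)."""
        port = self._port(port_id)
        if port.local_key is None or now - port.key_issued_at < self.rotation_interval:
            return None
        return self.assign_key(port_id, now)

    def verify(self, port_id: str, auth_msg: bytes, tag: bytes) -> bool:
        """S403 / S406: recompute the tag with the local key; equal tags mean the
        device's first key equals the switch's second key."""
        port = self._port(port_id)
        if port.locked or port.local_key is None:
            return False
        expected = hmac.new(port.local_key, auth_msg, hashlib.sha256).digest()
        if hmac.compare_digest(expected, tag):
            port.authorized = True
            return True
        # S407: mismatch. A mismatch on an already authorized port locks it,
        # turning it into an unauthorized port (as in claim 7).
        if port.authorized:
            port.locked = True
        port.authorized = False
        return False


def run_scenario() -> dict:
    """Drive one port through admission, rotation, re-authentication and lock-out."""
    switch = SwitchAdmission(dot1x_identities={"plc-07"},
                             mab_allowlist={"00:11:22:33:44:55"},
                             rotation_interval=60.0)
    msg = b"AUTH plc-07 port=ge0/3"  # constructed authentication message
    r = {}
    # Unknown device: fails both 802.1X and MAC bypass -> S407.
    r["unknown_rejected"] = not switch.preliminary_admission("rogue", "de:ad:be:ef:00:01")
    # MAC bypass path, case-insensitive MAC match.
    r["mab_accepted"] = switch.preliminary_admission(None, "00:11:22:33:44:55".upper())
    # 802.1X path: key assigned, first authentication succeeds (S402/S403).
    r["dot1x_accepted"] = switch.preliminary_admission("plc-07", None)
    key = switch.assign_key("ge0/3", now=0.0)
    r["first_auth_ok"] = switch.verify("ge0/3", msg, device_auth_tag(key, msg))
    r["not_rotated_early"] = switch.rotate_if_due("ge0/3", now=30.0) is None
    # Timer expires: both keys rotate, device re-authenticates with the new key (S405/S406).
    new_key = switch.rotate_if_due("ge0/3", now=61.0)
    r["rotated"] = new_key is not None and new_key != key
    r["reauth_with_new_key_ok"] = switch.verify("ge0/3", msg, device_auth_tag(new_key, msg))
    # A stale key on the authorized port mismatches -> port locked (claim 7).
    r["stale_key_rejected"] = not switch.verify("ge0/3", msg, device_auth_tag(key, msg))
    r["port_locked"] = switch.ports["ge0/3"].locked and not switch.ports["ge0/3"].authorized
    # Once locked, even the correct key no longer opens the port.
    r["locked_port_stays_closed"] = not switch.verify("ge0/3", msg, device_auth_tag(new_key, msg))
    return r


if __name__ == "__main__":
    for name, ok in run_scenario().items():
        print(f"{name}: {'ok' if ok else 'FAIL'}")
```

The rotation interval and the lock-out policy are parameters of the simulation, not values taken from the patent; the point of the scenario is that a key issued before the port timer expired no longer verifies afterwards, so a device that missed the update loses its authorized port rather than continuing on the old key.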
Referring to Figure 5, a schematic structural diagram 500 of a control device admission apparatus provided by an embodiment of the present application. The apparatus includes at least the following units:
The first judgment unit 501 is configured to make a preliminary admission judgment on a new device according to a preset protocol when it is detected that the new device has accessed the control system local area network.
The allocation unit 502 is configured to allocate a first key to the new device in response to the new device meeting the preliminary admission conditions.
The second judgment unit 503 is configured to encrypt an authentication message with the first key and transmit the encrypted authentication message to the device side for comparison verification.
The response unit 504 is configured to, in response to the first key being the same as a second key, return an authentication success result and determine that the port of the new device is an authorized port; an authorized port is a port through which users are allowed access.
This application provides a control device admission apparatus. When the first judgment unit 501 detects that a new device has accessed the control system local area network, it makes a preliminary admission judgment according to a preset protocol. After the new device meets the preliminary admission conditions, the allocation unit 502 allocates a first key to the new device. The second judgment unit 503 encrypts the authentication message with the first key; when the encrypted authentication message is transmitted to the device side, the first key it contains is compared with the second key for verification. In response to the two being the same, the response unit 504 determines that authentication has succeeded and returns the success result, meaning that the port of the new device is an authorized port and user access is allowed. Combining the preliminary admission judgment of the preset protocol with a second judgment based on key encryption avoids the poor adaptability of relying on the 802.1X protocol alone, which improves the accuracy of authenticating devices for network admission and thereby improves the network security of the control devices.
An embodiment of the present application further provides an electronic device. The device includes a memory and a processor.
The memory is used to store program code and to transfer the program code to the processor.
The processor is used to execute the steps of the control device admission method described above according to the instructions in the program code.
An embodiment of the present application provides a computer-readable storage medium on which a computer program is stored; when the program is executed by a processor, the control device admission method of the embodiments of the present application is implemented.
In practical applications, the computer-readable storage medium may be any combination of one or more computer-readable media. The computer-readable medium may be a computer-readable signal medium or a computer-readable storage medium. The computer-readable storage medium may be, for example, but is not limited to, an electrical, magnetic, optical, electromagnetic, infrared or semiconductor system, apparatus or device, or any combination thereof. More specific examples (a non-exhaustive list) of computer-readable storage media include: an electrical connection having one or more conductors, a portable computer diskette, a hard disk, random access memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM or flash memory), optical fiber, portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the above. In this embodiment, a computer-readable storage medium may be any tangible medium that contains or stores a program for use by or in connection with an instruction execution system, apparatus or device.
A computer-readable signal medium may include a data signal propagated in baseband or as part of a carrier wave, carrying computer-readable program code. Such a propagated data signal may take many forms, including but not limited to an electromagnetic signal, an optical signal, or any suitable combination of the above. A computer-readable signal medium may also be any computer-readable medium other than a computer-readable storage medium that can send, propagate or transmit a program for use by or in connection with an instruction execution system, apparatus or device.
Program code contained on a computer-readable medium may be transmitted using any appropriate medium, including but not limited to wireless, wire, optical cable, RF, etc., or any suitable combination of the foregoing.
Computer program code for performing the operations of the present invention may be written in one or more programming languages or combinations thereof, including object-oriented programming languages such as Java, Smalltalk and C++, as well as conventional procedural programming languages such as the "C" language or similar programming languages. The program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer, or entirely on a remote computer or server. Where a remote computer is involved, the remote computer may be connected to the user's computer through any kind of network, including a local area network (LAN) or a wide area network (WAN), or may be connected to an external computer (for example, through the Internet using an Internet service provider).
The above descriptions are only exemplary embodiments of the present application and are not intended to limit the protection scope of the present application.

Claims (10)

  1. A method for controlling device admission, characterized in that the method includes:
    when a new device is detected accessing the control system local area network, making a preliminary admission judgment on the new device according to a preset protocol;
    in response to the new device meeting the preliminary admission conditions, allocating a first key to the new device;
    encrypting an authentication message with the first key, and transmitting the encrypted authentication message to a network switching device for comparison verification;
    in response to the first key being the same as a second key, returning an authentication success result and determining that the new device is admitted to the control system local area network.
  2. The method according to claim 1, characterized in that encrypting the authentication message with the first key and transmitting the encrypted authentication message to the network switching device for comparison verification includes:
    encrypting the authentication message according to a preset encryption algorithm and the first key;
    transmitting the encrypted authentication message to the data link layer of the switching device;
    decrypting the encrypted authentication message to obtain the first key, and verifying by comparing whether the first key and the second key are the same.
  3. The method according to claim 1, characterized in that after allocating the first key to the new device, the method further includes:
    starting a port timer, the port timer being used to obtain a preset time for periodically updating the first key;
    periodically updating the first key and the second key according to the preset time of the port timer;
    wherein returning an authentication success result in response to the first key being the same as the second key includes:
    in response to the periodically updated first key being the same as the periodically updated second key, returning an authentication success result.
  4. The method according to claim 1, characterized in that the method further includes:
    in response to the first key being different from the second key, returning an authentication failure result and determining that the port of the new device is an unauthorized port, an unauthorized port being a port through which users are not allowed access.
  5. The method according to claim 1, characterized in that making a preliminary admission judgment on the new device according to a preset protocol includes:
    judging whether the new device satisfies a first preset protocol;
    if so, determining that the new device meets the preliminary admission conditions;
    if not, determining that the new device meets the preliminary admission conditions in response to the new device satisfying a second preset protocol, the second preset protocol being a protocol that authenticates by identity identifier.
  6. The method according to claim 5, characterized in that the method further includes:
    in response to the new device being a device logging in for the first time, allocating a third key to the new device, the third key being a port-specific key;
    performing an initial encryption of the authentication message with the third key, and transmitting the encrypted authentication message to the network switching device for comparison verification;
    in response to the third key being the same as a fourth key, determining that the new device meets the identity requirement;
    determining that the new device meets the preliminary admission conditions according to the identity requirement and the preset protocol.
  7. The method according to claim 1, characterized in that the method further includes:
    when a user accesses an authorized port through the device side, in response to the user's key comparison not matching, locking the authorized port so that the authorized port becomes an unauthorized port.
  8. An apparatus for controlling device admission, characterized in that the apparatus includes:
    a first judgment unit, configured to make a preliminary admission judgment on a new device according to a preset protocol when the new device is detected accessing the control system local area network;
    an allocation unit, configured to allocate a first key to the new device in response to the new device meeting the preliminary admission conditions;
    a second judgment unit, configured to encrypt an authentication message with the first key and transmit the encrypted authentication message to the device side for comparison verification;
    a response unit, configured to, in response to the first key being the same as a second key, return an authentication success result and determine that the new device is admitted to the control system local area network.
  9. An electronic device, the device including a memory and a processor, wherein:
    the memory is used to store program code and to transfer the program code to the processor;
    the processor is used to execute, according to the instructions in the program code, the steps of the method for controlling device admission according to any one of claims 1 to 7.
  10. A computer-readable storage medium, characterized in that code is stored on the computer-readable storage medium, and when the code is executed by a processor, the steps of the method for controlling device admission according to any one of claims 1 to 7 are implemented.

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202210885577.XA CN115250203A (en) 2022-07-26 2022-07-26 Method and device for controlling equipment access and related products
CN202210885577.X 2022-07-26

Publications (1)

Publication Number Publication Date
WO2024021408A1 true WO2024021408A1 (en) 2024-02-01

Family

ID=83699822

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2022/135139 WO2024021408A1 (en) 2022-07-26 2022-11-29 Control device admission method and apparatus, and related product

Country Status (2)

Country Link
CN (1) CN115250203A (en)
WO (1) WO2024021408A1 (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115250203A (en) * 2022-07-26 2022-10-28 浙江中控技术股份有限公司 Method and device for controlling equipment access and related products
CN115879895B (en) * 2023-02-01 2023-07-07 安徽有活科技有限公司 Protocol admittance method, device, computer equipment and storage medium

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1595894A (en) * 2003-09-10 2005-03-16 华为技术有限公司 A method for implementing access authentication of wireless local area network
US20050273843A1 (en) * 2004-06-02 2005-12-08 Canon Kabushiki Kaisha Encrypted communication method and system
CN102244863A (en) * 2010-05-13 2011-11-16 华为技术有限公司 802.1x-based access authentication method, access equipment and aggregation equipment
CN107294952A (en) * 2017-05-18 2017-10-24 四川新网银行股份有限公司 A kind of method and system for realizing zero terminal network access
CN115250203A (en) * 2022-07-26 2022-10-28 浙江中控技术股份有限公司 Method and device for controlling equipment access and related products

Also Published As

Publication number Publication date
CN115250203A (en) 2022-10-28

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 22952842

Country of ref document: EP

Kind code of ref document: A1