
CN118353634A - Cloud edge end integrated identity authentication method and system for distributed energy storage system - Google Patents


Info

Publication number
CN118353634A
Authority
CN
China
Prior art keywords
key
identity
energy storage
terminal
private key
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202410470348.0A
Other languages
Chinese (zh)
Inventor
张慧翔
岳浩
廖凯华
朱新峰
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Northwestern Polytechnical University
Original Assignee
Northwestern Polytechnical University
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Northwestern Polytechnical University
Priority to CN202410470348.0A
Publication of CN118353634A
Legal status: Pending

Classifications

    • H ELECTRICITY
      • H04 ELECTRIC COMMUNICATION TECHNIQUE
        • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
          • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
            • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
              • H04L9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
                • H04L9/0838 Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these
            • H04L9/30 Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
            • H04L9/32 Cryptographic mechanisms or cryptographic arrangements including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
              • H04L9/3226 using a predetermined code, e.g. password, passphrase or PIN
              • H04L9/3247 involving digital signatures
              • H04L9/3263 involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computing Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Storage Device Security (AREA)

Abstract

The invention discloses a cloud edge end integrated identity authentication method and system for a distributed energy storage system. An edge gateway carries a certificate file and establishes a connection with the cloud; a key generation center KGC is initialized to generate a signature master key pair and an encryption master key pair; the edge gateway and the energy storage terminal first register their identities with the KGC, using the device's MAC address as the identity, and once the identity is obtained the KGC generates the corresponding public-private key pair; an edge key is generated from the identity and distributed to the energy storage terminal; and the energy storage terminal performs access authentication and session key negotiation to complete the cloud edge end integrated identity authentication. The method offers privacy protection, secure communication, identity authentication, centralized management and improved system reliability, and provides a secure and trustworthy identity authentication mechanism for the distributed energy storage system.

Description

Cloud edge end integrated identity authentication method and system for distributed energy storage system
Technical Field
The invention belongs to the technical field of network security, and particularly relates to a cloud edge end integrated identity authentication method and system for a distributed energy storage system.
Background
Distributed energy storage systems commonly use the Modbus protocol for communication. Modbus is efficient, easy to implement and reliable, but it has a number of security problems. Although the protocol includes inherent message error detection such as parity and CRC checks, these only guarantee the basic correctness of the transmitted data, which is far from sufficient in today's complex network environment. Securing communication over the Modbus protocol is therefore particularly important for the security of distributed energy storage systems. The main security problems of the Modbus protocol are as follows:
(1) Lack of identity authentication
The goal of identity authentication is to ensure that electric energy data is obtained only by legitimate users, and that an instruction sent to a terminal device by an unauthenticated user is not executed. The Modbus protocol as used here, however, provides no mechanism for identity authentication. A third party on the communication network, i.e. a malicious attacker, can therefore initiate communication using the protocol's function codes and disrupt the exchange of electric energy data.
(2) Plaintext transmission
When Modbus is used to communicate electric energy information, instructions and destination addresses are transmitted in plaintext, so an attacker can readily intercept and analyse important electric energy data, which lowers the bar for illegal operations. To avoid plaintext transmission and prevent attackers from stealing and misusing this data, the transmitted electric energy data must be encrypted with a modern encryption algorithm.
At the same time, with the wide deployment of distributed energy storage, the number of energy storage terminals and the volume of data they generate keep growing, which poses a great challenge to the existing cloud-based internet of things architecture. By exploiting the computing and storage capacity of edge gateways, the traditional cloud computing based "cloud-end" architecture is gradually giving way to a cloud-edge-end integrated architecture built around the edge gateway. Under this architecture, existing industrial internet of things security solutions have limitations for distributed energy storage systems. Traditional "cloud-end" authentication schemes are built on public key infrastructure (PKI) and suffer from the following problems: in a distributed energy storage environment the number of terminals is huge, which puts great pressure on certificate maintenance and storage and on the backup and recovery of user key pairs; and the cost of certificate verification is high, which makes such schemes unsuitable for resource-constrained distributed energy storage terminals.
Research on identity authentication methods for distributed energy storage systems therefore has important practical significance.
Disclosure of Invention
The invention aims to solve the problems of the prior art by providing a cloud edge end integrated identity authentication method and system for a distributed energy storage system, which address the large volume of certificate maintenance and the high cost of certificate verification in such systems.
The invention adopts the following technical scheme:
A cloud edge end integrated identity authentication method for a distributed energy storage system comprises the following steps:
S1, the edge gateway burns a certificate file;
S2, the edge gateway establishes a connection with the cloud using the certificate file;
S3, a key generation center KGC is initialized to generate a signature master key pair and an encryption master key pair;
S4, the edge gateway and the energy storage terminal first register their identities with the KGC, using the device's MAC address as the identity; after the identity is obtained, the KGC generates the corresponding public-private key pair; an edge key is generated from the identity and distributed to the energy storage terminal;
S5, the energy storage terminal performs access authentication and session key negotiation to complete the cloud edge end integrated identity authentication.
Preferably, in step S1, the certificate file includes a root certificate, a device-side certificate private key, and a device-side certificate.
Preferably, in step S3, the key generation center KGC is deployed on the edge gateway and initializes the SM9 cryptographic algorithm: it selects the SM9 system parameter set, generates the system signature master public key and master private key, and generates the system encryption master public key and master private key.
More preferably, a random number s ∈ [1, N−1] is generated as the system signature master private key, and a random number e ∈ [1, N−1] is generated as the system encryption master private key;
the element Ppub-s = [s]P2 of G2 is computed as the signature master public key, the signature master key pair being (s, Ppub-s); the element Ppub-e = [e]P1 of G1 is computed as the encryption master public key, the encryption master key pair being (e, Ppub-e);
the key generation center KGC keeps the signature master private key s and the encryption master private key e secret, and publishes the signature master public key Ppub-s and the encryption master public key Ppub-e.
More preferably, the SM9 identity-based cryptographic algorithm is implemented using the open source cryptographic toolkit GMSSL.
Preferably, in step S4, when a node of the distributed energy storage system joins the network it first registers its identity with the key generation center KGC; after the identity is acquired, the KGC generates the corresponding public-private key pair; the terminal obtains a signature private key from the KGC based on its identity and uses it for identity verification.
More preferably, the private key generation process of the terminal is as follows:
The key generation center KGC selects and publishes a one-byte private key generation function identifier hid. Let the identity of user A be ID_A. The KGC computes t1 over the finite field F_N; if t1 = 0, it regenerates the master private key, computes and publishes the new master public key, and updates the existing private keys; otherwise, from the master private key s it computes a scalar multiple of the base point P1 of the group G1 as the terminal's signature private key d_A. The signature private key d_A is delivered to the device by offline encryption and kept secret by the terminal for authentication when the device later securely accesses the network.
More preferably, when a terminal leaves the network and becomes an untrusted device, its identity is revoked: the key generation center KGC adds the revoked identity to a revocation list and periodically sends the revocation list to the edge gateway. When a terminal and the edge gateway perform identity authentication, the edge gateway can verify the user's identity from the identity alone.
Preferably, in step S5, the energy storage terminal access authentication specifically includes:
S501, the edge gateway ID_A sends an authentication request to a mounted energy storage terminal ID_B; the request comprises the authentication request identifier AuthReq and the identities of the gateway itself and the terminal;
S502, on receiving the authentication request, the energy storage terminal replies to its edge gateway; the reply comprises the authentication reply identifier AuthRsp, the identities of the energy storage terminal and the edge gateway, and a digital signature (h, S) computed with the SM9 digital signature algorithm using the terminal's private key, where M is the message to be signed and r is a random number with r ∈ [1, N−1];
S503, on receiving the terminal's reply, the edge gateway verifies the digital signature (h, S) with the SM9 signature verification algorithm; once verification passes, the gateway adds the terminal's identity to its authentication list and sends the terminal an encapsulated session key of bit length klen;
S504, on receiving the response packet from the edge gateway, the energy storage terminal verifies the gateway's identity through the gateway's digital signature; once verification passes, it decapsulates the received ciphertext to obtain the session key Key.
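The registration and access authentication steps above (S3 and S4 with the degenerate-key check and the revocation list, then S501 to S504), modelled end to end as an added example that is not part of the patent. SM9 needs bilinear pairings, which the Python standard library lacks, so a pairing-free identity-based signature (Galindo-Garcia style Schnorr over a prime-order subgroup) stands in for SM9 signing and an ElGamal-style key encapsulation stands in for SM9 key encapsulation; the roles are the ones the patent describes: a KGC master secret held on the gateway, a per-identity signing key derived from the MAC address, and verification from the claimed identity and the master public key alone. The group parameters, MAC addresses and messages are constructed toy values, and the freshness nonce in AuthReq is my addition, not part of S501.

```python
"""Toy model of KGC setup, identity registration, revocation and the S501-S504
access authentication exchange. Added example, not code from the patent; a
pairing-free identity-based signature stands in for SM9. Toy values throughout."""
import hashlib
import secrets

# Toy group: safe prime P = 2Q + 1 and a generator G of the order-Q subgroup.
# Far too small for real use; it only keeps the arithmetic readable.
P, Q, G = 2039, 1019, 4


def H(*parts: bytes) -> int:
    """Hash byte strings to a scalar in [0, Q-1] (the role of SM9's H1/H2)."""
    return int.from_bytes(hashlib.sha256(b"|".join(parts)).digest(), "big") % Q


def b2(x: int) -> bytes:
    """Fixed-width encoding of a group element (every value here fits in 2 bytes)."""
    return x.to_bytes(2, "big")


class KGC:
    """Key generation center, deployed on the edge gateway as the patent prescribes."""

    def __init__(self):
        self.s = secrets.randbelow(Q - 1) + 1   # master private key, s in [1, Q-1]
        self.ppub = pow(G, self.s, P)           # master public key (role of Ppub-s)
        self.revoked = set()                    # revocation list of withdrawn identities

    def extract(self, ident: bytes):
        """Issue the signing key (R, y) for an identity, i.e. the device's MAC address."""
        while True:
            r = secrets.randbelow(Q - 1) + 1
            R = pow(G, r, P)
            y = (r + self.s * H(b2(R), ident)) % Q
            if y != 0:      # degenerate key; the analogue of SM9's t1 = 0 check, so retry
                return R, y


def identity_pubkey(ppub: int, ident: bytes, R: int) -> int:
    """Verification key implied by (identity, R) and the master public key; equals G^y."""
    return R * pow(ppub, H(b2(R), ident), P) % P


def sign(key, ident: bytes, msg: bytes):
    """Identity-based signature (R, A, b) over msg."""
    R, y = key
    a = secrets.randbelow(Q - 1) + 1            # per-signature random, like r in SM9
    A = pow(G, a, P)
    return R, A, (a + y * H(ident, b2(A), msg)) % Q


def verify(ppub: int, ident: bytes, msg: bytes, sig) -> bool:
    """Check a signature using only the claimed identity and the master public key."""
    R, A, b = sig
    V = identity_pubkey(ppub, ident, R)
    return pow(G, b, P) == A * pow(V, H(ident, b2(A), msg), P) % P


def access_authentication(kgc, gw_id: bytes, gw_key, term_id: bytes, term_key):
    """S501-S504 between an edge gateway and a terminal. Returns the session key
    derived by each side, or None when the gateway or the terminal rejects the peer."""
    # S501: gateway -> terminal: AuthReq, both identities, plus a freshness nonce (my addition).
    req = b"|".join((b"AuthReq", gw_id, term_id, secrets.token_bytes(8)))
    # S502: terminal -> gateway: AuthRsp, identities and a signature over the request.
    term_sig = sign(term_key, term_id, req)
    # S503: the gateway consults the revocation list before verifying the signature.
    if term_id in kgc.revoked or not verify(kgc.ppub, term_id, req, term_sig):
        return None
    # The gateway encapsulates a session key to the terminal's identity-bound key
    # (ElGamal-style KEM standing in for SM9 key encapsulation) and signs it.
    V = identity_pubkey(kgc.ppub, term_id, term_sig[0])
    k = secrets.randbelow(Q - 1) + 1
    C = pow(G, k, P)
    encap = b"|".join((b"KeyEncap", gw_id, term_id, b2(C)))
    gw_sig = sign(gw_key, gw_id, encap)
    gw_session = hashlib.sha256(b2(pow(V, k, P))).digest()
    # S504: the terminal verifies the gateway's signature, then decapsulates with its key.
    if not verify(kgc.ppub, gw_id, encap, gw_sig):
        return None
    term_session = hashlib.sha256(b2(pow(C, term_key[1], P))).digest()
    return gw_session, term_session


if __name__ == "__main__":
    kgc = KGC()
    gw_id, term_id = b"00:11:22:33:44:55", b"66:77:88:99:aa:bb"   # constructed MAC addresses
    gw_key, term_key = kgc.extract(gw_id), kgc.extract(term_id)
    keys = access_authentication(kgc, gw_id, gw_key, term_id, term_key)
    print("session keys agree:", keys is not None and keys[0] == keys[1])
    kgc.revoked.add(term_id)
    print("revoked terminal rejected:", access_authentication(kgc, gw_id, gw_key, term_id, term_key) is None)
```

In the toy group a signature can be forged by brute force, so only the structure carries over; in a deployment the SM9 algorithm with its standard parameters does this work. The shape is what the gateway's verification path should look like: the revocation list is consulted before any signature arithmetic, the session key is bound to the identity that was just authenticated, and the terminal checks the gateway's signature before it accepts a key.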
In a second aspect, an embodiment of the present invention provides a cloud edge end integrated identity authentication system for a distributed energy storage system, including:
a burning module, used by the edge gateway to burn the certificate file;
the edge gateway carries the certificate file and establishes a connection with the cloud;
an initialization module, in which the edge gateway and the energy storage terminal register their identities with the KGC using the device's MAC address as the identity, after which the KGC generates the corresponding public-private key pair;
a distribution module, which generates an edge key from the edge identity and distributes the generated edge key to the energy storage terminal;
and an authentication module, used for the energy storage terminal's access authentication and session key negotiation to complete the cloud edge end integrated identity authentication.
In a third aspect, a chip includes a memory, a processor, and a computer program stored in the memory and executable on the processor, where the processor, when executing the computer program, implements the steps of the cloud edge end integrated identity authentication method for a distributed energy storage system described above.
In a fourth aspect, an embodiment of the present invention provides an electronic device, including a computer program, where the computer program when executed by the electronic device implements the steps of the cloud edge end integrated identity authentication method for a distributed energy storage system.
Compared with the prior art, the invention has at least the following beneficial effects:
The cloud edge end integrated identity authentication method for the distributed energy storage system aims to realize cloud edge end integrated identity authentication for the distributed energy storage system, with the following purposes and benefits:
1. Ensuring identity authentication: through the identity registration and the generation of the public and private key pair in the step S4, the system can verify the identities of the edge gateway and the energy storage terminal. The use of the MAC address of the device as an identity can ensure uniqueness. This prevents unauthorized devices or individuals from accessing the system, enhancing the security of the system.
2. Data integrity verification: by using the signing master key pair generated in step S3, the energy storage terminal can digitally sign the transmitted message, and the edge gateway can verify using the corresponding public key. This ensures the integrity of the message during communication and prevents tampering or modification of the message.
3. Confidentiality protection: by using the encryption master key pair generated in step S3, the energy storage terminal can encrypt the sensitive information using the public key, and only the edge gateway can decrypt using the corresponding private key. Therefore, the data transmitted in the communication process can be ensured to be decrypted only by a legal edge gateway, and the confidentiality of the data is protected.
4. Two-way identity authentication: the whole authentication method allows bidirectional identity authentication between the edge gateway and the energy storage terminal, i.e. mutual authentication of the identity of the other party. This ensures that both parties to the communication are legitimate and reduces the risk of man-in-the-middle attacks.
S1: the edge gateway burns the certificate file, which initializes the gateway's authentication certificate for later use in establishing a secure connection with the cloud.
S2: the edge gateway establishes a connection with the cloud using the certificate file, so that subsequent identity authentication and key exchange take place over a secure communication channel.
S3: the key generation center KGC is initialized to generate the signature master key pair and the encryption master key pair, from which secure key pairs are derived for subsequent identity authentication and for communication encryption and decryption.
S4: the edge gateway and the energy storage terminal register their identities with the KGC and obtain public-private key pairs, which establishes the trustworthiness of their identities and provides the key pairs needed for subsequent authentication and communication.
S5: the energy storage terminal completes cloud edge end integrated identity authentication with the edge gateway through access authentication and session key negotiation, ensuring communication security and identity trustworthiness.
The method as a whole is based on public key infrastructure (PKI) and the SM9 identity-based cryptographic algorithm, and combines digital signature and encryption techniques to achieve identity authentication, data integrity verification and confidentiality protection. Using the key pairs for identity verification and for encrypting and decrypting communication secures communication within the system, protects its data and solves the authentication problem. Cloud edge end integrated identity authentication of the distributed energy storage system is thereby realized, and the security and reliability of the system are improved.
Further, the certificate file comprises the following:
1. Root certificate: a root certificate is a trust anchor that issues other certificates and is used to verify and establish a chain of trust. Its purpose is to let the communicating parties verify the authenticity and trustworthiness of each other's certificates. Root certificates are typically issued and publicly distributed by a trusted Certificate Authority (CA). The root certificate prevents man-in-the-middle and impersonation attacks and provides the basis of trust required for secure communication.
2. Device-side certificate private key: the device-side certificate private key is generated by the device and stored locally, and is used to digitally sign and encrypt on behalf of the device's identity. It protects the device's private information while providing the digital signature and encryption functions needed for secure identity authentication and communication.
3. Device-side certificate: the device-side certificate is a digital certificate that packages the device's identity information together with its public key, and is exchanged and verified during identity authentication. Its purpose is to prove the identity, integrity and authenticity of the device, so that the device can interact securely with other entities when establishing secure connections and communicating.
Principle analysis and description:
Root certificate: the purpose of the root certificate is to establish a trust chain to verify the trust and validity of the device-side certificate. The root certificate is typically issued by an authoritative Certificate Authority (CA), whose public key is embedded in the device and cloud system. In the certificate verification process, the device-side certificate needs to trace back to the trusted root certificate through the trusted root certificate chain so as to ensure the validity and the credibility of the certificate.
Device side certificate private key: the certificate private key generated by the equipment side is used for carrying out digital signature and encrypted communication on the identity information of the equipment. The private key is typically stored in a secure store of the device, and only the device itself has access to the private key. By using the certificate private key, the device may digitally sign the transmitted data, thereby verifying the identity of the device and the integrity of the data. In addition, the private key may also be used to decrypt and encrypt communications to ensure confidentiality of the communications.
Device side certificate: the equipment-side certificate comprises identity information of equipment and a corresponding public key, and the authenticity of the certificate is ensured through a digital signature mechanism. Device-side credentials play an important role in device registration and communication. It is used to verify the identity of the device to prevent unauthorized devices from accessing the system. Meanwhile, the cloud system can encrypt data by using the public key of the equipment, so that confidentiality of communication is ensured. In addition, the device-side certificate can also be used for establishing a secure communication link to ensure the communication security and data integrity between the two parties.
By using the root certificate, the device-side certificate private key and the device-side certificate, the system can ensure the trusted identity of the edge gateway, verify the integrity of data during communication and protect the confidentiality of communication, which in turn ensures the security and reliability of cloud edge end integrated identity authentication for the distributed energy storage system.
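How the three parts of the certificate file come together on the gateway side of step S2, as an added example not taken from the patent: a TLS client context built with Python's standard ssl module that anchors trust only in the burned root certificate and presents the device-side certificate and private key for mutual authentication, beside an audit function that flags the settings which would defeat the trust chain described above. The file names are placeholders, and the weak context is constructed only for comparison.

```python
"""Building and auditing the edge gateway's TLS client context for step S2 from
the certificate file burned in step S1 (root certificate, device-side certificate,
device-side private key). Added example, not the patent's own code; paths are placeholders."""
import ssl

TLS_MIN = ssl.TLSVersion.TLSv1_2


def gateway_tls_context(root_ca: str, device_cert: str, device_key: str) -> ssl.SSLContext:
    """Client context for the gateway -> cloud connection.

    Trust is anchored only in the burned root certificate: the system trust store
    is deliberately not loaded, so a cloud endpoint presenting a certificate from
    any other CA, even a publicly trusted one, fails validation. The device-side
    certificate and private key give the gateway its identity for mutual TLS."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)   # CERT_REQUIRED and check_hostname on by default
    ctx.minimum_version = TLS_MIN
    ctx.load_verify_locations(cafile=root_ca)       # the root certificate is the only trust anchor
    ctx.load_cert_chain(certfile=device_cert, keyfile=device_key)
    return ctx


def weak_context() -> ssl.SSLContext:
    """The weak setting, for comparison: a client context that accepts any certificate."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode can be lowered
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Return the settings that would undermine certificate-based authentication of the cloud."""
    problems = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        problems.append("verify_mode is not CERT_REQUIRED: the cloud certificate is never validated")
    if not ctx.check_hostname:
        problems.append("check_hostname is off: any certificate under the trusted root is accepted")
    if ctx.minimum_version < TLS_MIN:
        problems.append("minimum_version below TLS 1.2")
    if ctx.cert_store_stats()["x509_ca"] == 0:
        problems.append("no root certificate loaded: there is no trust anchor to validate against")
    return problems


if __name__ == "__main__":
    for line in audit_context(weak_context()):
        print("weak context:", line)
    # Placeholder paths for the files burned in step S1:
    # ctx = gateway_tls_context("root.pem", "gateway.pem", "gateway.key")
```

Running audit_context against a context that an application has quietly downgraded (verify_mode lowered to get past a certificate error, for instance) lists exactly which of the root certificate's guarantees no longer hold, which is the check to put in front of any code path that opens the gateway's connection to the cloud.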
Further, 1. KGC deployed at the edge gateway: deploying the key generation center (KGC) at the edge gateway provides the following benefits:
(1) Data localization: the edge gateway is located at the edge of the network and can directly communicate and exchange data with the terminal equipment. By deploying KGC on the edge gateway, the key generation process can be moved to the location closest to the end device. Therefore, the transmission delay and the bandwidth consumption of the data can be reduced, the key generation efficiency is improved, and the required key can be quickly generated on the edge equipment, so that the localization processing and the safety protection of the data are realized.
(2) Enhanced security: deploying the KGC at the edge gateway provides higher security. The edge gateway, as the front line of data transmission and processing, has strong boundary defense and security monitoring capabilities. Placing the KGC in the edge gateway means that security measures such as access control, authentication and auditing can be applied during key generation in the edge environment. This prevents unauthorized access and potential attacks and provides a more reliable key generation and protection mechanism.
(3) Simplified management: by deploying KGC at edge gateways, system management and maintenance may be simplified. The edge gateway typically integrates a large number of devices and services, and integrating KGC with the edge gateway can reduce the complexity of independent deployment and management. An administrator can perform centralized management and configuration on KGC through a centralized edge management system, so that the cost and the workload of system management are reduced.
(4) Improved response speed: the edge gateway is the node closest to the terminal device and can respond and process quickly. Deploying the KGC at the edge gateway reduces the latency and response time of key generation, which matters for scenarios that need fast key generation, such as large-scale terminal registration and device authentication. Deploying the key generation center on the edge gateway thus better meets real-time and responsiveness requirements.
2. Selecting a system parameter set: in the SM9 cryptographic algorithm, the system parameter set includes a set of curve parameters and other security parameters. KGC is responsible for selecting the appropriate set of system parameters to build the basis of the SM9 cryptographic algorithm. The selection of the appropriate set of system parameters may ensure the security and performance of the algorithm. Different sets of system parameters may be selected according to specific requirements, such as key length, computational complexity, etc.
3. Generating and setting a system signature main public key and a system signature main private key: in the SM9 cryptographic algorithm, a system signature master public key is used for verifying a signature, and a system signature master private key is used for generating the signature. KGC is responsible for generating system-level signed master public and private keys. The system-level key is used for signing operation of the whole system, and authenticity and integrity of data are ensured. The signing keys at the system level are generated and managed by KGC to ensure consistency and security of the signing operations of the various entities within the system.
4. Generating and setting a system encryption main public key and an encryption main private key: in the SM9 cryptographic algorithm, the system encrypts the master public key for encrypting data and the system encrypts the master private key for decrypting data. KGC is responsible for generating system-level encrypted master public and private keys. The system-level key is used for encrypting the whole system, and ensures confidentiality of data. The encryption key at the system level is generated and managed by KGC to ensure the security and consistency of the encrypted communication between the entities within the system.
Principle analysis and description:
1. Selecting a system parameter set: the selection of the proper system parameter set is the basis for guaranteeing the security and performance of the SM9 cryptographic algorithm. The selection of the system parameter set should take into account the suitability of curve selection, the safety and efficiency requirements of parameter setting. By reasonably selecting the system parameter sets, the system can reach the optimal balance point in the aspects of interoperability, safety and performance.
2. Generating and setting a system signature main public key and a system signature main private key: the generation of the system-level signature master public and private keys is critical to ensure the consistency and security of the overall system signature. The KGC generated system level keys may be used to verify and generate signature operations for various entities throughout the system, ensuring the authenticity and integrity of the data. The signature key at the system level is generated, so that the consistency of signature operation in the whole system is ensured, and meanwhile, the safety of the private key can be protected, and the private key is prevented from being leaked or maliciously used.
3. Generating and setting a system encryption main public key and an encryption main private key: the generation of the encrypted main public key and the private key at the system level is a key for ensuring the security of the encrypted communication of the whole system. The system level key generated by KGC can be used for encrypting communication among all entities in the whole system, so that the confidentiality of data is ensured. The encryption key at the system level is generated to ensure the consistency of the encrypted communication in the whole system, and meanwhile, the security of the private key can be protected to prevent the private key from being leaked or maliciously used.
Further, the purpose of implementing the SM9 identification cryptographic algorithm using the open source cryptographic tool GMSSL is to use the SM9 cryptographic algorithm as an encryption tool in practical applications and enjoy the following benefits:
1. Powerful security: SM9 is a cryptographic algorithm based on elliptic curve cryptography proposed by China national institutes of ciphers, and has high security. The algorithm adopts advanced cryptography algorithm and mathematical principle, and can ensure confidentiality, integrity and reliability of data. By implementing the SM9 algorithm using GMSSL tools, the strong security of the algorithm can be exploited to protect sensitive data and communications content.
2. Standardization and interoperability: GMSSL is an open source cryptographic tool that supports various international cryptographic standards and algorithms, including SM9. Implementation of the SM9 algorithm by using GMSSL can make implementation of SM9 on different systems and platforms more standardized and unified. Therefore, the SM9 algorithm realized by GMSSL can be ensured to be compatible and interoperable in different application environments, and the flexibility and the expandability of the system are improved.
3. Transparency of open source: GMSSL is an open source cryptographic tool that a user can view and review to gain transparency of the algorithm. By using an open source tool to realize the SM9 algorithm, a user can independently verify the correctness and safety of the algorithm, and trust of the algorithm is enhanced. Meanwhile, the open source also promotes the evaluation and improvement of the algorithm by security specialists and researchers, and is beneficial to continuously improving the security and reliability of the algorithm.
4. Simplified development and deployment: GMSSL provides a complete set of cryptographic tools and interfaces, including implementation of SM9 algorithm and related functional modules. By using GMSSL, the user can simplify the development and integration process of the SM9 algorithm, and reduce the workload and development cycle. The tool also provides rich documents and example code that facilitate the user's understanding and use of the SM9 algorithm.
Principle analysis and description: SM9 is a cryptographic algorithm based on elliptic curve cryptography. The key principle is that the secure key exchange, digital signature and encryption functions are realized by adopting the operation on elliptic curve groups. The SM9 algorithm ensures the security of the secret key by utilizing the complexity of the discrete logarithm problem of the elliptic curve, and enhances the reliability of the algorithm by adopting a mechanism capable of verifying encryption and identity authentication.
When the SM9 algorithm is implemented with GMSSL tools, the various functions of SM9, such as key generation, signing, encryption and decryption, can be realized by calling the API functions provided by GMSSL. GMSSL provides the necessary algorithm support and functional implementation through its elliptic curve arithmetic library and cryptographic algorithm library. Through GMSSL's encapsulation, the user can conveniently invoke the various functions of the SM9 algorithm and perform the related security operations.
In summary, implementing the SM9 algorithm using the open source cryptographic tool GMSSL can provide the benefits of strong security, standardization and interoperability, open source transparency, and simplified development and deployment. Thus, the SM9 algorithm can be more convenient and reliable in practical application, and the security of sensitive data and communication content is protected.
Further, the setting in step S4 aims at realizing the identity authentication of the nodes in the distributed energy storage system and ensuring safe communication and data access. The following is the purpose and the advantages set by the step S4 and the analysis explanation of the relevant principle:
The purpose is as follows:
1. Identity registration: by registering the identity with a Key Generation Center (KGC), a node in the distributed energy storage system may obtain a unique identity. Thus, each node can be ensured to have unique identity, and the impersonation and counterfeiting of the identity are prevented.
2. Public and private key generation: and the Key Generation Center (KGC) generates a corresponding public-private key pair according to the identity of the node. In this way, each node has its own public and private keys for subsequent authentication and encrypted communications. The generation of public and private key pairs can ensure confidentiality and integrity of data.
3. Signature private key acquisition: the terminal obtains a signature private key from a Key Generation Center (KGC) according to the identity of the terminal, and the signature private key is used for identity verification. The acquisition of the private key of the signature may ensure that the identity of the node is confirmed and the signature may be used to verify the origin and integrity of the data.
Benefits are:
1. Identity verification and protection against counterfeiting: by means of identity registration and generation of unique identity identification, the true identity of each node in the system can be ensured, and impersonation and counterfeiting of the identity can be prevented.
2. Data security and integrity: by generating the public and private key pair, the encryption and decryption operation of the data can be realized, and the confidentiality and the integrity of the data in the transmission and storage processes are ensured.
3. Authentication and authorization: by acquiring the signature private key, identity verification and authorization judgment can be performed, only legal nodes can be ensured to access and operate, and the safety and stability of the system are enhanced.
Principle analysis:
The Key Generating Center (KGC) acts as a trusted third party authority responsible for generating and distributing keys. When a node accesses a network, the node firstly performs identity registration so as to acquire unique identity identification. Then, a Key Generation Center (KGC) generates a corresponding public-private key pair according to the identity of the node, wherein the public key is used for encrypting data, and the private key is used for decrypting the data and the digital signature.
The terminal can obtain the corresponding signature private key by providing its own identity to a Key Generation Center (KGC). In this way, the terminal can digitally sign the data using the private key to ensure the origin and integrity of the data. After receiving the signed data, other nodes can verify the validity and integrity of the data by verifying the signature.
In a word, the step S4 is set to realize the protection of the identity authentication and the data security of the nodes in the distributed energy storage system through the steps of identity registration, public and private key generation, signature private key acquisition and the like. The method can ensure the true identity of the node, prevent counterfeiting and impersonation, and ensure confidentiality, integrity and access control security of data in the transmission and storage processes.
Further, the purpose of the private key generation setting of the terminal is to ensure that the terminal equipment uses a safe and unique private key in the network access process so as to perform identity authentication and data protection. The following are the benefits of the terminal private key generation setup and the associated principle analysis description:
The purpose is as follows:
1. Safety: the security of the private key is ensured as far as possible by generating the private key of the terminal. The private key is a key element for identity verification and data signing, so that the terminal device needs to generate the private key and store the private key securely to prevent disclosure and unauthorized use of the private key.
2. Uniqueness: each terminal device needs to have a unique private key so that the identity between different devices and the uniqueness of the signing private key can be ensured. The unique private key can prevent identity impersonation and counterfeiting, and improves the security of the system.
Benefits are:
1. Identity authentication: the terminal uses the generated private key to carry out digital signature so as to verify the authenticity and legitimacy of the identity of the terminal. When the private key is generated, the signature private key of the terminal is calculated by using the identification of the terminal and the main private key, so that the generation of the private key is associated with the unique identification of the terminal.
2. Data integrity: the signature private key of the terminal is related to the unique identifier of the terminal equipment and the main private key, so that the integrity of data is ensured by generating the private key. The terminal signs the data by using the signature private key, and other devices can verify by using the public key, so that the source and the integrity of the data are ensured.
3. Secure access network: after the private key is generated, the terminal transmits the signature private key to the device in an off-line encryption mode, and the terminal secrets and saves the signature private key. Therefore, confidentiality of the private key can be guaranteed, risks of the private key in the transmission process are reduced, and the terminal equipment can safely access the network to perform identity authentication and access control.
Principle analysis:
The Key Generation Center (KGC) selects a one-byte private key generation function identifier and calculates t1 over the finite field FN based on the identity of user A. If t1 is equal to 0, the master private key must be regenerated, the master public key recalculated and published, and the existing private keys updated. This ensures the security and uniqueness of the master private key.
If t1 is not equal to 0, the identity and the master private key s are used to calculate the multiple of the base point P1 of group G1 as the signature private key of the terminal. The private key is associated with the unique identification of the terminal equipment, so that the uniqueness of the private key and the consistency with the terminal identity are ensured. The signature private key is issued to the terminal equipment in an off-line encryption mode and is stored by the terminal to ensure confidentiality of the private key.
In summary, the private key generation setting of the terminal aims at ensuring the security and the uniqueness of the private key so as to realize the identity authentication and the data integrity of the terminal equipment. The generated private key is associated with the identification of the terminal equipment and the main private key, and is distributed and stored in an off-line encryption mode, so that confidentiality and use safety of the private key are guaranteed.
Further, when a terminal exits the network and becomes an untrusted device, its identity is revoked: the key generation center KGC adds the identity of the revoked terminal to a revocation list and periodically sends the revocation list to the edge gateway. When the terminal and the edge gateway perform identity authentication, the edge gateway verifies the identity of the user according to the identity alone. The benefits are as follows:
1. Security: by revoking the identity of the terminal, a device that has exited the network is prevented from continuing to access system resources or attempting identity impersonation. Updating and sending the revocation list makes the network system more secure and reliable when identifying and authenticating trusted devices.
2. Access control: by revoking the identity of the terminal, the edge gateway can quickly verify the identity of the terminal device according to the identity and decide whether to allow it to re-access the network or access system resources. Thus untrusted devices are kept out and effective access control management is achieved, improving the overall security of the system.
3. Preventing access by untrusted devices: after the identity of the terminal is revoked, the edge gateway matches the identity against the revocation list when performing identity authentication. If the identity of the terminal appears in the revocation list, the edge gateway denies access to the terminal device, preventing untrusted devices from entering the network and reducing security threats.
When a terminal device exits the network, a Key Generation Center (KGC) will revoke the identity of the terminal and add it to the revocation list. This ensures that the terminal device is considered to be an untrusted device and prevents unauthorized access to the network resources. The key generation center periodically sends the revocation list to the edge gateway. When the edge gateway performs identity authentication, the credibility of the terminal equipment is only verified according to the identification. The method can compare the identification of the terminal with the revocation list, and if the identification is matched with the revocation list, the terminal can be judged to be an untrusted device, and access is denied or access authority is limited. The revocation identification is transmitted to the edge gateway, and the control of the non-trusted device is realized by centralized management of the revocation list. The edge gateway can rapidly perform identity verification based on the revocation list, effectively prevent the access of the revoked equipment, and improve the security of the network system and the reasonable allocation of resources. In a word, the identity revocation setting of the terminal equipment aims at preventing the non-trusted equipment from being approved and accessing network resources, and the quick identification and access control of the revoked equipment are realized through the management of a revocation list and the verification of an edge gateway, so that the effects of network security and resource management are improved.
Further, the following describes the purpose or advantage of each step of the cloud edge end integrated identity authentication method for the distributed energy storage system, with principle analysis:
The edge gateway sends the authentication request:
1. Authentication initiation: by sending the authentication request, the edge gateway puts the energy storage terminal into the authentication state.
2. Identity transfer: the authentication request carries the identities so that the energy storage terminal can identify and respond to the correct edge gateway.
The energy storage terminal replies to the request:
1. Identity confirmation: the energy storage terminal confirms its identity by replying to the authentication request and provides its identity.
2. Digital signature: the integrity and authenticity of the reply are ensured by digitally signing it with the terminal's own private key.
The edge gateway verifies the reply:
1. Verifying the digital signature: the edge gateway verifies the digital signature sent by the energy storage terminal with the corresponding signature verification algorithm to ensure the integrity and authenticity of the message.
2. Authentication list update: after verification, the edge gateway adds the identity of the energy storage terminal to an authentication list for subsequent identity verification and access control.
3. Session key negotiation: the edge gateway encrypts a session key and sends it to the energy storage terminal. This session key is used for subsequent secure communication and data transmission.
The energy storage terminal verifies the response:
1. Identity authentication: the energy storage terminal verifies the received response using the digital signature of the edge gateway, ensuring the security of the communication link.
2. Session key acquisition: the energy storage terminal unpacks the received ciphertext to obtain the session key for subsequent secure communication and data transmission.
In summary, the cloud edge end integrated identity authentication method for the distributed energy storage system can achieve the following purposes and benefits: the validity and the authenticity of the identity are ensured, and the identity is prevented from being faked and counterfeited. And establishing authentication states of the two parties, establishing a mutual trust relationship, and realizing safe communication and data transmission. And updating an authentication list of the edge gateway for access control and management. And the confidentiality of data transmission is enhanced, and the security of sensitive information is protected. The identity authentication method realizes the purposes of identity authentication and secure communication of the energy storage terminal through the steps of authentication request, digital signature, signature verification algorithm, identity verification, session key negotiation and the like, and improves the security and the credibility of the system.
It will be appreciated that the advantages of the second aspect may be found in the relevant description of the first aspect, and will not be described in detail herein.
In summary, the cloud edge end integrated identity authentication method for the distributed energy storage system has the advantages of privacy protection, safety communication, identity authentication, centralized management, system reliability enhancement and the like, and can provide a safe and credible identity authentication mechanism for the distributed energy storage system.
The technical scheme of the invention is further described in detail through the drawings and the embodiments.
Drawings
FIG. 1 is a schematic diagram of a method of the present invention;
FIG. 2 is a side communication flow chart of the method of the present invention;
FIG. 3 is a communication flow chart after the authentication and key agreement between the edge gateway and the energy storage terminal is successful;
FIG. 4 is a schematic diagram of a computer device according to an embodiment of the present invention;
FIG. 5 is a block diagram of a chip according to an embodiment of the present invention;
FIG. 6 is a schematic diagram of authentication success;
FIG. 7 is a schematic diagram of authentication failure;
FIG. 8 is an Internet of things platform device page;
FIG. 9 is an energy storage terminal access authentication;
FIG. 10 is an edge gateway response to a terminal authentication request.
Detailed Description
The following description of the embodiments of the present invention will be made clearly and fully with reference to the accompanying drawings, in which it is evident that the embodiments described are some, but not all embodiments of the invention. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
In the description of the present invention, it will be understood that the terms "comprises" and "comprising," when used in this specification, specify the presence of stated features, integers, steps, operations, elements, and/or components, but do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components, and/or groups thereof.
It is also to be understood that the terminology used in the description of the invention is for the purpose of describing particular embodiments only and is not intended to be limiting of the invention. As used in this specification and the appended claims, the singular forms "a," "an," and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise.
It should be further understood that the term "and/or" as used in the present specification and the appended claims refers to any and all possible combinations of one or more of the associated listed items, and includes such combinations, e.g., a and/or B, may represent: a exists alone, A and B exist together, and B exists alone. In the present invention, the character "/" generally indicates that the front and rear related objects are an or relationship.
It should be understood that although the terms first, second, third, etc. may be used to describe the preset ranges, etc. in the embodiments of the present invention, these preset ranges should not be limited to these terms. These terms are only used to distinguish one preset range from another. For example, a first preset range may also be referred to as a second preset range, and similarly, a second preset range may also be referred to as a first preset range without departing from the scope of embodiments of the present invention.
Depending on the context, the word "if" as used herein may be interpreted as "at … …" or "at … …" or "in response to a determination" or "in response to a detection". Similarly, the phrase "if determined" or "if detected (stated condition or event)" may be interpreted as "when determined" or "in response to determination" or "when detected (stated condition or event)" or "in response to detection (stated condition or event), depending on the context.
Various structural schematic diagrams according to the disclosed embodiments of the present invention are shown in the accompanying drawings. The figures are not drawn to scale, wherein certain details are exaggerated for clarity of presentation and may have been omitted. The shapes of the various regions, layers and their relative sizes, positional relationships shown in the drawings are merely exemplary, may in practice deviate due to manufacturing tolerances or technical limitations, and one skilled in the art may additionally design regions/layers having different shapes, sizes, relative positions as actually required.
The invention provides a cloud edge end integrated identity authentication method for a distributed energy storage system, which comprises three entities, a cloud end, an edge gateway and a distributed energy storage system terminal, wherein the cloud end is an application layer of the distributed energy storage system and is mainly used for providing services such as monitoring operation and maintenance, equipment management, data storage and the like, receiving data uploaded by terminal equipment at a lower layer, analyzing and processing the data, and providing PKI authentication access service for the edge gateway. The edge gateway is a computing device deployed in the field energy storage cabinet, provides edge intelligent service for terminal equipment, and the SM9 identity authentication system is deployed in the edge gateway and is responsible for generating and distributing keys of the perception layer terminal and authenticating the identity of the terminal.
Referring to fig. 1, the cloud edge end integrated identity authentication method for the distributed energy storage system of the invention comprises the following steps:
S1, the edge gateway burns certificate files (a root certificate, a device-side certificate private key and a device-side certificate);
S2, the edge gateway establishes a connection with the cloud using the certificate;
S3, the key generation center KGC is initialized to generate a signature master key pair and an encryption master key pair;
Preferably, the key generation center KGC is deployed at an edge gateway to initialize the SM9 cryptographic algorithm, mainly to complete the selection of the parameter set of the SM9 cryptographic algorithm system, the generation of the system signature main public key and the system signature main private key, and the generation of the system encryption main public key and the encryption main private key, and to implement the SM9 identification cryptographic algorithm, an open source cryptographic tool GMSSL may be used; the specific process is as follows:
S301, randomly generate a random number s ∈ [1, N-1] as the system signature master private key and a random number e ∈ [1, N-1] as the system encryption master private key;
S302, calculate the element Ppub-s = [s]P2 in G2 as the signature master public key, the signature master key pair being (s, Ppub-s); calculate the element Ppub-e = [e]P1 in G1 as the encryption master public key, the encryption master key pair being (e, Ppub-e);
S303, the key generation center KGC secretly stores the signature master private key s and the encryption master private key e, and publishes the signature master public key Ppub-s and the encryption master public key Ppub-e.
S4, generating a side key and distributing the key;
when a node (a distributed energy storage terminal) in the distributed energy storage system is accessed to a network, firstly, identity registration is carried out on a key generation center KGC, and the MAC address of equipment is used as the identity of the terminal;
after the identity is obtained, a corresponding public and private key pair is generated by KGC; the terminal obtains a signature private key from the key generation center according to the identity of the terminal for identity verification.
The private key generation process of the terminal is as follows:
The key generation center KGC selects and publishes a one-byte private key generation function identifier hid. Let the identity of user A be IDA. KGC first calculates t1 over the finite field FN; if t1 = 0, it regenerates the master private key, calculates and publishes the master public key, and updates the existing private keys; otherwise it uses the master private key s and the identity to compute a scalar multiple of the base point P1 of group G1 as the signature private key dA of the terminal. The terminal signature private key dA is issued to the device in an off-line encrypted manner and kept secret by the terminal for authentication when the device later securely accesses the network;
t1 is calculated as follows:
t1 = H1(IDA || hid, N) + s
IDA = MACA
The terminal signature private key dA is:
t2 = s · t1^-1
dA = [t2]P1
The terminal public key QA is:
QA = [H1(IDA || hid)]P + Ppub
the key generation center KGC needs to maintain an identity revocation list, and when a terminal exits the network and becomes an untrusted device, the KGC needs to revoke its identity, and the KGC needs to add the identity of the revoked terminal to the revocation list.
The key generation center KGC needs to send the list to the edge gateway periodically, and the distributed energy storage terminal does not need to maintain the list. When the terminal and the edge gateway perform identity authentication, the edge gateway can verify the identity of the user only according to the identity, so that KGC does not need to store public and private keys of the user, and compared with a traditional PKI authentication system, the key management is more convenient because a certificate library and a key library do not need to be maintained.
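The revocation handling described in step S4 and in the discussion of identity revocation above (KGC keeps the list, pushes it to the edge gateway periodically, the gateway screens the terminal's MAC identity before anything else) can be exercised with the following added example. It is not the patent's or the project's own code: the version number on each pushed list, the MAC normalisation, and the pruning of already-authenticated but now-revoked terminals from the gateway's authentication list are assumptions made here; the MAC addresses are constructed sample values.

```python
"""Edge-gateway screening of terminal identities against the KGC revocation list.

Added example for this page, not the patent's own code. It follows step S4
(MAC address as identity, KGC revocation list pushed periodically to the edge
gateway, gateway checks the identity alone). The version number on the pushed
list, the MAC normalisation and the pruning of the gateway's authentication
list are assumptions of this example.
"""
import re

_MAC12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(mac):
    """Canonical lowercase 12-hex-digit form, so 'AA-BB-CC-DD-EE-FF' and
    'aa:bb:cc:dd:ee:ff' are one identity and a spelling variant cannot
    slip past the revocation check."""
    raw = re.sub(r"[:\-.\s]", "", mac.strip().lower())
    if not _MAC12.match(raw):
        raise ValueError("not a MAC address: %r" % mac)
    return raw


class KeyGenerationCenter:
    """KGC side: registers identities and maintains the revocation list (step S4)."""

    def __init__(self):
        self.registered = set()
        self.revoked = set()
        self.list_version = 0          # assumption: monotonic counter, bumped on each change

    def register(self, mac):
        ident = normalize_mac(mac)
        if ident in self.revoked:      # a revoked identity is not silently re-admitted
            raise PermissionError("identity %s is revoked" % ident)
        self.registered.add(ident)
        return ident

    def revoke(self, mac):
        """Terminal leaves the network: its identity joins the revocation list."""
        ident = normalize_mac(mac)
        self.registered.discard(ident)
        self.revoked.add(ident)
        self.list_version += 1

    def export_revocation_list(self):
        """What KGC sends to the edge gateway periodically."""
        return {"version": self.list_version, "revoked": sorted(self.revoked)}


class EdgeGateway:
    """Gateway side: holds the latest revocation list and the authentication list."""

    def __init__(self):
        self.revoked = set()
        self.list_version = -1
        self.authenticated = set()     # identities whose signature verified (step S503)

    def receive_revocation_list(self, rl):
        """Apply only a newer list: a stale or replayed push must not roll a
        revocation back. Terminals already authenticated but now revoked are
        dropped from the authentication list. Returns True if applied."""
        if rl["version"] <= self.list_version:
            return False
        self.revoked = set(rl["revoked"])
        self.list_version = rl["version"]
        self.authenticated -= self.revoked
        return True

    def screen_identity(self, mac):
        """Pre-check on the identity carried in AuthRsp, before any signature
        verification. Returns (allowed, reason_or_identity)."""
        try:
            ident = normalize_mac(mac)
        except ValueError as exc:
            return False, str(exc)
        if ident in self.revoked:
            return False, "identity revoked"
        return True, ident

    def on_signature_verified(self, mac):
        """Called once the SM9 signature check passes; adds to the authentication list."""
        ident = normalize_mac(mac)
        if ident in self.revoked:
            return False
        self.authenticated.add(ident)
        return True


def demo():
    kgc = KeyGenerationCenter()
    gw = EdgeGateway()
    kgc.register("00:1A:2B:3C:4D:5E")            # constructed terminal MACs
    kgc.register("00-1a-2b-3c-4d-5f")
    gw.receive_revocation_list(kgc.export_revocation_list())
    gw.on_signature_verified("00:1a:2b:3c:4d:5e")
    kgc.revoke("00:1A:2B:3C:4D:5E")               # first terminal exits the network
    gw.receive_revocation_list(kgc.export_revocation_list())
    return gw.screen_identity("00-1A-2B-3C-4D-5E")[0], gw.screen_identity("001a2b3c4d5f")[0]


if __name__ == "__main__":
    print(demo())   # (False, True)
```

Because the gateway compares identities alone, the normalisation step matters: the same MAC written with different separators or case must map to one entry, otherwise a revoked device could be matched inconsistently. The version check is the gateway-side guard for the periodic push the page describes, so an old list arriving late cannot un-revoke a terminal.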
S5, the energy storage terminal accesses authentication and session key negotiation.
Referring to fig. 2, the flow of the energy storage terminal access authentication is specifically as follows:
S501, the edge gateway IDA sends an authentication request to the energy storage terminal IDB attached to it, the authentication request comprising an authentication request identifier AuthReq and the identities of the gateway itself and of the terminal;
IDA → IDB: AuthReq || IDA || IDB
S502, after receiving the authentication request, the energy storage terminal replies to the edge gateway it belongs to; the reply comprises an authentication reply identifier AuthRsp, the identities of the energy storage terminal and of the edge gateway, and a digital signature (h, S) calculated with the private key of the energy storage terminal through the SM9 digital signature algorithm, where M is the message to be signed and r is a random number, r ∈ [1, N-1];
h = H2(M || e(P1, Ppub)^r, N)
S = [(r - h) mod N]dA
IDB → IDA: AuthRsp || IDB || IDA || h || S
S503, after receiving the reply from the energy storage terminal, the edge gateway verifies the digital signature (h, S) with the SM9 signature verification algorithm; once the signature verification passes, the edge gateway adds the identity to its authentication list and encrypts a session key of bit length klen to send to the energy storage terminal;
First, the element QB in group G1 is calculated, a random number r ∈ [1, N-1] is generated, the element C in group G1 is calculated, and the session key Key between the edge gateway and the terminal is calculated through the key derivation function KDF; if Key is 0, key encapsulation has failed and the random number r must be regenerated and the encapsulated ciphertext C recalculated; a successfully generated session key Key is stored locally by the edge gateway; the edge gateway returns its own identity signature and the encapsulated ciphertext to the energy storage terminal;
QB = [H1(IDB || hid, N)]P1 + Ppub
C = [r]QB
Key = KDF(C || e(Ppub, P2)^r || IDB, klen)
IDA → IDB: AuthACK || IDA || IDB || C || h || S
S504, after receiving the response packet from the edge gateway, the terminal verifies the identity of the edge gateway through its digital signature; once the identity verification passes, the terminal de-encapsulates the received encapsulated ciphertext to obtain the corresponding session key Key.
First, verify whether C belongs to G1; if not, report an error and exit; otherwise calculate the element w2 in group GT, convert the data type of w2 into a bit string, calculate the session key Key, and have the terminal store the session key locally for subsequent encryption of data transmission; if the calculated Key is an all-0 bit string, output an error message and request key encapsulation from the edge gateway again.
w2 = e(C, dB)
Key = KDF(C || w2 || IDB, klen)
IDB → IDA: AccessACK || Key(IDB || IDA)
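The scalar arithmetic of the step-S4 private key generation (t1, the t1 = 0 regeneration case, t2 = s · t1^-1) and the session-key derivation of steps S503/S504 (Key = KDF(C || w || IDB, klen) on both sides, with the all-zero check) both rest on SM3 and the SM9 KDF, so one added example below covers both passages. It is written for this page and is not the patent's or GmSSL's code. It implements SM3, the SM9 KDF and H1 as specified in GM/T 0044; the elliptic-curve point operations ([t2]P1, [r]QB, the pairings) are not implemented, so the ciphertext C and the pairing value are passed in as constructed byte strings, the master private key and the terminal MAC identity are sample values, hid = 0x01 is the SM9 signing identifier, and N is the SM9 group order as published in GM/T 0044-2016.

```python
"""SM9-style scalar key derivation and session-key KDF (added example).

Constructed for this page; not the patent's or GmSSL's code. Implements SM3,
the SM9 KDF and H1 from GM/T 0044, the scalar part of the step-S4 signing
private key (t1, t2) and the step-S503/S504 session-key derivation with its
all-zero check. Elliptic-curve point operations ([t2]P1, [r]QB, pairings)
are NOT implemented: the pairing value and ciphertext C are passed in as
constructed byte strings. N is the SM9 (BN256) group order from GM/T 0044-2016.
"""
import secrets
import struct

N = 0xB640000002A3A6F1D603AB4FF58EC74449F2934B18EA8BEEE56EE19CD69ECF25
HID_SIGN = 0x01   # SM9 private-key generation function identifier for signing

_IV = [0x7380166F, 0x4914B2B9, 0x172442D7, 0xDA8A0600,
       0xA96F30BC, 0x163138AA, 0xE38DEE4D, 0xB0FB0E4E]
_M32 = 0xFFFFFFFF


def _rotl(x, n):
    n %= 32
    return ((x << n) | (x >> (32 - n))) & _M32


def _compress(v, block):
    """One SM3 compression of a 64-byte block into the chaining value v."""
    w = list(struct.unpack(">16I", block))
    for j in range(16, 68):                      # message expansion
        x = w[j - 16] ^ w[j - 9] ^ _rotl(w[j - 3], 15)
        x ^= _rotl(x, 15) ^ _rotl(x, 23)         # P1 permutation
        w.append(x ^ _rotl(w[j - 13], 7) ^ w[j - 6])
    a, b, c, d, e, f, g, h = v
    for j in range(64):
        if j < 16:
            t, ff, gg = 0x79CC4519, a ^ b ^ c, e ^ f ^ g
        else:
            t = 0x7A879D8A
            ff = (a & b) | (a & c) | (b & c)
            gg = (e & f) | (~e & _M32 & g)
        ss1 = _rotl((_rotl(a, 12) + e + _rotl(t, j)) & _M32, 7)
        ss2 = ss1 ^ _rotl(a, 12)
        tt1 = (ff + d + ss2 + (w[j] ^ w[j + 4])) & _M32
        tt2 = (gg + h + ss1 + w[j]) & _M32
        d, c, b, a = c, _rotl(b, 9), a, tt1
        h, g, f, e = g, _rotl(f, 19), e, tt2 ^ _rotl(tt2, 9) ^ _rotl(tt2, 17)  # P0
    return [x ^ y for x, y in zip(v, (a, b, c, d, e, f, g, h))]


def sm3(msg: bytes) -> bytes:
    """SM3 hash (GB/T 32905), the Hv used by SM9's H1 and KDF."""
    padded = msg + b"\x80" + b"\x00" * ((55 - len(msg)) % 64) + struct.pack(">Q", 8 * len(msg))
    v = _IV[:]
    for i in range(0, len(padded), 64):
        v = _compress(v, padded[i:i + 64])
    return struct.pack(">8I", *v)


def sm9_kdf(z: bytes, klen: int) -> bytes:
    """SM9 KDF: SM3(Z || ct) for ct = 1, 2, ... (32-bit big-endian), leftmost klen bits."""
    out = b"".join(sm3(z + struct.pack(">I", ct)) for ct in range(1, (klen + 255) // 256 + 1))
    key = bytearray(out[:(klen + 7) // 8])
    if klen % 8:
        key[-1] &= (0xFF << (8 - klen % 8)) & 0xFF
    return bytes(key)


def h1(z: bytes, n: int = N) -> int:
    """SM9 H1: integer in [1, n-1] from KDF(0x01 || Z) of hlen = 8*ceil(5*log2(n)/32) bits."""
    hlen = 8 * ((5 * n.bit_length() + 31) // 32)
    return int.from_bytes(sm9_kdf(b"\x01" + z, hlen), "big") % (n - 1) + 1


def generate_master_private_key(n: int = N) -> int:
    """Step S301: random s in [1, N-1] from the OS CSPRNG."""
    return secrets.randbelow(n - 1) + 1


def signing_key_scalars(identity: bytes, s: int, n: int = N):
    """Step S4 scalar part: t1 = (H1(ID || hid, N) + s) mod N. If t1 == 0 the master
    key must be regenerated (None is returned); otherwise t2 = s * t1^-1 mod N and the
    terminal's private key is dA = [t2]P1 (point multiplication, not performed here)."""
    t1 = (h1(identity + bytes([HID_SIGN]), n) + s) % n
    if t1 == 0:
        return None
    return t1, s * pow(t1, -1, n) % n


def derive_session_key(c: bytes, w: bytes, id_b: bytes, klen: int):
    """Steps S503/S504: Key = KDF(C || w || IDB, klen). The gateway's w is e(Ppub, P2)^r,
    the terminal's is e(C, dB); they agree by bilinearity. An all-zero key means the
    encapsulation failed and the gateway must choose a fresh r."""
    key = sm9_kdf(c + w + id_b, klen)
    return key if any(key) else None


def demo():
    id_b = b"00:1a:2b:3c:4d:5e"                  # constructed terminal MAC identity (IDB)
    scalars = None
    while scalars is None:                       # the t1 == 0 regeneration path of step S4
        s = generate_master_private_key()
        scalars = signing_key_scalars(id_b, s)
    t1, t2 = scalars
    c_bytes = secrets.token_bytes(65)            # stand-in for the encoded point C = [r]QB
    w_bytes = secrets.token_bytes(384)           # stand-in for the GT pairing value
    gateway_key = derive_session_key(c_bytes, w_bytes, id_b, 128)
    terminal_key = derive_session_key(c_bytes, w_bytes, id_b, 128)
    return gateway_key == terminal_key and (t1 * t2) % N == s


if __name__ == "__main__":
    print("scalars consistent and session keys match:", demo())
```

The two KDF inputs are identical by construction here; in the real protocol the equality of e(Ppub, P2)^r and e(C, dB) is what makes the gateway's and the terminal's Key coincide, and the `any(key)` check is the all-0 test of step S504 that triggers a new encapsulation request.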
Referring to FIG. 3, which shows the communication flow after identity authentication and key negotiation between the edge gateway and the energy storage terminal have succeeded, the edge gateway and the terminal encrypt and decrypt the communication data between them with the session key; the communication data is still carried by the Modbus protocol, but it is encrypted before transmission and decrypted after transmission with the session key, so as to ensure the confidentiality and integrity of the communication.
In still another embodiment of the present invention, a cloud edge end integrated identity authentication system for a distributed energy storage system is provided. The system can be used to implement the cloud edge end integrated identity authentication method described above and comprises a burning module, a connection module, an initialization module, a distribution module and an authentication module:
the burning module, by which the edge gateway burns the certificate file;
the connection module, by which the edge gateway carries the certificate file and establishes a connection with the cloud;
the initialization module, in which the edge gateway and the energy storage terminal register their identities with the KGC, using the device MAC address as the identity; after obtaining the identity, the KGC generates the corresponding public-private key pair;
the distribution module, which generates an edge key according to the edge identifier and distributes the generated edge key to the energy storage terminal;
and the authentication module, which performs access authentication and session key negotiation for the energy storage terminal to complete cloud edge end integrated identity authentication.
In yet another embodiment of the present invention, a terminal device is provided. The terminal device includes a processor and a memory; the memory stores a computer program comprising program instructions, and the processor executes the program instructions stored in the computer storage medium. The processor may be a central processing unit (CPU), but may also be another general purpose processor, a digital signal processor (DSP), an application specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, discrete hardware components, etc. It is the computational and control core of the terminal, adapted to load and execute one or more instructions to implement the corresponding method flow or function. The processor of this embodiment can be used to run the cloud edge end integrated identity authentication method for the distributed energy storage system, which comprises the following steps:
the edge gateway burns the certificate file; the edge gateway carries the certificate file and establishes a connection with the cloud; the key generation center KGC is initialized to generate a signature master key pair and an encryption master key pair; the edge gateway and the energy storage terminal first register their identities with the KGC, using the device MAC address as the identity, and after the identity is obtained the KGC generates the corresponding public-private key pair; an edge key is generated according to the edge identifier and distributed to the energy storage terminal; and the energy storage terminal performs access authentication and session key negotiation to complete cloud edge end integrated identity authentication.
In a further embodiment of the present invention, the present invention also provides a storage medium, in particular, a computer readable storage medium (Memory), which is a Memory device in a terminal device, for storing programs and data. It will be appreciated that the computer readable storage medium herein may include both a built-in storage medium in the terminal device and an extended storage medium supported by the terminal device. The computer-readable storage medium provides a storage space storing an operating system of the terminal. Also stored in the memory space are one or more instructions, which may be one or more computer programs (including program code), adapted to be loaded and executed by the processor. The computer readable storage medium may be a high-speed RAM Memory or a Non-Volatile Memory (Non-Volatile Memory), such as at least one magnetic disk Memory.
One or more instructions stored in the computer-readable storage medium may be loaded and executed by the processor to implement the steps of the cloud edge end integrated identity authentication method for a distributed energy storage system in the above embodiments; when loaded by the processor, the instructions perform the following steps:
the edge gateway burns the certificate file; the edge gateway carries the certificate file and establishes a connection with the cloud; the key generation center KGC is initialized to generate a signature master key pair and an encryption master key pair; the edge gateway and the energy storage terminal first register their identities with the KGC, using the device MAC address as the identity, and after the identity is obtained the KGC generates the corresponding public-private key pair; an edge key is generated according to the edge identifier and distributed to the energy storage terminal; and the energy storage terminal performs access authentication and session key negotiation to complete cloud edge end integrated identity authentication.
Referring to fig. 4, the terminal device is a computer device, and the computer device 60 of this embodiment includes: a processor 61, a memory 62, and a computer program 63 stored in the memory 62 and executable on the processor 61, the computer program 63 when executed by the processor 61 implements the reservoir inversion wellbore fluid composition calculation method of the embodiment, and is not described in detail herein to avoid repetition. Or the computer program 63 when executed by the processor 61 performs the functions of the various models/units in the fluid composition calculation system in the reservoir reformation wellbore of the embodiment, and is not described in detail herein to avoid redundancy.
The computer device 60 may be a desktop computer, a notebook computer, a palm computer, an industrial personal computer, a cloud server, or the like. Computer device 60 may include, but is not limited to, a processor 61, a memory 62. It will be appreciated by those skilled in the art that fig. 4 is merely an example of a computer device 60 and is not intended to limit the computer device 60, and may include more or fewer components than shown, or may combine certain components, or different components, e.g., a computer device may also include an input-output device, a network access device, a bus, etc.
The processor 61 may be a central processing unit (CPU), but may also be another general purpose processor, a digital signal processor (DSP), an application specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, discrete hardware components, or the like. A general purpose processor may be a microprocessor, or the processor may be any conventional processor or the like.
The memory 62 may be an internal storage unit of the computer device 60, such as a hard disk or the memory of the computer device 60. The memory 62 may also be an external storage device of the computer device 60, such as a plug-in hard disk provided on the computer device 60, a smart media card (SMC), a secure digital (SD) card, a flash memory card, or the like.
Further, the memory 62 may also include both internal storage units and external storage devices of the computer device 60. The memory 62 is used to store computer programs and other programs and data required by the computer device. The memory 62 may also be used to temporarily store data that has been output or is to be output.
Referring to fig. 5, the terminal device is a chip, and the chip 600 of this embodiment includes a processor 622, which may be one or more in number, and a memory 632 for storing a computer program executable by the processor 622. The computer program stored in memory 632 may include one or more modules each corresponding to a set of instructions. Further, the processor 622 may be configured to execute the computer program to perform the generalizable universal monocular absolute depth map estimation method described above.
In addition, chip 600 may further include a power supply component 626 and a communication component 650, where power supply component 626 may be configured to perform power management of chip 600, and communication component 650 may be configured to enable communication of chip 600, e.g., wired or wireless communication. In addition, the chip 600 may also include an input/output interface 658. Chip 600 may operate based on an operating system stored in memory 632.
For the purpose of making the objects, technical solutions and advantages of the embodiments of the present invention more apparent, the technical solutions of the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present invention, and it is apparent that the described embodiments are some embodiments of the present invention, but not all embodiments of the present invention. The components of the embodiments of the present invention generally described and illustrated in the figures herein may be arranged and designed in a wide variety of different configurations. Thus, the following detailed description of the embodiments of the invention, as presented in the figures, is not intended to limit the scope of the invention, as claimed, but is merely representative of selected embodiments of the invention. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
The flow of the cloud-edge authentication is as follows:
The Internet of Things platform generates a unique device certificate (ProductKey, DeviceName and DeviceSecret) for the edge gateway EM-500; the result is shown in table 1.
Table 1 edge gateway device certificate
(1) When the edge gateway establishes a connection with the Alibaba Cloud Internet of Things platform, the platform verifies the device certificate information: fig. 6 shows a successful authentication, and fig. 7 shows a failed authentication when the device key is wrong. Once the edge gateway is authenticated successfully, the connection with the Internet of Things platform is established and the edge gateway can be managed on the platform, as shown in fig. 8.
Side-end authentication function experiment
(1) Key generation
Elliptic curve parameters selected for the SM9 identification cryptographic algorithm of the present invention are shown in Table 2.
TABLE 2 elliptic curve parameters
When the key generation center KGC starts, a system signature master key pair and a key exchange master key pair are first generated, as shown in table 3. The signature master public key is Ppub1 = s1·P2 and the encryption master public key is Ppub2 = s2·P1, where the signature master private key s1 and the key exchange master private key s2 are random numbers in the range [1, N-1].
TABLE 3 Master Key pair
The KGC then waits for the edge gateway and the terminal to register, takes the MAC address of each device as its identity, and generates a signature private key and an encryption private key for each device from that identity, as shown in tables 4 and 5.
Table 4 edge gateway private key
Table 5 Raspberry Pi private key
(2) Identity authentication
The edge gateway authenticates the energy storage terminal. When a new energy storage terminal requests access, for example when the terminal with identifier B8:27:EB:4C:12:70 requests network access from the edge gateway identified as 00:14:97:53:13:90, the edge gateway verifies the terminal's identity and computes and encapsulates a session key for the terminal; only the holder of the encryption private key for B8:27:EB:4C:12:70 can decapsulate the session key. The flow of the authentication request initiated by the terminal is shown in fig. 9. The terminal takes 0.0409 s to compute its signature, 0.215 s to verify the edge gateway's identity and 0.3369 s to decapsulate the key.
The edge gateway's response to the terminal's authentication information is shown in fig. 10. As can be seen from the figure, the edge gateway takes 0.2136 s to verify the terminal's identity, and the received signature matches the terminal's; the session key and the encapsulation ciphertext take 0.0489 s, and the session key matches the terminal side; the edge gateway's signature takes 0.0409 s. Because this process omits the cost of computing key negotiation parameters and similar information, the total time is less than the key negotiation time. After successful authentication, the edge gateway saves the identity of the energy storage terminal and the session key to a local database.
In summary, the cloud edge end integrated identity authentication method and system for the distributed energy storage system have the following characteristics:
1. Privacy protection: by using the certificate file and public-private key pair, with the device MAC address as the identity, the method protects private information and prevents unauthorized devices from accessing the system.
2. Secure communication: an edge key is generated with the encryption master key pair, securing communication between the edge gateway and the energy storage terminal. By negotiating a session key, the energy storage terminal establishes a secure channel with the edge gateway, preventing information leakage and tampering.
3. Identity authentication: the method registers identities with the KGC using the unique device MAC address as the identity, and the KGC generates the corresponding public-private key pair, which realizes device authentication. This ensures that only authenticated devices can access the system and improves its security.
4. Centralized management: initializing the key generation center KGC to generate a signature master key pair and an encryption master key pair ensures the security and centralized management of keys. This simplifies the key management flow and improves the reliability of the overall system.
5. Enhanced system reliability: with the integrated identity authentication method, the system reduces the access risk from unauthorized devices and ensures secure communication among legitimate devices, which improves the reliability and stability of the distributed energy storage system.
The effects are summarized as follows:
1. Strengthened identity authentication: the method uses the unique device MAC address as the identity and generates the corresponding public-private key pair through the key generation center KGC, which strengthens device authentication. This ensures that only authenticated devices can access the system and improves its security.
2. Prevention of unauthorized device access: the edge gateway burns the certificate file and establishes the connection with the cloud while carrying that certificate, which effectively prevents unauthorized devices from accessing the system. Only devices carrying valid credentials can communicate with the cloud, protecting the system from unauthorized devices.
3. Secure data transmission: the encryption master key pair is used to generate the edge key, securing communication between the edge gateway and the energy storage terminal. Through access authentication and session key negotiation, the energy storage terminal establishes a secure channel with the edge gateway, preventing information leakage and tampering.
4. Centralized management and key security: initializing the key generation center KGC to generate a signature master key pair and an encryption master key pair realizes the secure generation and centralized management of keys. This simplifies the key management flow, protects the keys and improves the reliability of the whole system.
5. Improved system reliability and stability: the integrated identity authentication method reduces the risk of unauthorized device access and ensures secure communication among legitimate devices. This improves the reliability and stability of the distributed energy storage system and prevents malicious devices from damaging it.
In summary, the cloud end integrated identity authentication method for the distributed energy storage system has the effects of strengthening identity authentication, preventing unauthorized equipment from accessing, protecting data transmission, centrally managing and protecting keys, and improving system reliability and stability. These effects help to improve the security, reliability and performance of the system.
The above is only for illustrating the technical idea of the present invention, and the protection scope of the present invention is not limited by this, and any modification made on the basis of the technical scheme according to the technical idea of the present invention falls within the protection scope of the claims of the present invention.

Claims (10)

1. The cloud edge end integrated identity authentication method for the distributed energy storage system is characterized by comprising the following steps of:
S1, burning a certificate file by an edge gateway;
S2, establishing connection between the edge gateway and the cloud with the certificate file;
S3, initializing a key generation center KGC to generate a signature master key pair and an encryption master key pair;
S4, the edge gateway and the energy storage terminal first register their identities with the KGC, using the device MAC address as the identity; after the identity is obtained, the KGC generates the corresponding public-private key pair; an edge key is generated according to the edge identifier and distributed to the energy storage terminal;
S5, the energy storage terminal performs access authentication and session key negotiation to complete cloud edge end integrated identity authentication.
2. The cloud-side integrated identity authentication method for a distributed energy storage system according to claim 1, wherein in step S1, the certificate file includes a root certificate, a device-side certificate private key, and a device-side certificate.
3. The cloud end integrated identity authentication method for the distributed energy storage system according to claim 1, wherein in step S3, a key generation center KGC is deployed at an edge gateway, and an SM9 cryptographic algorithm is initialized, so as to complete the selection of a system parameter set of the SM9 cryptographic algorithm, the generation of a system signature master public key and a system signature master private key, and the generation of a system encryption master public key and an encryption master private key.
4. The cloud edge end integrated identity authentication method for the distributed energy storage system according to claim 3, wherein a random number s ∈ [1, N-1] is generated as the system signature master private key and a random number e ∈ [1, N-1] as the system encryption master private key;
the element Ppub-s = [s]P2 in G2 is computed as the signature master public key, the signature master key pair being (s, Ppub-s); the element Ppub-e = [e]P1 in G1 is computed as the encryption master public key, the encryption master key pair being (e, Ppub-e);
the key generation center KGC keeps the signature master private key s and the encryption master private key e secret, and publishes the signature master public key Ppub-s and the encryption master public key Ppub-e.
5. The cloud-edge end integrated identity authentication method for the distributed energy storage system of claim 3, wherein the SM9 identity cryptographic algorithm is implemented using an open source cryptographic tool GMSSL.
6. The cloud end integrated identity authentication method for the distributed energy storage system according to claim 1, wherein in step S4, when a node in the distributed energy storage system is connected to a network, identity registration is performed to a key generation center KGC; after the identity is acquired, a corresponding public and private key pair is generated by a key generation center KGC; the terminal obtains a signature private key from the key generation center KGC according to the identity identification of the terminal for identity verification.
7. The cloud end integrated identity authentication method for the distributed energy storage system according to claim 6, wherein the private key generation process of the terminal is as follows:
The key generation center KGC selects and publishes a one-byte private key generation function identifier hid; the identity of user A is IDA, and the KGC computes t1 over the finite field FN. If t1 = 0, the KGC regenerates the master private key, computes and publishes the master public key, and updates the existing private keys; otherwise, using the master private key s and the identity, it computes a scalar multiple of the base point P1 of group G1 as the terminal's signature private key dA. The terminal signature private key dA is issued to the device by offline encrypted delivery, and the terminal keeps it secret for authentication when the device later accesses the network securely.
8. The cloud edge end integrated identity authentication method for the distributed energy storage system according to claim 7, wherein when a terminal leaves the network and becomes an untrusted device, its identity is revoked: the key generation center KGC adds the revoked terminal's identity to a revocation list and periodically sends the revocation list to the edge gateway; when the terminal and the edge gateway perform identity authentication, the edge gateway verifies the user's identity from the identifier alone.
9. The cloud end integrated identity authentication method for a distributed energy storage system according to claim 1, wherein in step S5, the energy storage terminal access authentication specifically includes:
S501, the edge gateway IDA sends an authentication request to a mounted energy storage terminal IDB; the authentication request comprises an authentication request identifier AuthReq and the identity identifiers of the gateway itself and of the terminal;
S502, after receiving the authentication request, the energy storage terminal replies to its edge gateway; the reply comprises an authentication reply identifier AuthRsp, the identity identifiers of the energy storage terminal and the edge gateway, and a digital signature (h, s) computed with the energy storage terminal's private key by the SM9 digital signature algorithm, where M is the message to be signed and r is a random number with r ∈ [1, N-1];
S503, after receiving the energy storage terminal's reply, the edge gateway verifies the digital signature (h, s) with the SM9 signature verification algorithm; after the signature verification passes, the edge gateway adds the terminal's identity to its authentication list and encrypts a session key of bit length klen, which it sends to the energy storage terminal;
S504, after receiving the response packet from the edge gateway, the energy storage terminal verifies the edge gateway's identity through its digital signature; after verification passes, the received encapsulation ciphertext is decapsulated to obtain the corresponding session key Key.
10. Cloud edge end integrated identity authentication system for distributed energy storage system, which is characterized by comprising:
the burning module, by which the edge gateway burns the certificate file;
the connection module, by which the edge gateway carries the certificate file and establishes a connection with the cloud;
the initialization module, in which the edge gateway and the energy storage terminal register their identities with the KGC, using the device MAC address as the identity; after obtaining the identity, the KGC generates the corresponding public-private key pair;
the distribution module, which generates an edge key according to the edge identifier and distributes the generated edge key to the energy storage terminal;
and the authentication module, which performs access authentication and session key negotiation for the energy storage terminal to complete cloud edge end integrated identity authentication.
CN202410470348.0A 2024-04-18 2024-04-18 Cloud edge end integrated identity authentication method and system for distributed energy storage system Pending CN118353634A (en)


Publications (1)

Publication Number Publication Date
CN118353634A true CN118353634A (en) 2024-07-16

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination