CN118573468A - Authentication method, device, equipment, medium and industrial network of trusted switch - Google Patents
- Publication number
- CN118573468A (application number CN202411020141.XA)
- Authority
- CN
- China
- Prior art keywords
- trusted
- key
- switch
- authentication
- preset
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L49/00—Packet switching elements
- H04L49/10—Packet switching elements characterised by the switching fabric construction
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/06—Network architectures or network communication protocols for network security for supporting key management in a packet data network
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0816—Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
- H04L9/0819—Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
- H04L9/0825—Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) using asymmetric-key encryption or public key infrastructure [PKI], e.g. key signature or public key certificates
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0894—Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3247—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/40—Network security protocols
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Storage Device Security (AREA)
Abstract
The application relates to the technical field of industrial network security and provides an authentication method, device, equipment, medium and industrial network for a trusted switch. The method comprises the following steps: sending a user authentication request to a trusted switch and receiving authentication response information from the trusted switch; transmitting the authentication response information to a security key device and receiving device signature information generated by the security key device based on a preset private key; and sending the device signature information to the trusted switch and receiving the user authentication result returned after the trusted switch verifies the device signature information using a preset public key. According to the embodiments of the application, the preset private key and the preset public key are stored in the security key device and the trusted switch respectively, via the trusted links among the security key device, the trusted terminal, the trusted switch and the trusted management platform; the authentication process is carried out over these secure trusted links, and the use of the preset public and private keys improves the security of authentication.
Description
Technical Field
The present application relates to the field of industrial network security technologies, and in particular, to a method, an apparatus, a device, a medium, and an industrial network for authenticating a trusted switch.
Background
In recent years, industrial control systems, the Internet of Things and the Internet have become deeply integrated, which has greatly raised the level of intelligence and informatization of industrial control systems but has also brought a series of new security challenges. The industrial switch performs the core switching function in an industrial control system and usually exposes a management interface for convenient configuration and remote operation and maintenance, which makes it a very easy target for attack. Login authentication on the management port of an industrial switch is therefore the first important gateway for resisting attacks on the switch.
Login authentication on a traditional industrial switch is implemented as a user name and password. Because users find it hard to remember the user name and password, or simply keep using the default password, once the password is cracked the switch can be reconfigured or implanted with a virus, so that the whole industrial control network is compromised or a back door is embedded, which is a great potential security hazard.
Therefore, how to provide a solution to the above technical problem is a problem that needs to be solved by those skilled in the art.
Disclosure of Invention
In view of the above, the embodiments of the present application provide a method, apparatus, device, medium and industrial network for authenticating a trusted switch, so as to solve the problems of difficult password memorizing and weak password security in the prior art.
In a first aspect of an embodiment of the present application, there is provided an authentication method of a trusted switch, applied to a trusted terminal, including:
Sending a user authentication request to a trusted switch, and receiving authentication response information generated by the trusted switch based on the user authentication request;
transmitting the authentication response information to the security key device, and receiving device signature information of the security key device, which corresponds to the authentication response information, based on the preset private key stored in the security key device;
sending the device signature information to the trusted switch, and receiving a user authentication result returned after the trusted switch performs signature verification on the device signature information using the preset public key, stored in the trusted switch, that corresponds to the preset private key;
where the preset private key and the preset public key are generated as a pair inside the security key device, and the preset public key is stored in the trusted switch after being verified by the trusted management platform; the trusted management platform is connected with the trusted terminal through the trusted switch.
In a second aspect of the embodiment of the present application, there is provided an authentication apparatus of a trusted switch, including:
the first communication module is used for sending a user authentication request to the trusted switch and receiving authentication response information generated by the trusted switch based on the user authentication request;
the second communication module is used for sending the authentication response information to the security key device and receiving device signature information generated by the security key device over the authentication response information based on the preset private key stored in the security key device;
the third communication module is used for sending the device signature information to the trusted switch and receiving a user authentication result returned after the trusted switch performs signature verification on the device signature information using the preset public key, stored in the trusted switch, that corresponds to the preset private key;
where the preset private key and the preset public key are generated as a pair inside the security key device, and the preset public key is stored in the trusted switch after being verified by the trusted management platform; the trusted management platform is connected with the trusted terminal through the trusted switch.
In a third aspect of the embodiment of the present application, there is provided an authentication method of a trusted switch, applied to the trusted switch, including:
Receiving a user authentication request sent by a trusted terminal, generating authentication response information based on the user authentication request, and sending the authentication response information to the trusted terminal;
Receiving device signature information sent by the trusted terminal, where the device signature information is generated by the security key device over the authentication response information, based on the preset private key stored in the security key device, after the trusted terminal has forwarded the authentication response information to the security key device, and is then sent by the security key device to the trusted terminal;
Performing signature verification on the device signature information based on the preset public key, stored in the trusted switch, that corresponds to the preset private key, and returning a user authentication result to the trusted terminal based on the verification result;
where the preset private key and the preset public key are generated as a pair inside the security key device, and the preset public key is stored in the trusted switch after being verified by the trusted management platform; the trusted management platform is connected with the trusted terminal through the trusted switch.
In a fourth aspect of an embodiment of the present application, there is provided an industrial network comprising a trusted management platform, a trusted switch connected with the trusted management platform, a trusted terminal connected with the trusted switch, and a security key device connected with the trusted terminal;
Each trusted switch for implementing the steps of the method as in any one of the above;
Each trusted terminal for implementing the steps of the method as claimed in any one of the preceding claims.
In a fifth aspect of the embodiments of the present application, there is provided an electronic device comprising a memory, a processor and a computer program stored in the memory and executable on the processor, the processor implementing the steps of the above method when executing the computer program.
In a sixth aspect of the embodiments of the present application, there is provided a computer readable storage medium storing a computer program which, when executed by a processor, implements the steps of the above method.
Compared with the prior art, the embodiments of the present application have the following beneficial effects. The preset private key and the preset public key are stored in the security key device and the trusted switch respectively, through the trusted links among the security key device, the trusted terminal, the trusted switch and the trusted management platform. When a trusted terminal connected to a security key device communicates with the trusted switch, the trusted terminal sends a user authentication request to the trusted switch; the trusted switch generates authentication response information from the request and forwards it to the security key device through the trusted terminal; the security key device generates device signature information over the authentication response information with its internal preset private key and forwards it to the trusted switch through the trusted terminal; and the trusted switch verifies the device signature information with its internal preset public key and returns a user authentication result to the trusted terminal. All information transfer in this scheme is carried out over secure, trusted links, the user does not need to memorize complex passwords, and the complexity, storage location and manner of use of the public/private key pair are preset, which improves the security of authentication and reduces the security risk of authentication in an industrial network.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings used in the embodiments or the description of the prior art will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present application, and other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
Fig. 1 is a flow chart of an authentication method of a trusted switch according to an embodiment of the present application;
Fig. 2 is a schematic diagram of a scenario of an industrial control network according to an embodiment of the present application;
Fig. 3 is a schematic diagram of the information processing procedure of an authentication procedure according to an embodiment of the present application;
Fig. 4 is a schematic diagram of the information processing procedure of a registration procedure according to an embodiment of the present application;
Fig. 5 is a schematic diagram of the information processing procedure of another registration procedure according to an embodiment of the present application;
Fig. 6 is a schematic structural diagram of an authentication device of a trusted switch according to an embodiment of the present application;
Fig. 7 is a flowchart of an authentication method of another trusted switch according to an embodiment of the present application;
Fig. 8 is a schematic structural diagram of an electronic device according to an embodiment of the present application.
Detailed Description
In the following description, for purposes of explanation and not limitation, specific details are set forth such as the particular system architecture, techniques, etc., in order to provide a thorough understanding of the embodiments of the present application. It will be apparent, however, to one skilled in the art that the present application may be practiced in other embodiments that depart from these specific details. In other instances, detailed descriptions of well-known systems, devices, circuits, and methods are omitted so as not to obscure the description of the present application with unnecessary detail.
An authentication method, apparatus, device, medium and industrial network of a trusted switch according to embodiments of the present application will be described in detail below with reference to the accompanying drawings.
Fig. 1 is a flow chart of an authentication method of a trusted switch according to an embodiment of the present application. The authentication method of fig. 1 is performed by a trusted terminal. As shown in fig. 1, the authentication method includes:
S101: sending a user authentication request to a trusted switch, and receiving authentication response information generated by the trusted switch based on the user authentication request;
S102: transmitting the authentication response information to the security key device, and receiving device signature information generated by the security key device over the authentication response information based on the preset private key stored in the security key device;
S103: sending the device signature information to the trusted switch, and receiving a user authentication result returned after the trusted switch performs signature verification on the device signature information using the preset public key, stored in the trusted switch, that corresponds to the preset private key;
where the preset private key and the preset public key are generated as a pair inside the security key device, and the preset public key is stored in the trusted switch after being verified by the trusted management platform; the trusted management platform is connected with the trusted terminal through the trusted switch.
It can be understood that the authentication method in this embodiment refers to the user authentication stage in the process of a user terminal logging in to an industrial switch, that is, the login authentication process, in which the industrial switch finally confirms whether the user terminal passes authentication and returns a user authentication result to it. In this embodiment, the user terminal is implemented by a trusted terminal and the industrial switch by a trusted switch. In the industrial control network of this embodiment, the trusted switch is connected to the trusted terminal, the security key device is connected to the trusted terminal, and the trusted switch is connected to and managed by the trusted management platform. Specifically, fig. 2 is a schematic diagram of a scenario of an industrial control network according to an embodiment of the present application. The application scenario may include a trusted management platform, a trusted switch coupled to the trusted management platform, a trusted terminal coupled to the trusted switch, and a security key device coupled to the trusted terminal.
The trusted management platform, the trusted switch and the trusted terminal are implemented based on trusted computing (Trusted Computing, TC). One of the core goals of trusted computing is to guarantee the integrity of the system and its applications, and thereby to determine whether the system or software is running in the trusted state that its design goals expect. A trusted link of the trusted management platform, the trusted switch and the trusted terminal, built on trusted computing, can guarantee the trusted state of the login authentication process, so using this trusted link for information processing and transmission during login authentication improves the security of login authentication.
On the other hand, another core goal of trusted computing is a trusted root, typically implemented by a trusted hardware chip, which is secured by algorithms and keys that the chip vendor implants into the trusted hardware chip, and by an integrated dedicated microcontroller measuring and validating the software stack. There are three main types of trusted computing standards currently prevailing in the industry, based on the classification of trusted hardware chips and trusted software bases (Trusted Software Stack) running thereon:
TPM (Trusted Platform Module) is a chip embedded in a computer to provide it with a root of trust. Its specification is formulated by the Trusted Computing Group.
TCM (Trusted Cryptography Module) is a hardware module of a trusted computing platform that provides cryptographic operations for the platform and has a protected storage space; it was developed domestically in China and corresponds to the TPM.
TPCM (Trusted Platform Control Module) extends the trusted platform module with the ability to control platform resources.
Specifically, on the trusted link of this embodiment, the trusted management platform, the trusted switch and the trusted terminal may each contain a corresponding trusted hardware chip as required, build a chain of trusted devices from these chips, and implement the functions of the corresponding device in this embodiment. For example, a TPCM-based trusted hardware chip in the trusted switch is used to store key files such as the preset public key, certificates and user information in the hardware encryption entity and to execute core functions such as signature verification; it does not handle other information, and cooperates with the other functional modules of the trusted switch to carry out the method of this embodiment.
The trusted management platform manages the trusted devices on all trusted links in the industrial control network and performs trusted verification, which includes configuring trusted policies on the trusted devices, verifying the signatures on trusted reports sent by the trusted devices in the network, collecting information on all devices in the network, performing network security analysis and displaying the trusted state of the network. The trusted switch implements the switch function on the premise of being trusted: besides the basic functions of a switch, it allows the trusted terminal to log in to it and perform configuration management. The trusted terminal may be any of a variety of electronic devices that support communication with the trusted switch and the security key device, including but not limited to smartphones, tablet computers, laptop and desktop computers. The security key device communicates with the trusted terminal; it is also called an authenticator, and authentication information can only be written to it, while no person or program can read data back from it. Because of this write-only property, the security key device is used for encryption, as a replacement for passwords, or for multi-factor authentication. The security key device may carry several protocols at the same time, such as the FIDO2 protocol of FIDO (Fast Identity Online) used by passkeys, the PGP (Pretty Good Privacy) protocol for encrypting mail and files, the One-Time Password (OTP) protocol, the U2F (Universal 2nd Factor) protocol for universal two-step authentication, and the PIV (Personal Identity Verification) smart card protocol.
It may be understood that specific trusted computing standards of the trusted management platform, the trusted switch, and the trusted terminal may be set according to actual requirements of the application scenario, and specific types of protocols, numbers, and combinations of the trusted management platform, the trusted switch, the trusted terminal, and the security key device may be adjusted according to actual requirements of the application scenario, which is not limited by the embodiments of the present application.
It can be understood that, based on the trusted link, the information processing procedure of the authentication method in this embodiment is shown in fig. 3, and specifically:
the trusted terminal sends a user authentication request to the trusted switch;
the trusted switch generates authentication response information based on the user authentication request and sends the authentication response information to the trusted terminal;
the trusted terminal sends the authentication response information to the security key device;
the security key device generates device signature information corresponding to the authentication response information based on the preset private key stored in the security key device;
the security key device sends the device signature information to the trusted terminal;
the trusted terminal sends the device signature information to the trusted switch;
the trusted switch performs signature verification on the device signature information using the preset public key, stored in the trusted switch, that corresponds to the preset private key, and obtains a user authentication result;
the trusted switch sends the user authentication result to the trusted terminal.
It can be understood that the authentication response information generated by the trusted switch from the user authentication request is sent to the security key device, which produces device signature information with the preset private key. When the trusted switch receives the device signature information, it verifies it with the preset public key; the verification result serves as the user authentication result and corresponds to the authentication response information. The whole process therefore uses the preset public key and preset private key held by the trusted switch and the security key device respectively to authenticate the current security key device to the trusted switch. The user authentication result indicates whether authentication passed or failed. The authorization management module of the trusted switch may also determine the user authority of the current trusted terminal from the authentication result: if authentication passes, the user authority is granted and the trusted terminal is allowed to communicate in the current industrial control network; if it fails, the user authority is not granted and communication from the corresponding trusted terminal is blocked.
It can be understood that the preset private key and preset public key used in the authentication process are generated as a pair by the security key device, so device signature information produced by signing with the preset private key can be verified with the preset public key, which realizes login authentication effectively and securely.
Further, after the preset public key is generated in the security key device, the security key device can upload it to the trusted management platform through the trusted terminal and the trusted switch; the trusted management platform performs trusted verification over the trusted link, and the verified preset public key is stored in the trusted switch, which ensures the reliability and security of the preset public key that the trusted switch uses for signature verification.
It can be understood that the security key device generates the preset private key and preset public key as a pair only under certain triggering conditions. Specifically, the pair is generated internally when the security key device receives a preset key generation request. The preset key generation request is issued as follows: the trusted terminal currently connected to the security key device sends a device registration request to the trusted management platform; when the trusted verification result generated by the trusted management platform, after performing trusted verification based on the received device registration request, is a pass, the trusted terminal sends the preset key generation request to the security key device;
the preset public key is sent by the security key device to the trusted management platform and, after verification by the trusted management platform, is issued to and stored in the trusted switch.
The trusted verification that the trusted management platform performs based on the device registration request comprises:
the trusted management platform performs trusted verification of trusted link status and registration authority based on the device registration request.
It may be understood that the trusted link state refers to a connection state of a trusted link, and the registration authority refers to a registration authority of a trusted terminal or a secure key device.
It can be understood that the process of generating and storing the preset private key and the preset public key is essentially a registration process in the industrial control network, and based on a trusted link, the information processing process of the registration process can be shown in fig. 4, and the specific process is as follows:
the trusted terminal sends a device registration request to a trusted management platform;
the trusted management platform performs trusted verification based on the equipment registration request to generate a trusted verification result;
The trusted management platform sends the trusted verification result to the trusted terminal;
when the trusted verification result is "passed", the trusted terminal sends a preset key generation request to the secure key device;
the secure key device generates the preset private key and the preset public key as a pair based on the preset key generation request;
the security key device sends the preset public key to the trusted management platform;
and after verification, the trusted management platform issues the preset public key to the trusted switch, where it is stored.
It can be appreciated that the preset public key is stored in a trusted hardware chip of the trusted switch to ensure security.
It can be understood that, because the secure key device is usually connected to the trusted terminal in a pluggable manner, the trusted terminal connected to the secure key device during registration is not necessarily the one connected to it during the subsequent login authentication; the trusted terminals of the two stages need not be the same. This is because the physical password is the preset private key stored in the secure key device, while the trusted terminal serves only as the access port through which the secure key device enters the trusted link of the industrial control network; essentially, any trusted terminal connected to the secure key device can carry out the registration process and the authentication method of this embodiment.
In addition, the trusted management platform is needed only when the public-private key pair is registered for the first time and need not be online at other times; it does not take part in the authentication service, so it can be offline while the trusted switch later performs login authentication.
It will be understood that, in the above information transfer process, each device node returns a receipt acknowledgement after receiving information, to inform the sender that the information has been received, and likewise returns a processing acknowledgement after processing the received information, to inform the sender that the information has been processed. Furthermore, each piece of information also carries corresponding identification content such as device information and user information, carried in plaintext or protected inside the signature according to security and privacy requirements, which can be configured according to the actual situation. Each public-private key pair is associated with identification content, which may be represented as a hash or in another form, derived from device information, user information and the like.
It can be understood that the above registration process is a single registration. The registered public and private keys can further be divided into a device public-private key pair corresponding to the secure key device and user public-private key pairs corresponding to a plurality of users, specifically:
the preset private key comprises a device private key and a user private key, and the preset public key comprises a device public key and a user public key;
the device private key and the device public key are generated internally as a pair when the secure key device receives a device key generation request; the device key generation request is produced as follows: the trusted terminal currently connected to the secure key device sends a device registration request to the trusted management platform; after receiving the device registration request, the trusted management platform performs trusted verification based on it and generates a trusted verification result; when that result is "passed", the trusted terminal sends the device key generation request to the secure key device;
the device public key is sent by the secure key device to the trusted management platform, and after verification by the trusted management platform it is issued to and stored in the trusted switch;
the user private key and the user public key are generated internally as a pair when the secure key device receives registration response information; the registration response information is produced as follows: after the trusted terminal currently connected to the secure key device sends a user registration request to the trusted switch, the trusted switch generates registration response information based on the user registration request and sends it to the secure key device;
the user public key is sent by the secure key device to the trusted switch and stored there, based on the device private key and the device public key.
It can be understood that the generation of the device private key and the device public key is triggered by communication between the trusted terminal and the trusted management platform, and the device public key is issued to the trusted switch by the trusted management platform. The generation of the user private key and the user public key takes place on the premise that the device public key is already stored in the trusted switch; at that point the trusted management platform is no longer needed for trusted verification, because the device public key itself provides a certain security verification capability, so communication between the trusted terminal and the trusted switch triggers the generation of the user private key and the user public key, and the trusted switch stores the user public key after signature verification based on the device public key.
The user public key is stored after the trusted switch performs security verification, and that security verification is realized with the already verified device public key and device private key. Specifically, the process by which the secure key device sends the user public key to the trusted switch, where it is stored, based on the device private key and the device public key, includes:
the secure key device generates, based on the device private key, public key signature information corresponding to the registration response information and the user public key, and sends it to the trusted switch;
the trusted switch verifies the public key signature information based on the internally stored device public key, and stores the corresponding user public key when the public key signature information passes signature verification.
It can be understood that, based on the trusted link, the information processing of the registration process of the device public-private key pair and the user public-private key pair in the industrial control network can be as shown in fig. 5, with the following specific steps:
The registration process of the device public-private key pair includes:
the trusted terminal sends a device registration request to a trusted management platform;
the trusted management platform performs trusted verification based on the equipment registration request to generate a trusted verification result;
The trusted management platform sends the trusted verification result to the trusted terminal;
when the trusted verification result is "passed", the trusted terminal sends a device key generation request to the secure key device;
the secure key device generates a device private key and a device public key as a pair, namely the device public-private key pair, based on the device key generation request;
the security key device sends the device public key to the trusted management platform;
after verification by the trusted management platform, the device public key is issued to and stored in the trusted switch.
The registration process of the user public-private key pair includes:
the trusted terminal sends a user registration request to the trusted switch;
The trusted switch generates registration response information based on the user registration request;
the trusted switch sends the registration response information to the security key device;
the secure key device generates a user private key and a user public key internally as a pair, namely the user public-private key pair, based on the registration response information;
the secure key device generates, based on the device private key, public key signature information corresponding to the registration response information and the user public key;
the secure key device sends the public key signature information to the trusted switch;
the trusted switch verifies the public key signature information based on the internally stored device public key, and stores the corresponding user public key when the public key signature information passes signature verification.
It can be understood that, because the secure key device is usually connected to the trusted terminal in a pluggable manner, the trusted terminal connected to the secure key device during registration of the device public-private key pair, the one connected during registration of the user public-private key pair, and the one connected during login authentication are not necessarily the same across these three stages. This is because the physical password consists of the device private key and the user private key stored in the secure key device, while the trusted terminal serves only as the access port through which the secure key device enters the trusted link of the industrial control network; essentially, any trusted terminal connected to the secure key device can carry out the registration process and the authentication method of this embodiment.
In addition, the trusted management platform is needed only when the public-private key pair is registered for the first time and need not be online at other times; it does not take part in the authentication service and retains no information about authenticated users, so it can be offline during the subsequent registration of user public-private key pairs and login authentication by the trusted switch.
It will be appreciated that, in the above information transfer process, each device node returns a receipt acknowledgement after receiving information, to inform the sender that the information has been received, and likewise returns a processing acknowledgement after processing the received information, to inform the sender that the information has been processed. Furthermore, each piece of information also carries corresponding identification content such as device information and user information, carried in plaintext or protected inside the signature according to security and privacy requirements, which can be configured according to the actual situation. Each public-private key pair is associated with identification content, which may be represented as a hash or in another form, derived from device information, user information and the like.
Further, when the preset public-private key pair is divided into a device public-private key pair and a user public-private key pair, the device public-private key pair is used when registering the user public-private key pair, and the user public-private key pair is used in the subsequent login authentication process. In that case: the device signature information is generated by the secure key device for the authentication response information based on the internally stored user private key; and the user authentication result is the signature verification result, namely whether the device signature information passes signature verification, returned after the trusted switch verifies the device signature information with the internally stored user public key.
Specifically, the computation, security, signature verification and decryption in the trusted switch can be implemented by a built-in trusted hardware chip, namely a TPCM module, and sensitive information concerning computation, security, signature verification, decryption and user devices is stored in the trusted hardware chip, so that switch function modules outside the trusted hardware chip cannot obtain any sensitive information, ensuring the high security of the industrial control network. At the same time, because the trusted hardware chip is hardware, operations such as computation, security, signature verification and decryption benefit from hardware acceleration: for example, in the login authentication process the trusted hardware chip generates the authentication response information corresponding to the user authentication request and verifies the device signature information; in the registration process of the user public-private key pair the trusted hardware chip generates the registration response information corresponding to the user registration request and verifies the public key signature information. Owing to the hardware characteristics, processing is faster.
In addition, because the trusted hardware chip can generate true random numbers, the authentication response information and the registration response information can be implemented as challenge values in the form of true random numbers generated by the trusted hardware chip, and the properties of true random numbers improve the security of the registration process and the login authentication process.
Specifically, communication between the trusted terminal and other devices can be realized through a browser on the trusted terminal. Common browsers such as Chrome, Firefox and Edge provide JavaScript API integration and support the WebAuthn protocol for communicating with the trusted switch, so communication with the trusted switch can be realized through the browser; the browser supports the CTAP protocol for communicating with the secure key device, with no driver to install for the secure key device; and the browser supports the U2F universal authentication framework, which requires no secret key to be entered during authentication, supports self-service registration of the secure key device, and supports configuring modes such as key-less authentication and optional-factor authentication.
The U2F protocol allows a strong authentication factor to be added on top of the user's original password for login authentication. When the user performs login authentication or other operations, the browser prompts the user to provide the strong authentication factor for local authentication, and if the strong authentication factor is correct the browser automatically proceeds with the subsequent login authentication.
Therefore, in this embodiment, before sending the authentication response information to the secure key device and receiving the device signature information corresponding to the authentication response information generated by the secure key device based on the preset private key stored in the secure key device, the method further includes:
receiving a user authentication instruction comprising a device password sent by an instruction input terminal;
Transmitting the device password to the secure key device;
when first response information, returned by the secure key device based on the device password and indicating that the device password is correct, is received, executing the step of sending the authentication response information to the secure key device and receiving the device signature information that the secure key device generates for the authentication response information based on the preset private key stored in it;
and when second response information, returned by the secure key device based on the device password and indicating that the device password is wrong, is received, outputting display information indicating that the device password is wrong to the display terminal.
It can be understood that the trusted terminal is further connected to an instruction input terminal and a display terminal. The instruction input terminal is, for example, a mouse, a keyboard, a camera or a microphone. The device password is the strong authentication factor and serves as the working password of the secure key device for local authentication; when the device password is correct, the secure key device inserted into the trusted terminal automatically cooperates with the trusted terminal, so that the trusted terminal can complete the authentication method of this embodiment.
The device password comprises a biological characteristic password, a character string password and the like, wherein the biological characteristic password is a password comprising at least one biological characteristic such as fingerprint characteristics, facial characteristics, iris characteristics, voiceprint characteristics and the like, and the character string password is a password comprising a custom character string, such as a PIN code.
Therefore, the security of the authentication method in the embodiment is further improved by setting the device password.
The method of this embodiment of the application stores the preset private key in the secure key device and the preset public key in the trusted switch, through the trusted links among the secure key device, the trusted terminal, the trusted switch and the trusted management platform. When the trusted terminal connected to the secure key device communicates with the trusted switch, the trusted terminal sends a user authentication request to the trusted switch; the trusted switch generates authentication response information from the user authentication request and forwards it to the secure key device through the trusted terminal; the secure key device generates device signature information for the authentication response information with its internal preset private key and forwards it to the trusted switch through the trusted terminal; and the trusted switch verifies the device signature information with its internal preset public key and returns the user authentication result to the trusted terminal. In this scheme all information transfer takes place over secure and trusted links, the user need not memorize complex passwords, and the complexity, storage location and usage of the public-private key pair are preset, so the security of authentication is improved and the security risk of authentication in an industrial control network is reduced.
Any combination of the above optional solutions may be adopted to form an optional embodiment of the present application, which is not described here again. It should be understood that the sequence numbers of the steps in the foregoing embodiment do not imply an order of execution; the execution order of each process should be determined by its function and internal logic, and should not limit the implementation of the embodiments of the present application.
The following are examples of the apparatus of the present application that may be used to perform the method embodiments of the present application. For details not disclosed in the embodiments of the apparatus of the present application, please refer to the embodiments of the method of the present application.
Fig. 6 is a schematic diagram of an authentication device of a trusted switch according to an embodiment of the present application. As shown in fig. 6, the authentication apparatus includes:
A first communication module 601, configured to send a user authentication request to a trusted switch, and receive authentication response information generated by the trusted switch based on the user authentication request;
the second communication module 602 is configured to send the authentication response information to the secure key device, and receive device signature information of the secure key device corresponding to the authentication response information generated based on the preset private key stored in the secure key device;
The third communication module 603 is configured to send the device signature information to the trusted switch, and receive a user authentication result returned after the trusted switch performs signature verification on the device signature information by using a preset public key corresponding to a preset private key stored in the trusted switch;
the preset private key and the preset public key are generated as a pair inside the secure key device, and the preset public key is stored in the trusted switch after verification by the trusted management platform; the trusted management platform is connected to the trusted terminal through the trusted switch.
The device of this embodiment of the application stores the preset private key in the secure key device and the preset public key in the trusted switch, through the trusted links among the secure key device, the trusted terminal, the trusted switch and the trusted management platform. When the trusted terminal connected to the secure key device communicates with the trusted switch, the trusted terminal sends a user authentication request to the trusted switch; the trusted switch generates authentication response information from the user authentication request and forwards it to the secure key device through the trusted terminal; the secure key device generates device signature information for the authentication response information with its internal preset private key and forwards it to the trusted switch through the trusted terminal; and the trusted switch verifies the device signature information with its internal preset public key and returns the user authentication result to the trusted terminal. In this scheme all information transfer takes place over secure and trusted links, the user need not memorize complex passwords, and the complexity, storage location and usage of the public-private key pair are preset, so the security of authentication is improved and the security risk of authentication in an industrial control network is reduced.
In an exemplary embodiment, the preset private key and the preset public key are generated internally as a pair when the secure key device receives a preset key generation request; the preset key generation request is produced as follows: the trusted terminal currently connected to the secure key device sends a device registration request to the trusted management platform; after receiving the device registration request, the trusted management platform performs trusted verification based on it and generates a trusted verification result; when that result is "passed", the trusted terminal sends the preset key generation request to the secure key device;
the preset public key is sent by the secure key device to the trusted management platform, and after verification by the trusted management platform it is issued to and stored in the trusted switch.
In an exemplary embodiment, the trusted management platform performs a process of trusted verification based on a device registration request, including:
the trusted management platform performs trusted verification of trusted link status and registration authority based on the device registration request.
In an exemplary embodiment, the preset private key includes a device private key and a user private key, and the preset public key includes a device public key and a user public key;
the device private key and the device public key are generated internally as a pair when the secure key device receives a device key generation request; the device key generation request is produced as follows: the trusted terminal currently connected to the secure key device sends a device registration request to the trusted management platform; after receiving the device registration request, the trusted management platform performs trusted verification based on it and generates a trusted verification result; when that result is "passed", the trusted terminal sends the device key generation request to the secure key device;
The device public key is sent to the trusted management platform by the security key device, and is sent and stored in the trusted switch after being verified by the trusted management platform;
the user private key and the user public key are internally generated in pairs when the security key equipment receives registration response information; the registration response information is: after a trusted terminal currently connected with the security key equipment sends a user registration request to a trusted switch, the trusted switch generates and sends registration response information to the security key equipment based on the user registration request;
the user public key is sent by the secure key device to the trusted switch and stored there, based on the device private key and the device public key.
In an exemplary embodiment, based on the device private key and the device public key, the process by which the secure key device sends and stores the user public key to the trusted switch includes:
the secure key device generates, based on the device private key, public key signature information corresponding to the registration response information and the user public key, and sends it to the trusted switch;
the trusted switch performs signature verification on the public key signature information based on the internally stored device public key, and stores the corresponding user public key when the public key signature information passes the signature verification.
In an exemplary embodiment, the device signature information is generated by the secure key device for the authentication response information based on the internally stored user private key;
the user authentication result is the signature verification result, namely whether the device signature information passes signature verification, returned after the trusted switch verifies the device signature information with the internally stored user public key.
In an exemplary embodiment, the second communication module is specifically configured to:
receiving a user authentication instruction comprising a device password sent by an instruction input terminal;
Transmitting the device password to the secure key device;
when first response information, returned by the secure key device based on the device password and indicating that the device password is correct, is received, executing the step of sending the authentication response information to the secure key device and receiving the device signature information that the secure key device generates for the authentication response information based on the preset private key stored in it;
and when second response information, returned by the secure key device based on the device password and indicating that the device password is wrong, is received, outputting display information indicating that the device password is wrong to the display terminal.
Fig. 7 is a flowchart of an authentication method of a trusted switch according to an embodiment of the present application. The authentication method of fig. 7 is performed by the trusted switch of fig. 2. As shown in fig. 7, the authentication method includes:
S701: receiving a user authentication request sent by a trusted terminal, generating authentication response information based on the user authentication request, and sending the authentication response information to the trusted terminal;
S702: receiving device signature information sent by the trusted terminal; the device signature information is generated by the secure key device for the authentication response information, based on the preset private key stored in the secure key device, after the trusted terminal has sent the authentication response information to the secure key device, and is then sent to the trusted terminal;
S703: verifying the signature of the device signature information based on the internally stored preset public key corresponding to the preset private key, and returning a user authentication result to the trusted terminal based on the signature verification result;
the preset private key and the preset public key are generated as a pair inside the secure key device, and the preset public key is stored in the trusted switch after verification by the trusted management platform; the trusted management platform is connected to the trusted terminal through the trusted switch.
In an exemplary embodiment, the process of generating authentication response information based on a user authentication request and transmitting the authentication response information to a trusted terminal includes:
based on the user authentication request, generating authentication response information through a built-in trusted hardware chip and sending the authentication response information to a trusted terminal;
The process of verifying the signature of the device signature information based on the internally stored preset public key corresponding to the preset private key, and returning the user authentication result to the trusted terminal based on the signature verification result, comprises the following step:
verifying, through the trusted hardware chip, the signature of the device signature information based on the internally stored preset public key corresponding to the preset private key, and returning the user authentication result to the trusted terminal based on the verification result.
It can be understood that, since the trusted hardware chip is hardware, the generation of authentication response information and the verification of device signature information are faster.
In an exemplary embodiment, the process of generating authentication response information based on the user authentication request and sending it to the trusted terminal includes:
generating a true-random-number challenge value and sending the challenge value to the trusted terminal as the authentication response information corresponding to the user authentication request.
It can be appreciated that, because a true random number is random and unpredictable, using it as the challenge value in the authentication response information further improves the security of authentication in this scheme.
In the method of the embodiment of the application, the preset public key and the preset private key are stored in the trusted switch and the security key device respectively, over the trusted links among the security key device, the trusted terminal, the trusted switch and the trusted management platform. When the trusted terminal connected to the security key device communicates with the trusted switch, the trusted terminal sends a user authentication request to the trusted switch; the trusted switch generates authentication response information based on the user authentication request and forwards it to the security key device through the trusted terminal; the security key device generates device signature information corresponding to the authentication response information with its internal preset private key and forwards it to the trusted switch through the trusted terminal; and the trusted switch verifies the device signature information with its internal preset public key and returns a user authentication result to the trusted terminal. In this scheme all information transfer takes place over secure, trusted links, the user does not need to memorize a complex password, and the complexity, storage location and usage of the public and private key pair are preset, which improves the security of authentication and reduces the security risk of authentication in an industrial control network.
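The flow of steps S701 to S703, together with the enrollment of the user public key described in claims 4 and 5 below, as an added illustration (this is not the applicant's code and the patent names no signature algorithm): Ed25519 from Go's standard library stands in for the unspecified scheme, the registration response and the challenge are treated as opaque byte strings, the signed message for the public key signature information is assumed to be the registration response concatenated with the user public key, and the trusted terminal is omitted because it only relays bytes. The switch remembers each challenge it issues and accepts it at most once; that bookkeeping is an assumption of this example, added because it is what makes the true random challenge useful against a captured signature being presented again.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// Added example modelling the patent's challenge-response flow; not the
// applicant's code. Ed25519 is an assumption, as is the 32-byte challenge.
const challengeLen = 32

// SecureKeyDevice holds the device key pair and the user key pair. The private
// halves never leave the struct, mirroring generation inside the device.
type SecureKeyDevice struct {
	devicePriv ed25519.PrivateKey
	DevicePub  ed25519.PublicKey
	userPriv   ed25519.PrivateKey
	UserPub    ed25519.PublicKey
}

// NewSecureKeyDevice generates the device key pair (claim 4's device key
// generation request). The device public key would then be verified by the
// management platform before the switch stores it.
func NewSecureKeyDevice() (*SecureKeyDevice, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &SecureKeyDevice{devicePriv: priv, DevicePub: pub}, nil
}

// GenerateUserKey generates the user key pair on receipt of registration
// response information and returns the user public key plus the public key
// signature information: registrationResp||userPub signed with the device
// private key (claim 5). The message layout is an assumption of this example.
func (d *SecureKeyDevice) GenerateUserKey(registrationResp []byte) (ed25519.PublicKey, []byte, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	d.userPriv, d.UserPub = priv, pub
	msg := append(append([]byte{}, registrationResp...), pub...)
	return pub, ed25519.Sign(d.devicePriv, msg), nil
}

// SignChallenge produces the device signature information over the
// authentication response (the challenge) with the user private key (claim 6).
func (d *SecureKeyDevice) SignChallenge(challenge []byte) ([]byte, error) {
	if d.userPriv == nil {
		return nil, errors.New("user key has not been generated")
	}
	return ed25519.Sign(d.userPriv, challenge), nil
}

// TrustedSwitch stores the platform-verified device public key and the user
// public key, issues challenges and verifies device signature information.
type TrustedSwitch struct {
	devicePub ed25519.PublicKey
	userPub   ed25519.PublicKey
	pending   map[string]bool // outstanding challenges (hex); consumed on first use
}

// NewTrustedSwitch takes the device public key as delivered by the management platform.
func NewTrustedSwitch(devicePub ed25519.PublicKey) *TrustedSwitch {
	return &TrustedSwitch{devicePub: devicePub, pending: map[string]bool{}}
}

// RegisterUserKey is the switch side of claim 5: the public key signature
// information must verify under the stored device public key before the user
// public key is accepted. The length check matters because ed25519.Verify
// panics on a malformed key.
func (s *TrustedSwitch) RegisterUserKey(registrationResp, userPub, sig []byte) error {
	if len(userPub) != ed25519.PublicKeySize {
		return errors.New("malformed user public key")
	}
	msg := append(append([]byte{}, registrationResp...), userPub...)
	if !ed25519.Verify(s.devicePub, msg, sig) {
		return errors.New("public key signature information failed verification")
	}
	s.userPub = ed25519.PublicKey(append([]byte{}, userPub...))
	return nil
}

// NewChallenge generates the authentication response information: a fresh
// random challenge, remembered so that it can be accepted at most once.
func (s *TrustedSwitch) NewChallenge() ([]byte, error) {
	c := make([]byte, challengeLen)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	s.pending[hex.EncodeToString(c)] = true
	return c, nil
}

// VerifyResponse returns the user authentication result. A challenge that was
// never issued, or was already consumed, fails regardless of the signature.
func (s *TrustedSwitch) VerifyResponse(challenge, sig []byte) bool {
	key := hex.EncodeToString(challenge)
	if s.userPub == nil || !s.pending[key] {
		return false
	}
	delete(s.pending, key) // one attempt per challenge
	return ed25519.Verify(s.userPub, challenge, sig)
}

func main() {
	dev, _ := NewSecureKeyDevice()
	sw := NewTrustedSwitch(dev.DevicePub)
	regResp := []byte("constructed registration response") // constructed sample input
	userPub, pkSig, _ := dev.GenerateUserKey(regResp)
	fmt.Println("register user key:", sw.RegisterUserKey(regResp, userPub, pkSig))
	ch, _ := sw.NewChallenge()
	devSig, _ := dev.SignChallenge(ch)
	fmt.Println("authenticate:", sw.VerifyResponse(ch, devSig))
	fmt.Println("replay of same response:", sw.VerifyResponse(ch, devSig))
}
```

Because the switch only ever holds public keys, compromise of the switch does not yield a key that can impersonate a user; the private keys stay in the security key device, which is the property the patent relies on. The example also shows the check a defender wants at registration: a user public key is only stored if its accompanying signature verifies under the device public key that the management platform already vouched for.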
Any combination of the above optional solutions may be adopted to form an optional embodiment of the present application, which is not described here again. It should be understood that the sequence number of each step in the foregoing embodiments does not imply an execution order; the execution order of each process should be determined by its function and internal logic, and the sequence numbers should not limit the implementation of the embodiments of the present application.
The embodiment of the application also discloses an industrial network, which comprises: a trusted management platform, a trusted switch connected to the trusted management platform, a trusted terminal connected to the trusted switch, and a security key device connected to the trusted terminal;
each trusted switch is configured to implement the steps of the authentication method of the trusted switch applied to the trusted switch as claimed in any one of the preceding claims;
each trusted terminal is configured to implement the steps of the authentication method of the trusted switch applied to the trusted terminal as claimed in any one of the preceding claims.
It is to be understood that the industrial network here is the industrial control network of the above embodiments. For the technical details of the authentication method of the trusted switch applied to the trusted switch and of the authentication method of the trusted switch applied to the trusted terminal, reference may be made to the description in the above embodiments, which is not repeated here.
In the device of the embodiment of the application, the preset public key and the preset private key are stored in the trusted switch and the security key device respectively, over the trusted links among the security key device, the trusted terminal, the trusted switch and the trusted management platform. When the trusted terminal connected to the security key device communicates with the trusted switch, the trusted terminal sends a user authentication request to the trusted switch; the trusted switch generates authentication response information based on the user authentication request and forwards it to the security key device through the trusted terminal; the security key device generates device signature information corresponding to the authentication response information with its internal preset private key and forwards it to the trusted switch through the trusted terminal; and the trusted switch verifies the device signature information with its internal preset public key and returns a user authentication result to the trusted terminal. In this scheme all information transfer takes place over secure, trusted links, the user does not need to memorize a complex password, and the complexity, storage location and usage of the public and private key pair are preset, which improves the security of authentication and reduces the security risk of authentication in an industrial control network.
Fig. 8 is a schematic diagram of an electronic device 8 according to an embodiment of the present application. As shown in fig. 8, the electronic device 8 of this embodiment includes: a processor 801, a memory 802, and a computer program 803 stored in the memory 802 and executable on the processor 801. The steps of the various method embodiments described above are implemented by the processor 801 when executing the computer program 803. Or the processor 801 when executing the computer program 803 implements the functions of the modules/units in the above-described apparatus embodiments.
The electronic device 8 may be a desktop computer, a notebook computer, a palm computer, a cloud server, or the like. The electronic device 8 may include, but is not limited to, a processor 801 and a memory 802. It will be appreciated by those skilled in the art that fig. 8 is merely an example of the electronic device 8 and is not limiting of the electronic device 8 and may include more or fewer components than shown, or different components.
The processor 801 may be a central processing unit (CPU) or other general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, discrete hardware components, or the like.
The memory 802 may be an internal storage unit of the electronic device 8, for example a hard disk or memory of the electronic device 8. The memory 802 may also be an external storage device of the electronic device 8, such as a plug-in hard disk, a smart media card (SMC), a Secure Digital (SD) card or a flash card provided on the electronic device 8. The memory 802 may also include both internal storage units and external storage devices of the electronic device 8. The memory 802 is used to store computer programs and other programs and data required by the electronic device.
It will be apparent to those skilled in the art that, for convenience and brevity of description, only the above-described division of the functional units and modules is illustrated, and in practical application, the above-described functional distribution may be performed by different functional units and modules according to needs, i.e. the internal structure of the apparatus is divided into different functional units or modules to perform all or part of the above-described functions. The functional units and modules in the embodiment may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit, where the integrated units may be implemented in a form of hardware or a form of a software functional unit.
The integrated modules/units, if implemented in the form of software functional units and sold or used as stand-alone products, may be stored in a computer readable storage medium. Based on such understanding, the present application may implement all or part of the flow of the method of the above embodiment, or may be implemented by a computer program to instruct related hardware, and the computer program may be stored in a computer readable storage medium, where the computer program, when executed by a processor, may implement the steps of each of the method embodiments described above. The computer program may comprise computer program code, which may be in source code form, object code form, executable file or in some intermediate form, etc. The computer readable storage medium may include: any entity or device capable of carrying computer program code, a recording medium, a U disk, a removable hard disk, a magnetic disk, an optical disk, a computer Memory, a Read-Only Memory (ROM), a random access Memory (Random Access Memory, RAM), an electrical carrier signal, a telecommunications signal, a software distribution medium, and so forth.
The above embodiments are only for illustrating the technical solution of the present application, and are not limiting; although the application has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical scheme described in the foregoing embodiments can be modified or some technical features thereof can be replaced by equivalents; such modifications and substitutions do not depart from the spirit and scope of the technical solutions of the embodiments of the present application, and are intended to be included in the scope of the present application.
Claims (14)
1. An authentication method for a trusted switch, applied to a trusted terminal, comprising:
sending a user authentication request to a trusted switch, and receiving authentication response information generated by the trusted switch based on the user authentication request;
sending the authentication response information to a security key device, and receiving device signature information corresponding to the authentication response information, generated by the security key device based on a preset private key stored in the security key device;
sending the device signature information to the trusted switch, and receiving a user authentication result returned after the trusted switch verifies the device signature information using a preset public key, stored in the trusted switch, that corresponds to the preset private key;
wherein the preset private key and the preset public key are generated as a pair inside the security key device, and the preset public key is stored in the trusted switch after being verified by a trusted management platform; the trusted management platform is connected to the trusted terminal through the trusted switch.
2. The authentication method of claim 1, wherein
the preset private key and the preset public key are generated as a pair inside the security key device when the security key device receives a preset key generation request; the preset key generation request is sent to the security key device by the trusted terminal currently connected to it when, after the trusted terminal has sent a device registration request to the trusted management platform, the trusted verification result generated by the trusted management platform upon receiving the device registration request and performing trusted verification based on it indicates that verification has passed;
and the preset public key is sent by the security key device to the trusted management platform and, after being verified by the trusted management platform, is issued to and stored in the trusted switch.
3. The authentication method of claim 2, wherein the trusted management platform performs a process of trusted verification based on the device registration request, comprising:
the trusted management platform performs trusted verification of the trusted link status and the registration authority based on the device registration request.
4. The authentication method of claim 1, wherein the preset private key comprises a device private key and a user private key, and the preset public key comprises a device public key and a user public key;
the device private key and the device public key are generated as a pair inside the security key device when the security key device receives a device key generation request; the device key generation request is sent to the security key device by the trusted terminal currently connected to it when, after the trusted terminal has sent a device registration request to the trusted management platform, the trusted verification result generated by the trusted management platform upon receiving the device registration request and performing trusted verification based on it indicates that verification has passed;
the device public key is sent by the security key device to the trusted management platform and, after being verified by the trusted management platform, is issued to and stored in the trusted switch;
the user private key and the user public key are generated as a pair inside the security key device when the security key device receives registration response information; the registration response information is generated by the trusted switch based on a user registration request and sent to the security key device after the trusted terminal currently connected to the security key device has sent the user registration request to the trusted switch;
and the user public key is sent to and stored in the trusted switch by the security key device based on the device private key and the device public key.
5. The authentication method of claim 4, wherein the process by which the security key device sends the user public key to the trusted switch for storage, based on the device private key and the device public key, comprises:
the security key device generates, based on the device private key, public key signature information corresponding to the registration response information and the user public key, and sends the registration response information and the public key signature information to the trusted switch;
and the trusted switch verifies the public key signature information based on the internally stored device public key, and stores the corresponding user public key when the public key signature information passes signature verification.
6. The authentication method according to claim 4, wherein the device signature information is generated by the security key device for the authentication response information based on the internally stored user private key;
and the user authentication result is the signature verification result, returned after the trusted switch verifies the device signature information using the internally stored user public key, indicating whether the device signature information passes signature verification.
7. The authentication method according to any one of claims 1 to 6, further comprising, before sending the authentication response information to the security key device and receiving the device signature information corresponding to the authentication response information generated by the security key device based on the internally stored preset private key:
receiving a user authentication instruction, including a device password, sent by an instruction input terminal;
sending the device password to the security key device;
when first response information, returned by the security key device based on the device password and indicating that the device password is correct, is received, performing the steps of sending the authentication response information to the security key device and receiving the device signature information corresponding to the authentication response information generated by the security key device based on the preset private key stored in the security key device;
and when second response information, returned by the security key device based on the device password and indicating that the device password is incorrect, is received, outputting display information indicating that the device password is incorrect to a display terminal.
8. An authentication apparatus for a trusted switch, comprising:
a first communication module configured to send a user authentication request to the trusted switch and to receive authentication response information generated by the trusted switch based on the user authentication request;
a second communication module configured to send the authentication response information to a security key device and to receive device signature information corresponding to the authentication response information, generated by the security key device based on a preset private key stored in the security key device;
a third communication module configured to send the device signature information to the trusted switch and to receive a user authentication result returned after the trusted switch verifies the device signature information using a preset public key, stored in the trusted switch, that corresponds to the preset private key;
wherein the preset private key and the preset public key are generated as a pair inside the security key device, and the preset public key is stored in the trusted switch after being verified by a trusted management platform; the trusted management platform is connected to a trusted terminal through the trusted switch.
9. An authentication method for a trusted switch, applied to the trusted switch, comprising:
receiving a user authentication request sent by a trusted terminal, generating authentication response information based on the user authentication request, and sending the authentication response information to the trusted terminal;
receiving device signature information sent by the trusted terminal; the device signature information corresponding to the authentication response information is generated by a security key device based on a preset private key stored in the security key device, and is sent to the trusted terminal after the trusted terminal has sent the authentication response information to the security key device;
verifying the device signature information based on an internally stored preset public key corresponding to the preset private key, and returning a user authentication result to the trusted terminal based on the signature verification result;
wherein the preset private key and the preset public key are generated as a pair inside the security key device, and the preset public key is stored in the trusted switch after being verified by a trusted management platform; the trusted management platform is connected to the trusted terminal through the trusted switch.
10. The authentication method according to claim 9, wherein the process of generating authentication response information based on the user authentication request and sending the authentication response information to the trusted terminal comprises:
generating the authentication response information through a built-in trusted hardware chip, based on the user authentication request, and sending the authentication response information to the trusted terminal;
and the process of verifying the device signature information based on the internally stored preset public key corresponding to the preset private key, and returning a user authentication result to the trusted terminal based on the signature verification result, comprises:
verifying the device signature information through the trusted hardware chip, based on the internally stored preset public key corresponding to the preset private key, and returning a user authentication result to the trusted terminal based on the signature verification result.
11. The authentication method according to claim 9, wherein the process of generating authentication response information based on the user authentication request and transmitting the authentication response information to the trusted terminal includes:
generating a true-random-number challenge value, and sending the challenge value to the trusted terminal as the authentication response information corresponding to the user authentication request.
12. An industrial network, comprising: a trusted management platform, a trusted switch connected with the trusted management platform, a trusted terminal connected with the trusted switch, and a secure key device connected with the trusted terminal;
each of said trusted switches being configured to implement the steps of the method according to any one of claims 9 to 11;
each of said trusted terminals being configured to implement the steps of the method according to any one of claims 1 to 7.
13. An electronic device comprising a memory, a processor and a computer program stored in the memory and executable on the processor, characterized in that the processor implements the steps of the method according to any one of claims 1 to 7 or the steps of the method according to any one of claims 9 to 11 when the computer program is executed.
14. A computer readable storage medium storing a computer program, characterized in that the computer program when executed by a processor implements the steps of the method according to any one of claims 1 to 7 or the steps of the method according to any one of claims 9 to 11.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202411020141.XA CN118573468B (en) | 2024-07-29 | 2024-07-29 | Authentication method, device, equipment, medium and industrial network of trusted switch |
Publications (2)
Publication Number | Publication Date |
---|---|
CN118573468A true CN118573468A (en) | 2024-08-30 |
CN118573468B CN118573468B (en) | 2024-11-01 |
Family
ID=92469603
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202411020141.XA Active CN118573468B (en) | 2024-07-29 | 2024-07-29 | Authentication method, device, equipment, medium and industrial network of trusted switch |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN118573468B (en) |
Citations (9)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN107343179A (en) * | 2017-08-14 | 2017-11-10 | 华北电力大学 | A kind of video information encryption and video terminal security certification system, authentication method and its application |
US20180293373A1 (en) * | 2015-03-31 | 2018-10-11 | Paradigm, Inc. | Systems and methods for generating and validating certified electronic credentials |
CN111401901A (en) * | 2020-03-23 | 2020-07-10 | 腾讯科技(深圳)有限公司 | Authentication method and device of biological payment device, computer device and storage medium |
CN112953970A (en) * | 2021-04-01 | 2021-06-11 | 国民认证科技(北京)有限公司 | Identity authentication method and identity authentication system |
CN113645024A (en) * | 2020-05-11 | 2021-11-12 | 华为技术有限公司 | Key distribution method, system, device and readable storage medium and chip |
CN115021931A (en) * | 2022-05-30 | 2022-09-06 | 中控数科(陕西)信息科技有限公司 | Mobile digital certificate service method |
CN115714678A (en) * | 2022-11-10 | 2023-02-24 | 北京北信源软件股份有限公司 | Authentication method and device of terminal equipment |
US20230145936A1 (en) * | 2021-11-10 | 2023-05-11 | Samsung Electronics Co., Ltd. | Storage device, storage system having the same and method of operating the same |
CN117155549A (en) * | 2023-06-28 | 2023-12-01 | 中国建设银行股份有限公司 | Key distribution method, key distribution device, computer equipment and storage medium |
Non-Patent Citations (2)
Title |
---|
Yang, Yong-Hua et al.: "All optical metropolitan quantum key distribution network with post-quantum cryptography authentication", Optics Express, 20 August 2021 (2021-08-20) * |
徐茹枝;郭健;李衍辉;: "智能电网中电力调度数字证书系统", 中国电力, no. 01, 5 January 2011 (2011-01-05) * |
Also Published As
Publication number | Publication date |
---|---|
CN118573468B (en) | 2024-11-01 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant |