CN112560077A - Access control method, device and system - Google Patents


Info

Publication number: CN112560077A
Authority: CN (China)
Prior art keywords: access, access control, blockchain network, equipment, token
Legal status: Pending
Application number: CN201910850705.5A
Other languages: Chinese (zh)
Inventor: 许建东
Current Assignee: Beijing Gridsum Technology Co Ltd
Original Assignee: Beijing Gridsum Technology Co Ltd
Application filed by Beijing Gridsum Technology Co Ltd
Priority to CN201910850705.5A
Publication of CN112560077A

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/60 Protecting data
    • G06F 21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F 21/6218 Protecting access to data via a platform, e.g. using keys or access control rules, to a system of files or objects, e.g. local or distributed file system or database
    • G06F 21/6272 Protecting access to data via a platform, e.g. using keys or access control rules, to a system of files or objects, e.g. local or distributed file system or database, by registering files or documents with a third party

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F 21/31 User authentication


Abstract

Embodiments of the invention provide an access control method, device and system in the technical field of network security, with the aim of improving the security of an industrial internet. The method comprises the following steps: when a first device needs to access a second device in the industrial internet, the first device sends an access information acquisition request to a blockchain network, the request asking for an access token for accessing the second device; if the blockchain network determines that the first device has the authority to access the second device, the first device receives an access token sent by the blockchain network; and the first device sends an access request carrying the access token to the second device. The embodiments are used to perform access control on devices that access the industrial internet.

Description

Access control method, device and system
Technical Field
The present invention relates to the field of network security technologies, and in particular, to a method, an apparatus, and a system for access control.
Background
With the rapid development of industrial automation control, more and more industrial enterprises use their internal networks to interconnect their production-specific devices or industrial intelligent devices (IEDs) into a production control system network; the internal networks used in this way by industrial enterprises are referred to as the industrial internet.
In industrial production, industrial field data is closely tied to production conditions: once the field data is damaged, the whole production process is seriously threatened, so the security of the industrial internet is the first problem that industrial internet developers have to solve. In the prior art, one way to prevent the devices in the industrial internet from being illegally invaded is to establish a security database that records and updates the access control policies of the devices in the industrial internet and controls the access behaviour of those devices based on the policies. However, as computer performance improves, such a conventional isolated security database is no longer sufficient for protecting the industrial internet: an attacker who intrudes into the security database can tamper with the access control policy of a device and then intrude into that device. Improving the network security of the industrial internet is therefore a problem that urgently needs to be solved by those skilled in the art.
Disclosure of Invention
In view of this, embodiments of the present invention provide an access control method, apparatus, and system, which are used to improve security of an industrial internet.
In order to achieve the above object, the embodiments of the present invention provide the following technical solutions.
In a first aspect, an embodiment of the present invention provides an access control method, which is applied to a first device, and the method includes:
when a second device in the industrial internet needs to be accessed, sending an access information acquisition request to a blockchain network, wherein the access information acquisition request is used to request an access token for accessing the second device;
receiving an access token sent by the blockchain network in the case that the blockchain network determines that the first device has the authority to access the second device;
and sending an access request carrying the access token to the second device.
As an optional implementation manner of the embodiment of the present invention, the method further includes:
receiving indication information sent by the blockchain network in the case that the blockchain network determines that the first device does not have the authority to access the second device;
wherein the indication information is used to indicate that the first device does not have the authority to access the second device.
As an optional implementation manner of the embodiment of the present invention, before receiving the access token sent by the blockchain network, the method further includes:
sending an authorization request to a rights management device, wherein the authorization request is used to request the rights management device to determine whether to authorize the first device to access the second device and, in the case that the first device is authorized to access the second device, to generate an access control policy and an access pass and write the access control policy and the access pass into the blockchain network.
As an optional implementation manner of the embodiment of the present invention, the access information acquisition request is further used to request the network address of the second device;
in the case that the blockchain network determines that the first device has the authority to access the second device, the method further includes:
receiving the network address of the second device sent by the blockchain network.
As an optional implementation manner of the embodiment of the present invention, the access token is a one-time access token.
In a second aspect, an embodiment of the present invention provides an access control method, which is applied to a rights management device, and the method includes:
receiving an authorization request sent by a first device, wherein the authorization request is used to request the rights management device to determine whether to authorize the first device to access a second device in the industrial internet and, in the case that the first device is authorized to access the second device, to generate an access control policy and an access pass and write them into a blockchain network;
generating an access control policy and an access pass if it is determined that the first device is authorized to access the second device;
and writing the access control policy and the access pass into the blockchain network.
As an optional implementation manner of the embodiment of the present invention, writing the access control policy and the access pass into the blockchain network includes:
signing the access pass with a private key of the second device;
and writing the access control policy and the access pass signed with the private key of the second device into the blockchain network.
In a third aspect, an embodiment of the present invention provides an access control method, which is applied to a blockchain network, and the method includes:
receiving an access information acquisition request sent by a first device, wherein the access information acquisition request is used to request an access token for accessing a second device in the industrial internet;
determining, according to an access control policy, whether the first device has the authority to access the second device;
if it is determined that the first device has the authority to access the second device, acquiring the corresponding access pass;
calling a smart contract, with the public key of the second device and the access pass as input parameters, to perform access authentication on the first device;
and if the access authentication passes, sending the access token to the first device.
As an optional implementation manner of the embodiment of the present invention, the access token is a one-time access token.
In a fourth aspect, an embodiment of the present invention provides an access control apparatus, including:
a sending unit, configured to send an access information acquisition request to a blockchain network when a second device in the industrial internet needs to be accessed, wherein the access information acquisition request is used to request an access token for accessing the second device;
a receiving unit, configured to receive an access token sent by the blockchain network if the blockchain network determines that the access control apparatus has the authority to access the second device;
the sending unit is further configured to send an access request carrying the access token to the second device.
As an optional implementation manner of the embodiment of the present invention, the receiving unit is further configured to receive indication information sent by the blockchain network when the blockchain network determines that the access control apparatus does not have the authority to access the second device;
wherein the indication information is used to indicate that the access control apparatus does not have the authority to access the second device.
As an optional implementation manner of the embodiment of the present invention, the sending unit is further configured to send, before the access token sent by the blockchain network is received, an authorization request to a rights management device, wherein the authorization request is used to request the rights management device to determine whether to authorize the access control apparatus to access the second device and, in the case that the access control apparatus is authorized to access the second device, to generate an access control policy and an access pass and write them into the blockchain network.
As an optional implementation manner of the embodiment of the present invention, the access information acquisition request is further used to request the network address of the second device;
the receiving unit is further configured to receive the network address of the second device sent by the blockchain network if the blockchain network determines that the access control apparatus has the authority to access the second device.
As an optional implementation manner of the embodiment of the present invention, the access token is a one-time access token.
In a fifth aspect, an embodiment of the present invention provides an access control apparatus, including:
a receiving unit, configured to receive an authorization request sent by a first device, wherein the authorization request is used to request the access control apparatus to determine whether to authorize the first device to access a second device in the industrial internet and, in the case that the first device is authorized to access the second device, to generate an access control policy and an access pass and write them into a blockchain network;
a processing unit, configured to generate an access control policy and an access pass if the first device is authorized to access the second device;
and a sending unit, configured to write the access control policy and the access pass into the blockchain network.
As an optional implementation manner of the embodiment of the present invention, the processing unit is further configured to sign the access pass with a private key of the second device;
the sending unit is specifically configured to write the access control policy and the access pass signed with the private key of the second device into the blockchain network.
In a sixth aspect, an embodiment of the present invention provides an access control apparatus, including:
a receiving unit, configured to receive an access information acquisition request sent by a first device, wherein the access information acquisition request is used to request an access token for accessing a second device in the industrial internet;
a query unit, configured to determine, according to an access control policy, whether the first device has the authority to access the second device;
an acquisition unit, configured to acquire the corresponding access pass when it is determined that the first device has the authority to access the second device;
an authentication unit, configured to call a smart contract, with the public key of the second device and the access pass as input parameters, to perform access authentication on the first device;
and a sending unit, configured to send the access token to the first device when the access authentication passes.
As an optional implementation manner of the embodiment of the present invention, the sending unit is further configured to send indication information to the first device when it is determined that the first device does not have the authority to access the second device or when the access authentication fails;
wherein the indication information is used to indicate that the first device does not have the authority to access the second device.
As an optional implementation manner of the embodiment of the present invention, the access information acquisition request is further used to request the network address of the second device;
the sending unit is further configured to send the network address of the second device to the first device if it is determined that the first device has the authority to access the second device.
As an optional implementation manner of the embodiment of the present invention, the access token is a one-time access token.
In a seventh aspect, an embodiment of the present invention provides a network device, including: a memory for storing a computer program and a processor; the processor is configured to execute the access control method provided by the first aspect or any embodiment of the first aspect when the computer program is called.
In an eighth aspect, an embodiment of the present invention provides a rights management device, including: a memory for storing a computer program and a processor; the processor is configured to execute the access control method according to the second aspect or any embodiment of the second aspect when the computer program is called.
In a ninth aspect, an embodiment of the present invention provides a blockchain network, including: a memory for storing a computer program and a processor; the processor is configured to execute the access control method provided by the third aspect or any embodiment of the third aspect when the computer program is called.
In a tenth aspect, an embodiment of the present invention provides a computer-readable storage medium, on which a computer program is stored, where the computer program, when executed by a processor, implements the access control method provided in any one of the first aspect, the second aspect, the third aspect, the fourth aspect, the fifth aspect, the sixth aspect, and the seventh aspect.
In an eleventh aspect, an embodiment of the present invention provides an access control system, including at least one of: the access control apparatus of the fourth aspect or any embodiment of the fourth aspect, the access control apparatus of the fifth aspect or any embodiment of the fifth aspect, the access control apparatus of the sixth aspect or any embodiment of the sixth aspect, the network device of the seventh aspect, the rights management device of the eighth aspect, and the blockchain network of the ninth aspect.
In the access control method provided by the embodiment of the present invention, when a first device needs to access a second device in an industrial internet, it first sends to a blockchain network an access information acquisition request asking for an access token for accessing the second device; then, when the blockchain network determines that the first device has the authority to access the second device, the first device receives the access token sent by the blockchain network; finally, the first device sends an access request carrying the access token to the second device. Before accessing the second device, the first device therefore has to ask the blockchain network to determine whether it has the authority to do so, and only when the blockchain network determines that it does can the first device obtain the token needed to access the second device. Because the blockchain network is verifiable, traceable, non-repudiable and non-counterfeitable, an illegal party cannot tamper with the first device's authority to access the second device as recorded in the blockchain network, so the embodiment of the invention can prevent illegal parties from accessing devices in the industrial internet and thereby improves the security of the industrial internet.
Drawings
Fig. 1 is a schematic structural diagram of an access control system provided in an embodiment of the present invention;
Fig. 2 is an interaction flow diagram of an access control method according to an embodiment of the present invention;
Fig. 3 is a second schematic interaction flow chart of the access control method according to the embodiment of the present invention;
Fig. 4 is a third schematic interaction flow chart of the access control method according to the embodiment of the present invention;
Fig. 5 is a structural diagram of an access control apparatus according to an embodiment of the present invention;
Fig. 6 is a structural diagram of another access control apparatus according to an embodiment of the present invention;
Fig. 7 is a structural diagram of still another access control apparatus according to an embodiment of the present invention;
Fig. 8 is a schematic hardware structure diagram of a network device according to an embodiment of the present invention;
Fig. 9 is a schematic diagram of the hardware structure of a rights management device according to an embodiment of the invention;
Fig. 10 is a schematic diagram of the hardware structure of a blockchain network according to an embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, not all, embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
The term "and/or" herein merely describes an association between objects, meaning that three relationships may exist; for example, "A and/or B" may mean: A exists alone, A and B exist simultaneously, or B exists alone. In addition, the character "/" herein generally indicates that the preceding and following objects are in an "or" relationship; in a formula, the character "/" indicates that the preceding and following objects are in a "division" relationship. The term "plurality" herein means two or more, unless otherwise specified.
For the convenience of clearly describing the technical solutions of the embodiments of the present invention, in the embodiments of the present invention, the terms "first" and "second" are used to distinguish the same items or similar items with basically the same functions or actions, and those skilled in the art can understand that the terms "first" and "second" are not limited to the quantity and execution order.
In the embodiments of the present invention, words such as "exemplary" or "for example" are used to mean serving as an example, illustration or description. Any embodiment or design described as "exemplary" or "for example" in the embodiments of the present invention is not necessarily to be construed as preferred or advantageous over other embodiments or designs. Rather, use of the words "exemplary" or "for example" is intended to present concepts in a concrete fashion. In the embodiments of the present invention, "a plurality" means two or more unless otherwise specified.
First, a system architecture to which the access control method provided by the embodiment of the present invention is applied is explained below.
Referring to fig. 1, an access control system according to an embodiment of the present invention includes: a first device 11, a rights management device 12, a second device 13 in the industrial internet 130, and a blockchain network 14.
The first device 11 may be a network device in the industrial internet to which the second device 13 belongs, or may not be a device in the industrial internet to which the second device 13 belongs. The first device 11 can be in wired or wireless communication with the right management device 12, the second device 13 in the industrial internet, and the blockchain network 14; the rights management device 12 may be in wired or wireless communication with the blockchain network 14.
The first device 11 in the embodiment of the present invention may be a mobile phone, a tablet computer, a notebook computer, a personal computer (PC), an ultra-mobile personal computer (UMPC), a netbook, a personal digital assistant (PDA), a smart watch, a smart bracelet or the like, or it may be another type of electronic device; this is not limited in the embodiment of the present invention. To facilitate understanding by those skilled in the art, the first device 11 is illustrated as a PC in the drawings.
In the access control method provided in the embodiment of the present invention, if a first device wants to access a second device, the rights management device first has to authorize the first device to access the second device; as shown in fig. 2, the devices in the access control system may perform the following steps S11-S14 to authorize the first device to access the second device.
S11, the first device sends an authorization request to the rights management device.
Correspondingly, the rights management device receives the authorization request sent by the first device.
The authorization request is used to request the rights management device to determine whether to authorize the first device to access a second device in the industrial internet and, in the case that the first device is authorized to access the second device, to generate an access control policy and an access pass and write them into a blockchain network.
Specifically, the authorization request may carry an identifier of the second device and the operation that the first device wants to perform when accessing the second device, so that the rights management device identifies the second device from the carried identifier and decides whether to authorize the first device to access the second device according to the operation the first device wants to perform on it.
S12, the rights management device determines whether to authorize the first device to access the second device in the industrial internet.
Specifically, the rights management device may check the validity of the first device according to the information carried in the authorization request submitted by the first device, so as to determine whether to authorize the first device to access the second device.
In the above step S12, if the rights management device authorizes the first device to access the second device, the following step S13 is performed.
S13, the rights management device generates an access control policy and an access pass.
Specifically, the access control policy may be a file that records the authorization information stating that the first device is authorized to access the second device, and the access pass may be identification information of that access control policy.
S14, the rights management device writes the access control policy and the access pass into the blockchain network.
Correspondingly, the blockchain network receives the access control policy and the access pass written by the rights management device.
As an optional implementation manner of the embodiment of the present invention, the writing of the access control policy and the access pass into the blockchain network by the rights management device in step S14 may include:
S141, the rights management device signs the access pass with the private key of the second device;
S142, the rights management device writes the access control policy and the access pass signed with the private key of the second device into the blockchain network.
Specifically, whenever a new device registers in the industrial internet, the rights management device generates a pair of public and private keys for the device, where the public key can be used as a unique identifier for the device and the private key is used to sign parameters of the device.
Through the above steps S11 to S14, the access control method provided by the embodiment of the present invention authorizes the first device to access the second device.
Further, referring to fig. 3, when step S14 is implemented by steps S141 and S142, that is, when the access pass written by the rights management device to the blockchain network is the access pass signed with the private key of the second device, the process of the first device accessing the second device may include the following steps S21 to S29.
S21, when the first device needs to access the second device in the industrial internet, it sends an access information acquisition request to the blockchain network.
Correspondingly, the blockchain network receives the access information acquisition request sent by the first device.
The access information acquisition request is used to request an access token for accessing the second device.
S22, the blockchain network determines, according to the access control policy, whether the first device has the authority to access the second device.
Specifically, the access control policy stored in the blockchain network records the access rights between devices; it is the policy that the rights management device wrote into the blockchain network in step S14.
In the embodiment of the present invention, the access control policy may record the access rights between devices in the following form: for each device, the devices it has the right to access are recorded, for example: device 1 has the right to access device 2, device 3, …; device 2 has the right to access device 5, device 8, …; device 3 has …. Alternatively, the access control policy may record the access rights between devices in this form: for each device, the devices that have the right to access it are recorded, for example: device 2, device 3, … have the right to access device 1; device 5, device 8, … have the right to access device 2; and device 4, device 6, … have the right to access device 3. The access control policy may also record the access rights between devices in other forms, which is not limited in the embodiment of the present invention, as long as the access rights between devices can be queried through the access control policy.
In the above step S22, if the blockchain network determines that the first device has the authority to access the second device, the following step S23 and the subsequent steps are performed.
S23, the blockchain network acquires the corresponding access pass.
The corresponding access pass is the access pass that corresponds to the access control policy in which the first device's authority to access the second device is recorded.
Illustratively, the access pass in the embodiment of the present invention may be an identifier of an access control policy stored on the blockchain network, such as the identity (ID) of the access control policy stored on the blockchain network.
S24, the blockchain network calls a smart contract, with the public key of the second device and the access pass as input parameters, to perform access authentication on the first device.
In the above step S24, if the access authentication passes, the following step S25 is executed; if the access authentication does not pass, this indicates that the industrial internet may be under a network attack, in which case the access of the first device may be denied and the administrator notified to handle it.
S25, the blockchain network sends the access token to the first device.
Correspondingly, the first device receives the access token sent by the blockchain network.
The access pass obtained by the blockchain network is the access pass signed by the private key of the second device. When the blockchain network determines that the first device has the right to access the second device, it uses the public key of the second device and the access pass as input parameters and calls the smart contract to perform access authentication on the first device, and it sends the access token to the first device only when the access authentication passes, so the security of the industrial internet can be improved.
As an optional implementation manner of the embodiment of the present invention, the access token is a one-time access token.
That is, the access token is invalidated upon successful access of the second device by the first device using the access token.
S26, the first device sends the access request carrying the access token to the second device.
Correspondingly, the second device receives the access request carrying the access token sent by the first device.
And S27, the second device verifies the access token.
In the above step S27, if the access token passes the verification, the following step S28 is executed; if the access token does not pass the verification, the following step S29 is executed.
And S28, the second device allows the access of the first device.
And S29, the second device refuses the access of the first device.
In the access control method provided by the embodiment of the present invention, when a first device needs to access a second device in the industrial internet, it first sends to the blockchain network an access information acquisition request for obtaining an access token for accessing the second device; then, when the blockchain network determines that the first device has the right to access the second device, the first device receives the access token sent by the blockchain network; finally, the first device sends an access request carrying the access token to the second device. Thus the first device must ask the blockchain network to determine whether it has the right to access the second device before accessing it, and only when the blockchain network determines that it has this right can it obtain the token to access the second device. Because the blockchain network is verifiable, traceable, non-repudiable and non-counterfeitable, an illegal party cannot tamper with the right of the first device to access the second device in the blockchain network, so the embodiment of the invention can prevent illegal parties from accessing devices in the industrial internet and thereby improve the security of the industrial internet.
It should be noted that, in the embodiment of the present invention, if the right management device writes the access pass that is not signed by the private key of the second device into the blockchain network, the blockchain network may directly send the access token to the first device when determining, according to the access control policy, that the first device has the right to access the second device.
Referring to fig. 4, as an alternative embodiment of the present invention, in step S12, if the blockchain network determines that the first device does not have the right to access the second device, the following step S31 is performed.
S31, the blockchain network sends the indication information to the first device.
Correspondingly, the first device receives the indication information sent by the blockchain network.
Wherein the indication information is used for indicating that the first device does not have the authority to access the second device.
That is, in the case where the first device does not have the right to access the second device, the blockchain network notifies the first device of the indication information.
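The flow of steps S23 to S29, the unsigned-pass variant noted above, and the indication information of step S31 can be shown together in one constructed simulation. The following Go program is an added example and is not code from the patent or from the applicant. It assumes an in-memory slice as the ledger (no consensus or hash chaining), uses the policy identifier as the access pass as the description suggests, assumes Ed25519 for the device keys, and assumes a token format (a nonce-bearing body signed by a network key, with the second device remembering the signatures it has already accepted), since the patent does not specify how the token is built or checked; the device names are constructed sample values.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Entry is one ledger record written by the rights management device: the policy (First
// may access Second), the pass (here the policy ID) and the pass signature (nil = unsigned).
type Entry struct {
	ID, First, Second string
	Pass, PassSig     []byte
}
type Token struct{ Body, Sig []byte } // issued by the network; signing it with a network key is an assumption
// Network plays the blockchain network: append-only ledger, device public keys, token key.
type Network struct {
	ledger  []Entry
	pubKeys map[string]ed25519.PublicKey
	priv    ed25519.PrivateKey
	Pub     ed25519.PublicKey
}

// NewDeviceKey generates an Ed25519 key pair (algorithm assumed); nil means crypto/rand.
func NewDeviceKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(nil)
	return pub, priv
}

func NewNetwork(device string, devicePub ed25519.PublicKey) *Network {
	pub, priv := NewDeviceKey()
	return &Network{pubKeys: map[string]ed25519.PublicKey{device: devicePub}, priv: priv, Pub: pub}
}

// RightsManager plays the rights management device: it generates policy and pass, signs the
// pass with the second device's private key (nil = unsigned variant) and writes both.
func RightsManager(n *Network, first, second string, secondPriv ed25519.PrivateKey) Entry {
	e := Entry{ID: fmt.Sprintf("policy-%d", len(n.ledger)+1), First: first, Second: second}
	e.Pass = []byte(e.ID)
	if secondPriv != nil {
		e.PassSig = ed25519.Sign(secondPriv, e.Pass)
	}
	n.ledger = append(n.ledger, e)
	return e
}

// RequestToken implements steps S12 and S23-S25 for an access information request.
func (n *Network) RequestToken(first, second string) (Token, error) {
	for _, e := range n.ledger {
		if e.First != first || e.Second != second {
			continue // S12: this policy does not grant the requested right
		}
		// S24: the smart contract checks the pass against the second device's public key; failure is a possible attack.
		pub, known := n.pubKeys[second]
		if e.PassSig != nil && (!known || !ed25519.Verify(pub, e.Pass, e.PassSig)) {
			return Token{}, errors.New("access authentication failed: pass signature invalid")
		}
		nonce := make([]byte, 16) // fresh nonce: every issued token is distinct
		rand.Read(nonce)          // crypto/rand.Read never returns an error
		body := []byte(first + "|" + second + "|" + hex.EncodeToString(nonce))
		return Token{Body: body, Sig: ed25519.Sign(n.priv, body)}, nil // S25
	}
	return Token{}, errors.New("indication: first device has no right to access second device") // S31
}

// SecondDevice verifies tokens (S27) and enforces one-time use.
type SecondDevice struct {
	Name     string
	netPub   ed25519.PublicKey
	consumed map[string]bool // signatures of tokens already used
}
func NewSecondDevice(name string, netPub ed25519.PublicKey) *SecondDevice {
	return &SecondDevice{name, netPub, map[string]bool{}}
}

// Verify: true = S28 allow (valid, unused token bound to this device); false = S29 refuse.
func (d *SecondDevice) Verify(t Token) bool {
	parts := strings.Split(string(t.Body), "|")
	if len(parts) != 3 || parts[1] != d.Name || !ed25519.Verify(d.netPub, t.Body, t.Sig) {
		return false
	}
	key := hex.EncodeToString(t.Sig)
	if d.consumed[key] {
		return false // replay of a one-time token
	}
	d.consumed[key] = true
	return true
}

func main() {
	pubB, privB := NewDeviceKey()
	net := NewNetwork("device-B", pubB)
	RightsManager(net, "device-A", "device-B", privB)
	tok, err := net.RequestToken("device-A", "device-B")
	fmt.Println("issued:", err == nil, "accepted:", NewSecondDevice("device-B", net.Pub).Verify(tok))
}
```

Two design points matter for the security claim of the description: the network refuses to issue a token when the pass on the ledger does not verify under the second device's public key (so a policy entry whose pass was not signed by the second device yields no token), and the second device both binds the token to its own name and records used signatures, so the same token cannot be replayed after the first successful access.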
As an optional implementation manner of the embodiment of the present invention, the access information acquisition request sent by the first device to the blockchain network is further used to request to acquire a network address of the second device;
in the event that the blockchain network determines that the first device has permission to access the second device, the method further comprises:
the blockchain network sends the network address of the second device to the first device.
Correspondingly, the first device receives the network address of the second device sent by the blockchain network.
Illustratively, the network address of the second device may specifically be an Internet Protocol (IP) address of the second device.
Of course, the network address of the second device may also be other information, such as: media Access Control (MAC) address, and the like, in an embodiment of the present invention, a type of a network address of the second device is not limited, so that information may be sent to the second device through the network address of the second device.
According to the above method, the terminal device and the like may be divided into functional modules; for example, each function may be assigned to a separate functional module, or two or more functions may be integrated into one module. An integrated module may be implemented in hardware or as a software functional module. It should be noted that the division of modules in the embodiment of the present application is schematic and is only one logical function division; another division manner may be used in actual implementation.
In the case of an integrated unit, fig. 5 shows a schematic diagram of a possible structure of the access control device according to the above embodiment, where the access control device 500 includes:
a sending unit 51, configured to send an access information obtaining request to a blockchain network when a second device in the industrial internet needs to be accessed, where the access information obtaining request is used to request to obtain an access token for accessing the second device;
a receiving unit 52, configured to receive an access token sent by the blockchain network if the blockchain network determines that the access control apparatus has the authority to access the second device;
the sending unit 51 is further configured to send an access request carrying the access token to the second device.
As an optional implementation manner of the embodiment of the present invention, the receiving unit 52 is further configured to receive, when the blockchain network determines that the access control apparatus does not have an authority to access the second device, indication information sent by the blockchain network;
wherein the indication information is used for indicating that the access control device does not have the right to access the second device.
As an optional implementation manner of this embodiment of the present invention, the sending unit 51 is further configured to send, before receiving the access token sent by the blockchain network, an authorization request to a rights management device, where the authorization request is used to request the rights management device to determine whether to authorize the access control apparatus to access the second device, and in a case that the first device is authorized to access the second device, generate an access control policy and an access pass, and write the access control policy and the access pass into the blockchain network.
As an optional implementation manner of the embodiment of the present invention, the access information obtaining request is further configured to request to obtain a network address of the second device;
in a case that the blockchain network determines that the access control apparatus has the right to access the second device, the receiving unit 52 is further configured to receive the network address of the second device sent by the blockchain network.
As an optional implementation manner of the embodiment of the present invention, the access token is a one-time access token.
In the case of an integrated unit, fig. 6 shows a schematic diagram of a possible structure of the access control device according to the above embodiment, and the access control device 600 includes:
a receiving unit 61, configured to receive an authorization request sent by a first device, where the authorization request is used to request the access control apparatus to determine whether to authorize the first device to access a second device in the industrial internet and, if the first device is authorized to access the second device, to generate an access control policy and an access pass and write them into a blockchain network;
a processing unit 62, configured to generate an access control policy and an access pass if the first device is authorized to access the second device;
a sending unit 63, configured to write the access control policy and the access pass into a blockchain network.
As an optional implementation manner of the embodiment of the present invention, the processing unit 62 is further configured to sign the access pass through a private key of the second device;
the sending unit 63 is specifically configured to write the access control policy and the access pass signed by the private key of the second device into a blockchain network.
In the case of an integrated unit, fig. 7 shows a schematic diagram of a possible structure of the access control device according to the above embodiment, where the access control device 700 includes:
a receiving unit 71, configured to receive an access information obtaining request sent by a first device, where the access information obtaining request is used to request to obtain an access token for accessing a second device in the industrial internet;
a querying unit 72, configured to determine whether the first device has the right to access the second device according to an access control policy;
an obtaining unit 73, configured to obtain the corresponding access pass when it is determined that the first device has the right to access the second device;
an authentication unit 74, configured to call a smart contract to perform access authentication on the first device, using the public key of the second device and the access pass as input parameters;
a sending unit 75, configured to send an access token to the first device when the access authentication is passed.
As an optional implementation manner of the embodiment of the present invention, the sending unit 75 is further configured to send indication information to the first device when it is determined that the first device does not have the right to access the second device or when the access authentication fails;
wherein the indication information is used for indicating that the first device does not have the authority to access the second device.
As an optional implementation manner of the embodiment of the present invention, the access information obtaining request is further configured to request to obtain a network address of the second device;
the sending unit 75 is further configured to send the network address of the second device to the first device, if it is determined that the first device has the right to access the second device.
As an optional implementation manner of the embodiment of the present invention, the access token is a one-time access token.
Since the access control device applied to the network device and the access control device applied to the rights management device provided in the embodiments of the present invention can execute the access control method provided in the above embodiments, technical effects similar to those of the above embodiments can be achieved, and details are not described here.
Based on the same inventive concept, the embodiment of the invention also provides network equipment. Fig. 8 is a schematic structural diagram of a network device according to an embodiment of the present invention, and as shown in fig. 8, the network device according to the embodiment includes: a memory 81 and a processor 82, the memory 81 being for storing computer programs; the processor 82 is adapted to perform the steps performed by the first device in the access control method according to the above-described method embodiments when the computer program is invoked.
Based on the same inventive concept, the embodiment of the invention also provides the right management device. Fig. 9 is a schematic structural diagram of a rights management device according to an embodiment of the present invention, and as shown in fig. 9, the rights management device according to the embodiment includes: a memory 91 and a processor 92, the memory 91 being for storing a computer program; the processor 92 is adapted to perform the steps performed by the rights management device in the access control method according to the above-described method embodiments when invoking the computer program.
Based on the same inventive concept, the embodiment of the invention also provides a block chain network. Fig. 10 is a schematic structural diagram of a block chain network according to an embodiment of the present invention, and as shown in fig. 10, the block chain network according to the embodiment includes: a memory 101 and a processor 102, the memory 101 being for storing computer programs; the processor 102 is adapted to perform the steps performed by the blockchain network in the access control method according to the above-described method embodiments when the computer program is invoked.
The network device, the right management device and the blockchain network provided in this embodiment may execute the access control method provided in the foregoing method embodiment, and the implementation principle and the technical effect thereof are similar, and are not described herein again.
The embodiment of the present invention further provides a computer-readable storage medium, where a computer program is stored on the computer-readable storage medium, and when the computer program is executed by a processor, the computer program implements the access control method described in the above method embodiment.
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media having computer-usable program code embodied in the medium.
The processor may be a central processing unit (CPU), another general purpose processor, a digital signal processor (DSP), an application specific integrated circuit (ASIC), a field programmable gate array (FPGA) or other programmable logic device, discrete gate or transistor logic, discrete hardware components, etc. A general purpose processor may be a microprocessor, or the processor may be any conventional processor or the like.
The memory may include forms of volatile memory in a computer readable medium, Random Access Memory (RAM) and/or non-volatile memory, such as Read Only Memory (ROM) or flash memory (flash RAM). The memory is an example of a computer-readable medium.
Computer readable media include both permanent and non-permanent, removable and non-removable storage media. Storage media may implement information storage by any method or technology, and the information may be computer-readable instructions, data structures, modules of a program, or other data. Examples of computer storage media include, but are not limited to, phase change memory (PRAM), Static Random Access Memory (SRAM), Dynamic Random Access Memory (DRAM), other types of Random Access Memory (RAM), Read Only Memory (ROM), Electrically Erasable Programmable Read Only Memory (EEPROM), flash memory or other memory technology, compact disc read only memory (CD-ROM), Digital Versatile Discs (DVD) or other optical storage, magnetic cassettes, magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information that can be accessed by a computing device. As defined herein, a computer readable medium does not include a transitory computer readable medium such as a modulated data signal and a carrier wave.
Finally, it should be noted that: the above embodiments are only used to illustrate the technical solution of the present invention, and not to limit the same; while the invention has been described in detail and with reference to the foregoing embodiments, it will be understood by those skilled in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some or all of the technical features may be equivalently replaced; and the modifications or the substitutions do not make the essence of the corresponding technical solutions depart from the scope of the technical solutions of the embodiments of the present invention.

Claims (16)

1. An access control method applied to a first device, the method comprising:
when second equipment in the industrial Internet needs to be accessed, sending an access information acquisition request to a blockchain network, wherein the access information acquisition request is used for requesting to acquire an access token for accessing the second equipment;
receiving an access token sent by the blockchain network in the case that the blockchain network determines that the first device has the authority to access the second device;
and sending an access request carrying the access token to the second equipment.
2. The method of claim 1, further comprising:
receiving indication information sent by the blockchain network under the condition that the blockchain network determines that the first device does not have the authority of accessing the second device;
wherein the indication information is used for indicating that the first device does not have the authority to access the second device.
3. The method of claim 1, wherein prior to receiving the access token sent by the blockchain network, the method further comprises:
and sending an authorization request to a right management device, wherein the authorization request is used for requesting the right management device to determine whether the first device is authorized to access the second device, and in the case of authorizing the first device to access the second device, generating an access control policy and an access pass, and writing the access control policy and the access pass into a blockchain network.
4. The method according to claim 1, wherein the access information acquisition request is further used for requesting to acquire a network address of the second device;
in the event that the blockchain network determines that the first device has permission to access the second device, the method further comprises:
and receiving the network address of the second device sent by the blockchain network.
5. The method of any of claims 1-4, wherein the access token is a one-time access token.
6. An access control method applied to a rights management device, the method comprising:
receiving an authorization request sent by a first device, wherein the authorization request is used for requesting the rights management device to determine whether the first device is authorized to access a second device in the industrial internet and, in the case that the first device is authorized to access the second device, to generate an access control policy and an access pass and write the access control policy and the access pass into a blockchain network;
generating an access control policy and an access pass if it is determined that the first device has the right to access the second device;
and writing the access control policy and the access pass into a blockchain network.
7. The method of claim 6, wherein writing the access control policy and the access pass to a blockchain network comprises:
signing the access pass through a private key of the second device;
and writing the access control policy and the access pass signed by the private key of the second equipment into a blockchain network.
8. An access control method applied to a block chain network, the method comprising:
receiving an access information acquisition request sent by first equipment, wherein the access information acquisition request is used for requesting to acquire an access token for accessing second equipment in the industrial Internet;
determining whether the first device has a right to access the second device according to an access control policy;
if it is determined that the first device has the right to access the second device, acquiring the corresponding access pass;
calling a smart contract to perform access authentication on the first device, taking the public key of the second device and the access pass as input parameters;
and if the access authentication is passed, sending the access token to the first equipment.
9. An access control device, comprising:
a sending unit, configured to send an access information acquisition request to a blockchain network when a second device in the industrial internet needs to be accessed, wherein the access information acquisition request is used for requesting to acquire an access token for accessing the second device;
a receiving unit, configured to receive an access token sent by the blockchain network if the blockchain network determines that the access control device has the right to access the second device;
the sending unit is further configured to send an access request carrying the access token to the second device.
10. An access control device, comprising:
a receiving unit, configured to receive an authorization request sent by a first device, where the authorization request is used to request the access control device to determine whether to authorize the first device to access a second device in the industrial internet, and in a case that the first device is authorized to access the second device, generate an access control policy and an access pass, and write the access control policy and the access pass into a blockchain network;
the processing unit is used for generating an access control strategy and an access pass under the condition that the first equipment is authorized to access the second equipment;
and the sending unit is used for writing the access control strategy and the access pass into a blockchain network.
11. An access control device, comprising:
a receiving unit, configured to receive an access information acquisition request sent by a first device, wherein the access information acquisition request is used for requesting to acquire an access token for accessing a second device in the industrial internet;
the inquiring unit is used for determining whether the first equipment has the authority of accessing the second equipment according to the access control strategy;
an acquisition unit, configured to acquire the corresponding access pass when it is determined that the first device has the right to access the second device;
an authentication unit, configured to call a smart contract to perform access authentication on the first device, taking the public key of the second device and the access pass as input parameters;
and the sending unit is used for sending the access token to the first equipment when the access authentication is passed.
12. A network device, comprising: a memory for storing a computer program and a processor; the processor is adapted to execute the access control method of any of claims 1-5 when invoking the computer program.
13. A rights management device, comprising: a memory for storing a computer program and a processor; the processor is adapted to execute the access control method of claim 6 or 7 when invoking the computer program.
14. A blockchain network, comprising: a memory for storing a computer program and a processor; the processor is adapted to execute the access control method of claim 8 when invoking the computer program.
15. A computer-readable storage medium, on which a computer program is stored which, when being executed by a processor, carries out the access control method according to any one of claims 1 to 8.
16. An access control system, comprising: at least one of the access control device of claim 9, the access control device of claim 10, the access control device of claim 11, the network device of claim 12, the rights management device of claim 13, and the blockchain network of claim 14.
CN201910850705.5A 2019-09-10 2019-09-10 Access control method, device and system Pending CN112560077A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910850705.5A CN112560077A (en) 2019-09-10 2019-09-10 Access control method, device and system

Publications (1)

Publication Number Publication Date
CN112560077A true CN112560077A (en) 2021-03-26

Family

ID=75028712

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910850705.5A Pending CN112560077A (en) 2019-09-10 2019-09-10 Access control method, device and system

Country Status (1)

Country Link
CN (1) CN112560077A (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108206760A (en) * 2016-12-16 2018-06-26 南京联成科技发展股份有限公司 A kind of safe O&M framework of industrial control system
CN108650182A (en) * 2018-04-20 2018-10-12 腾讯科技(深圳)有限公司 Network communication method, system, device, equipment and storage medium
CN108810073A (en) * 2018-04-05 2018-11-13 西安电子科技大学 A kind of Internet of Things multiple domain access control system and method based on block chain
CN109617896A (en) * 2018-12-28 2019-04-12 浙江省公众信息产业有限公司 A kind of Internet of Things access control method and system based on intelligent contract
US20190141026A1 (en) * 2017-11-07 2019-05-09 General Electric Company Blockchain based device authentication
CN109768867A (en) * 2019-03-08 2019-05-17 上海一健事信息科技有限公司 A method of the data access control based on block chain technology

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115622721A (en) * 2021-07-13 2023-01-17 中移物联网有限公司 Information processing method and device, block chain equipment, user equipment and network equipment
CN114124428A (en) * 2021-07-21 2022-03-01 远光软件股份有限公司 Access method and device of Internet of things equipment based on block chain
CN114124428B (en) * 2021-07-21 2024-01-12 远光软件股份有限公司 Block chain-based access method and device for Internet of things equipment

Similar Documents

Publication Publication Date Title
CN109190410B (en) Log behavior auditing method based on block chain in cloud storage environment
US10671733B2 (en) Policy enforcement via peer devices using a blockchain
US11153092B2 (en) Dynamic access control on blockchain
US20230239284A1 (en) Federated identity management with decentralized computing platforms
CN110060162B (en) Data authorization and query method and device based on block chain
CN107862215B (en) Data storage method, data query method and device
CN112333198B (en) Secure cross-domain login method, system and server
CN113012008B (en) Identity management method, device and equipment based on trusted hardware
TWI782255B (en) Unlocking method, device for realizing unlocking, and computer-readable medium
CN103124261B (en) Wireless Telecom Equipment and the Subscriber Identity Module of extension used in WTRU
CN110246039B (en) Transaction monitoring method and device based on alliance chain and electronic equipment
CN111401902A (en) Service processing method, device and equipment based on block chain
CN106897586B (en) Application Programming Interface (API) authority management method and device
CN112398799A (en) Single sign-on method, device and system
CN111814172A (en) Method, device and equipment for acquiring data authorization information
CN113704775A (en) Service processing method based on distributed digital identity and related device
US20240078551A1 (en) Blockchain-based user element authorization methods and apparatuses
CN112560077A (en) Access control method, device and system
CN113704211B (en) Data query method and device, electronic equipment and storage medium
Xu et al. Blockchain-based transparency framework for privacy preserving third-party services
CN113901498B (en) Data sharing method, device, equipment and storage medium
CN115048672A (en) Data auditing method and device based on block chain, processor and electronic equipment
CN111461884A (en) Trusted computing service sharing method, device and system based on block chain
iang Tian et al. A Blockchain-Based Access Control Scheme for Reputation Value Attributes of the Internet of Things.
US20210209589A1 (en) Blockchain session key

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination