CN112804356A - Block chain-based networking equipment supervision authentication method and system - Google Patents

Block chain-based networking equipment supervision authentication method and system

Info

Publication number: CN112804356A
Application number: CN202110337101.8A
Authority: CN (China)
Prior art keywords: block chain, equipment, manufacturer, supervision, ibc
Prior art date
Legal status: Granted (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Other languages: Chinese (zh)
Other versions: CN112804356B (en)
Inventors: 栗静文, 张胜
Current assignee: Xinlian Technology Nanjing Co ltd (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: Xinlian Technology Nanjing Co ltd
Priority date (the priority date is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed)
Filing date
Publication date

Events
    • Application filed by Xinlian Technology Nanjing Co ltd
    • Priority to CN202110337101.8A
    • Publication of CN112804356A
    • Application granted
    • Publication of CN112804356B
    • Legal status: Active (current)
    • Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/10 Protocols in which an application is distributed across nodes in the network
    • H04L67/1097 Protocols in which an application is distributed across nodes in the network for distributed storage of data in networks, e.g. transport arrangements for network file system [NFS], storage area networks [SAN] or network attached storage [NAS]
    • H04L67/12 Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/06 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols, the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H04L9/0643 Hash functions, e.g. MD5, SHA, HMAC or f9 MAC
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L9/0825 Key transport or distribution using asymmetric-key encryption or public key infrastructure [PKI], e.g. key signature or public key certificates
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3226 Verification of identity or authority using a predetermined code, e.g. password, passphrase or PIN


Abstract

The invention relates to a blockchain-based method and system for the supervision and authentication of networked equipment. A blockchain is introduced as the storage layer, and an IBC key infrastructure service with distributed user registration is realized through a shared consensus mechanism, so that the uniqueness of an identity can be ensured more efficiently and the stability and openness of the system are improved. The scheme provides security guarantees for full-life-cycle equipment management, such as registration and identity authentication, to equipment manufacturers, supervisory authorities and using organizations across the production, sale and use stages of large-scale intelligent terminals and networked equipment. The overall design does not depend on a single organization: every party can check and trace the data, the data is difficult to tamper with, and the security of networked equipment in practical use is effectively guaranteed.

Description

Block chain-based networking equipment supervision authentication method and system
Technical Field
The invention relates to a blockchain-based method and system for the supervision and authentication of networked equipment, and belongs to the technical field of networked equipment supervision and authentication.
Background
To reduce the complexity of key and certificate management in public key systems, the idea of Identity-Based Cryptography (IBC) was proposed in 1984 by the Israeli scientist Adi Shamir, one of the inventors of the RSA algorithm. Identity-based cryptography uses a user's identifier (such as an e-mail address, mobile phone number or QQ number) as the public key and omits the exchange of digital certificates and public keys, which makes the security system easy to deploy and manage and well suited to end-to-end offline secure communication, cloud data encryption, attribute-based encryption and policy-based encryption. In 2008 the identity-based cryptographic algorithm formally became a commercial cryptographic algorithm standard issued by the State Cryptography Administration, SM9 (the ShangMi 9 algorithm), which laid a solid foundation for the application of identity-based cryptography in China. The SM9 algorithm does not require applying for a digital certificate and is suited to securing various emerging Internet applications, such as cloud-based cryptographic services, e-mail security, intelligent terminal protection, Internet of Things security and cloud storage security. These applications can use a mobile phone number or e-mail address as the public key to realize data encryption, identity authentication, call encryption, channel encryption and the like; they are convenient to use and easy to deploy, which opens the door to the wide adoption of cryptographic algorithms.
To ensure the secure management and operation of SM9, it is necessary to build an IBC key infrastructure comprising six functions: key generation service (PKG/KGC), user registration/local agent (RA/LA), public parameter service (PPS), end entity, key and key-carrier distribution, and system security management and protection.
The State Cryptography Administration's specification "Information security technology - Key infrastructure specification based on identity-based cryptography" defines the functions of each component, but on the one hand it gives no technical implementation, and on the other hand the object to which identifiers are issued is a person, that is, it provides public key and cryptographic application authentication services for users. It is therefore not suited to the security requirements of full-life-cycle equipment management, such as registration and identity authentication, for equipment manufacturers, supervisory authorities and operating/using organizations in the production, sale and use stages of intelligent equipment or IT/OT equipment.
In the prior art no complete supervision and authentication process has been formed for networked equipment, so the applications of networked equipment in each stage are isolated from one another, the cost of actual deployment is higher, the adoption rate of security authentication is directly reduced, and potential security risks exist in the practical use of networked equipment.
An IBC key infrastructure service platform is therefore provided that uses a blockchain as storage and realizes distributed user registration through a shared consensus mechanism. It ensures the uniqueness of identities more efficiently, improves the stability and openness of the system, and meets the security requirements of full-life-cycle equipment management, such as registration and identity authentication, for equipment manufacturers, supervisory authorities and operating/using organizations in the production, sale and use stages of large-scale intelligent terminals and Internet of Things equipment.
Disclosure of Invention
The technical problem to be solved by the invention is to provide a blockchain-based method for the supervision and authentication of networked equipment. By introducing blockchain consensus-sharing technology, chained supervision and authentication can be realized for each stage of the actual production, sale and use of networked equipment, and the security of networked equipment in practical use is effectively guaranteed.
The invention adopts the following technical scheme to solve this problem. A blockchain-based method for the supervision and authentication of networked equipment is designed, which realizes supervision and authentication for intelligent equipment or IT/OT equipment serving as networked equipment. Based on the equipment manufacturer of the networked equipment and a blockchain that conforms to the IBC key management specification and a data consensus-sharing protocol, the following steps A1 to A4 are executed to construct the identity private key in the production stage; then, based on the consensus sharing of data on the blockchain, the supervision and authentication of the networked equipment by a supervisory authority and a using organization are realized.
Step A1: the equipment manufacturer obtains the unique identification information of the networked equipment, and the manufacturer blockchain node of the blockchain corresponding to the equipment manufacturer checks the uniqueness and legality of the identification information against the data on the blockchain. If the check fails, construction of the identity private key of the networked equipment fails; if the check succeeds, step A2 is entered.
Step A2: the IBC service of the equipment manufacturer generates the identity private key corresponding to the identification information from the public parameters of the adopted cryptographic service and the private key managed by the corresponding IBC key management infrastructure, and step A3 is entered.
Step A3: the equipment manufacturer obtains the key hash of the identity private key, constructs the correspondence between the identification information and the key hash, and stores this correspondence on the blockchain through the manufacturer blockchain node, so that the supervisory authority and the using organization, through the supervision blockchain node and the use blockchain node of the blockchain respectively, obtain consensus synchronization of the data stored on the blockchain; then step A4 is entered.
Step A4: the equipment manufacturer installs the identity private key in the networked equipment, completing the construction of the identity private key in the production stage of the networked equipment.
In a preferred embodiment of the invention, the equipment manufacturer completes its access registration application according to the following process.
The equipment manufacturer submits its manufacturer information and the public parameters of the cryptographic service adopted by its IBC service to the supervisory authority, which constitutes the equipment manufacturer's access registration application. The supervisory authority checks the uniqueness and legality of the manufacturer information. If the check fails, the access registration application of the equipment manufacturer fails; if the check succeeds, the access registration application is completed, the manufacturer registration information and the public parameters of the cryptographic service adopted by the manufacturer's IBC service are stored on the blockchain through the manufacturer blockchain node of the blockchain corresponding to the equipment manufacturer, and the supervision blockchain node and the use blockchain node corresponding to the supervisory authority and the using organization respectively obtain consensus synchronization of the stored data.
In a preferred embodiment of the invention, in step A4 the equipment manufacturer encrypts the identity private key for transmission and sends the encrypted identity private key to the networked equipment, which receives and decrypts it and installs the identity private key.
In a preferred embodiment of the invention, based on the consensus sharing of data on the blockchain, the supervisory authority executes the following steps B1 to B4 to realize the supervision and authentication method for the sales stage.
Step B1: the supervisory authority requests the identification information from the networked equipment; the networked equipment signs the identification information with its internal identity private key, and the identification information and the signature are returned to the supervisory authority; then step B2 is entered.
Step B2: the supervisory authority uses the supervision blockchain node of the corresponding blockchain to determine whether the identification information exists on the blockchain. If so, step B3 is entered; otherwise the supervision authentication of the networked equipment fails.
Step B3: the supervisory authority queries the blockchain to obtain the public parameters of the cryptographic service adopted by the equipment manufacturer corresponding to the identification information, and then enters step B4.
Step B4: the supervisory authority verifies the signature with the public parameters. If verification succeeds, the networked equipment passes supervision authentication; if it fails, the networked equipment fails supervision authentication.
In a preferred embodiment of the invention, based on the consensus sharing of data on the blockchain, the using organization executes the following steps C1 to C4 to realize the authentication method for the use stage.
Step C1: the networked equipment is powered on and connects to the access gateway of the using organization, signs its identification information with its internal identity private key, and sends the identification information and the signature to the access gateway of the using organization; then step C2 is entered.
Step C2: the using organization uses the use blockchain node of the corresponding blockchain to determine whether the identification information exists on the blockchain. If so, step C3 is entered; otherwise the use authentication of the networked equipment fails.
Step C3: the using organization queries the blockchain to obtain the public parameters of the cryptographic service adopted by the equipment manufacturer corresponding to the identification information, and then enters step C4.
Step C4: the using organization verifies the signature with the public parameters. If verification succeeds, the networked equipment passes use authentication and the result is fed back to the networked equipment; if it fails, the networked equipment fails use authentication and the result is fed back to the networked equipment.
In a preferred embodiment of the invention, after the using organization has executed steps C1 to C4 and completed the use-stage authentication method, the method further comprises the following steps D1 to D2.
Step D1: the networked equipment applies to the access gateway of the using organization for service interaction, the access gateway performs access control on the application, and step D2 is entered.
Step D2: the access gateway forwards the networked equipment's service interaction application to the corresponding service application, the service application responds, and the response is forwarded to the networked equipment through the access gateway.
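As an added illustration (not the patent's own implementation), the following Go program models steps A1 to A4 and B1 to B4 (C1 to C4 are the same checks, performed at the using organization's gateway) against an in-memory stand-in for the shared chain. SM9 is not in Go's standard library, so the identity key derivation is a deliberately simple and insecure toy (d = s + H(ID) over P-256, verified with ECDSA under D = S + H(ID)·G) that reproduces only the property the patent relies on: the verifier needs nothing beyond the manufacturer's public parameter fetched from the chain and the device's identifier. The nonce in the challenge, the record layout and all names are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"math/big"
)
var curve = elliptic.P256()

// hashID maps an equipment identifier to a scalar mod n (toy stand-in for SM9's H1 hash).
func hashID(id string) *big.Int {
	h := sha256.Sum256([]byte("equipment-id|" + id))
	return new(big.Int).Mod(new(big.Int).SetBytes(h[:]), curve.Params().N)
}

// Kgc is a manufacturer's toy key generation centre: master secret s and public parameter S = s*G.
// It stands in for the SM9 KGC of step A2; it is NOT SM9 and is insecure (d = s + H(ID) is linear in s).
type Kgc struct{ s *big.Int; S *ecdsa.PublicKey }

func NewKgc() *Kgc {
	priv, err := ecdsa.GenerateKey(curve, rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Kgc{s: priv.D, S: &priv.PublicKey}
}

// DeviceKey derives the identity private key d = s + H(ID) mod n for one identifier (step A2).
func (k *Kgc) DeviceKey(id string) *ecdsa.PrivateKey {
	d := new(big.Int).Mod(new(big.Int).Add(k.s, hashID(id)), curve.Params().N)
	x, y := curve.ScalarBaseMult(d.Bytes())
	return &ecdsa.PrivateKey{PublicKey: ecdsa.PublicKey{Curve: curve, X: x, Y: y}, D: d}
}

// DevicePublic recomputes D = S + H(ID)*G from the public parameter and identifier alone (no certificate).
func DevicePublic(S *ecdsa.PublicKey, id string) *ecdsa.PublicKey {
	hx, hy := curve.ScalarBaseMult(hashID(id).Bytes())
	x, y := curve.Add(S.X, S.Y, hx, hy)
	return &ecdsa.PublicKey{Curve: curve, X: x, Y: y}
}

type Equipment struct{ Maker string; KeyHash [32]byte } // on-chain record written in step A3

// Ledger is an in-memory stand-in for the consensus-synchronised chain that all three parties read.
type Ledger struct {
	params    map[string]*ecdsa.PublicKey // manufacturer name -> public parameter S
	equipment map[string]Equipment        // identifier -> (manufacturer, key hash)
}

func NewLedger() *Ledger {
	return &Ledger{params: map[string]*ecdsa.PublicKey{}, equipment: map[string]Equipment{}}
}

// RegisterManufacturer is the manufacturer access registration with its uniqueness check.
func (l *Ledger) RegisterManufacturer(name string, k *Kgc) error {
	if _, dup := l.params[name]; dup {
		return errors.New("manufacturer already registered: " + name)
	}
	l.params[name] = k.S
	return nil
}

// Provision runs steps A1-A4: uniqueness check, key derivation, key hash on chain, key to device.
func (l *Ledger) Provision(maker string, k *Kgc, id string) (*ecdsa.PrivateKey, error) {
	if _, dup := l.equipment[id]; dup {
		return nil, errors.New("A1: identifier already on chain: " + id)
	}
	key := k.DeviceKey(id)
	l.equipment[id] = Equipment{Maker: maker, KeyHash: sha256.Sum256(key.D.Bytes())}
	return key, nil // A4's encrypted delivery to the device is out of scope here
}

// DeviceSign is the device's reply in step B1/C1; the nonce is an added freshness assumption.
func DeviceSign(key *ecdsa.PrivateKey, id, nonce string) ([]byte, error) {
	h := sha256.Sum256([]byte(id + "|" + nonce))
	return ecdsa.SignASN1(rand.Reader, key, h[:])
}

// Authenticate runs steps B2-B4 (C2-C4 are identical): identifier on chain, parameter on chain, signature.
func (l *Ledger) Authenticate(id, nonce string, sig []byte) error {
	rec, ok := l.equipment[id]
	if !ok {
		return errors.New("B2: identifier not on chain")
	}
	S, ok := l.params[rec.Maker]
	if !ok {
		return errors.New("B3: manufacturer public parameter not on chain")
	}
	h := sha256.Sum256([]byte(id + "|" + nonce))
	if !ecdsa.VerifyASN1(DevicePublic(S, id), h[:], sig) {
		return errors.New("B4: signature does not verify under manufacturer parameters")
	}
	return nil
}
```

A device provisioned by a KGC whose public parameter was never registered on the chain fails at B4 even though its identifier is present, which is the counterfeit case the shared chain is meant to catch.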
The invention further solves the technical problem of providing a system for executing the blockchain-based method for the supervision and authentication of networked equipment. By applying the supervision and authentication method in combination with blockchain consensus-sharing technology, chained supervision and authentication can be realized for each stage of the actual production, sale and use of networked equipment, so that the security of networked equipment in practical use is effectively guaranteed.
The invention adopts the following technical scheme to solve this problem. A system for executing the blockchain-based method for the supervision and authentication of networked equipment is designed, in which the equipment manufacturer comprises, in addition to the manufacturer blockchain node of the corresponding blockchain, an IBC key management infrastructure and an encryption/decryption module corresponding to the equipment manufacturer. The IBC key management infrastructure contains the public parameter service of the cryptographic service adopted by the equipment manufacturer, and the manufacturer blockchain node is connected to and communicates with the corresponding IBC key management infrastructure, the public parameter service and the encryption/decryption module. The method for constructing the identity private key in the production stage comprises the following steps:
Step A1: the equipment manufacturer obtains the unique identification information of the networked equipment and applies for a key from the corresponding IBC key management infrastructure based on the identification information. The public parameter service in the IBC key management infrastructure then applies to the manufacturer blockchain node of the blockchain corresponding to the equipment manufacturer for a check of the uniqueness and legality of the identification information; the manufacturer blockchain node performs the check against the data on the blockchain and returns the result to the corresponding IBC key management infrastructure. If the check fails, construction of the identity private key of the networked equipment fails; if it succeeds, step A2 is entered.
Step A2: the IBC key management infrastructure queries and obtains the public parameters of the cryptographic service adopted by the equipment manufacturer through its public parameter service, generates the identity private key corresponding to the identification information in combination with the private key of the corresponding IBC key management infrastructure, and enters step A3.
Step A3: the IBC key management infrastructure obtains the key hash of the identity private key, constructs the correspondence between the identification information and the key hash, and stores it on the blockchain through the manufacturer blockchain node; the supervision blockchain node and the use blockchain node of the blockchain corresponding to the supervisory authority and the using organization respectively achieve consensus synchronization of the data stored on the blockchain, and step A4 is entered.
Step A4: the IBC key management infrastructure encrypts the identity private key and sends the encrypted identity private key to the networked equipment, which receives and decrypts it to obtain the identity private key and installs it, completing the construction of the identity private key in the production stage of the networked equipment.
In a preferred embodiment of the invention, the supervisory authority comprises, in addition to the supervision blockchain node of the corresponding blockchain, an IBC key management infrastructure and an encryption/decryption module corresponding to the supervisory authority. The IBC key management infrastructure contains a public parameter service, and the supervision blockchain node is connected to and communicates with the corresponding IBC key management infrastructure, the public parameter service and the encryption/decryption module. The supervision and authentication method for the sales stage comprises the following step:
In step B3, the supervisory authority obtains the public parameters of the cryptographic service adopted by the equipment manufacturer corresponding to the identification information by querying the blockchain through the public parameter service in the corresponding IBC key management infrastructure.
In a preferred embodiment of the invention, the using organization comprises, in addition to the use blockchain node of the corresponding blockchain, an IBC key management infrastructure and an encryption/decryption module corresponding to the using organization. The IBC key management infrastructure contains a public parameter service, and the use blockchain node is connected to and communicates with the corresponding IBC key management infrastructure, the public parameter service and the encryption/decryption module. The authentication method for the use stage comprises the following step:
In step C3, the using organization obtains the public parameters of the cryptographic service adopted by the equipment manufacturer corresponding to the identification information by querying the blockchain through the public parameter service in the corresponding IBC key management infrastructure.
In a preferred embodiment of the invention, the networked equipment comprises the device itself and a cryptographic module, the cryptographic module being used to store the identity private key.
Compared with the prior art, the blockchain-based method and system for the supervision and authentication of networked equipment have the following technical effects:
(1) the invention designs a blockchain-based method and system for the supervision and authentication of networked equipment which introduce the blockchain as storage, realize an IBC key infrastructure service with distributed user registration through a shared consensus mechanism, ensure the uniqueness of identities more efficiently, improve the stability and openness of the system, and meet the security requirements of full-life-cycle equipment management, such as registration and identity authentication, for equipment manufacturers, supervisory authorities and using organizations in each stage of the production, sale and use of large-scale intelligent terminals and networked equipment. The overall design does not depend on a single organization; every party can check and trace the data, the data is difficult to tamper with, and the security of networked equipment in practical use is effectively guaranteed;
(2) compared with certificate-based authentication, the blockchain-based method and system do not depend on a single organization or on directly trusting a manufacturer's PKI; they establish trusted, searchable information shared by all parties, meet the requirements of equipment authentication, reduce the possibility of counterfeit equipment and make equipment traceable;
(3) the invention designs a blockchain-based method and system for the supervision and authentication of networked equipment which, by establishing an identifier-based IBC key management infrastructure and storing the related information through a blockchain consensus algorithm so that it cannot be tampered with, provide a trusted infrastructure for manufacturers, supervisory authorities and users, realize trusted authentication of equipment identifiers, and meet the requirements for secure access authentication of equipment in every stage.
Drawings
FIG. 1 is a schematic diagram of the system architecture designed to implement the blockchain-based method for the supervision and authentication of networked equipment;
FIG. 2 is a functional block diagram of the system configured to perform the blockchain-based method for the supervision and authentication of networked equipment according to the present invention;
FIG. 3 is a schematic diagram of the construction of the identity private key in the production stage in the blockchain-based method for the supervision and authentication of networked equipment of the present invention;
FIG. 4 is a schematic diagram of the sales-stage supervision and authentication in the blockchain-based method for the supervision and authentication of networked equipment of the present invention;
FIG. 5 is a schematic diagram of the use-stage authentication in the blockchain-based method for the supervision and authentication of networked equipment of the present invention.
Detailed Description
The following description will explain embodiments of the present invention in further detail with reference to the accompanying drawings.
The invention designs a block chain-based networking equipment supervision authentication method and system, which are used for realizing supervision authentication on networking equipment aiming at intelligent equipment or IT/OT equipment serving as the networking equipment; in practical application, as shown in fig. 1, for an equipment manufacturer, a supervisory organization and a use organization of a networked device, the equipment manufacturer is specifically designed to include a manufacturer block chain node of a corresponding block chain, and an IBC key management infrastructure and an encryption and decryption module corresponding to the equipment manufacturer; the IBC key management infrastructure contains public parameter service of encryption service adopted by equipment manufacturers, and manufacturer block chain nodes are respectively connected and communicated with the corresponding IBC key management infrastructure, the public parameter service and the encryption and decryption modules.
The design supervision mechanism comprises a supervision block chain node of a corresponding block chain, IBC key management infrastructure and an encryption and decryption module which correspond to the supervision mechanism; the IBC key management infrastructure contains public parameter service, and the monitoring block chain nodes are respectively connected and communicated with the corresponding IBC key management infrastructure, the public parameter service and the encryption and decryption module; the design using mechanism comprises a using block chain node of a corresponding block chain, IBC key management infrastructure corresponding to the using mechanism and an encryption and decryption module; the IBC key management infrastructure contains public parameter service, and the monitoring block chain nodes are respectively connected with the corresponding IBC key management infrastructure, the public parameter service and the encryption and decryption module for communication.
In addition, in practical application, the device and the cryptographic module are further specifically designed for the networking device, and the cryptographic module is used for storing the identification private key.
In practical application, the present invention further combines a block chain conforming to the IBC key management specification and the data consensus sharing protocol, and performs practical application as shown in fig. 2, wherein the overall system function includes a data consensus layer, a service layer, a public parameter service, security management and security protection, and an application layer.
A data consensus layer: the method realizes node registration and selection, identification data uplink storage, data consensus synchronization, quick retrieval and basic encryption and decryption services.
And (4) a service layer: IBC key management infrastructure functions: realizing the management functions related to the key such as manufacturer management, identification registration, logout, update, key random number generation, SM9 key generation and the like
The public parameter service: providing identification inquiry, SM9 public parameter inquiry function
Safety management and safety protection: authorization management, access control, log audit, monitoring services
An application layer: the service functions of equipment identification management, equipment authentication, equipment detection, equipment tracing and the like are realized, and the actual service requirements are met.
In practical application, the access of a device manufacturer to the whole designed system is performed according to the following process, which realizes the access registration application of the device manufacturer.
The device manufacturer submits its manufacturer information and the public parameters of the encryption service adopted by its IBC service to the supervisory authority as its access registration application. The supervisory authority checks the uniqueness and legality of the manufacturer information; if the check fails, the access registration application of the device manufacturer fails. If the check succeeds, the access registration of the device manufacturer is completed: the manufacturer registration information and the public parameters of the encryption service adopted by the manufacturer's IBC service are stored on the blockchain through the manufacturer blockchain node of the blockchain corresponding to the device manufacturer, and the supervision blockchain node and the using blockchain node of the blockchain, corresponding to the supervisory authority and the using organization respectively, obtain consensus synchronization of the stored data.
With the device manufacturer, the supervisory authority and the using organization designed as above, and the device manufacturer registered in the whole designed system, in practical application the following steps A1 to A4 are executed, as shown in fig. 3, to realize the construction of the identification private key in the production link; thereafter, based on the consensus sharing of data on the blockchain, the supervision authentication of the networking device by the supervisory authority and the use authentication by the using organization are realized.
Step A1, the device manufacturer obtains the unique identification information of the networking device and applies for a key from the corresponding IBC key management infrastructure based on that identification information; the IBC key management infrastructure, through its public parameter service, then applies to the manufacturer blockchain node of the blockchain corresponding to the device manufacturer for a check of the uniqueness and legality of the identification information, and the manufacturer blockchain node performs the check against the data on the blockchain and returns the result to the corresponding IBC key management infrastructure. If the check fails, the construction of the networking device identification private key fails; if the check succeeds, step A2 is entered.
Step A2, the IBC key management infrastructure queries and obtains the public parameters of the encryption service adopted by the device manufacturer through its public parameter service, generates the identification private key corresponding to the identification information by combining them with the private key of the corresponding IBC key management infrastructure, and enters step A3. In practical application, the SM9 key generation algorithm may specifically be applied to generate the identification private key corresponding to the identification information.
Step A3, the IBC key management infrastructure obtains the key hash of the identification private key, establishes the correspondence between the identification information and the key hash, and stores this correspondence on the blockchain through the manufacturer blockchain node, so that the supervision blockchain node and the using blockchain node of the blockchain, corresponding to the supervisory authority and the using organization respectively, obtain consensus synchronization of the data stored on the blockchain; then step A4 is entered.
Step A4, the IBC key management infrastructure encrypts the identification private key and sends the encrypted identification private key to the networking device; the networking device receives and decrypts it to obtain the identification private key and adds it to its cryptographic module, thereby completing the construction of the identification private key in the production link of the networking device.
In practical implementation, in step A4 the device manufacturer is further designed to encrypt the identification private key for transmission, send the encrypted identification private key to the networking device, and have the networking device receive and decrypt it and add the identification private key to the networking device. This design adds an encryption operation to the communication between the device manufacturer and the networking device, so that the security of data transmission in this link is ensured.
In practical application, after the production link identification private key construction method based on steps A1 to A4 has been implemented, the intervention in the production link of the networking device is complete and the sales link of the networking device is entered. In this link, as shown in fig. 4, based on the consensus sharing of data on the blockchain, the supervisory authority executes the following steps B1 to B4 to realize the sales link supervision authentication method.
Step B1, the supervisory authority requests the identification information from the networking device; the networking device signs the identification information with the identification private key held in the networking device and returns the identification information and the signature to the supervisory authority; then step B2 is entered.
Step B2, the supervisory authority uses the supervision blockchain node of the corresponding blockchain to determine whether the identification information exists on the blockchain; if so, step B3 is entered; otherwise, the supervision authentication of the networking device fails.
Step B3, the supervisory authority, through the public parameter service in its corresponding IBC key management infrastructure, queries the blockchain and obtains the public parameters of the encryption service adopted by the device manufacturer corresponding to the identification information; then step B4 is entered.
Step B4, the supervisory authority verifies the signature according to the public parameters; if the verification succeeds, the networking device passes the supervision authentication; if the verification fails, the networking device fails the supervision authentication.
In practice, the encryption and decryption module of the supervisory authority is used for, but not limited to, the encryption and decryption involved in manufacturer registration and in storing data on the blockchain.
After the supervision authentication of the sales link of the networking device, the use link of the networking device is entered. For this link, as shown in fig. 5, based on the consensus sharing of data on the blockchain, the using organization executes the following steps C1 to C4 to realize the use link authentication method.
Step C1, the networking device is powered on and connects to the access gateway of the using organization, signs its identification information with the identification private key held in the networking device, and sends the identification information and the signature to the access gateway of the using organization; then step C2 is entered.
Step C2, the using organization uses the using blockchain node of the corresponding blockchain to determine whether the identification information exists on the blockchain; if so, step C3 is entered; otherwise, the use authentication of the networking device fails.
Step C3, the using organization, through the public parameter service in its corresponding IBC key management infrastructure, queries the blockchain and obtains the public parameters of the encryption service adopted by the device manufacturer corresponding to the identification information; then step C4 is entered.
Step C4, the using organization verifies the signature according to the public parameters; if the verification succeeds, the networking device passes the use authentication and this result is fed back to the networking device; if the verification fails, the networking device fails the use authentication and this result is fed back to the networking device.
In practical application, the encryption and decryption module of the using organization is used for, but not limited to, updating the key of the device's use environment.
After the authenticated access of the networking device to the using organization according to steps C1 to C4, the following steps D1 to D2 are further executed to realize service interaction in the secured state of the networking device.
Step D1, the networking device applies to the access gateway of the using organization for service interaction, the access gateway performs access control on the application, and step D2 is entered.
Step D2, the access gateway forwards the service interaction application of the networking device to the corresponding service application; the service application responds, and the response is forwarded to the networking device through the access gateway.
According to the blockchain-based networking device supervision authentication method and system, the blockchain is introduced as storage and a distributed, user-registered IBC key infrastructure service is realized through a shared negotiation mechanism. This ensures the uniqueness of identities more efficiently, improves the stability and openness of the system, and provides security guarantees for full life-cycle device management (registration, identity authentication and the like) to device manufacturers, supervisory authorities and using organizations in all links of the production, sale and use of large-scale intelligent terminals and networking devices. The whole design does not depend on a single organization; the data can be checked and traced by every party and is difficult to tamper with, so the security of the networking device in actual operation is effectively ensured.
Compared with certificate authentication, the method does not rely on a single organization or on directly trusting a manufacturer PKI; it establishes trusted, searchable information shared by all parties, meets the requirements of device authentication, reduces the possibility of device counterfeiting, and makes devices traceable. In addition, by establishing an identifier-based IBC key management infrastructure and storing the related information tamper-resistantly through the blockchain consensus algorithm, it provides a trusted infrastructure for manufacturers, supervisory authorities and users, realizes trusted authentication of device identifiers, and meets the requirements for secure access authentication of devices in each link.
The embodiments of the present invention have been described in detail with reference to the drawings, but the present invention is not limited to the above embodiments, and various changes can be made within the knowledge of those skilled in the art without departing from the gist of the present invention.

Claims (10)

1. A networking device supervision authentication method based on blockchain technology, used for realizing supervision authentication of networking devices, the networking devices being intelligent devices or IT/OT devices, characterized in that: based on a device manufacturer of the networking device and a blockchain conforming to an IBC key management specification and a data consensus sharing protocol, the following steps A1 to A4 are executed to realize a method for constructing the identification private key in the production link; and, based on the consensus sharing of data on the blockchain, the supervision authentication of the networking device by a supervisory authority and a using organization is realized;
step A1, the device manufacturer obtains the unique identification information of the networking device, and the manufacturer blockchain node of the blockchain corresponding to the device manufacturer checks the uniqueness and legality of the identification information against the data on the blockchain; if the check fails, the construction of the networking device identification private key fails; if the check succeeds, step A2 is entered;
step A2, the IBC service of the device manufacturer generates an identification private key corresponding to the identification information according to the public parameters of the adopted encryption service and the private key of the corresponding IBC key management, and step A3 is entered;
step A3, the device manufacturer obtains the key hash of the identification private key, constructs the correspondence between the identification information and the key hash, and stores the correspondence on the blockchain through the manufacturer blockchain node, so that the supervision blockchain node and the using blockchain node of the blockchain, corresponding to the supervisory authority and the using organization respectively, obtain consensus synchronization of the data stored on the blockchain; then step A4 is entered;
step A4, the device manufacturer adds the identification private key to the networking device, realizing the construction of the identification private key in the production link of the networking device.
2. The blockchain-based networking device supervision authentication method according to claim 1, characterized in that the device manufacturer realizes its access registration application according to the following process:
the device manufacturer submits its manufacturer information and the public parameters of the encryption service adopted by its IBC service to the supervisory authority as its access registration application; the supervisory authority checks the uniqueness and legality of the manufacturer information; if the check fails, the access registration application of the device manufacturer fails; if the check succeeds, the access registration of the device manufacturer is completed, the manufacturer registration information and the public parameters of the encryption service adopted by the manufacturer's IBC service are stored on the blockchain through the manufacturer blockchain node of the blockchain corresponding to the device manufacturer, and the supervision blockchain node and the using blockchain node of the blockchain, corresponding to the supervisory authority and the using organization respectively, obtain consensus synchronization of the stored data.
3. The blockchain-based networking device supervision authentication method according to claim 1, characterized in that in step A4, the device manufacturer encrypts the identification private key for transmission and sends the encrypted identification private key to the networking device; the networking device receives and decrypts it and adds the identification private key to the networking device.
4. The blockchain-based networking device supervision authentication method according to claim 2 or 3, characterized in that, based on the consensus sharing of data on the blockchain, the supervisory authority executes the following steps B1 to B4 to realize the sales link supervision authentication method;
step B1, the supervisory authority requests the identification information from the networking device; the networking device signs the identification information with the identification private key held in the networking device and returns the identification information and the signature to the supervisory authority; then step B2 is entered;
step B2, the supervisory authority uses the supervision blockchain node of the corresponding blockchain to determine whether the identification information exists on the blockchain; if so, step B3 is entered; otherwise, the supervision authentication of the networking device fails;
step B3, the supervisory authority queries the blockchain and obtains the public parameters of the encryption service adopted by the device manufacturer corresponding to the identification information, and then step B4 is entered;
step B4, the supervisory authority verifies the signature according to the public parameters; if the verification succeeds, the networking device passes the supervision authentication; if the verification fails, the networking device fails the supervision authentication.
5. The blockchain-based networking device supervision authentication method according to claim 2 or 3, characterized in that, based on the consensus sharing of data on the blockchain, the using organization executes the following steps C1 to C4 to realize the use link authentication method;
step C1, the networking device is powered on and connects to the access gateway of the using organization, signs its identification information with the identification private key held in the networking device, and sends the identification information and the signature to the access gateway of the using organization; then step C2 is entered;
step C2, the using organization uses the using blockchain node of the corresponding blockchain to determine whether the identification information exists on the blockchain; if so, step C3 is entered; otherwise, the use authentication of the networking device fails;
step C3, the using organization queries the blockchain and obtains the public parameters of the encryption service adopted by the device manufacturer corresponding to the identification information, and then step C4 is entered;
step C4, the using organization verifies the signature according to the public parameters; if the verification succeeds, the networking device passes the use authentication and this result is fed back to the networking device; if the verification fails, the networking device fails the use authentication and this result is fed back to the networking device.
6. The blockchain-based networking device supervision authentication method according to claim 5, characterized in that after the use link authentication method has been realized by the using organization executing steps C1 to C4, the method further comprises the following steps D1 to D2;
step D1, the networking device applies to the access gateway of the using organization for service interaction, the access gateway performs access control on the application, and step D2 is entered;
step D2, the access gateway forwards the service interaction application of the networking device to the corresponding service application; the service application responds, and the response is forwarded to the networking device through the access gateway.
7. A system for performing the blockchain-based networking device supervision authentication method of claim 6, characterized in that: the device manufacturer comprises, besides the manufacturer blockchain node of the corresponding blockchain, an IBC key management infrastructure and an encryption and decryption module corresponding to the device manufacturer; the IBC key management infrastructure contains a public parameter service for the encryption service adopted by the device manufacturer, and the manufacturer blockchain node is connected to and communicates with the corresponding IBC key management infrastructure, the public parameter service and the encryption and decryption module; the method for constructing the production link identification private key comprises the following steps:
step A1, the device manufacturer obtains the unique identification information of the networking device and applies for a key from the corresponding IBC key management infrastructure based on that identification information; the IBC key management infrastructure, through its public parameter service, then applies to the manufacturer blockchain node of the blockchain corresponding to the device manufacturer for a check of the uniqueness and legality of the identification information, and the manufacturer blockchain node performs the check against the data on the blockchain and returns the result to the corresponding IBC key management infrastructure; if the check fails, the construction of the networking device identification private key fails; if the check succeeds, step A2 is entered;
step A2, the IBC key management infrastructure queries and obtains the public parameters of the encryption service adopted by the device manufacturer through its public parameter service, generates the identification private key corresponding to the identification information by combining them with the private key of the corresponding IBC key management infrastructure, and enters step A3;
step A3, the IBC key management infrastructure obtains the key hash of the identification private key, constructs the correspondence between the identification information and the key hash, and stores the correspondence on the blockchain through the manufacturer blockchain node; the supervision blockchain node and the using blockchain node of the blockchain, corresponding to the supervisory authority and the using organization respectively, realize consensus synchronization of the data stored on the blockchain; then step A4 is entered;
step A4, the IBC key management infrastructure encrypts the identification private key and sends the encrypted identification private key to the networking device; the networking device receives and decrypts it to obtain the identification private key and adds the identification private key to the networking device, realizing the construction of the identification private key in the production link of the networking device.
8. The system for performing the blockchain-based networking device supervision authentication method according to claim 7, characterized in that: the supervisory authority comprises, besides the supervision blockchain node of the corresponding blockchain, an IBC key management infrastructure and an encryption and decryption module corresponding to the supervisory authority; the IBC key management infrastructure contains a public parameter service, and the supervision blockchain node is connected to and communicates with the corresponding IBC key management infrastructure, the public parameter service and the encryption and decryption module; the sales link supervision authentication method comprises the following:
in step B3, the supervisory authority, through the public parameter service in its corresponding IBC key management infrastructure, queries the blockchain and obtains the public parameters of the encryption service adopted by the device manufacturer corresponding to the identification information.
9. The system for performing the blockchain-based networking device supervision authentication method according to claim 7, characterized in that: the using organization comprises, besides the using blockchain node of the corresponding blockchain, an IBC key management infrastructure and an encryption and decryption module corresponding to the using organization; the IBC key management infrastructure contains a public parameter service, and the using blockchain node is connected to and communicates with the corresponding IBC key management infrastructure, the public parameter service and the encryption and decryption module; the use link authentication method comprises the following:
in step C3, the using organization, through the public parameter service in its corresponding IBC key management infrastructure, queries the blockchain and obtains the public parameters of the encryption service adopted by the device manufacturer corresponding to the identification information.
10. The system for performing the blockchain-based networking device supervision authentication method according to claim 7, characterized in that: the networking device comprises the device and a cryptographic module, the cryptographic module being used to store the identification private key.
CN202110337101.8A 2021-03-30 2021-03-30 Block chain-based networking equipment supervision authentication method and system Active CN112804356B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110337101.8A CN112804356B (en) 2021-03-30 2021-03-30 Block chain-based networking equipment supervision authentication method and system

Publications (2)

Publication Number Publication Date
CN112804356A true CN112804356A (en) 2021-05-14
CN112804356B CN112804356B (en) 2021-07-23

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant