CN116170806A - Smart power grid LWM2M protocol security access control method and system - Google Patents
Publication number: CN116170806A (application CN202211562044.4A)
Authority: CN (China)
Legal status: Granted
Classifications
- H04W12/08: Access security (H: Electricity; H04: Electric communication technique; H04W: Wireless communication networks; H04W12/00: Security arrangements, authentication, protecting privacy or anonymity)
- H04W12/02: Protecting privacy or anonymity, e.g. protecting personally identifiable information [PII]
- H04W12/06: Authentication
- H04W12/088: Access security using filters or firewalls
- H04W12/121: Wireless intrusion detection systems [WIDS]; wireless intrusion prevention systems [WIPS] (under H04W12/12: Detection or prevention of fraud)
- H04W12/122: Counter-measures against attacks; protection against rogue devices
- H04W12/126: Anti-theft arrangements, e.g. protection against subscriber identity module [SIM] cloning
- Y04S40/20: Information technology specific aspects, e.g. CAD, simulation, modelling, system security (Y04S: Systems integrating technologies related to power network operation, communication or information technologies for improving electrical power generation, transmission, distribution, management or usage, i.e. smart grids; Y04S40/00: Systems for electrical power generation, transmission, distribution or end-user application management characterised by the use of communication or information technologies)
Abstract
The invention discloses an SDP-based smart grid LWM2M protocol security access control method and system. An access requester sends an SPA packet to an SDP controller; the SDP controller authenticates the requester from the information in the SPA packet and, if the identity is legitimate, authorizes this access; otherwise the requester's IP address is blocked. Secondary authentication: if authorization succeeds, the SDP controller sends service information to the requester and sends the requester's authentication information to the SDP gateway and the responder; the requester then sends an SPA packet to the SDP gateway according to the service information; the gateway cross-verifies the authentication information against the SPA packet; if verification passes, the designated service port is opened; and the requester accesses the responder through the designated service port. This realizes the zero-trust interaction mode of 'authenticate first, then connect', and thereby secure communication access between the smart meter terminal and the server.
Description
Technical Field
The invention relates to the field of secure communication control in smart grids, in particular to an SDP-based secure access control method and system for the smart grid LWM2M protocol.
Background
In recent years, mobile edge computing (MEC) has evolved rapidly as an emerging information computing service. Compared with the traditional cloud computing architecture, MEC is a three-layer cloud-edge-device framework that can provide faster and more reliable computing services in most current Internet of Things scenarios. There are already a number of specific research cases on applying mobile edge computing in smart grid systems; a smart grid system that combines MEC with the traditional grid can support massive numbers of Internet of Things terminals across the six links of power generation, transmission, transformation, distribution, consumption and scheduling.
However, because smart meter terminals are widely deployed outdoors and communicate largely over public wireless networks, communication between the smart meter terminal and the MEC server carries many potential security risks, such as physical access, physical attack, wireless data leakage, message tampering and message replay.
Disclosure of Invention
The invention aims to provide an SDP-based secure access control method and system for the smart grid LWM2M protocol that realize secure communication between the meter terminal and the MEC server in a smart grid system.
The software defined perimeter (SDP) is a network framework developed by the Cloud Security Alliance (CSA) on the concept of zero trust. It follows the software-defined networking model, in which the data plane and control plane of the network are separated. Compared with the traditional 'connect first, then authenticate' mode, SDP adopts a 'need-to-know' model and applies the principle of least privilege on top of it: a user obtains the minimum privilege required to access devices and resources only after identity authentication and authorization, i.e. 'authenticate first, then connect'. Only devices with the SDP client installed can access the dedicated applications and data, which gives good protection against many network-based attacks, including server scanning, denial of service and man-in-the-middle attacks.
The technical solution is as follows. To solve the above technical problems, the invention adopts the following technical solution:
In a first aspect, the invention provides an SDP-based smart grid LWM2M protocol security access control method, comprising the following steps:
primary authentication:
the access requester encrypts and packages the information required for the system's identity verification into an SPA packet and sends it to the SDP controller;
the SDP controller performs identity authentication on the information in the SPA packet; in response to the requester's identity being legitimate, it authorizes this access; in response to the identity being illegitimate, the SDP controller blocks the IP address from which the requester accessed;
secondary authentication:
in response to successful authorization, the SDP controller sends service information to the corresponding access requester and sends the requester's authentication information to the SDP gateway; in response to receiving the service information, the access requester sends an SPA packet to the SDP gateway;
in response to receiving the authentication information and the SPA packet, the SDP gateway cross-verifies the authentication information against the SPA packet; in response to verification failing, it blocks the requester's IP address for this access; in response to verification passing, it updates the system firewall rules and opens the designated service port for the requester for a set time;
and the access requester accesses the responder through the designated service port.
In some embodiments, the SPA packet includes three parts:
the first part is the IP address of the access requester;
the second part is the requester's basic information and LwM2M information: the basic information comprises a user ID, a random number, a timestamp, a message type and message content, and the LwM2M information comprises a request mode, an access target and a DTLS encryption mode;
the third part is the hash-based message authentication code (HMAC) key.
In some embodiments, the SPA packets are encrypted using the Rijndael algorithm.
In some embodiments, the SDP controller authenticating the access requester from the SPA packet comprises:
the SDP controller parses the SPA packet to obtain the requester's user ID, IP address, random number, timestamp, message type, request mode, access target and DTLS encryption mode;
the SDP controller queries users by the requester's user ID and IP address and determines whether the corresponding user exists in the system;
based on the five-dimensional attribute trust evaluation model, the trust of this access is calculated from the random number, timestamp, message type, request mode, access target and DTLS encryption mode, and compared with a preset threshold;
in response to the corresponding user existing in the system and the trust of this access exceeding the preset threshold, identity authentication succeeds.
In some embodiments, calculating the trust of the access based on the five-dimensional attribute trust evaluation model during identity authentication means:
comprehensively evaluating the trust value of the access from the five attribute dimensions of the access process, namely subject, object, environment, behavior and operation;
with a separate set of evaluation indices for each attribute.
In some embodiments, the trust model of the five-dimensional attribute is:
where $T_n(t,z)$ represents the trust of each attribute of the requester within timestamp $t$; $N$ denotes the set of evaluation attributes, $N = \{\text{subject}, \text{object}, \text{environment}, \text{behavior}, \text{operation}\}$; $J_n$ denotes the set of trust values $Z_{j,t}$ corresponding to each evaluation index at timestamp $t$, $J_n = \{Z_{1,t}, Z_{2,t}, \ldots, Z_{j,t}\}$; and $\alpha_j$ weights each evaluation index by the entropy method:
where $k = 1/\ln(J)$;
the integrated trust $T(t,z)$ of the requester within timestamp $t$ is the weighted sum of the trust of each attribute within that timestamp:
where $\beta_n$ weights each attribute dimension, again by the entropy method.
In some embodiments, the SDP gateway cross-verifying the authentication information against the SPA packet comprises:
one side of the gateway's cross-verification in secondary authentication is the requester information that the SDP controller obtained by parsing the SPA packet and then sent to the gateway; the other side is parsed by the SDP gateway from the further SPA packet sent by the requester;
the authentication information comprises the requester information obtained by the SDP controller from parsing the SPA packet, which includes a first user ID and a first IP address;
the SDP gateway receives the SPA packet sent by the access requester and parses it to obtain a second user ID and a second IP address;
the SDP gateway compares the first user ID and first IP address with the second user ID and second IP address to obtain a comparison result;
if the two differ, cross-verification fails; if they are the same, cross-verification succeeds.
In a second aspect, an SDP-based smart grid LWM2M protocol security access control system, the system comprising: a smart meter terminal as one of the access requester and the responder, and an MEC server as the other of the access requester and the responder; an SDP controller and an SDP gateway;
the system is further provided with a smart grid communication network and a smart grid security access control protocol to realize the smart grid LWM2M protocol security access control method so as to realize secure bidirectional communication in the smart grid.
The smart grid communication network comprises an edge device layer and a smart grid terminal layer: the smart grid terminal layer comprises a plurality of smart meter terminals, and the edge device layer comprises an edge computing server that manages the smart meter terminals;
the bidirectional secure communication in the smart grid includes: a communication link from the smart meter terminal to the MEC server, for secure reporting by the smart meter terminal to the MEC server; and a communication link from the MEC server to the smart meter terminal, for access control operations by the MEC server on the smart meter terminal.
In a third aspect, the invention provides an SDP-based smart grid LWM2M protocol security access control system, which comprises a processor and a storage medium;
the storage medium is used for storing instructions;
the processor is configured to operate in accordance with the instructions to perform the steps of the method according to the first aspect.
In a fourth aspect, the present invention provides a storage medium having stored thereon a computer program which when executed by a processor performs the steps of the method of the first aspect.
Compared with the prior art, the invention has the following beneficial effects:
against the background of communication interaction in a smart grid system, the access requester must first send an SPA packet to the SDP controller over the whole communication access process; the SDP controller authenticates the requester and, once authentication succeeds, sends authentication information to the gateway and the responder respectively; the gateway then performs secondary authentication of the requester, and data interaction can take place only after it succeeds. This realizes the zero-trust interaction mode of 'authenticate first, then connect' and secure access between the smart meter terminal and the server.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings that are needed in the description of the embodiments of the present invention will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and other drawings can be obtained according to these drawings without inventive effort for a person of ordinary skill in the art.
Fig. 1 is a flowchart of an LWM2M protocol security access control method of a smart grid based on SDP according to a preferred embodiment of the present invention;
fig. 2 is a schematic diagram of a communication architecture of an LWM2M protocol security access control system for an SDP-based smart grid according to a preferred embodiment of the present invention.
Detailed Description
The following description of the embodiments of the present invention will be made clearly and completely with reference to the accompanying drawings, in which it is apparent that the embodiments described are only some embodiments of the present invention, but not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
Terms used in this application: software defined perimeter (SDP), single packet authorization (SPA) and hash-based message authentication code (HMAC).
Example 1
The SDP-based smart grid LWM2M protocol security access control method comprises the following steps:
primary authentication:
the access requester encrypts and packages the information required for the system's identity verification into an SPA packet and sends it to the SDP controller;
the SDP controller performs identity authentication on the information in the SPA packet; in response to the requester's identity being legitimate, it authorizes this access; in response to the identity being illegitimate, the SDP controller blocks the IP address from which the requester accessed;
secondary authentication:
in response to successful authorization, the SDP controller sends service information to the corresponding access requester and sends the requester's authentication information to the SDP gateway; in response to receiving the service information, the access requester sends an SPA packet to the SDP gateway;
in response to receiving the authentication information and the SPA packet, the SDP gateway cross-verifies the authentication information against the SPA packet; in response to verification failing, it blocks the requester's IP address for this access; in response to verification passing, it updates the system firewall rules and opens the designated service port for the requester for a set time;
and the access requester accesses the responder through the designated service port.
In some embodiments, as shown in fig. 1, the SDP-based smart grid LWM2M protocol security access control method includes:
primary authentication:
the access requester first sends an SPA packet to the SDP controller;
the SDP controller performs identity authentication on the information in the SPA packet; if the requester's identity is legitimate, the SDP controller authorizes the requester's access, and if it is illegitimate, the SDP controller refuses the access;
secondary authentication:
if authorization succeeds, the requester's authentication information is sent to the SDP gateway and the responder, and the requester then sends an SPA packet to the SDP gateway according to the service information;
the gateway cross-verifies the authentication information it holds against the SPA packet; if verification fails, the access is rejected; if it passes, the system firewall rules are updated;
the access requester accesses the responder through the designated service port.
The whole method is set against the background of communication interaction in the smart grid system and provides a communication interaction mode between the smart meter terminal and the MEC server: the access requester must first send an SPA packet to the SDP controller; the SDP controller authenticates the requester and, once authentication succeeds, sends authentication information to the gateway and the responder respectively; the gateway then performs secondary authentication of the requester, and data interaction can take place only after it succeeds. This realizes the zero-trust interaction mode of 'authenticate first, then connect', and secure connection and communication between the smart meter terminal and the server.
Specifically, the SPA packet sent by the access requester to the SDP controller comprises three parts: the first part is the IP address of the requester; the second part is the requester's basic information (user ID, random number, timestamp, message type and message content) and the requester's LwM2M information (request mode, access target and DTLS encryption mode); the third part is the HMAC (hash-based message authentication code) key. SPA packets are typically encrypted with the Rijndael algorithm.
Specifically, the SDP controller authenticates the SPA packet as follows: it parses the packet, first queries the visitor's user ID and IP address, and then calculates the access trust from the random number, timestamp, message type, request mode, access target, DTLS encryption mode and similar data using the five-dimensional attribute trust evaluation model; if the corresponding user is found in the system and the access trust exceeds the threshold, identity authentication succeeds.
The five-dimensional attribute trust evaluation model is explained as follows. The trust value of an access is evaluated comprehensively from the subject, object, environment, behavior and operation of the requester during the access; each dimension is explained below:
(1) Subject. The subject is the party requesting access to the network and resources. It is the core of user identity authentication in traditional networks and is also the first dimension of this scheme: the subject is continuously authenticated and trust-evaluated on attributes such as its device and identity, and its access rights are adjusted according to the trust evaluation level;
(2) Object. The object is the resource being requested, including data, services, interfaces and so on. Different resource grades are defined for the accessed resources, and whether the subject has access rights is judged from the grade of the resource it accesses; a subject with low trust cannot reach a resource of high grade, which protects the resource;
(3) Environment. The environment is the security situation during the network and resource request, including the physical environment (such as the geographic position of the device), the network environment and the computing environment; according to the security situation of the current request, a corresponding trust evaluation is given that influences the subject's access to the object;
(4) Behavior. Behavior covers the historical and current access behavior towards the network and resources; the subject's access behavior is continuously monitored and recorded, the trust of the subject's behavior is considered comprehensively, and the subject's access rights are controlled dynamically;
(5) Operation. Operation refers to the interaction between a smart grid terminal and a server in the smart grid. Different operations affect a resource object differently: the most basic query operation does not affect the resource, while a modifying operation affects it directly. Different operation grades are therefore defined, and a subject with low trust cannot perform an operation of high grade.
The trust calculation model based on the five-dimensional attributes is as follows:
where $N$ denotes the set of evaluation attributes, $N = \{\text{subject}, \text{object}, \text{environment}, \text{behavior}, \text{operation}\}$; $J_n$ denotes the set of trust values $Z_{j,t}$ of the evaluation indices of each attribute at timestamp $t$, $J_n = \{Z_{1,t}, Z_{2,t}, \ldots, Z_{j,t}\}$; and $\alpha_j$ weights each evaluation index by the entropy method, namely:
where $k = 1/\ln(J)$; then $T_n(t,z)$ represents the trust of each attribute of the requester within timestamp $t$;
and the integrated trust $T(t,z)$ of the requester within timestamp $t$ is the weighted sum of the trust of each attribute within that timestamp:
where $\beta_n$ weights each attribute dimension, again by the entropy method;
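As an added example, not from the patent, here is a Python implementation of the entropy-weighted trust model described above, carried through to the authentication decision. Since the patent's equations did not survive extraction, the weighted-sum form of T_n(t,z) and T(t,z), taking k = 1/ln(m) over the m observations in the history window, and the sample history values are all assumptions.

```python
import math

ATTRIBUTES = ("subject", "object", "environment", "behavior", "operation")


def entropy_weights(matrix):
    """Entropy-method weights for the columns (indices) of a window of observations.

    matrix[i][j] is index j at the i-th past timestamp, scaled to [0, 1].
    k = 1/ln(m) with m = number of observations is an assumption: the patent
    writes k = 1/ln(J) but its equations are not reproduced here.
    """
    m, n = len(matrix), len(matrix[0])
    if m < 2:
        return [1.0 / n] * n            # no spread to measure; fall back to equal weights
    k = 1.0 / math.log(m)
    col_sums = [sum(row[j] for row in matrix) for j in range(n)]
    divergence = []
    for j in range(n):
        e = 0.0
        for row in matrix:
            p = row[j] / col_sums[j] if col_sums[j] else 0.0
            if p > 0:
                e -= p * math.log(p)
        divergence.append(1.0 - k * e)   # d_j = 1 - e_j: more spread, more weight
    total = sum(divergence)
    return [d / total for d in divergence] if total > 1e-12 else [1.0 / n] * n


def attribute_trust(alpha, z):
    """T_n(t, z): weighted sum of the attribute's index values (weighted-sum form assumed)."""
    return sum(a * v for a, v in zip(alpha, z))


def access_trust(history, current):
    """Integrated trust T(t, z) of the current access.

    history[attr]: list of past index vectors, one per timestamp; current[attr]: the
    index vector of this access. alpha_j come from the index history, beta_n from the
    history of per-attribute trust values, both by the entropy method.
    """
    alphas = {a: entropy_weights(history[a]) for a in ATTRIBUTES}
    window = len(history[ATTRIBUTES[0]])
    t_hist = [[attribute_trust(alphas[a], history[a][i]) for a in ATTRIBUTES]
              for i in range(window)]
    beta = dict(zip(ATTRIBUTES, entropy_weights(t_hist)))
    t_now = {a: attribute_trust(alphas[a], current[a]) for a in ATTRIBUTES}
    total = sum(beta[a] * t_now[a] for a in ATTRIBUTES)
    return total, t_now, beta


def identity_ok(user_exists, trust, threshold):
    """Primary authentication succeeds only if the user exists and trust exceeds the threshold."""
    return user_exists and trust > threshold


# Constructed history window: four past timestamps, two indices per attribute.
HISTORY = {
    "subject":     [[0.9, 0.8], [0.9, 0.7], [0.9, 0.9], [0.9, 0.6]],
    "object":      [[0.5, 0.5], [0.6, 0.4], [0.7, 0.5], [0.4, 0.5]],
    "environment": [[0.8, 0.3], [0.7, 0.9], [0.8, 0.2], [0.6, 0.8]],
    "behavior":    [[1.0, 0.9], [0.2, 0.9], [0.9, 0.8], [0.3, 0.7]],
    "operation":   [[0.6, 1.0], [0.6, 0.1], [0.6, 1.0], [0.6, 0.2]],
}

if __name__ == "__main__":
    now = {"subject": [0.9, 0.9], "object": [0.5, 0.5], "environment": [0.7, 0.7],
           "behavior": [0.3, 0.3], "operation": [0.6, 0.2]}
    total, per_attr, beta = access_trust(HISTORY, now)
    print("T(t,z) =", round(total, 3), "beta =", {k: round(v, 3) for k, v in beta.items()})
    print("authenticated:", identity_ok(True, total, 0.7))
```

An index that never varies across the window (such as the constant first subject index above) receives zero entropy weight, so a trust score driven by such indices says nothing and the threshold should be set with that in mind.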
Next, one side of the SDP gateway's cross-verification comes from the requester information that the SDP controller obtained by parsing the previous SPA packet and sent on to the gateway; the other side is parsed by the SDP gateway from the further SPA packet sent by the requester. The SDP gateway compares the two: if they differ, access is refused; if they are the same, both are shown to come from the same visitor and cross-verification succeeds. On success the system modifies the firewall rules and opens the designated service port for the requester for a certain time, and the visitor establishes DTLS connection tunnels to the SDP gateway and to the responder, completing the secure access.
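As an added example (not the patent's own code), the following Python models the two-stage exchange described in this embodiment: the requester builds the three-part SPA packet, the SDP controller performs primary authentication and pushes authentication information to the gateway, and the gateway cross-verifies the second SPA packet before opening a time-limited firewall rule. The HMAC key, user registry and ports are constructed; the trust function is a pluggable stand-in for the five-dimensional model; the comparison of the claimed IP with the observed source IP is an added check; and the Rijndael encryption of the packet is omitted because the standard library has no AES.

```python
import hmac
import hashlib
import json
import secrets

# Constructed demo HMAC key (the patent's third SPA part). The patent also encrypts
# the whole packet with Rijndael/AES; the standard library has no AES, so this
# model keeps the fields in the clear and shows only the integrity/auth logic.
HMAC_KEY = b"constructed-demo-key"


def build_spa(user_id, ip, msg_type, content, request_mode, target, dtls_mode, now, key=HMAC_KEY):
    """Assemble the three-part SPA packet: requester IP, basic + LwM2M info, HMAC tag."""
    body = {
        "ip": ip,
        "basic": {"user_id": user_id, "nonce": secrets.token_hex(8), "timestamp": now,
                  "msg_type": msg_type, "content": content},
        "lwm2m": {"request_mode": request_mode, "target": target, "dtls_mode": dtls_mode},
    }
    raw = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, raw, hashlib.sha256).hexdigest().encode()
    return raw + b"." + tag


def parse_spa(packet, now, seen_nonces, max_skew=30, key=HMAC_KEY):
    """Verify the tag, timestamp freshness and nonce uniqueness; return (fields, status)."""
    raw, _, tag = packet.rpartition(b".")
    expected = hmac.new(key, raw, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(tag, expected):
        return None, "bad hmac"
    body = json.loads(raw)
    if abs(now - body["basic"]["timestamp"]) > max_skew:
        return None, "stale timestamp"
    nonce = body["basic"]["nonce"]
    if nonce in seen_nonces:            # replay of an earlier SPA packet
        return None, "replayed nonce"
    seen_nonces.add(nonce)
    return body, "ok"


class SDPController:
    """Primary authentication: user lookup, trust evaluation, push auth info to the gateway."""

    def __init__(self, users, threshold):
        self.users = users              # {(user_id, ip): service port} (constructed registry)
        self.threshold = threshold      # preset trust threshold from the patent
        self.banned = set()
        self.seen = set()

    def primary_auth(self, packet, src_ip, trust_fn, gateway, now):
        if src_ip in self.banned:
            return False, "source banned"
        body, status = parse_spa(packet, now, self.seen)
        if body is None:
            return False, status
        uid, ip = body["basic"]["user_id"], body["ip"]
        port = self.users.get((uid, ip))
        if port is None or ip != src_ip:          # no such user: identity illegitimate
            self.banned.add(src_ip)
            return False, "unknown user or ip"
        if trust_fn(body) < self.threshold:       # five-dimension trust below threshold
            self.banned.add(src_ip)
            return False, "trust below threshold"
        gateway.receive_auth(uid, ip, port)       # authentication info to the gateway
        return True, {"service_port": port}       # service information to the requester


class SDPGateway:
    """Secondary authentication: cross-verify and open the port for a limited time."""

    def __init__(self, ttl):
        self.ttl = ttl                  # seconds the designated port stays open
        self.auth_info = {}             # user_id -> (ip, port) from the controller
        self.rules = {}                 # (ip, port) -> expiry, models the firewall rule table
        self.banned = set()
        self.seen = set()

    def receive_auth(self, user_id, ip, port):
        self.auth_info[user_id] = (ip, port)

    def secondary_auth(self, packet, src_ip, now):
        body, status = parse_spa(packet, now, self.seen)
        if body is None:
            return False, status
        uid2, ip2 = body["basic"]["user_id"], body["ip"]
        first = self.auth_info.get(uid2)          # first user ID / IP from the controller
        if first is None or first[0] != ip2 or ip2 != src_ip:
            self.banned.add(src_ip)               # cross-verification failed
            return False, "cross-verification failed"
        port = first[1]
        self.rules[(ip2, port)] = now + self.ttl  # firewall rule with expiry
        return True, port

    def is_open(self, ip, port, now):
        expiry = self.rules.get((ip, port))
        return expiry is not None and now < expiry
```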
Example 2
In a second aspect, this embodiment provides an SDP-based smart grid LWM2M protocol security access control system, as shown in fig. 2, including: a smart meter terminal as one of the access requester and the responder, and an MEC server as the other; an SDP controller; and an SDP gateway;
the system is further provided with a smart grid communication network and a smart grid security access control protocol that implement the smart grid LWM2M protocol security access control method of embodiment 1, so as to realize secure bidirectional communication in the smart grid.
In some particular embodiments, an SDP-based smart grid LWM2M protocol security access control system is provided that includes a smart grid communication network and smart grid security access control devices (SDP controller and SDP gateway) to enable secure bidirectional communication within the smart grid.
Further, the smart grid communication network includes an edge device layer and a smart grid terminal layer: the smart grid terminal layer comprises a plurality of smart meter terminals, and the edge device layer comprises an edge computing server that manages the smart meter terminals;
further, the bidirectional secure communication in the smart grid includes: a communication link from the smart meter terminal to the MEC server, for secure reporting by the smart meter terminal to the MEC server; and a communication link from the MEC server to the smart meter terminal, for access control operations by the MEC server on the smart meter terminal.
Example 3
In a third aspect, the present embodiment provides an SDP-based smart grid LWM2M protocol security access control system, including a processor and a storage medium;
the storage medium is used for storing instructions;
the processor operates according to the instructions to perform the steps of the method of embodiment 1.
Example 4
In a fourth aspect, the present embodiment provides a storage medium having stored thereon a computer program which, when executed by a processor, implements the steps of the method described in embodiment 1.
It will be appreciated by those skilled in the art that embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
The foregoing is only a preferred embodiment of the invention, it being noted that: it will be apparent to those skilled in the art that various modifications and adaptations can be made without departing from the principles of the present invention, and such modifications and adaptations are intended to be comprehended within the scope of the invention.
The previous description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the present invention. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the invention. Thus, the present invention is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.
Claims (10)
1. An SDP-based smart grid LWM2M protocol security access control method, characterized by comprising the following steps:
primary authentication:
the access requester encrypts and packages the information required for system identity verification into a single packet authorization (SPA) packet and sends the SPA packet to the SDP controller;
the SDP controller performs identity authentication according to the information in the SPA packet; in response to the identity of the access requester being legal, it authorizes the current access of the access requester; in response to the identity of the access requester being illegal, the SDP controller blocks the IP address from which the access requester made the current access;
secondary authentication:
in response to successful access authorization, the SDP controller sends service information to the corresponding access requester and sends authentication information about the access requester to the SDP gateway; in response to receiving the service information, the access requester sends an SPA packet to the SDP gateway;
in response to the SDP gateway receiving the authentication information and the SPA packet, the SDP gateway cross-verifies the authentication information against the SPA packet; in response to the verification failing, the SDP gateway blocks the IP address of the access requester for the current access; in response to the verification passing, the SDP gateway updates the system firewall rules and opens the designated service port to the access requester for a set period of time;
and the access requester accesses the responder through the designated service port.
2. The SDP-based smart grid LWM2M protocol security access control method of claim 1, wherein the SPA packet comprises three parts:
the first part is the IP address of the access requester;
the second part is the basic information of the access requester and the LwM2M information of the access requester, wherein the basic information comprises a user ID, a random number, a timestamp, a message type and message content, and the LwM2M information comprises a request mode, an access target and a DTLS encryption mode;
the third part is a hash-based message authentication code (HMAC) key.
3. The SDP-based smart grid LWM2M protocol security access control method of claim 1, wherein the SPA packet is encrypted using the Rijndael algorithm.
4. The SDP-based smart grid LWM2M protocol security access control method of claim 1, wherein the SDP controller authenticating the access requester based on the SPA packet comprises:
the SDP controller parses the SPA packet to obtain the user ID, IP address, random number, timestamp, message type, request mode, access target and DTLS encryption mode of the access requester;
the SDP controller looks up the related user by the user ID and IP address of the access requester and judges whether a corresponding user exists in the system;
based on a trust evaluation model of five-dimensional attributes, the SDP controller calculates the trust level of the current access from the random number, timestamp, message type, request mode, access target and DTLS encryption mode, and compares the trust level of the access with a preset threshold;
and in response to judging that the corresponding user exists in the system and that the trust level of the access is higher than the preset threshold, the identity authentication succeeds.
5. The SDP-based smart grid LWM2M protocol security access control method of claim 4, wherein calculating the trust level of the access based on a trust level evaluation model of five-dimensional attributes during the authentication process means:
comprehensively evaluating the trust value of the access from five attribute dimensions of the access process, namely subject, object, environment, behavior and operation;
each attribute having its own separate evaluation indices.
6. The SDP-based smart grid LWM2M protocol security access control method of claim 4, wherein the trust model of the five-dimensional attributes is:
where T_n(t, z) represents the trust level of attribute n of the requester within timestamp t; N represents the set of evaluation attributes, N = {subject, object, environment, behavior, operation}; J_n is the set of trust level values Z_{j,t} of the evaluation indices of attribute n at timestamp t, J_n = {Z_{1,t}, Z_{2,t}, ..., Z_{j,t}}; and α_j is the weight of each evaluation index, obtained by the entropy method:
where k = 1/ln(J);
the integrated trust level T(t, z) of the requester within timestamp t is obtained by weighting the trust levels of the individual attributes within that timestamp:
where β_n is the weight of each attribute dimension, likewise obtained by the entropy method.
7. The SDP-based smart grid LWM2M protocol security access control method of claim 1, wherein the SDP gateway cross-verifying the authentication information against the SPA packet information comprises:
one side of the SDP gateway's cross-verification in the secondary authentication is the requester information, obtained by parsing the SPA packet, that the SDP controller sends to the gateway; the other side is parsed by the SDP gateway from the further SPA packet sent by the access requester;
the authentication information comprises the requester information obtained by the SDP controller from parsing the SPA packet, the requester information comprising a first user ID and a first IP address;
the SDP gateway receives the SPA packet sent by the access requester and parses it to obtain a second user ID and a second IP address;
the SDP gateway compares the first user ID and first IP address with the second user ID and second IP address to obtain a comparison result;
if the two differ, the cross-verification fails; if they are the same, the cross-verification succeeds.
8. An SDP-based smart grid LWM2M protocol security access control system, the system comprising: a smart meter terminal as one of the access requester and the responder, and an MEC server as the other of the access requester and the responder; an SDP controller; and an SDP gateway;
the system further being deployed with a smart grid communication network and a smart grid security access control protocol to implement the smart grid LWM2M protocol security access control method of any one of claims 1 to 7, so as to realize secure bidirectional communication within the smart grid.
9. An SDP-based smart grid LWM2M protocol security access control device, characterized by comprising a processor and a storage medium;
the storage medium being used for storing instructions;
the processor being operative according to the instructions to perform the steps of the method according to any one of claims 1 to 8.
10. A storage medium having stored thereon a computer program which, when executed by a processor, performs the steps of the method according to any one of claims 1 to 8.
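Claims 4 to 6 describe the trust computation, but the formulas themselves are not reproduced on this page. The following added example (not the patent's code) implements the standard entropy-weight method that the claims name: for each attribute the index weights α_j are derived from the entropy of each index's history, the attribute trust T_n(t, z) is the α-weighted value of its indices at the current timestamp, and β_n and the integrated T(t, z) are obtained the same way one level up. The five-attribute, two-index-per-attribute histories are constructed. The normaliser k = 1/ln(number of timestamps in the sum) is the standard choice that keeps the entropy e_j in [0, 1]; the page writes k = 1/ln(J) without showing the sum, so that reading is an assumption.

```python
import math

ATTRIBUTES = ("subject", "object", "environment", "behavior", "operation")

def entropy_weights(history):
    """history[t][j] = Z_{j,t}, the value of index j at timestamp t, each in [0, 1].
    Standard entropy-weight method (assumption: the page does not show the formula):
    p_{j,t} = Z_{j,t} / sum_t Z_{j,t}; e_j = -k * sum_t p_{j,t} ln p_{j,t}, k = 1/ln(T);
    d_j = 1 - e_j; alpha_j = d_j / sum_j d_j.  Returns the alpha_j, summing to 1."""
    n_t, n_j = len(history), len(history[0])
    k = 1.0 / math.log(n_t) if n_t > 1 else 1.0      # keeps e_j <= 1
    divergence = []
    for j in range(n_j):
        column = [row[j] for row in history]
        total = sum(column)
        if total == 0:                                # index never fired: no information
            divergence.append(0.0)
            continue
        e_j = -k * sum((z / total) * math.log(z / total) for z in column if z > 0)
        divergence.append(max(0.0, 1.0 - e_j))        # a constant index gets d_j = 0
    s = sum(divergence)
    if s == 0:                                        # every index constant: uniform weights
        return [1.0 / n_j] * n_j
    return [d / s for d in divergence]

def weighted(weights, values):
    return sum(w * v for w, v in zip(weights, values))

def evaluate_access(index_history, current):
    """index_history[n] = history rows (one per timestamp) of attribute n's indices;
    current[n] = its Z_{j,t} row for the access being evaluated.
    Returns (T_n per attribute, beta_n per attribute, integrated T(t, z))."""
    alphas = [entropy_weights(h) for h in index_history]
    t_now = [weighted(a, c) for a, c in zip(alphas, current)]          # T_n(t, z) now
    t_hist = [[weighted(a, row) for a, row in zip(alphas, rows)]        # T_n per past t
              for rows in zip(*index_history)]
    betas = entropy_weights(t_hist)                                     # beta_n from T_n history
    return t_now, betas, weighted(betas, t_now)

def run_example():
    """Constructed data (assumption): 4 timestamps, 5 attributes, 2 indices each.
    The second environment index is constant, so its alpha must come out as 0."""
    index_history = [
        [[0.9, 0.8], [0.9, 0.7], [0.8, 0.9], [0.9, 0.8]],   # subject
        [[1.0, 0.6], [0.7, 0.6], [0.9, 0.5], [0.8, 0.7]],   # object
        [[0.9, 0.5], [0.3, 0.5], [0.6, 0.5], [0.8, 0.5]],   # environment
        [[0.7, 0.9], [0.7, 0.8], [0.2, 0.9], [0.7, 0.7]],   # behavior
        [[0.8, 0.8], [0.9, 0.6], [0.8, 0.9], [0.6, 0.8]],   # operation
    ]
    current = [[0.9, 0.8], [0.8, 0.6], [0.2, 0.5], [0.7, 0.9], [0.8, 0.8]]
    return evaluate_access(index_history, current)
```

The security-relevant property of the entropy method is visible in the constructed environment attribute: an index that never varies carries no information about the requester and receives weight 0, so an attacker cannot inflate a trust score by keeping a feature they control at a constant "good" value; only indices that actually discriminate between accesses move T(t, z) toward or away from the threshold of claim 4.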
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202211562044.4A CN116170806B (en) | 2022-12-07 | 2022-12-07 | Smart power grid LWM2M protocol security access control method and system |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202211562044.4A CN116170806B (en) | 2022-12-07 | 2022-12-07 | Smart power grid LWM2M protocol security access control method and system |
Publications (2)
Publication Number | Publication Date |
---|---|
CN116170806A true CN116170806A (en) | 2023-05-26 |
CN116170806B CN116170806B (en) | 2024-05-24 |
Family
ID=86415343
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202211562044.4A Active CN116170806B (en) | 2022-12-07 | 2022-12-07 | Smart power grid LWM2M protocol security access control method and system |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN116170806B (en) |
Timeline
2022-12-07: CN application CN202211562044.4A, patent CN116170806B, status Active
Patent Citations (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20170332238A1 (en) * | 2016-05-12 | 2017-11-16 | Zscaler, Inc. | Multidimensional risk profiling for network access control of mobile devices through a cloud based security system |
CN107395430A (en) * | 2017-08-16 | 2017-11-24 | 中国民航大学 | A kind of cloud platform dynamic risk access control method |
CN111770090A (en) * | 2020-06-29 | 2020-10-13 | 深圳市联软科技股份有限公司 | Single package authorization method and system |
CN113746790A (en) * | 2020-07-22 | 2021-12-03 | 北京沃东天骏信息技术有限公司 | Abnormal flow management method, electronic device and storage medium |
US20220210173A1 (en) * | 2020-12-31 | 2022-06-30 | Fortinet, Inc. | Contextual zero trust network access (ztna) based on dynamic security posture insights |
CN115333747A (en) * | 2022-07-26 | 2022-11-11 | 国网湖北省电力有限公司信息通信公司 | Safety protection method, equipment and storage medium based on multi-factor authentication |
CN115296818A (en) * | 2022-08-05 | 2022-11-04 | 中国电信股份有限公司 | Authentication method and device, storage medium and electronic equipment |
CN115065564A (en) * | 2022-08-18 | 2022-09-16 | 天津天元海科技开发有限公司 | Access control method based on zero trust mechanism |
Non-Patent Citations (1)
Title |
---|
Wu Kehe (吴克河): "基于SDP的电力物联网安全防护方案" [SDP-based security protection scheme for the power Internet of Things], 《信息网络安全》 (Netinfo Security), no. 2022, pp. 32-37 * |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN116887266A (en) * | 2023-09-05 | 2023-10-13 | 中电长城网际***应用有限公司 | Vehicle data access method, electronic device, and computer-readable storage medium |
CN116887266B (en) * | 2023-09-05 | 2024-04-12 | 中电长城网际***应用有限公司 | Vehicle data access method, electronic device, and computer-readable storage medium |
Also Published As
Publication number | Publication date |
---|---|
CN116170806B (en) | 2024-05-24 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN115189927B (en) | Zero trust-based power network safety protection method | |
CN113114656B (en) | Infrastructure layout method based on edge cloud computing | |
Kim et al. | Smart grid security: Attacks and defence techniques | |
CN114513786A (en) | 5G feeder automation access control method, device and medium based on zero trust | |
CN113872944A (en) | Block chain-oriented zero-trust security architecture and cluster deployment framework thereof | |
CN112910861A (en) | Group authentication and segmented authentication-based authentication method for terminal equipment of power internet of things | |
CN114239046A (en) | Data sharing method | |
CN111935168A (en) | Industrial information physical system-oriented intrusion detection model establishing method | |
CN116170806B (en) | Smart power grid LWM2M protocol security access control method and system | |
CN116405187A (en) | Distributed node intrusion situation sensing method based on block chain | |
CN115459992A (en) | Resource access request processing method and device, storage medium and electronic equipment | |
CN115603987A (en) | Cloud-side-end-fused cross-domain zero-trust authentication system for power information communication system | |
CN108924086A (en) | A kind of host information acquisition method based on TSM Security Agent | |
Zhong et al. | Data Security Storage Method for Power Distribution Internet of Things in Cyber‐Physical Energy Systems | |
Wang et al. | An Efficient Data Sharing Scheme for Privacy Protection Based on Blockchain and Edge Intelligence in 6G‐VANET | |
Kumar et al. | A real time fog computing applications their privacy issues and solutions | |
Gupta et al. | Fog computing and its security challenges | |
CN108347426B (en) | Teaching system information security management system based on big data and access method | |
CN113839945A (en) | Credible access control system and method based on identity | |
Alshomrani et al. | PUFDCA: A Zero‐Trust‐Based IoT Device Continuous Authentication Protocol | |
Fang et al. | Zero‐Trust‐Based Protection Scheme for Users in Internet of Vehicles | |
CN116208401A (en) | Cloud master station access control method and device based on zero trust | |
KR20210123811A (en) | Apparatus and Method for Controlling Hierarchical Connection based on Token | |
US20190068573A1 (en) | Detection of the network logon protocol used in pass-through authentication | |
CN114745444B (en) | 5G network traffic analysis-based regulation and control service access control method and system |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant |