
CN-122027311-A - Security access detection method and device based on industrial Internet of things


Abstract

The invention discloses a security access detection method and a security access detection device based on an industrial Internet of things, which are characterized in that authentication factors of communication entities of the industrial Internet of things are obtained, a PUF authentication mechanism is introduced between a gateway and a sensor according to the authentication factors and a preset risk model to obtain a trust anchor, authentication is respectively carried out on user registration, user login and authentication stages according to the trust anchor to obtain a session key, proVerif is adopted to carry out authentication calculation on the session key to obtain an authentication result, the authentication result is evaluated and analyzed to obtain an evaluation analysis result, target authentication information is generated based on the session and the evaluation analysis result, three authentication factors (passwords, biological identification and smart cards) and lightweight encrypted graphic primitives are seamlessly integrated, and a PUF enhanced mutual authentication mechanism is introduced between the gateway and the sensor to improve the semantic security of the session key.

Inventors

  • LI JIANSHENG
  • YU DONGHUA
  • GUO YUJIE
  • WANG YU
  • ZHANG JIALE
  • LI DONGDONG
  • QIN XUEYUAN
  • JIN HONGYI
  • WANG WEIYUN
  • Ru Nanjie
  • XU CHAOCHAO
  • SHI DA
  • LI HUXIONG
  • LI QI
  • Wang Jiangda
  • DONG YUANYUAN

Assignees

  • 同创工程设计有限公司
  • 绍兴文理学院

Dates

Publication Date
20260512
Application Date
20260302

Claims (10)

  1. The security access detection method based on the industrial Internet of things is characterized by comprising the following steps of: Acquiring an identity verification factor of a communication entity of the industrial Internet of things, wherein the communication entity comprises a user, a gateway and a sensor; Introducing a PUF authentication mechanism between a gateway and a sensor to obtain a trust anchor according to the identity verification factors and a preset risk model, wherein the identity verification factors comprise single factors, double factors and multiple factors; Respectively carrying out identity verification on the user registration, user login and authentication stages according to the trust anchor to obtain a session key, and carrying out verification calculation on the session key by adopting ProVerif to obtain a verification result; And carrying out evaluation analysis on the verification result to obtain an evaluation analysis result, and generating target identity verification information based on the session and the evaluation analysis result.
  2. The method for detecting the security access based on the industrial internet of things according to claim 1, wherein introducing a PUF authentication mechanism between a gateway and a sensor to obtain a trust anchor according to the authentication factors and a preset risk model comprises: Extraction of data from stolen smart cards And capturing the sensor to obtain a subset of PUF modules Wherein, the , Representing a set of sensor CRPs, Representing the credentials of the user and, Representing the master key and the master key, The auxiliary data is represented by a representation of the auxiliary data, The hash value is represented by a value of a hash, 、 、 The response R of the PUF can be expressed mathematically as a function of the challenge C: c is the input applied to the PUF, R is the random key generated by the PUF, Representing the physical properties of the PUF; computing shared secrets using chebyshev chaotic map Presetting a chaotic map And three values 、 And x, wherein, And b is a secret integer, calculated without knowing a or b , Satisfy the semi-group property Wherein the Chebyshev polynomial The method comprises the following cyclic relations: , When n is more than or equal to 1, The corresponding polynomial uses the triangle identity as Wherein N is a non-negative integer; Presetting Is a material meeting the semi-group property X is a common value, for any probability polynomial time algorithm a, given the chaotic map of 、 And x, calculate Neglecting, the expression is: ; The method comprises the steps of extracting input data by a fuzzy extractor to obtain a secret key, and specifically comprises the following steps: generating Gen, generating an encrypted key R and an helper string P given an input w, resulting in The random key R is used for encryption and the helper string P does not reveal any information about R or w; duplicating Rep, given input And the noise version of the auxiliary character string P, and the original key R is reconstructed by a replication algorithm to obtain .
  3. The method for detecting the security access based on the industrial internet of things according to claim 2, wherein the step of performing authentication to obtain the session key according to the trust anchor in the user registration, user login and authentication phases respectively includes: Step one, user initialization, digital evidence obtaining user Selection of Cipher code Random number And provides biometric information User calculation: , , , , ; Wherein, the To gateway through secure channel Transmitting ; Step two, gateway processing, namely, in the process of obtaining After that, the processing unit is configured to, The following steps are performed: Selecting a random value ; And (3) calculating: , , , , , , ; Storing in a database ; Will be Stored in a smart card and transmitted to the smart card via a secure channel ; Step three, the user finishes: after receiving the smart card, the following operations are performed: decryption Obtaining And ; And (3) calculating: , , , , , wherein, ; Smart card storage .
  4. The method for detecting the security access based on the industrial internet of things according to claim 3, wherein the digital evidence obtaining user authentication comprises: User authentication request digital evidence obtaining user Inserting a smart card and providing it 、 And The user performs the following calculations: , , , , ; User check equation Whether or not it is established, and the steps are as follows: Selecting random numbers And a current timestamp ; And (3) calculating: , , , ; Directional gateway Sending an authentication request ; Gateway authentication at the slave Obtaining a request Thereafter, gateway The following steps are performed: Verifying a timestamp Whether or not it is within the valid time window, if Invalidation, gateway The authentication request will be denied; If it is Effective, then gateway Retrieving stored information from a database as ; Gateway (GW) Using The following calculations are performed: , , , , ; gateway check equation Whether or not it is true, otherwise, gateway Increment the login list by 1 and terminate the session, if the equation is true, the gateway The following steps will continue to be performed: calculating a new temporary identifier: retrieval using the following commands : Selecting a current timestamp And use Retrieval ; And (3) calculating: , , , ; Through open channels Sending messages .
  5. The method for detecting the security access based on the industrial internet of things according to claim 4, further comprising: Front-end entity authentication, in the event of receiving a message After that, the processing unit is configured to, The following steps are performed: Checking a time stamp Whether or not it is new, if Invalid, then The session will be terminated; If it is The effect is achieved, And (3) calculating: ; Inspection equation Whether or not the equation is satisfied, if so Will verify Identity of (c); Selecting random numbers And a time stamp ; And (3) calculating: , , , , ; Message is sent to the client To be transmitted to ; User final verification of receipt of message After that, the processing unit is configured to, The following steps are performed: Checking a time stamp Whether or not to be effective, if Invalid, then The session will be terminated; If it is Is effective, then And (3) calculating: , , , ; Inspection equation Whether or not it is true, if so, then Successful verification of Identity of (c); calculating a new temporary identifier: .
  6. The method for detecting the security access based on the industrial internet of things according to claim 1, wherein the step of performing verification calculation on the session key by ProVerif to obtain a verification result comprises the steps of: User registration when a user Selected identity And password And uses identity And password Computing a corresponding biometric hash User(s) Calculation of And User(s) Tuple is added Send to the system administrator SA; Upon receipt of the message, the system administrator SA calculates And generates a smart card The SA sends to the user via the secure dedicated channel the smart card SC ; After receiving the smart card SC from the SA, the user Selecting a random value And calculate User(s) Updating smart card SC to ; Login stage, user Inserting a smart card SC into a terminal and using biometric data Providing identity Random value And password ; The smart card performs the following calculations: , , And ; Smart card SC authentication Whether or not to be equal to If the equivalence is not established, the protocol is terminated, otherwise, the smart card selects a random value And calculating: , , And ; Wherein, the Representing a current timestamp; The intelligent card SC sends to the gateway node Sending login messages ; Authentication: When (when) When obtaining a login message, the current timestamp is used Checking a time stamp If the time delay is the validity of If not, the login and authentication process is terminated, otherwise, And (3) calculating: And ; Verification If the equation is true, the protocol continues, otherwise And (3) calculating: And ; Direction sensor node Sending messages ; On receipt of a message from After a message of (a), sensor node Using time stamps Verification time delay If the time delay is not valid, then it is terminated, otherwise, And (3) calculating: and check If the equation is true, the protocol continues, otherwise, the protocol stops, if successful, Selecting a random value And calculating: , And ; And To the direction of Sending messages , wherein, Representing a user i in an industrial internet of things system, Representing sensor j in IIoT system, GWN represents gateway node, Representing a user Is used to determine the identity of the (c) tag, Representing a user Is used for the password of (a), Representing a user Is used for the data of the biological characteristics of the (a), Representing both dynamic and static pseudo-identities, Representing provided biometric templates , Auxiliary data representing the replication of the biometric feature, Representation sensor Is used to determine the identity of the (c) tag, Representing a function that is not physically clonable, Representation of Is a challenge-response pair k of (c), Representing a user Is used to determine the master key of (a), Representing the random number (user, gateway, sensor), Representing the chaotic map output of the random number n, Representing a protocol-specific calculated value, Representation of And Is used for the session key of (a), The cryptographic hash function is represented as such, Representing a bitwise XOR operation, Represents the series operator and, A time stamp indicating the freshness of the message, Representing a maximum allowable time delay; slave slave Received by After that, the processing unit is configured to, Verifying freshness of time stamps, if time delays If not, refusing verification, otherwise And (3) calculating: and check If the equation is true, And (3) calculating: ; Message is sent to the client To the user ; On receipt of a message from After the message of (a), the user The freshness of the timestamp was verified as follows: User inspection of If the equation is not true, the verification is aborted, otherwise, And (3) calculating: And as it is with the sensor node Is used to share the key.
  7. The method for detecting the security access based on the industrial internet of things according to claim 6, wherein each user Prior to contact with the sensor or IIoT device, registration with the GWN includes: User' s Creation of As a pseudo-identity and send the pseudo-identity to gateway GWN; Upon receipt of a pseudo-identity Thereafter, GWN selection , And calculate As a means for users Will (F) respond to Stored in a database; User' s Selecting a password And biological characteristics And inserts it into a smart card In, smart card Selecting one Is calculated by small integers of (2) , , , , , , Will be And Stored in a memory.
  8. The method for detecting the security access based on the industrial internet of things according to claim 7, wherein the user Gateway GWN and sensor The following steps are performed to mutually authenticate and establish a session key, including: User' s Will be 、 And Is inserted into the value of (2) In the process, the Retrieving parameters And calculate If the condition is satisfied The user has passed the authentication; If the user is authenticated, then Calculation of And Searching , Generating a random number And calculates a corresponding chaotic map And Smart card computing , , , wherein, Is the current time stamp of the time stamp, Transmitting to gateway GWN ; Upon receipt of Gateway GWN computation And search for If the time stamp is poor Exceeding acceptable delay The search is aborted and, among other things, Is the current timestamp, GWN calculation And check the conditions If the condition is satisfied, the user is authenticated, otherwise, GWN is increased And prompt the user to log in again if Is greater than a maximum limit The user Will be revoked and require re-registration, and if the user is authenticated, GWN will generate a random number And calculate And , wherein, And Is taken from and Corresponding to GWN direction sensor Sending messages ; Sensor for detecting a position of a body Calculation of , wherein, If the relation is Verify GWN if it is true, if the timestamp is bad Exceeding acceptable delay The calculation is aborted and, in this case, Is the current timestamp; selecting a random number And constructs session key Calculation of And , Sending messages to gateway GWN ; In obtaining a message Thereafter, the GWN will authenticate the sensor if the following conditions are met; And GWN construction And send the message To be sent to the customer , wherein, Is the current timestamp of GWN; User' s Verifying whether the following conditions are satisfied: If so, gateway GWN is approved, user Constructing a session key as , wherein, Is the user Is not included in the current timestamp of (a).
  9. The method for detecting the security access based on the industrial internet of things according to claim 8, further comprising: When a user instance And sensor examples Session keys negotiated between An adversary remains in an unopened state by any real query, and is considered new; When opponent A performs operation on the new instance of protocol P in polynomial time and correctly guesses that c is used in Test query, opponent A is considered successful, and expression of session key semantic security in A unreturned protocol P is .
  10. The security access detection device based on the industrial internet of things, which is applied to the security access detection method based on the industrial internet of things according to any one of claims 1 to 9, and comprises: The system comprises a data acquisition unit, a data processing unit and a data processing unit, wherein the data acquisition unit is used for acquiring an authentication factor of a communication entity of the industrial Internet of things, and the communication entity comprises a user, a gateway and a sensor; The information introducing unit is used for introducing a PUF authentication mechanism between the gateway and the sensor to obtain a trust anchor according to the identity verification factors and a preset risk model, wherein the identity verification factors comprise single factors, double factors and multiple factors; the authentication unit is used for respectively carrying out authentication on the user registration, user login and authentication stages according to the trust anchor to obtain a session key, and carrying out authentication calculation on the session key by adopting ProVerif to obtain an authentication result; and the evaluation analysis unit is used for performing evaluation analysis on the verification result to obtain an evaluation analysis result, and generating target identity verification information based on the session and the evaluation analysis result.
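As an added worked example, not code from the patent, the Chebyshev chaotic-map shared-secret step described in claim 2: both parties exchange T_a(x) and T_b(x) and each reaches T_ab(x) through the semi-group property T_r(T_s(x)) = T_rs(x), without learning the other's secret integer. It assumes the extended Chebyshev map over Z_p (the patent does not state the modulus), a constructed prime P, and hypothetical secrets a, b.

```python
import hashlib
import math

# Constructed public parameters for this example: a prime modulus for the
# extended Chebyshev map and a public seed x. The patent names x and the map
# but does not fix concrete values; these are illustrative only.
P = 2**31 - 1
PUBLIC_X = 12345


def _mat_mul(A, B, p):
    # 2x2 matrices stored as (a, b, c, d) == [[a, b], [c, d]], entries mod p
    a, b, c, d = A
    e, f, g, h = B
    return ((a * e + b * g) % p, (a * f + b * h) % p,
            (c * e + d * g) % p, (c * f + d * h) % p)


def _mat_pow(M, e, p):
    R = (1, 0, 0, 1)  # identity
    while e:
        if e & 1:
            R = _mat_mul(R, M, p)
        M = _mat_mul(M, M, p)
        e >>= 1
    return R


def chebyshev(n, x, p=P):
    """T_n(x) mod p using the recurrence T_0 = 1, T_1 = x,
    T_n = 2x*T_{n-1} - T_{n-2}, evaluated in O(log n) by matrix power.
    [T_{k+1}, T_k] = [[2x, -1], [1, 0]] * [T_k, T_{k-1}]."""
    x %= p
    if n == 0:
        return 1 % p
    M = (2 * x % p, (-1) % p, 1, 0)
    a, b, _, _ = _mat_pow(M, n - 1, p)
    return (a * x + b) % p  # first row of M^(n-1) applied to [T_1, T_0]


def chebyshev_cos(n, x):
    """The 'triangle identity' form T_n(x) = cos(n * arccos x), |x| <= 1,
    used here only to cross-check the recurrence on real inputs."""
    return math.cos(n * math.acos(x))


def agree(a, b, x=PUBLIC_X, p=P):
    """Chebyshev key agreement. Returns (Alice's secret, Bob's secret);
    each is T_a(T_b(x)) or T_b(T_a(x)), both equal to T_ab(x).
    Only T_a(x) and T_b(x) are sent; a and b never leave their owners."""
    ta = chebyshev(a, x, p)      # Alice -> Bob
    tb = chebyshev(b, x, p)      # Bob -> Alice
    alice_secret = chebyshev(a, tb, p)
    bob_secret = chebyshev(b, ta, p)
    return alice_secret, bob_secret


def session_key(shared, p=P):
    # Hashing the shared value into a fixed-size key is an assumption about
    # how the protocol's hash H is applied; the patent only states that a
    # hash function is used. Returns the hex digest.
    return hashlib.sha256(shared.to_bytes((p.bit_length() + 7) // 8, "big")).hexdigest()


if __name__ == "__main__":
    # hypothetical secret integers chosen by user and gateway
    alice, bob = agree(a=987654321, b=123456789)
    print("shared secrets match:", alice == bob)
    print("session key:", session_key(alice))
```

An eavesdropper who sees x, T_a(x) and T_b(x) faces the Chebyshev-map Diffie-Hellman problem the claim refers to; the code above only demonstrates the functional (semi-group) property, not its hardness.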

Description

Security access detection method and device based on industrial Internet of things

Technical Field

The invention belongs to the technical field of identity verification, and particularly relates to a security access detection method and device based on the industrial Internet of things.

Background

The industrial internet of things (IIoT) integrates sensors, actuators, and system networks into an industrial environment, removing the need for direct manual intervention in operations. These interconnected systems are efficient and can operate in real time, supporting predictive maintenance, resource optimization, and remote monitoring of critical infrastructure. In most use cases, these devices operate with simple autonomous behavior, collecting and transmitting data for centralized control. The paradigm of a vast, interconnected network of IIoT devices carrying out complex, coordinated tasks is becoming the basis of modern industry. According to current research, these IIoT ecosystems can include thousands of smart devices, ranging from simple sensors to complex actuators, working cooperatively. An integrated IIoT network provides a more efficient and intelligent approach than a stand-alone system in terms of overall performance and data consistency. In a large-scale industrial internet of things, various devices work cooperatively to achieve a common objective. For example, in an intelligent factory, sensors on the assembly line can monitor device health, transmit data to actuators that automatically adjust parameters, and also send performance indicators to the central dashboard for analysis. Due to the scale of these networks, some nodes can act as communication bridges, expanding network coverage and ensuring that data reliably reaches its destination. However, such hyper-connectivity greatly expands the attack surface, making traditionally isolated industrial systems vulnerable to cyber attacks.

In such a threatening environment, reverse osmosis authentication is not only an IT function but also a basic security requirement. It serves as a first line of defense to ensure that only authorized devices and users are entitled to join the network and interact with critical infrastructure, thereby ensuring system integrity, reliability and security. Therefore, a security access detection method based on the industrial internet of things is needed to solve the above technical problems.

Disclosure of Invention

In view of the above, the invention provides a security access detection method and device based on the industrial internet of things, which seamlessly integrates three authentication factors (passwords, biometric recognition and smart cards) with lightweight cryptographic primitives, introduces a PUF-enhanced mutual authentication mechanism between a gateway and a sensor, improves the semantic security of the session key, and is realized by adopting the following technical scheme.
In a first aspect, the present invention provides a security access detection method based on industrial internet of things, comprising the following steps: Acquiring an identity verification factor of a communication entity of the industrial Internet of things, wherein the communication entity comprises a user, a gateway and a sensor; Introducing a PUF authentication mechanism between a gateway and a sensor to obtain a trust anchor according to the identity verification factors and a preset risk model, wherein the identity verification factors comprise single factors, double factors and multiple factors; Respectively carrying out identity verification on the user registration, user login and authentication stages according to the trust anchor to obtain a session key, and carrying out verification calculation on the session key by adopting ProVerif to obtain a verification result; And carrying out evaluation analysis on the verification result to obtain an evaluation analysis result, and generating target identity verification information based on the session and the evaluation analysis result. 
As a preference of the above technical solution, introducing a PUF authentication mechanism between the gateway and the sensor to obtain a trust anchor according to the authentication factor and a preset risk model includes: Extraction of data from stolen smart cards And capturing the sensor to obtain a subset of PUF modules Wherein, the , Representing a set of sensor CRPs, Representing the credentials of the user and, Representing the master key and the master key, The auxiliary data is represented by a representation of the auxiliary data, The hash value is represented by a value of a hash, 、 、 The response R of the PUF can be expressed mathematically as a function of the challenge C: c is the input applied to the PUF, R is the random key generated by the PUF, Representing the physical properties of the PUF; computing shared secrets using chebyshev chaotic map Presetting a chaotic map And three values 、 And x, wherein, And b is a secret inte