CN118842596A - Industrial control host remote access control system and method based on multi-factor authentication - Google Patents
- Publication number: CN118842596A
- Application number: CN202411075843.8A
- Authority: CN (China)
- Prior art keywords: verification, smart card, key, preset algorithm, client
- Legal status: Granted (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- H04L9/3234: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols including means for verifying the identity or authority of a user of the system or for message authentication (e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials), involving additional secure or trusted devices, e.g. TPM, smartcard, USB or software token
- H04L63/0876: Network architectures or network communication protocols for network security, for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
- Y02P90/02: Enabling technologies with a potential contribution to greenhouse gas [GHG] emissions mitigation; total factory control, e.g. smart factories, flexible manufacturing systems [FMS] or integrated manufacturing systems [IMS]
Abstract
Embodiments of the present disclosure provide an industrial control host remote access control system and method based on multi-factor authentication, in the technical field of remote access to industrial control hosts. The system includes: a smart card, which generates a smart card key from the current location information; a client, which sends the smart card key generated by the smart card, together with the user ID and identity key entered by the user, to the system end; and a system end, which obtains the verification values of the smart card key and the identity key according to the user ID, verifies the smart card key and identity key sent by the client against those verification values and, if verification passes, allows the client to access the industrial control host. The system innovatively uses a smart card to generate a unique smart card key based on the current location information, so that the key is time-bound and changes dynamically, which increases the difficulty of cracking it.
Description
Technical Field
The present disclosure relates to the technical field of remote access control for industrial control hosts, and in particular to an industrial control host remote access control system and method based on multi-factor authentication.
Background Art
An industrial control host remote access control system is a software and hardware solution for remotely monitoring and managing industrial control systems (ICS). It allows operators and technicians to access the industrial control host over the Internet or a private network, enabling remote monitoring, fault diagnosis and maintenance of industrial equipment and systems.
An industrial control host remote access control system based on multi-factor authentication is a remote access solution with enhanced security. Multi-factor authentication (MFA) refers to using multiple independent authentication methods to verify a user's identity. Typically these methods include: a knowledge factor, something the user knows, such as a password or PIN; a possession factor, something the user has, such as a mobile phone verification code or an email verification code; and a biometric factor, a characteristic of the user, such as a fingerprint, facial recognition or an iris scan.
Generally speaking, multi-factor authentication is mainly used in situations such as business trips and customer visits. Existing authentication techniques are complex and offer low security.
In summary, how to simplify the authentication process while improving security in multi-factor authentication is a problem that remains to be solved.
Summary of the Invention
In view of this, embodiments of the present disclosure provide an industrial control host remote access control system and method based on multi-factor authentication, which simplifies the authentication process while improving security by means of location verification.
In a first aspect, embodiments of the present disclosure provide an industrial control host remote access control system based on multi-factor authentication, adopting the following technical solution:
The system includes: a client, a smart card and a system end;
the smart card is configured to generate a smart card key from the current location information and send it to the client;
the client is configured to send the smart card key generated by the smart card, together with the user ID and identity key entered by the user, to the system end;
the system end is configured to obtain the verification values of the smart card key and the identity key according to the user ID, verify the smart card key and identity key sent by the client against those verification values and, if verification passes, allow the client to access the industrial control host.
As an optional implementation, the smart card includes:
a first storage module, configured to store the preset algorithm and the verification data;
a positioning module, configured to obtain the current location information;
a main control module, configured to concatenate the current location information with the verification data, compute over the concatenated data with the preset algorithm to obtain the smart card key, and send it to the client.
As an optional implementation, the system end includes:
a second storage module, configured to store the preset location information, the preset algorithm, the verification data, the user ID and the identity key verification value corresponding to the user ID;
a smart card key verification value calculation module, configured to calculate the smart card key verification value from the preset location information, the preset algorithm and the verification data;
an access control module, configured to look up the identity key verification value in the second storage module according to the user ID sent by the user terminal, verify the smart card key and identity key sent by the user terminal against the smart card key verification value and the identity key verification value and, if verification passes, allow the client to access the industrial control host.
As an optional implementation, the system end further includes a preset algorithm and verification data update module, configured to generate a new preset algorithm or new verification data after each successful verification by the access control module and send it to the client, so that the client replaces the preset algorithm or verification data stored in the first storage module with the new one; after the client reports a successful change, the module replaces the preset algorithm or verification data in the second storage module with the new one.
As an optional implementation, the client further includes a preset algorithm and verification data rewriting module, configured, upon receiving a new preset algorithm or new verification data from the system end, to replace the preset algorithm or verification data stored in the first storage module with the new one and send the rewrite result to the system end.
As an optional implementation, the first storage module includes: a first preset algorithm storage unit, a first verification data storage unit, a second preset algorithm storage unit and a second verification data storage unit;
the first preset algorithm storage unit stores the newly changed preset algorithm, and the second preset algorithm storage unit stores the previously changed preset algorithm;
the first verification data storage unit stores the newly changed verification data, and the second verification data storage unit stores the previously changed verification data;
the preset algorithm and verification data rewriting module writes the new preset algorithm into the first preset algorithm storage unit; if the write succeeds, the main control module reads the preset algorithm from the first preset algorithm storage unit the next time it needs it, and if the write fails, it reads the preset algorithm from the second preset algorithm storage unit instead;
the preset algorithm and verification data rewriting module writes the new verification data into the first verification data storage unit; if the write succeeds, the main control module reads the verification data from the first verification data storage unit the next time it needs it, and if the write fails, it reads the verification data from the second verification data storage unit instead.
As an optional implementation, the access control module is further configured to obtain a location-free key instruction; if a location-free key instruction is obtained, it looks up the identity key verification value in the second storage module according to the user ID sent by the user terminal, verifies the identity key sent by the user terminal against the identity key verification value and, if verification passes, allows the client to access the industrial control host.
As an optional implementation, the location-free key instruction is generated after the user submits a location-free verification application to the administrator and the administrator approves it.
In a second aspect, embodiments of the present disclosure further provide an industrial control host remote access control method based on multi-factor authentication, using the industrial control host remote access control system described above, which includes:
using the smart card to generate a smart card key from the current location information and send it to the client;
using the client to send the smart card key generated by the smart card, together with the user ID and identity key entered by the user, to the system end;
using the system end to obtain the verification values of the smart card key and the identity key according to the user ID, verify the smart card key and identity key sent by the client against those verification values and, if verification passes, allow the client to access the industrial control host.
As an optional implementation, the step of using the system end to obtain the verification values of the smart card key and the identity key according to the user ID, verify the smart card key and identity key sent by the client against those verification values and, if verification passes, allow the client to access the industrial control host includes:
using the second storage module to store the preset location information, the preset algorithm, the verification data, the user ID and the identity key verification value corresponding to the user ID;
using the smart card key verification value calculation module to calculate the smart card key verification value from the preset location information, the preset algorithm and the verification data;
using the access control module to look up the identity key verification value in the second storage module according to the user ID sent by the user terminal, verify the smart card key and identity key sent by the user terminal against the smart card key verification value and the identity key verification value and, if verification passes, allow the client to access the industrial control host.
In summary, the technical effects of the industrial control host remote access control system based on multi-factor authentication provided by the present disclosure are as follows:
The system provided by this embodiment combines the client, the smart card and the system end to achieve multiple identity verification, ensuring that only authorized users can access the industrial control host. It innovatively uses a smart card to generate a unique smart card key based on the current location information, so that the key is time-bound and changes dynamically, which increases the difficulty of cracking it. The client sends the smart card key generated by the smart card, together with the user ID and identity key entered by the user, to the system end for comprehensive verification.
In another respect, by updating two storage units in turn, a failed write does not affect the original preset algorithm and verification data, which increases the stability of the system.
In a further respect, when the positioning module's signal is poor, for example in an underground parking garage or inside a high-rise building, the user can apply to the administrator so that the location is not verified, which increases convenience of use.
The above description is only an overview of the technical solution of the present disclosure. To make the technical means of the present disclosure clearer so that it can be implemented according to the contents of the specification, and to make the above and other objects, features and advantages of the present disclosure more apparent and easier to understand, preferred embodiments are set out below and described in detail with reference to the accompanying drawings.
Brief Description of the Drawings
To illustrate the technical solutions of the embodiments of the present disclosure more clearly, the drawings used in the embodiments are briefly introduced below. Obviously, the drawings described below are only some embodiments of the present disclosure; a person of ordinary skill in the art can derive other drawings from them without creative effort.
FIG. 1 is a schematic structural diagram of the industrial control host remote access control system based on multi-factor authentication provided by an embodiment of the present disclosure;
FIG. 2 is a schematic flow chart of the industrial control host remote access control method based on multi-factor authentication provided by an embodiment of the present disclosure.
Detailed Description
Embodiments of the present disclosure are described in detail below with reference to the accompanying drawings.
It should be made clear that the embodiments of the present disclosure are described below by way of specific examples, and those skilled in the art can readily understand other advantages and effects of the present disclosure from the contents disclosed in this specification. Obviously, the described embodiments are only some of the embodiments of the present disclosure, not all of them. The present disclosure may also be implemented or applied through other specific embodiments, and the details in this specification may be modified or changed in various ways based on different viewpoints and applications without departing from the spirit of the present disclosure. It should be noted that, where there is no conflict, the following embodiments and the features in them may be combined with each other. All other embodiments obtained by a person of ordinary skill in the art from the embodiments of the present disclosure without creative effort fall within the scope of protection of the present disclosure.
It should be noted that various aspects of embodiments within the scope of the appended claims are described below. It should be apparent that the aspects described herein may be embodied in a wide variety of forms, and that any specific structure and/or function described herein is merely illustrative. Based on the present disclosure, those skilled in the art should understand that an aspect described herein may be implemented independently of any other aspect, and that two or more of these aspects may be combined in various ways. For example, a device may be implemented and/or a method practised using any number of the aspects set out herein. In addition, the device may be implemented and/or the method practised using other structures and/or functionality in addition to, or other than, one or more of the aspects set out herein.
It should also be noted that the illustrations provided in the following embodiments only show the basic concept of the present disclosure schematically. The drawings show only the components related to the present disclosure and are not drawn according to the number, shape and size of the components in an actual implementation; in an actual implementation the form, number and proportion of each component may be changed arbitrarily, and the component layout may be more complex.
In addition, specific details are provided in the following description to facilitate a thorough understanding of the examples. However, those skilled in the art will understand that the described aspects may be practised without these specific details.
To solve the problem of simplifying the authentication process while improving security in multi-factor authentication, and referring to FIG. 1, the first aspect of the present invention provides an industrial control host remote access control system based on multi-factor authentication, comprising a client, a smart card and a system end. Generally speaking, the client runs on the user's computer, the system end runs on a server, and the smart card is a separate hardware device that can be plugged into the user's computer via a USB interface or similar to exchange data with the client;
the smart card is configured to generate a smart card key from the current location information and send it to the client;
the client is configured to send the smart card key generated by the smart card, together with the user ID and identity key entered by the user, to the system end;
the system end is configured to obtain the verification values of the smart card key and the identity key according to the user ID, verify the smart card key and identity key sent by the client against those verification values and, if verification passes, allow the client to access the industrial control host.
The system provided by this embodiment combines the client, the smart card and the system end to achieve multiple identity verification, ensuring that only authorized users can access the industrial control host. It innovatively uses a smart card to generate a unique smart card key based on the current location information, so that the key is time-bound and changes dynamically, which increases the difficulty of cracking it. The client sends the smart card key generated by the smart card, together with the user ID and identity key entered by the user, to the system end for comprehensive verification.
As an optional implementation, the smart card includes:
a first storage module, configured to store the preset algorithm and the verification data;
a positioning module, configured to obtain the current location information;
a main control module, configured to concatenate the current location information with the verification data, compute over the concatenated data with the preset algorithm to obtain the smart card key, and send it to the client. For example, the current location information and the verification data can be concatenated and the preset algorithm applied to the result to obtain the smart card key.
As an optional implementation, the system end includes:
a second storage module, configured to store the preset location information, the preset algorithm, the verification data, the user ID and the identity key verification value corresponding to the user ID. Under normal circumstances the preset algorithm stored in the second storage module is the same as the preset algorithm stored in the first storage module; for example, the preset algorithm may be a hash algorithm or a similar checksum algorithm.
Specifically, when a user submits an access approval application while on a business trip and records location information in the application, once the application is approved the location information recorded in it is stored in the second storage module as the preset location information.
The verification data may be a random number or a timestamp; it mainly serves to increase security and is changed after each successful verification.
a smart card key verification value calculation module, configured to calculate the smart card key verification value from the preset location information, the preset algorithm and the verification data; for example, the preset location information and the verification data can be concatenated and the preset algorithm applied to the result to obtain the smart card key verification value.
an access control module, configured to look up the identity key verification value in the second storage module according to the user ID sent by the user terminal, verify the smart card key and identity key sent by the user terminal against the smart card key verification value and the identity key verification value and, if verification passes, allow the client to access the industrial control host.
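The exchange described in this section (and in the corresponding summary above), modelled end to end as an added Python example that is not part of the patent: the smart card's main control module concatenates the location fix with the verification data and hashes it with the preset algorithm, and the system end recomputes the same value from the preset location and checks both factors. The location encoding, the `|` separator, the selectable hash names, PBKDF2 as the stored identity key verification value and the constructed coordinates and passphrases are all assumptions of this example, not details the patent specifies.

```python
"""Added example (not from the patent): minimal model of the smart card, client and
system end described above, with assumed encodings marked in comments."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field

# Preset algorithm: the patent only says "a hash algorithm or similar"; we assume the
# algorithm is identified by name and both storage modules hold the same name.
ALGORITHMS = {"sha256": hashlib.sha256, "sha3_256": hashlib.sha3_256}


def encode_location(lat: float, lon: float, precision: int = 3) -> bytes:
    """Canonical location encoding (assumption: the patent fixes no format).
    Rounding keeps ordinary GPS jitter from changing the derived key."""
    return f"{lat:.{precision}f},{lon:.{precision}f}".encode()


def derive_smart_card_key(location: bytes, verification_data: bytes, algorithm: str) -> bytes:
    """location || verification data, then the preset algorithm. Run by the smart card's
    main control module, and by the system end to compute the verification value."""
    return ALGORITHMS[algorithm](location + b"|" + verification_data).digest()


def identity_verification_value(identity_key: str, salt: bytes) -> bytes:
    """Assumption: the stored 'identity key verification value' is a salted PBKDF2 digest,
    so the system end never stores the identity key itself."""
    return hashlib.pbkdf2_hmac("sha256", identity_key.encode(), salt, 50_000)


@dataclass
class SmartCard:
    """First storage module (algorithm + verification data) plus a positioning module."""
    algorithm: str
    verification_data: bytes
    position: tuple  # stand-in for the positioning module's current fix (lat, lon)

    def generate_key(self) -> bytes:
        lat, lon = self.position
        return derive_smart_card_key(encode_location(lat, lon), self.verification_data, self.algorithm)


@dataclass
class SystemEnd:
    """Second storage module: preset location, algorithm, verification data and user records."""
    preset_location: bytes
    algorithm: str
    verification_data: bytes
    users: dict = field(default_factory=dict)  # user_id -> (salt, identity verification value)

    def enroll(self, user_id: str, identity_key: str) -> None:
        salt = os.urandom(16)
        self.users[user_id] = (salt, identity_verification_value(identity_key, salt))

    def smart_card_key_verification_value(self) -> bytes:
        return derive_smart_card_key(self.preset_location, self.verification_data, self.algorithm)

    def authorize(self, user_id: str, smart_card_key: bytes, identity_key: str) -> bool:
        """Access control module: both factors are compared in constant time and both are
        always evaluated, so neither timing nor check order reveals which factor failed."""
        salt, expected_identity = self.users.get(user_id, (b"\x00" * 16, b"\x00" * 32))
        card_ok = hmac.compare_digest(smart_card_key, self.smart_card_key_verification_value())
        identity_ok = hmac.compare_digest(identity_verification_value(identity_key, salt), expected_identity)
        return user_id in self.users and card_ok and identity_ok


def run_scenario() -> dict:
    """Constructed scenario: the approved trip location is (31.230, 121.474); the card is
    presented from that location, from elsewhere, with a wrong identity key, and by an unknown user."""
    verification_data = os.urandom(16)  # a random number, one of the options the patent names
    system = SystemEnd(encode_location(31.230, 121.474), "sha256", verification_data)
    system.enroll("operator-01", "correct horse battery staple")
    card_at_site = SmartCard("sha256", verification_data, (31.2301, 121.4742))
    card_elsewhere = SmartCard("sha256", verification_data, (39.904, 116.407))
    return {
        "at_site": system.authorize("operator-01", card_at_site.generate_key(), "correct horse battery staple"),
        "elsewhere": system.authorize("operator-01", card_elsewhere.generate_key(), "correct horse battery staple"),
        "wrong_identity_key": system.authorize("operator-01", card_at_site.generate_key(), "wrong"),
        "unknown_user": system.authorize("nobody", card_at_site.generate_key(), "correct horse battery staple"),
    }


if __name__ == "__main__":
    print(run_scenario())
```

The location tolerance is the part a deployment has to decide: rounding to three decimal places (roughly 100 m) lets the card at (31.2301, 121.4742) match the preset (31.230, 121.474), while a fix from another city never does. The patent leaves this tolerance, and the exact concatenation format, unspecified, so both sides must agree on them exactly or every login fails.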
As an optional implementation, the system end further includes a preset algorithm and verification data update module, configured to generate a new preset algorithm or new verification data after each successful verification by the access control module and send it to the client, so that the client replaces the preset algorithm or verification data stored in the first storage module with the new one; after the client reports a successful change, the module replaces the preset algorithm or verification data in the second storage module with the new one.
In this embodiment, the preset algorithm or verification data is changed after each successful verification, which improves the security of the system. At the same time, the system end is modified only after the client reports a successful change, which avoids inconsistency between the data on the system end and on the smart card when, in special circumstances, the write to the smart card fails.
As an optional implementation, the client further includes a preset algorithm and verification data rewriting module, configured, upon receiving a new preset algorithm or new verification data from the system end, to replace the preset algorithm or verification data stored in the first storage module with the new one and send the rewrite result to the system end.
As an optional implementation, the first storage module includes: a first preset algorithm storage unit, a first verification data storage unit, a second preset algorithm storage unit and a second verification data storage unit;
the first preset algorithm storage unit stores the newly changed preset algorithm, and the second preset algorithm storage unit stores the previously changed preset algorithm;
the first verification data storage unit stores the newly changed verification data, and the second verification data storage unit stores the previously changed verification data;
the preset algorithm and verification data rewriting module writes the new preset algorithm into the first preset algorithm storage unit; if the write succeeds, the main control module reads the preset algorithm from the first preset algorithm storage unit the next time it needs it, and if the write fails, it reads the preset algorithm from the second preset algorithm storage unit instead;
the preset algorithm and verification data rewriting module writes the new verification data into the first verification data storage unit; if the write succeeds, the main control module reads the verification data from the first verification data storage unit the next time it needs it, and if the write fails, it reads the verification data from the second verification data storage unit instead.
In this embodiment, the two storage units are updated in turn, so that a failed write does not affect the original preset algorithm and verification data, which increases the stability of the system.
As an optional implementation, the access control module is further configured to obtain a location-free key instruction; if a location-free key instruction is obtained, it queries the identity key verification value in the second storage module according to the user ID sent by the user terminal, verifies the identity key sent by the user terminal against the identity key verification value, and, if the verification passes, allows the client to access the industrial control host.
As an optional implementation, the location-free key instruction is generated after the user applies to the administrator for location-free verification and the administrator approves the application. The location-free key instruction may be generated in this system, or generated in another OA system or attendance system and then sent to this system.
In this embodiment, when the positioning module signal is poor, for example in an underground parking lot or indoors in a high-rise building, the user can apply to the administrator so that the location is not verified, which increases convenience of use.
In another aspect, referring to FIG. 2, the present invention provides a multi-factor authentication based remote access control method for an industrial control host, based on the multi-factor authentication based remote access control system for an industrial control host described above, comprising:
Step S1: the smart card generates a smart card key according to the current location information and sends it to the client;
Step S2: the client sends the smart card key generated by the smart card, together with the user ID and identity key entered by the user, to the system end;
Step S3: the system end obtains the verification values of the smart card key and the identity key according to the user ID, verifies the smart card key and identity key sent by the client against those verification values, and, if the verification passes, allows the client to access the industrial control host.
The multi-factor authentication based remote access control method for an industrial control host provided in this embodiment realizes multiple identity verification by combining the client, the smart card and the system end, ensuring that only authorized users can access the industrial control host. The smart card is innovatively used to generate a unique smart card key based on the current location information, so that the key is time-limited and changes dynamically, which increases the difficulty of cracking it. The smart card key generated by the smart card, together with the user ID and identity key entered by the user, is sent by the client to the system end for comprehensive verification.
As an optional implementation, the system end obtaining the verification values of the smart card key and the identity key according to the user ID, verifying the smart card key and identity key sent by the client against those verification values, and allowing the client to access the industrial control host if the verification passes, includes the following:
the second storage module stores preset location information, a preset algorithm, verification data, user IDs and the identity key verification value corresponding to each user ID; it will be understood that, under normal circumstances, the preset algorithm stored in the second storage module is the same as the preset algorithm stored in the first storage module; for example, a hash algorithm or a similar verification algorithm may be used.
Specifically, when a user on a business trip submits an access approval application and records location information in the application, then after the application is approved the location information recorded in the application is stored in the second storage module as the preset location information.
The verification data may be a random number or a timestamp; it mainly serves to increase security and is changed after each successful verification.
The smart card key verification value calculation module calculates the smart card key verification value according to the preset location information, the preset algorithm and the verification data; for example, the preset location information and the verification data may be concatenated and the preset algorithm then applied to the result to obtain the smart card key verification value.
The access control module queries the identity key verification value in the second storage module according to the user ID sent by the user terminal, verifies the smart card key and identity key sent by the user terminal against the smart card key verification value and the identity key verification value, and, if the verification passes, allows the client to access the industrial control host.
For a detailed description of this embodiment, reference may be made to the corresponding descriptions in the preceding embodiments, which are not repeated here.
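As an added worked example (not code from the patent), the following Python models the system-end verification of steps S1 to S3 together with the two-unit client storage and the post-verification rotation of the verification data described in the earlier embodiments. The '|' separator used when concatenating location and verification data, the SHA-256 form of the identity key verification value, the simulated card-write result flag and the demo user are all assumptions.

```python
import hashlib
import hmac
import secrets


def compute_card_key(location: str, check_data: str, algorithm: str = "sha256") -> str:
    # Preset algorithm over "location || verification data"; the '|' separator is an assumption.
    return hashlib.new(algorithm, f"{location}|{check_data}".encode()).hexdigest()


class DualSlotStore:
    """Two storage units updated in turn: the first holds the newly written value, the second
    the previous one. Reads use the first unit after a successful write, the second after a failure."""

    def __init__(self, initial: str):
        self.first, self.second, self.first_valid = initial, initial, True

    def read(self) -> str:
        return self.first if self.first_valid else self.second

    def write(self, value: str, card_write_ok: bool = True) -> bool:
        self.second = self.read()           # keep the value currently in use in the second unit
        if card_write_ok:                   # simulated result of the smart-card write (assumption)
            self.first = value
        self.first_valid = card_write_ok    # after a failure the main control module reads the second unit
        return card_write_ok


class SystemEnd:
    def __init__(self, preset_location: str, check_data: str, users: dict, algorithm: str = "sha256"):
        self.preset_location = preset_location  # location recorded in the approved access application
        self.check_data = check_data            # random number or timestamp, rotated after each pass
        self.users = users                      # user ID -> identity key verification value (assumed SHA-256 of the key)
        self.algorithm = algorithm

    def verify(self, user_id: str, card_key: str, identity_key: str, location_free: bool = False) -> bool:
        stored = self.users.get(user_id)
        if stored is None:
            return False
        id_ok = hmac.compare_digest(stored.encode(), hashlib.sha256(identity_key.encode()).hexdigest().encode())
        if location_free:                       # location-free key instruction: the card key is not checked
            return id_ok
        expected = compute_card_key(self.preset_location, self.check_data, self.algorithm)
        return id_ok and hmac.compare_digest(expected.encode(), card_key.encode())

    def rotate_check_data(self, client_store: DualSlotStore, card_write_ok: bool = True) -> bool:
        # The client writes first; the system end changes its copy only after the client reports success.
        new_value = secrets.token_hex(16)
        if client_store.write(new_value, card_write_ok):
            self.check_data = new_value
            return True
        return False


def access_attempt(system: SystemEnd, store: DualSlotStore, user_id: str, identity_key: str,
                   location: str, card_write_ok: bool = True) -> bool:
    """Steps S1-S3 plus rotation: the card derives its key from its current location and the
    verification data it holds, the client forwards it with the user ID and identity key."""
    card_key = compute_card_key(location, store.read(), system.algorithm)
    ok = system.verify(user_id, card_key, identity_key)
    if ok:
        system.rotate_check_data(store, card_write_ok)
    return ok

DEMO_USERS = {"u1": hashlib.sha256(b"pw").hexdigest()}  # constructed demo user, identity key "pw"
```

A failed card write leaves both sides on the previous verification data, so the next attempt from the approved location still verifies and the rotation is simply retried.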
The basic principles of the present disclosure have been described above in conjunction with specific embodiments. It should be noted, however, that the advantages, benefits, effects and the like mentioned in the present disclosure are only examples and not limitations, and they must not be regarded as required by every embodiment of the present disclosure. In addition, the specific details disclosed above serve only for illustration and ease of understanding and are not limitations; they do not restrict the present disclosure to being implemented with those specific details.
In the present disclosure, relational terms such as "first" and "second" are used only to distinguish one entity or operation from another, and do not necessarily require or imply any actual relationship or order between those entities or operations. The block diagrams of the components, apparatus, devices and systems involved in the present disclosure are illustrative examples only and are not intended to require or imply that they must be connected, arranged or configured in the manner shown. As those skilled in the art will recognize, these components, apparatus, devices and systems may be connected, arranged and configured in any manner. Words such as "including", "comprising" and "having" are open-ended, mean "including but not limited to", and may be used interchangeably. The words "or" and "and" as used here mean "and/or" and may be used interchangeably, unless the context clearly indicates otherwise. The phrase "such as" as used here means "such as but not limited to" and may be used interchangeably with it.
In addition, as used herein, "or" in a list of items beginning with "at least one" indicates a disjunctive list, so that, for example, "at least one of A, B or C" means A or B or C, or AB or AC or BC, or ABC (that is, A and B and C). Furthermore, the word "exemplary" does not mean that the example described is preferred or better than other examples.
It should also be noted that in the systems and methods of the present disclosure, each component or step may be decomposed and/or recombined. Such decompositions and/or recombinations are to be regarded as equivalent solutions of the present disclosure.
Various changes, substitutions and alterations to the techniques described herein may be made without departing from the teachings defined by the appended claims. Furthermore, the scope of the claims of the present disclosure is not limited to the specific aspects of the processes, machines, manufactures, compositions of matter, means, methods and acts described above. Presently existing or later-developed processes, machines, manufactures, compositions of matter, means, methods or acts that perform substantially the same function or achieve substantially the same result as the corresponding aspects described herein may be utilized. Accordingly, the appended claims include such processes, machines, manufactures, compositions of matter, means, methods or acts within their scope.
The above description of the disclosed aspects is provided to enable any person skilled in the art to make or use the present disclosure. Various modifications to these aspects will be readily apparent to those skilled in the art, and the general principles defined herein may be applied to other aspects without departing from the scope of the present disclosure. Therefore, the present disclosure is not intended to be limited to the aspects shown herein, but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.
The above description has been given for the purposes of illustration and description. Furthermore, this description is not intended to limit the embodiments of the present disclosure to the forms disclosed herein. Although several example aspects and embodiments have been discussed above, those skilled in the art will recognize certain variations, modifications, changes, additions and sub-combinations thereof.
Claims (10)
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202411075843.8A CN118842596B (en) | 2024-08-07 | 2024-08-07 | Industrial control host remote access control system and method based on multi-factor authentication |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN118842596A true CN118842596A (en) | 2024-10-25 |
| CN118842596B CN118842596B (en) | 2025-08-01 |
Family ID: 93142318
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202411075843.8A Active CN118842596B (en) | 2024-08-07 | 2024-08-07 | Industrial control host remote access control system and method based on multi-factor authentication |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN118842596B (en) |
Citations (8)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US6044349A (en) * | 1998-06-19 | 2000-03-28 | Intel Corporation | Secure and convenient information storage and retrieval method and apparatus |
| WO2003093942A2 (en) * | 2002-05-01 | 2003-11-13 | Bruce Eric Ross | System for configuring client computers to a secure host using smart cards |
| DE102013201245A1 (en) * | 2013-01-25 | 2014-07-31 | Bundesdruckerei Gmbh | Method for performing cryptographic operation of smart card for use with e.g. smart phone, involves applying key derivation function to data value and position data by smart card to generate position-dependent first cryptographic key |
| CN104937900A (en) * | 2013-01-25 | 2015-09-23 | Bundesdruckerei GmbH | Provide location data with distance boundary protocol |
| CN105072110A (en) * | 2015-08-06 | 2015-11-18 | Shandong University of Science and Technology | Two-factor remote identity authentication method based on smart card |
| WO2016171295A1 (en) * | 2015-04-23 | 2016-10-27 | 최운호 | Authentication in ubiquitous environment |
| CN116915515A (en) * | 2023-09-14 | 2023-10-20 | Beijing Dongfang Sentai Technology Development Co., Ltd. | Access security control method and system for industrial control network |
| CN118368615A (en) * | 2024-05-20 | 2024-07-19 | Xidian University | A two-factor authentication key exchange protocol based on location and password |
Non-Patent Citations (1)
| Title |
|---|
| Li Xi; Li Chuanfeng; Zhu Wei; He Mingxing: "Identity-based multi-server authenticated key agreement scheme", Journal of Huazhong University of Science and Technology (Natural Science Edition), no. 01, 23 January 2011 (2011-01-23) * |
Also Published As
| Publication number | Publication date |
|---|---|
| CN118842596B (en) | 2025-08-01 |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | | |
| SE01 | Entry into force of request for substantive examination | | |
| GR01 | Patent grant | | |