Fusion and authentication method and system of identity and authority in industrial control system

This industrial control system authentication technology, applied in the field of identity and authority authentication, addresses the inconvenience of use and management, the difficulty of confirming a user's authority, and the inapplicability of separate identity certificates and attribute certificates. It achieves more complete information preservation, more convenient management and larger storage space.

Active Publication Date: 2012-04-18
ASAT CHINA TECH

AI Technical Summary

Problems solved by technology

[0010] However, in the industrial field, the roles corresponding to users are limited, and the permissions corresponding to users of each role are relatively fixed. If the permissions change, usually the user's identity will also change, so the existing identity certificates and attribute certificates are not applicable. Using the existing technology of identity certificates and attribute certificates means the industrial control system must support two trusted third parties (CA and AA) at the same time and manage multiple certificates, which is inconvenient to use and manage.

[0011] Moreover, the industrial field involves many types and quantities of equipment, and the types of user permissions are very complicated. Taking operators as an example, different operators may have different operation permissions for different equipment. Authenticating permissions by means of the existing attribute certificate cannot list all permissions well, and makes it inconvenient to confirm them.

Examples

Embodiment Construction

[0048] In order to make the purpose, technical solution and advantages of the present invention clearer, the following will further describe the implementation of the present invention in detail in conjunction with the accompanying drawings.

[0049] The first embodiment of the present invention relates to a fusion authentication method of identity and authority in an industrial control system. In this embodiment, the CA and AA are fused together to form an authentication center, the key management institution (PKI) and the authority control institution (PMI) are fused together to form a key and authority control institution, and an authority database is set up to store the authority information corresponding to users with different roles.

[0050] In this embodiment, the user initiates a request to the administrator to apply for an identity certificate, and the administrator applies for the user's identity certificate through the client and sets corresponding permissions. The specific process o...

Abstract

The invention discloses a fusion authentication method and system for identity and authority in an industrial control system. The attribute certificate and the identity certificate are fused so that the user's role information is stored in the identity certificate, and an authority database is set up to save the authority information corresponding to the user's different roles. When the user logs in to the system, the user's identity is authenticated first; after authentication passes, the user's authority information is extracted by querying the authority database with the user name and role information in the identity certificate, and the system provides the user with the resources corresponding to that authority. The industrial control system can therefore complete user identity authentication and the complicated authority authentication of the industrial field by supporting only one trusted third party and using one certificate, while maintaining the system's security level. Combining the two certificates into one makes management more convenient. Storing the specific authorities of the user's different roles in the authority database provides larger storage space and more complete preservation of the information.
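The login flow described in the abstract, as an added Python example that is not code from the patent: one certificate carries user name and role, identity is checked first, and only then is the authority database queried. Assumptions: an HMAC under a demo key stands in for the authentication center's certificate signature, and the key, user names, devices and table layout are constructed for illustration.

```python
import hashlib
import hmac
import json
import sqlite3

# Assumption: HMAC with a demo key stands in for the authentication
# center's signature; a real system would verify an X.509 signature.
CENTER_KEY = b"constructed-demo-key"


def _sign(body):
    return hmac.new(CENTER_KEY, body.encode(), hashlib.sha256).hexdigest()


def issue_certificate(user, role):
    """Authentication center: bind user name and role in one certificate."""
    body = json.dumps({"user": user, "role": role}, sort_keys=True)
    return {"body": body, "sig": _sign(body)}


def build_authority_db():
    """Authority database keyed by user name and role (constructed rows)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE authority (user TEXT, role TEXT, device TEXT, action TEXT)")
    db.executemany("INSERT INTO authority VALUES (?, ?, ?, ?)", [
        ("alice", "operator", "pump-1", "start"),
        ("alice", "operator", "pump-1", "stop"),
        ("bob", "operator", "pump-2", "start"),
        ("carol", "engineer", "plc-7", "configure"),
    ])
    return db


def login(cert, db):
    """Authenticate identity first; look up authority only on success."""
    if not hmac.compare_digest(_sign(cert["body"]), cert["sig"]):
        return None  # identity check failed, so no authority lookup happens
    claims = json.loads(cert["body"])
    rows = db.execute(
        "SELECT device, action FROM authority WHERE user = ? AND role = ? "
        "ORDER BY device, action", (claims["user"], claims["role"])).fetchall()
    return {"user": claims["user"], "role": claims["role"], "permissions": rows}


def is_allowed(session, device, action):
    """Grant a resource only if it is among the session's permissions."""
    return session is not None and (device, action) in session["permissions"]
```

Because the role sits inside the signed certificate body, editing the role field invalidates the certificate and `login` returns `None` before any permission is read.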

Description

Technical field

[0001] The invention relates to an authentication technology of identity and authority

Background technique

[0002] In order to provide public network user directory information services, the International Telecommunications Union (referred to as "ITU") formulated the X.500 Directory Access Protocol (referred to as "DAP") series of standards in 1988. Among them, X.500 and X.509 (public key infrastructure) are the core of the security authentication system. X.500 defines a distinguished naming rule, which uses a naming tree to ensure the uniqueness of user names; X.509 provides a communication entity authentication mechanism for X.500 user names, and specifies the widely applicable certificate syntax and data interface used in the entity authentication process, which X.509 calls a certificate.

[0003] The authentication framework given by X.509 is an authentication service key management based ...

Application Information

Patent Type & Authority: Applications (China)
IPC(8): H04L9/32, H04L29/06
Inventor: 王磊, 梁俊
Owner: ASAT CHINA TECH