A multi-factor login authentication method, device, and PLC system for industrial control PLC systems.

By using a multi-factor authentication method for industrial control PLC systems, combining username and password, hardware identity tags, and dynamic password authentication, the low security problem of industrial control PLC systems is solved, and a higher level of security protection is achieved.

CN116346415B · Active · Publication Date: 2026-06-30 · ZHEJIANG ZHIKONG TECH CO LTD

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Patents(China)
Current Assignee / Owner
ZHEJIANG ZHIKONG TECH CO LTD
Filing Date
2023-02-21
Publication Date
2026-06-30

AI Technical Summary

Technical Problem

The single username and password login method of industrial control PLC system has low security and is easily impersonated by illegal external factors to carry out illegal operations. Common multi-factor login methods have poor timeliness and security in industrial control production sites.

Method used

A multi-factor login authentication method is adopted, including username and password authentication, hardware identity tag authentication, and dynamic password authentication. The challenge code is generated by combining the username, random factor, and one-way hash function, and triple security authentication is performed through a secure hardware module.

Benefits of technology

This effectively prevents unauthorized external factors from impersonating the PLC system to illegally monitor, collect, and control it, thus improving the system's security and protection capabilities.

✦ Generated by Eureka AI based on patent content.


Abstract

This invention discloses a multi-factor login authentication method for an industrial control PLC system, comprising the following steps: obtaining a login request from a host computer; the login request includes a username, password, and hardware identity tag information; obtaining the corresponding public key to parse the login request, and authenticating the parsed username, password, and hardware identity tag information; if the username, password, and hardware identity tag information are successfully authenticated, generating a challenge code based on the username and a random factor obtained according to a preset rule using a preset algorithm, and sending it to the host computer; generating a verification password based on the username, random factor, and a preset one-way hash function, and performing password authentication with a dynamic password sent by the host computer; if the password authentication is successful, allowing the host computer to log in and perform data communication. This method effectively solves the problem of illegal external factors impersonating the user to perform malicious acts such as illegal eavesdropping, data acquisition, and control of the PLC control system.

Description

Technical Field

[0001] This invention belongs to the field of industrial control technology, and particularly relates to a multi-factor login authentication method, device, computer equipment, storage medium and PLC system for industrial control PLC systems.

Background Technology

[0002] Typical applications of industrial control PLC systems include control logic configuration downloading, logic program debugging, and real-time data acquisition. The prerequisite for these operations is that the host computer software logs into the slave PLC using a valid username and password. Only after the slave PLC login account is successfully authenticated can the subsequent operations described above be performed.

[0003] With the rapid development of new-generation information technologies such as the Industrial Internet and cloud computing, security incidents involving industrial control PLC systems are also showing a rapid upward trend. Account information is highly sensitive and confidential. Once the username and password for logging into the PLC are illegally obtained, external forces can impersonate the user to perform harmful actions such as illegal eavesdropping, data collection, and control of the PLC control system.

[0004] Traditional industrial PLC systems use a single username and password to log in, which has a low level of security. If the username and password are illegally obtained, unauthorized external forces can impersonate the user and perform unauthorized operations on the PLC system, causing incalculable damage to the industrial production environment. Common multi-factor authentication methods, such as SMS verification codes and emails, are less reliable and less secure, easily intercepted, and difficult to implement in industrial production environments.

Summary of the Invention

[0005] To address the aforementioned problems, the present invention aims to provide a multi-factor login authentication method, device, computer equipment, and storage medium for industrial control PLC systems. This multi-factor login authentication method, device, computer equipment, and storage medium for industrial control PLC systems can effectively prevent unauthorized external factors from impersonating others to perform malicious acts such as illegal eavesdropping, data collection, and control of the PLC control system.

[0006] To achieve the above objectives, the technical solution of the present invention is as follows: a multi-factor login authentication method for an industrial control PLC system, comprising the following steps: obtaining a login request from a host computer, wherein the login request includes a username, password, and hardware identity tag information, and the login request is encrypted by a preset private key and sent by the host computer to the slave PLC; obtaining the corresponding public key to parse the login request, and authenticating the parsed username, password, and hardware identity tag information; if the username, password, and hardware identity tag information are successfully authenticated, generating a challenge code based on the username and a random factor obtained according to a preset rule, using a preset algorithm, and sending it to the host computer; generating a verification password based on the username, random factor, and a preset one-way hash function, and performing password authentication with a dynamic password sent by the host computer, wherein the dynamic password is generated by the host computer based on the username, random factor, and the preset one-way hash function sent by the slave PLC; and allowing the host computer to log in and perform data communication if the password authentication is successful.

[0007] In a preferred embodiment of the present invention, before obtaining the login request from the host computer, the method further includes: burning the hardware identity tag into the security hardware module and security hardware device of the lower-level PLC; wherein the security hardware device is integrated into the host computer or connected to the host computer through a hardware interface.

[0008] In a preferred embodiment of the present invention, multiple sets of usernames, passwords and hardware identity tag information with unique correspondences are burned into the security hardware module of the lower-level PLC.

[0009] In a preferred embodiment of the present invention, obtaining the random factor according to a preset rule further includes: obtaining the login timestamp of the login request and using the login timestamp as the random factor.

[0010] In a preferred embodiment of the present invention, the step of generating a challenge code based on the username and a random factor obtained according to a preset rule and a preset algorithm further includes: obtaining the username and login timestamp of the user currently requesting login; and calling a preset encryption algorithm to process the username and the login timestamp to generate a challenge code.

[0011] In a preferred embodiment of the present invention, the method further includes: receiving newly added authentication information written by a preset program through a preset interface; extracting the username, password, and hardware identity tag information from the newly added authentication information; and writing the username, password, and hardware identity tag information into the security hardware module of the lower-level PLC.

[0012] Based on the same concept, this invention also provides a multi-factor login authentication device for an industrial control PLC system, comprising: an acquisition module for acquiring a login request from a host computer; wherein the login request includes a username, password, and hardware identity tag information, and the login request is encrypted by a preset private key and sent by the host computer to the slave PLC; a preliminary verification module for acquiring the corresponding public key to parse the login request and authenticating the parsed username, password, and hardware identity tag information; a challenge code generation module for generating a challenge code based on the username and a random factor obtained according to a preset rule, and sending it to the host computer, if the username, password, and hardware identity tag information are successfully authenticated; and a password authentication module for generating a verification password based on the username, random factor, and a preset one-way hash function, and performing password authentication with a dynamic password sent by the host computer; wherein the dynamic password is generated by the host computer based on the username, random factor, and the preset one-way hash function sent by the slave PLC; and allowing the host computer to log in and perform data communication if the password authentication is successful.

[0013] Based on the same concept, the present invention also provides a computer device, comprising: a memory for storing a processing program; and a processor, wherein the processor, when executing the processing program, implements the multi-factor login authentication method for the industrial control PLC system described above.

[0014] Based on the same concept, the present invention also provides a readable storage medium storing a processing program, which, when executed by a processor, implements the multi-factor login authentication method for an industrial control PLC system as described above.

[0015] Based on the same concept, the present invention also provides a PLC system, including: a PLC system security management platform, a host computer, a security hardware device for connecting to the host computer, and a slave PLC with an integrated security hardware module. The PLC system security management platform is used for the creation and issuance of PLC system user hardware identity tags. The security hardware module is used for storing verification information to verify the legality of user identity. The security hardware device is used for providing secure storage, encryption / decryption, and storage of hardware identity tag information.

[0016] Because the present invention adopts the above technical solution, it has the following advantages and positive effects compared with the prior art:

[0017] 1. This invention employs triple security authentication on the host computer requesting login, including username and password authentication, hardware identity tag and user binding authentication, and dynamic password authentication. This effectively prevents unauthorized external factors from impersonating the PLC control system to perform illegal listening, data collection, and control behaviors.

[0018] 2. In the process of dynamic password authentication, this invention introduces a dynamic factor of the current login timestamp. Each login by the same user will generate a different challenge code, thus enhancing security. Simultaneously, when the host computer receives the challenge code, it uses a one-way hash function to generate a dynamic password, preventing unauthorized eavesdropping and cracking by malicious users, further improving security.

Description of the Drawings

[0019] The specific embodiments of the present invention will be further described in detail below with reference to the accompanying drawings, wherein:

[0020] Figure 1 is an architecture diagram of the industrial control PLC system of the present invention;

[0021] Figure 2 is a schematic diagram of the multi-factor login authentication method for the industrial control PLC system of the present invention.

Detailed Description

[0022] The present invention will be further described in detail below with reference to the accompanying drawings and specific embodiments. The advantages and features of the present invention will become clearer from the following description and claims. It should be noted that the drawings are all in a very simplified form and use non-precise ratios, and are only used to facilitate and clarify the illustration of the embodiments of the present invention.

[0023] It should be noted that all directional indications (such as up, down, left, right, front, back, etc.) in the embodiments of the present invention are only used to explain the relative positional relationship and movement of each component in a certain specific posture (as shown in the figure). If the specific posture changes, the directional indication will also change accordingly.

[0024] As shown in Figure 1, the architecture of the industrial control PLC system of the present invention includes: a PLC system security management platform, a host computer, security hardware devices for connecting to the host computer, and a slave PLC with integrated security hardware modules. The PLC system security management platform is mainly used for creating and issuing user hardware identity tags for the PLC system. The PLC system with integrated security hardware modules is used to verify the legitimacy of user identities. The security hardware devices mainly provide functions such as secure storage, encryption / decryption, and identity authentication.

[0025] In this invention, the username and password authentication factors are input through the interface of the host computer's logic configuration software or monitoring configuration software that initiates the login request. The hardware identity tag is applied for by the PLC system user from the PLC system security management platform. After the PLC system security management platform generates and issues a user certificate, it burns the hardware identity tag into the security hardware device connected to the host computer. The hardware identity tag is bound to the user and can uniquely identify a legitimate user. Simultaneously, the security hardware device provides secure and reliable storage, ensuring that the hardware identity tag cannot be stolen or tampered with. Dynamic password verification uses a challenge-response mode based on the principle of dynamic password asynchronous token technology: the lower-level PLC takes the username and the user's current login timestamp carried in the login request from the host computer software, computes a feature sequence from them with a one-way hash function, and uses that sequence as the challenge code.

[0026] Preferably, in one embodiment, the security hardware device may also be integrated with the host computer.

[0027] Preferably, the hardware security module can consist of: a trusted chip, an FPGA chip, a configuration chip, a PCI-E protocol chip, an SRAM chip, a clock chip, a power supply chip, and a PCI-E interface. The trusted chip serves as the root of trust for the host computer, providing trusted measurement and trusted storage support.

[0028] As shown in Figure 2, the schematic flow chart of the multi-factor login authentication method for the industrial control PLC system of the present invention proceeds as follows. The login authentication process is described below.

[0029] S1: When the logic configuration software or monitoring configuration software of the host computer sends a login authentication request to the lower-level PLC, the configuration software first requires the user to enter the username and password of the PLC system account on the host computer client.

[0030] S2: Obtain the hardware identity tag stored in the security hardware device connected to the host computer.

[0031] S3: Using the host computer's private key, the username, password, and hardware identity tag are encrypted using a secure hardware device to obtain ciphertext, which is then sent to the lower-level PLC as a login request message.

[0032] S4: After receiving the login request message from the host computer, the lower-level PLC uses the host computer's public key to call the security hardware module for decryption. It then matches the decrypted username and password with the account information in the local database. If the username and password authentication is successful, the decrypted hardware identity tag is sent to the security hardware module for authentication. Specifically, the hardware identity tag is pre-written into the security hardware module through the PLC system's security management platform.

[0033] S5: After successful authentication using the username, password, and hardware identity tag, the lower-level PLC calls the security hardware module to perform encryption calculations based on the username and the current login timestamp to generate a random challenge code. Because the challenge code generation incorporates a dynamic factor of the user's login timestamp, each login by the same user will generate a different challenge code, ensuring high security.

[0034] S6: Use the lower-level PLC private key to call the security hardware module for encryption and send the ciphertext to the login requester (i.e., the upper-level computer).

[0035] S7: After receiving the response message from the lower-level PLC, the host computer decrypts it using the lower-level PLC's public key to obtain the challenge code. Next, it uses a one-way hash function to encrypt the challenge code to obtain the dynamic password. The encrypted dynamic password is then sent to the lower-level PLC.

[0036] This invention introduces a dynamic factor, the current login timestamp, during dynamic password authentication. Each login by the same user generates a different challenge code, thus enhancing security. Simultaneously, the host computer uses a one-way hash function to generate a dynamic password upon receiving the challenge code, preventing unauthorized eavesdropping and cracking, further improving security.

[0037] S8: After receiving the dynamic password verification request, the lower-level PLC first decrypts the dynamic password, then applies the same one-way hash function as the upper-level software to the challenge code generated in S5. The resulting dynamic password is then matched with the decrypted dynamic password sent by the upper-level software. If the match is successful, it indicates that the asynchronous token authentication of the dynamic password is successful. At this point, the entire multi-factor login authentication process is successful, and the host computer and the lower-level PLC can securely communicate subsequently.

[0038] This invention employs triple security authentication on the host computer requesting login, including username and password authentication, hardware identity tag and user binding authentication, and dynamic password authentication. This effectively prevents unauthorized external factors from impersonating the user and engaging in malicious activities such as illegal eavesdropping, data collection, and control of the PLC control system.

[0039] In this invention, username and password serve as the first basic authentication factor. User certificates issued by the PLC system security management platform act as hardware identity tags bound to the user, serving as the second enhanced authentication factor. Furthermore, dynamic password verification using a challenge-response mode based on the dynamic password asynchronous token technology principle, implemented by the PLC system with integrated security hardware modules and the host computer software, serves as the third authentication factor. This comprehensive technical solution offers higher security and effectively prevents unauthorized external factors from impersonating users and engaging in malicious activities such as illegal eavesdropping, data collection, and control of the PLC control system.

[0040] Based on the same inventive concept, the present invention also provides a computer device, comprising: a memory for storing a processing program; and a processor, wherein the processor, when executing the processing program, implements the multi-factor login authentication method of any one of the industrial control PLC systems described above.

[0041] Based on the same inventive concept, the present invention also provides a readable storage medium storing a processing program, which, when executed by a processor, implements the multi-factor login authentication method for the industrial control PLC system described in any one of the claims.

[0042] Those skilled in the art will understand that all or part of the steps of the above method embodiments can be implemented by hardware related to program instructions. The aforementioned program can be stored in a computer-readable storage medium. When the program is executed, it performs the steps of the above method embodiments. The aforementioned storage medium includes various media that can store program code, such as mobile storage devices, read-only memory (ROM), magnetic disks, or optical disks.

[0043] Based on the same concept, the present invention also provides a PLC system, including: a PLC system security management platform, a host computer, a security hardware device for connecting to the host computer, and a slave PLC with an integrated security hardware module. The PLC system security management platform is used for the creation and issuance of PLC system user hardware identity tags. The security hardware module is used for storing verification information to verify the legality of user identity. The security hardware device is used for providing secure storage, encryption / decryption, and storage of hardware identity tag information.

[0044] The embodiments of the present invention have been described in detail above with reference to the accompanying drawings, but the present invention is not limited to the above embodiments. Even if various changes are made to the present invention, if these changes fall within the scope of the claims of the present invention and their equivalents, they shall still fall within the protection scope of the present invention.

Claims

1. A multi-factor login authentication method for an industrial PLC system, characterized in that it comprises the following steps: obtaining the login request from the host computer, wherein the login request includes a username, password, and hardware identity tag information, and the login request is encrypted with a preset private key and sent from the host computer to the slave PLC; obtaining the corresponding public key to parse the login request, and authenticating the obtained username, password, and hardware identity tag information; if the username, password, and hardware identity tag information are successfully authenticated, generating a challenge code based on the username and a random factor obtained according to preset rules, according to a preset algorithm, and sending it to the host computer; generating a verification password based on the username, random factor, and preset one-way hash function, and using the verification password to perform password authentication with a dynamic password sent by the host computer, wherein the dynamic password is generated by the host computer based on the username, random factor, and preset one-way hash function sent by the slave PLC; and once the password authentication is successful, allowing the host computer to log in and conduct data communication.

2. The multi-factor login authentication method for an industrial control PLC system according to claim 1, characterized in that, before obtaining the login request from the host computer, the following step is also included: burning the hardware identification tag into the security hardware module of the lower-level PLC and the security hardware device; wherein the security hardware device is integrated into the upper-level computer or connected to the upper-level computer through a hardware interface.

3. The multi-factor login authentication method for an industrial control PLC system according to claim 2, characterized in that multiple sets of usernames, passwords, and hardware identity tags with unique correspondences are burned into the security hardware module of the lower-level PLC.

4. The multi-factor login authentication method for an industrial control PLC system according to claim 1, characterized in that obtaining the random factor according to the preset rules further includes: obtaining the login timestamp of the login request and using the login timestamp as the random factor.

5. The multi-factor login authentication method for an industrial control PLC system according to claim 4, characterized in that the step of generating a challenge code based on the username and a random factor obtained according to a preset rule using a preset algorithm further includes: obtaining the username and login timestamp of the user currently requesting login; and invoking a preset encryption algorithm to process the username and login timestamp to generate a challenge code.

6. The multi-factor login authentication method for an industrial control PLC system according to claim 1, characterized in that the method further includes: receiving newly added authentication information written by the preset program through the preset interface; extracting the username, password, and hardware identity tag information from the newly added authentication information; and writing the username, password, and hardware identity tag information into the security hardware module of the lower-level PLC.

7. A multi-factor login authentication device for an industrial control PLC system, characterized in that it includes: an acquisition module for acquiring login requests from the host computer, wherein the login request includes a username, password, and hardware identity tag information, and the login request is encrypted with a preset private key and sent from the host computer to the slave PLC; a preliminary verification module for obtaining the corresponding public key to parse the login request and authenticating the username, password and hardware identity tag information obtained through parsing; a challenge code generation module for generating a challenge code based on the username and a random factor obtained according to a preset rule, and sending it to the host computer after the username, password and hardware identity tag information are successfully authenticated; and a password authentication module for generating a verification password based on the username, random factor, and preset one-way hash function, and performing password authentication with the verification password and the dynamic password sent by the host computer, wherein the dynamic password is generated by the host computer based on the username, random factor, and preset one-way hash function sent by the slave PLC; if the password authentication is successful, the host computer is allowed to log in and perform data communication.

8. A computer device, characterized in that it includes: a memory for storing the processing program; and a processor which, when executing the processing program, implements the multi-factor login authentication method for an industrial control PLC system as described in any one of claims 1 to 6.

9. A readable storage medium, characterized in that the readable storage medium stores a processing program which, when executed by a processor, implements the multi-factor login authentication method for an industrial control PLC system as described in any one of claims 1 to 6.

10. A PLC system, characterized in that it includes: a PLC system security management platform, a host computer, security hardware devices for connecting to the host computer, and a slave PLC with integrated security hardware modules. The PLC system security management platform is used for the creation and issuance of PLC system user hardware identity tags. The security hardware modules are used to store verification information to verify the legitimacy of user identities. The security hardware devices are used to provide secure storage, encryption / decryption, and storage of hardware identity tag information.