A device connection method and apparatus
By deploying trusted cryptographic services on internal and external network media devices and on external network devices, the trustworthiness of external network devices and users is verified, thus solving the threat posed by external network users to internal network data and achieving secure protection of internal network data.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Patents(China)
- Current Assignee / Owner
- BEIJING UNIV OF TECH
- Filing Date
- 2023-11-30
- Publication Date
- 2026-06-19
AI Technical Summary
When internal and external network media devices and external network devices are connected, suspicious behavior of external network users may pose a threat to internal network data, and existing technologies have failed to effectively protect against it.
Deploy trusted cryptographic services on internal and external network media devices and on external network devices to determine whether to allow a connection by verifying the trustworthiness of the external network device and the user, and to prohibit untrusted connection requests.
By verifying the trustworthiness of external network devices, potential threats to internal network data are eliminated, thus protecting the security of internal network data.
Abstract figure: CN117896092B_ABST
Abstract
Description
Technical Field
[0001] This invention relates to the field of computer technology, and in particular to a device connection method and apparatus.
Background Art
[0002] In some industrial control scenarios, there are intranets and extranets, such as in the oil transportation sector. Currently, intranet and extranet media devices (devices that connect to both the intranet and extranet) and extranet devices establish connections for data exchange when needed.
[0003] Currently, the connection between internal / external network media devices and external network devices is established by the user sending a connection request to the internal / external network media device through the external network device. The internal / external network media device then directly allows the external network device to connect based on the connection request. However, if the user using the external network device engages in suspicious behavior, it may pose a threat to the internal network data.
Summary of the Invention
[0004] In view of the above problems, the present invention provides a device connection method and apparatus, the main purpose of which is to avoid threatening intranet data.
[0005] To solve the above-mentioned technical problems, the present invention proposes the following solution:
[0006] In a first aspect, the present invention provides a device connection method, wherein the device includes an external network device and an internal / external network media device, and both the external network device and the internal / external network media device are equipped with a trusted cryptographic service, the method comprising:
[0007] Detect whether a connection request has been received from the external network device;
[0008] If received, the trusted cryptographic service is used to verify whether the external network device is a connectable device;
[0009] If not, then connection to the external network device is prohibited;
[0010] If so, then connect to the external network device.
[0011] In a second aspect, the present invention provides a device connection apparatus, the device comprising an external network device and an internal / external network media device, wherein a trusted cryptographic service is deployed on both the external network device and the internal / external network media device, the apparatus comprising:
[0012] A request detection unit is used to detect whether a connection request has been received from the external network device.
[0013] The device verification unit is used to verify whether the external network device is a connectable device based on the trusted cryptographic service if the request detection unit detects that the request has been received.
[0014] The first result unit is used to prohibit the connection to the external network device if the device verification unit fails to verify it.
[0015] The second result unit is used to connect to the external network device if the device verification unit verifies that the device is valid.
[0016] To achieve the above objectives, according to a third aspect of the present invention, a storage medium is provided, the storage medium including a stored program, wherein, when the program is executed, the device on which the storage medium is located is controlled to perform the device connection method of the first aspect described above.
[0017] To achieve the above objectives, according to a fourth aspect of the present invention, a processor is provided for running a program, wherein the program executes the device connection method of the first aspect described above.
[0018] By employing the above technical solution, the device connection method and apparatus provided by this invention can deploy trusted cryptographic services in an external network environment. This allows trusted cryptographic services to be deployed on both the internal and external network media devices and the external network devices themselves. When an external network user sends a connection request to the internal and external network media devices through the external network device, the internal and external network media devices and the external network device can verify whether the external network device is a connectable device based on the trusted cryptographic service. If it is not a connectable device, the internal and external network media devices can directly reject the connection request from the external network device, prohibiting the connection and cutting off the possibility of threatening internal network data from the source. In other words, this invention only allows the external network device to connect if the external network user and the external network device are verified to be secure based on the trusted cryptographic service, which can protect the security of internal network data to a certain extent.
[0019] The above description is merely an overview of the technical solution of the present invention. In order to better understand the technical means of the present invention and to implement it in accordance with the contents of the specification, and in order to make the above and other objects, features and advantages of the present invention more apparent and understandable, specific embodiments of the present invention are described below.
Brief Description of the Drawings
[0020] Various other advantages and benefits will become apparent to those skilled in the art upon reading the following detailed description of preferred embodiments. The accompanying drawings are for illustrative purposes only and are not intended to limit the invention. Furthermore, the same reference numerals denote the same parts throughout the drawings. In the drawings:
[0021] Figure 1 is a flowchart of a device connection method provided by an embodiment of the present invention;
[0022] Figure 2 is a flowchart of another device connection method provided by an embodiment of the present invention;
[0023] Figure 3 is a block diagram of a device connection apparatus provided by an embodiment of the present invention;
[0024] Figure 4 is a block diagram of another device connection apparatus provided by an embodiment of the present invention.
Detailed Description of the Embodiments
[0025] Exemplary embodiments of the present disclosure will now be described in more detail with reference to the accompanying drawings. While exemplary embodiments of the present disclosure are shown in the drawings, it should be understood that the present disclosure may be implemented in various forms and should not be limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the disclosure to those skilled in the art.
[0026] Addressing the current problem that internal / external network media devices connect directly to external network devices, which threatens internal network data should external users engage in suspicious activity, the inventors found that a trusted cryptographic service can be deployed on both the internal / external network media devices and the external network devices. This allows the internal / external network media device to verify the trustworthiness of the external network device and its user before connecting. If they are trusted, the connection is established; otherwise it is blocked, protecting internal network data at the source. The specific implementation steps, as shown in Figure 1, include:
[0027] 101. Check if a connection request has been received from an external network device.
[0028] In this invention, trusted cryptographic services can be used in the external network environment, that is, trusted cryptographic services are deployed on both internal and external network media devices and external network devices that are connected to both internal and external networks.
[0029] Trusted technology is currently a popular technology for solving information security problems. Trusted technology can provide security protection during computation, ensuring that the entire process is measurable and controllable.
[0030] After trusted cryptographic services are deployed on both the internal / external network media device and the external network device, an external network user can send a connection request to the internal / external network media device whenever interaction with it is needed. The internal / external network media device detects in real time whether a connection request has been received from the external network device; that is, the executing entity of this invention is the internal / external network media device. If a request is received, step 102 is executed; if not, the external network device may simply not have sent a connection request yet, and detection continues.
[0031] The connection request may include information about the external network user who sent the connection request and information about the external network device.
[0032] 102. Verify whether external network devices are connectable devices based on trusted cryptographic services.
[0033] After the internal and external network media devices receive a connection request from the external network device, since both the internal and external network media devices and the external network device are equipped with trusted cryptographic services, the trusted cryptographic services can be used to verify whether the external network device is a connectable device.
[0034] It should be noted that in this invention, mutual verification between the internal / external network media device and the external network device is not required; the internal / external network media device only needs to verify whether the external network device is a connectable device. This is because the internal / external network media device has already successfully connected to the internal network, and connecting to the internal network requires mutual verification with an administrator who holds a long-term certificate; only after that verification succeeds can the connection to the internal network be established. The successful connection of the internal / external network media device to the internal network therefore proves that mutual verification with the administrator has succeeded, which ensures the security of the internal / external network media device.
[0035] When verifying whether an external network device is a connectable device based on the trusted cryptographic service, the application trusted cryptographic service deployed on the internal / external network media device and the execution trusted cryptographic service deployed on the external network device can together verify whether the external network user sending the connection request through the external network device has passed authentication. This is because the external network user's authentication request includes information about the external network device, so if the external network user is authenticated, the external network device is also secure. Alternatively, verification may rely on the application trusted cryptographic service alone. If the external network user fails authentication, the external network device is not a connectable device, and step 103 is executed. If the external network user passes authentication, the external network device is a connectable device, and step 104 can be executed.
[0036] 103. Do not connect to the external network device.
[0037] In this step, if the external network device is not a connectable device, the connection request from the external network device can be directly rejected.
[0038] 104. Connect to external network devices.
[0039] In this step, if the external network user using the external network device passes verification, this proves that the external network device is a connectable device; the internal / external network media device can then respond to the connection request and connect to the external network device. That is, the connection is made only after the verification of this invention has been passed.
[0040] As can be seen from the implementation shown in Figure 1 above, the device connection method provided by this invention deploys a trusted cryptographic service in the external network environment, so that the trusted cryptographic service is present on both the internal / external network media device and the external network device itself. When an external network user sends a connection request to the internal / external network media device through the external network device, the internal / external network media device and the external network device can verify whether the external network device is a connectable device based on the trusted cryptographic service. If it is not a connectable device, the internal / external network media device can directly reject the connection request from the external network device and prohibit the connection, thus cutting off the possibility of threatening internal network data at the source. In other words, this invention only allows the external network device to connect if the external network device and the external network user are verified to be secure based on the trusted cryptographic service, which can protect the security of internal network data to a certain extent.
[0041] Furthermore, as a refinement and extension of the embodiment shown in Figure 1, this invention also provides another device connection method. As shown in Figure 2, the specific steps are as follows:
[0042] 201. Check if a connection request has been received from an external network device.
[0043] The implementation method of step 201 is the same as that of step 101, and can achieve the same technical effect and solve the same technical problem, so it will not be repeated here.
[0044] 202. Verify whether external network devices are connectable devices based on trusted cryptographic services.
[0045] Step 202 proposes a better implementation method that differs from step 102.
[0046] In this invention, the trusted cryptographic service architecture is divided into three layers: the request layer, the parsing layer, and the execution layer. Each of the request layer, the parsing layer, and the execution layer maintains its corresponding database.
[0047] The request layer monitors the operational behavior of the subject and, when cryptographic services are needed, determines the type of cryptographic service to trigger based on that behavior. The request layer's database stores the association between system objects (behavior descriptions) and application objects (subjects).
[0048] The parsing layer maintains the association between application objects and cryptographic objects. During a cryptographic service it supplies the specific cryptographic object identifier (which identifies the particular key to use), the cryptographic type (which indicates whether the key is used for authentication, encapsulation, etc.), and other parameters. This layer's database stores the association between application objects (the actors) and cryptographic objects (keys, trusted certificates, and trusted reports). Upon receiving a cryptographic operation request from the request layer, this layer queries its database (the key database) using the request and the accompanying application object to determine the cryptographic operation to perform (for example, whether a certificate exists; if one exists, whether to use it for mutual recognition with other application objects; or, if none exists, to perform self-authentication).
[0049] The execution layer determines the parameter configuration and execution sequence of cryptographic operations to generate execution commands, executes the cryptographic operations by invoking trusted cryptographic devices, and returns the processing results. The database in this layer stores and maintains information such as the attributes and status of cryptographic objects (e.g., whether the key is active).
[0050] In addition, the request layer includes: a personal status check module, a key exchange request module, a key exchange processing module, an integrity report request module, an integrity report information collection module, and an integrity report processing module. It also establishes an application object attribute database, a node attribute database, and a PCR register-trusted status association database.
[0051] The parsing layer includes: a key management module, a key inspection module, a certificate application preparation module, a certificate exchange request module, a certificate exchange processing module, an integrity report preparation module, and an integrity report verification preparation module, enabling key object querying and operation selection. It also establishes an application object-certificate association database (key database) and a PCR value-trust status association database.
[0052] The execution layer includes modules for certificate application, certificate issuance, certificate activation, certificate public key / certificate acquisition, key creation, integrity report generation, and integrity report verification, and establishes a trusted key state database.
[0053] The PCR (Proof-of-Reliability Report) is a register built into the cryptographic chip that stores the actual execution process of the application. The PCR value represents this actual application execution process and is also known as the actual trusted platform credibility report. It's important to note that there is a standard execution process for the application. The verifier (the party requesting the trusted cryptographic service) can reproduce this standard execution process to obtain the reproduced PCR value, which is essentially a reproduced trusted platform credibility report.
[0054] After explaining the trusted cryptographic service described above, the external network device verification process implemented based on the trusted cryptographic service architecture will be further explained in detail:
[0055] The application trusted cryptographic service deployed on the internal / external network media device and the execution trusted cryptographic service deployed on the external network device are used to verify whether the external network user has passed authentication. If the user passes, the external network device is determined to be a connectable device; if not, the external network device is determined to be an unconnectable device.
[0056] Specifically, the application trusted key exchange service deployed on the internal / external network media device first sends a key exchange request to the key exchange request module in the application request layer of the application trusted cryptographic service. The key exchange request includes the external network user's unique identifier (ID) and information about the external network device on which the external network user is located.
[0057] Upon receiving the key exchange request, the key exchange request module in the application request layer forwards it to the key inspection module in the application parsing layer of the application trusted cryptographic service. The key inspection module then checks the application key database for a public key corresponding to the external network user, based on the user's unique identifier (ID) and the external network device information in the key exchange request. If the public key exists, it can be determined that the external network user has a certificate and that the certificate has already been verified: the external network user is authenticated and the external network device is a connectable device. At the same time, the public key information can be returned to the application trusted key exchange service through the application request layer.
[0058] If no public key is found, it may be that the external network user has no certificate, in which case the connection of the external network device can be rejected. There is, however, another possibility, which is also a preferred embodiment of the present invention: the external network device may simply not have sent its public key information yet. In this case, the application trusted cryptographic service can further communicate with the execution trusted cryptographic service to determine whether the external network user has a certificate. Specifically:
[0059] The certificate exchange processing module in the application parsing layer first queries the PCR value-trust status association database, based on the key exchange request, for the reproduced trusted platform credibility report corresponding to the external network user. It then combines the reproduced trusted platform credibility report, the external network user's unique identifier (ID), and the external network device information into certificate exchange index information, and returns this index information to the key exchange request module in the application request layer.
[0060] The key exchange request module of the application request layer sends the certificate exchange index information to the application trusted key exchange service. The application trusted key exchange service then sends it to the execution trusted key exchange service in the execution request layer of the execution trusted cryptographic service on the external network device.
[0061] The execution trusted key exchange service sends the certificate exchange index information to the key exchange request module of the execution request layer, which passes it to the certificate exchange processing module of the execution parsing layer. That module uses the certificate exchange index information to query the execution key database for a certificate identifier and public key identifier corresponding to the external network user. If none is found, this proves that the external network user has no certificate and the external network device is not a connectable device. If they are found, the certificate exchange processing module of the execution parsing layer sends the public key identifier, certificate identifier, and certificate exchange index information together to the certificate public key / certificate acquisition module of the execution layer in the execution trusted cryptographic service.
[0062] The certificate public key / certificate acquisition module of the execution layer reads the certificate file corresponding to the certificate identifier and the public key file corresponding to the public key identifier, combines them into certificate exchange information, and returns the certificate exchange information and certificate exchange index information to the certificate exchange processing module of the execution parsing layer. That module returns both to the key exchange request module of the execution request layer, which in turn returns them to the execution trusted key exchange service.
[0063] The execution trusted key exchange service returns the certificate exchange information and certificate exchange index information to the application trusted key exchange service in the application trusted cryptographic service, which sends them to the key exchange processing module of the application request layer. The key exchange processing module passes them to the certificate integrity verification module of the application parsing layer. This module extracts the public key and certificate from the certificate exchange information and submits them to the certificate verification program and the certificate integrity verification program of the application execution layer, respectively, to verify the trustworthiness of the certificate using the public key. At the same time, it computes the digest of the public key and compares it with the key digest recorded in the certificate to further confirm whether the certificate is trustworthy. If the certificate is trustworthy, the certificate and public key can be stored in the application key database of the application parsing layer, and the result is returned to the application trusted key exchange service through the key exchange module of the application request layer to complete the verification. At this point, the external network user is considered to have a certificate that has passed verification: the external network user is authenticated and the external network device is a connectable device. However, to guard against tampering, the certificate can be further verified in step 203.
[0064] 203. Perform auxiliary verification of external network users' certificates to confirm whether the external network users' certificates are trustworthy.
[0065] In this step, after the application execution layer has verified the trustworthiness of the external network user's certificate, in addition to storing the certificate and public key in the application parsing layer's key database, the certificate can also be further verified by comparing the reproduced trusted platform credibility report with the actual trusted platform credibility report. The reproduced report reproduces the standard execution process of the application, such as the standard user certificate generation process, while the actual report records the application's actual execution process, such as the actual user certificate generation process. If anyone tampers with, forges, or deletes the certificate, this is recorded in the actual trusted platform credibility report. Therefore, the actual report recorded in the PCR register can be read out and compared with the reproduced report to determine whether they are consistent. If they are inconsistent, this proves that the execution process has been tampered with and the certificate is untrustworthy, so step 204 is executed. If they are consistent, the certificate is verified as trustworthy, and step 205 is executed.
[0066] It should be noted that the reproduced trusted platform credibility report is based on the standard user certificate generation process and is unrelated to whether a certificate actually exists: it can be generated even before a certificate is found. This allows it to be compared with the actual certificate generation process to verify the authenticity of a certificate found later. If no certificate is found, no comparison is needed.
[0067] Additionally, if the certificate is untrusted, the status of the certificate and key needs to be marked in the execution layer (for example, as invalid), and the certificate is deleted from the key database in the parsing layer.
[0068] Furthermore, it is meaningless to prove whether a certificate exists based solely on the actual trusted platform credibility report recorded in the register, because the report only records the execution process of certificate generation, not the certificate content itself. The certificate therefore still has to be obtained. It is thus better to verify the authenticity of the certificate by comparing the actual trusted platform credibility report with the reproduced trusted platform credibility report.
[0069] 204. Do not connect to external network devices.
[0070] 205. Connect to external network devices.
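As an added illustration (not code from the patent or from its assignee), the following Python simulates the verification flow of steps 202 to 205 together with the PCR replay described in paragraph [0053]: the media device's application service first looks in its key database, fetches the certificate and public key from the external device's execution service when nothing is on file, checks the issuer signature and the embedded public key digest, and finally compares the actual PCR value with one reproduced from the standard certificate generation process. The PCR extend rule, the HMAC-based certificate format, the class and method names and all sample identities are assumptions constructed for this example.

```python
import hashlib
import hmac


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


# PCR model (assumption): the register accumulates H(old || H(event)) per recorded step.
def pcr_extend(pcr: bytes, event: bytes) -> bytes:
    return sha256(pcr + sha256(event))


def pcr_from_events(events) -> bytes:
    pcr = bytes(32)
    for event in events:
        pcr = pcr_extend(pcr, event)
    return pcr


# Standard certificate generation process (constructed step names). Replaying it gives the
# reproduced trusted platform credibility report that step 203 uses as its reference.
STANDARD_CERT_PROCESS = [b"load-issuer-root", b"gen-user-key", b"issue-user-cert", b"activate-cert"]


def cert_body(cert: dict) -> bytes:
    return f"{cert['user_id']}|{cert['device_info']}|{cert['pubkey_digest']}".encode()


def make_certificate(issuer_key: bytes, user_id: str, device_info: str, pubkey: bytes) -> dict:
    """Issuer-side helper: bind user and device to a digest of the public key. The signature is
    an HMAC under the issuer key, a stand-in for a real signature scheme (simplification)."""
    cert = {"user_id": user_id, "device_info": device_info, "pubkey_digest": sha256(pubkey).hex()}
    cert["sig"] = hmac.new(issuer_key, cert_body(cert), hashlib.sha256).digest()
    return cert


class ExecutionService:
    """Execution trusted cryptographic service on the external network device."""
    def __init__(self, cert_store: dict, pcr_events: list):
        self.cert_store = cert_store  # execution key database: (user_id, device_info) -> (cert, pubkey)
        self.pcr_events = pcr_events  # steps the chip actually recorded while the cert was generated

    def certificate_exchange(self, index: tuple):
        _reproduced_pcr, user_id, device_info = index  # certificate exchange index information
        return self.cert_store.get((user_id, device_info))  # None: the user has no certificate

    def read_pcr(self) -> bytes:
        return pcr_from_events(self.pcr_events)  # actual trusted platform credibility report


class ApplicationService:
    """Application trusted cryptographic service on the internal / external network media device."""
    def __init__(self, issuer_key: bytes):
        self.issuer_key = issuer_key
        self.key_db = {}          # application key database: (user_id, device_info) -> pubkey
        self.invalidated = set()  # status marks for certificates found untrusted (paragraph [0067])

    def verify_user(self, user_id: str, device_info: str, remote: ExecutionService):
        """Simulates steps 202 and 203; returns (connectable, reason)."""
        key = (user_id, device_info)
        # Step 202, parsing layer: a public key on file means the user was already verified.
        if key in self.key_db:
            return True, "public key on file"
        # Nothing on file: build the certificate exchange index and ask the external device.
        reproduced_pcr = pcr_from_events(STANDARD_CERT_PROCESS)
        found = remote.certificate_exchange((reproduced_pcr, user_id, device_info))
        if found is None:
            return False, "no certificate"
        cert, pubkey = found
        # Execution layer: the certificate must name this user/device, carry a valid issuer
        # signature, and its embedded key digest must match the public key actually presented.
        if (cert["user_id"], cert["device_info"]) != key:
            return False, "certificate subject mismatch"
        expected_sig = hmac.new(self.issuer_key, cert_body(cert), hashlib.sha256).digest()
        if not hmac.compare_digest(expected_sig, cert["sig"]):
            return False, "certificate signature invalid"
        if cert["pubkey_digest"] != sha256(pubkey).hex():
            return False, "public key digest mismatch"
        # Step 203, auxiliary check: the actual PCR must equal the reproduced standard process;
        # any extra or altered certificate generation step changes the register value.
        if not hmac.compare_digest(remote.read_pcr(), reproduced_pcr):
            self.invalidated.add(key)  # mark invalid, do not store (step 204)
            return False, "execution process tampered"
        self.key_db[key] = pubkey  # store for later connection requests (step 205)
        return True, "certificate verified"


def demo() -> dict:
    """Constructed scenario: one honest external device, one whose cert generation was tampered."""
    issuer_key = b"constructed-issuer-key"
    alice_pub, bob_pub, mallory_pub = b"alice-pub", b"bob-pub", b"mallory-pub"
    alice_cert = make_certificate(issuer_key, "alice", "dev-7", alice_pub)
    other_cert = make_certificate(issuer_key, "mallory", "dev-7", b"some-other-pub")
    honest = ExecutionService({("alice", "dev-7"): (alice_cert, alice_pub),
                               ("mallory", "dev-7"): (other_cert, mallory_pub)}, STANDARD_CERT_PROCESS)
    tampered = ExecutionService({("alice", "dev-7"): (alice_cert, alice_pub)},
                                STANDARD_CERT_PROCESS + [b"replace-cert-file"])
    app = ApplicationService(issuer_key)
    app.key_db[("bob", "dev-7")] = bob_pub  # bob was verified in an earlier session
    return {
        "on_file": app.verify_user("bob", "dev-7", honest),
        "fresh_cert": app.verify_user("alice", "dev-7", honest),
        "second_request": app.verify_user("alice", "dev-7", honest),
        "no_cert": app.verify_user("carol", "dev-7", honest),
        "bad_digest": app.verify_user("mallory", "dev-7", honest),
        "tampered": ApplicationService(issuer_key).verify_user("alice", "dev-7", tampered),
    }
```

Calling `demo()` returns the (connectable, reason) pair for each constructed case; the tampered device is refused even though its certificate and public key pass every check in step 202.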
[0071] Furthermore, corresponding to the method shown in Figure 1 above, this embodiment of the invention also provides a device connection apparatus for implementing the method shown in Figure 1. This apparatus embodiment corresponds to the foregoing method embodiment. For ease of reading, this apparatus embodiment does not repeat the details of the foregoing method embodiment, but it should be clear that the apparatus in this embodiment can implement all the contents of the foregoing method embodiment. As shown in Figure 3, the apparatus includes:
[0072] The request detection unit 301 is used to detect whether a connection request has been received from the external network device.
[0073] The device verification unit 302 is used to verify whether the external network device is a connectable device based on the trusted cryptographic service if the request detection unit 301 detects that the request has been received.
[0074] The first result unit 303 is used to prohibit the connection to the external network device if the device verification unit 302 fails to verify it.
[0075] The second result unit 304 is used to connect to the external network device if the device verification unit 302 verifies that the device is valid.
[0076] Furthermore, corresponding to the method shown in Figure 2 above, this embodiment of the invention also provides another device connection apparatus for implementing the method shown in Figure 2. This apparatus embodiment corresponds to the foregoing method embodiment. For ease of reading, this apparatus embodiment does not repeat the details of the foregoing method embodiment, but it should be clear that the apparatus in this embodiment can implement all the contents of the foregoing method embodiment. As shown in Figure 4, the apparatus includes:
[0077] The request detection unit 301 is used to detect whether a connection request has been received from the external network device.
[0078] The device verification unit 302 is used to verify whether the external network device is a connectable device based on the trusted cryptographic service if the request detection unit 301 detects that the request has been received.
[0079] The first result unit 303 is used to prohibit the connection to the external network device if the device verification unit 302 fails to verify it.
[0080] The second result unit 304 is used to connect to the external network device if the device verification unit 302 verifies that the device is valid.
[0081] In one optional implementation, the device verification unit 302 includes:
[0082] The device verification module 3021 is used to verify whether an external network user using the external network device has passed authentication by using the application trusted cryptography service and the execution trusted cryptography service among the trusted cryptographic services, where the execution trusted cryptography service is deployed on the external network device and the application trusted cryptography service is deployed on the internal and external network media devices. Each trusted cryptography service includes a request layer, a parsing layer and an execution layer, and each of these layers is responsible for its corresponding database.
[0083] The first determining module 3022 is used to determine that the external network device is a connectable device if the device verification module 3021 verifies it successfully.
[0084] The second determining module 3023 is used to determine that the external network device is not a connectable device if the device verification module 3021 fails the verification.
[0085] In one optional implementation, the device verification module 3021 includes:
[0086] The certificate verification submodule 30211 is used to verify whether the external network user has a certificate by using the application trusted cryptography service and the execution trusted cryptography service.
[0087] The first verification submodule 30212 is used to determine that the external network user has passed authentication if the certificate verification submodule 30211 verifies that the certificate exists and passes verification.
[0088] The second verification submodule 30213 is used to determine that the external network user has not passed authentication if the certificate verification submodule 30211 finds that the certificate does not exist or fails verification.
[0089] In one optional implementation, the certificate verification submodule 30211 is specifically used for:
[0090] The application trusted key exchange service in the application trusted cryptography service is used to send a key exchange request to the application request layer of the application trusted cryptography service. The key exchange request includes the unique identifier of the external network user and the information of the external network device used by the external network user.
[0091] The application request layer forwards the key exchange request to the application parsing layer of the application trusted cryptography service.
[0092] Using the application parsing layer, the application key database is queried, based on the key exchange request, for public key information corresponding to the external network user;
[0093] If it exists, the external network user is confirmed to be authenticated, and the public key information is returned to the application trusted key exchange service.
[0094] In another optional implementation, the certificate verification submodule 30211 is specifically used for:
[0095] Certificate exchange index information is formed using the application parsing layer. The certificate exchange index information includes the unique identifier of the external network user, the information of the external network device on which the external network user is located, and the reproduced trusted platform credibility report of the external network user. The reproduced trusted platform credibility report characterizes a reproduction of the standard certificate generation process of the external network user.
[0096] The certificate exchange index information is sent to the execution trusted cryptography service;
[0097] Using the execution trusted cryptography service, whether the external network user has a certificate is queried based on the certificate exchange index information.
[0098] In an optional implementation, when the certificate verification submodule 30211 uses the execution trusted cryptography service to query whether the external network user has a certificate based on the certificate exchange index information, it is specifically used for:
[0099] Querying, in the execution key database of the execution trusted cryptography service and based on the certificate exchange index information, whether the external network user has a corresponding certificate identifier and public key identifier;
[0100] If they exist, using the execution layer of the execution trusted cryptography service to read the certificate file corresponding to the certificate identifier and the public key file corresponding to the public key identifier, and combining the certificate file and the public key file into certificate exchange information;
[0101] Returning the certificate exchange information and the certificate exchange index information to the application trusted cryptography service;
[0102] Using the application execution layer of the application trusted cryptography service to verify whether the certificate file and the public key file in the certificate exchange information of the external network user are trustworthy;
[0103] If they are trustworthy, storing the certificate file and the public key file of the external network user in the application key database of the application parsing layer, and returning the result to the application trusted key exchange service to complete the verification.
[0104] In an optional implementation, after the certificate verification submodule 30211 verifies, using the application execution layer of the application trusted cryptography service, whether the certificate file and the public key file in the certificate exchange information of the external network user are trustworthy, the apparatus further includes a certificate verification unit 305, which includes:
[0105] The report acquisition module 3051 is used to acquire the actual trusted platform credibility report of the external network user from a specified register. The actual trusted platform credibility report characterizes the actual certificate generation process of the external network user.
[0106] The report comparison module 3052 is used to determine whether the actual trusted platform credibility report acquired by the report acquisition module 3051 is consistent with the reproduced trusted platform credibility report of the external network user;
[0107] The first verification determination module 3053 is used to determine that the certificate file and the public key file are untrustworthy if the comparison by the report comparison module 3052 finds them inconsistent.
[0108] The second verification determination module 3054 is used to determine that the certificate file and the public key file are trustworthy if the comparison by the report comparison module 3052 finds them consistent.
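The key exchange, certificate exchange and report comparison of paragraphs [0090] to [0108] (restated in claims 1 to 4), as an added Python model that is not part of the patent: the two trusted cryptography services are plain classes, the "certificate file" is a JSON record carrying an HMAC under an issuer key assumed to be shared by both services (a stand-in for a real certificate chain), and the credibility report is a PCR-style hash chain over the certificate generation steps. All names, identifiers and data are constructed.

```python
import hashlib
import hmac
import json

# Constructed: issuer key assumed shared by both services (stand-in for a real certificate chain), and the standard certificate generation steps the reproduced report replays.
ISSUER_KEY = b"constructed-issuer-key"
STANDARD_CERT_STEPS = ("generate-keypair", "build-csr", "issuer-sign")

def credibility_report(steps) -> str:
    """PCR-style measurement of a step sequence: reg = H(reg || H(step)), hex-encoded."""
    reg = bytes(32)
    for step in steps:
        reg = hashlib.sha256(reg + hashlib.sha256(step.encode()).digest()).digest()
    return reg.hex()

class ExecutionTCS:
    """Execution trusted cryptography service on the external network device."""
    def __init__(self):
        self.exec_key_db = {}  # (user_id, device_info) -> (cert_id, pubkey_id)
        self.files = {}        # identifier -> file bytes read by the execution layer
        self.register = ""     # the specified register holding the actual report

    def enroll(self, user_id, device_info, pubkey, steps=STANDARD_CERT_STEPS):
        cert = {"subject": user_id, "device": device_info, "pubkey": pubkey.hex()}
        body = json.dumps(cert, sort_keys=True).encode()
        cert["sig"] = hmac.new(ISSUER_KEY, body, "sha256").hexdigest()
        cert_id, pk_id = f"cert-{user_id}", f"pk-{user_id}"
        self.files[cert_id] = json.dumps(cert, sort_keys=True).encode()
        self.files[pk_id] = pubkey
        self.exec_key_db[(user_id, device_info)] = (cert_id, pk_id)
        self.register = credibility_report(steps)  # the actual generation process

    def certificate_exchange(self, index):
        """Parsing layer looks up identifiers in the execution key database; execution layer reads files."""
        ids = self.exec_key_db.get((index["user_id"], index["device_info"]))
        if ids is None:
            return None
        info = {"cert_file": self.files[ids[0]], "pubkey_file": self.files[ids[1]]}
        return info, index  # certificate exchange information plus the index it answers

class ApplicationTCS:
    """Application trusted cryptography service on the internal/external network media device."""
    def __init__(self, exec_tcs):
        self.app_key_db = {}  # application parsing layer's database: user_id -> public key
        self.exec_tcs = exec_tcs

    def key_exchange(self, user_id, device_info):
        """Key exchange request: request layer -> parsing layer -> certificate exchange if needed."""
        if user_id in self.app_key_db:  # public key already present: authenticated
            return True
        index = {"user_id": user_id, "device_info": device_info,
                 "reproduced_report": credibility_report(STANDARD_CERT_STEPS)}
        resp = self.exec_tcs.certificate_exchange(index)
        if resp is None:  # no certificate identifier for this user/device
            return False
        info, index_back = resp
        if not self._files_trusted(user_id, info):  # application execution layer check
            return False
        if not hmac.compare_digest(self.exec_tcs.register, index_back["reproduced_report"]):
            return False  # actual report read from the register differs from the reproduced one
        self.app_key_db[user_id] = info["pubkey_file"]  # stored for later requests
        return True

    def _files_trusted(self, user_id, info):
        cert = json.loads(info["cert_file"])
        sig = cert.pop("sig", "")
        body = json.dumps(cert, sort_keys=True).encode()
        expected = hmac.new(ISSUER_KEY, body, "sha256").hexdigest()
        return (hmac.compare_digest(sig, expected) and cert["subject"] == user_id
                and cert["pubkey"] == info["pubkey_file"].hex())

def handle_connection_request(app_tcs, request):
    """Units 301-304: a received request is verified, then prohibited or connected."""
    ok = app_tcs.key_exchange(request["user_id"], request["device_info"])
    return "connect" if ok else "prohibit"

def demo(user_id, device_info, steps=STANDARD_CERT_STEPS):
    ext = ExecutionTCS()  # one constructed external device enrolling one user
    ext.enroll(user_id, device_info, b"\x11" * 32, steps)
    return handle_connection_request(ApplicationTCS(ext), {"user_id": user_id, "device_info": device_info})
```

A device whose register records a generation process differing from the standard steps is refused even though its certificate file verifies, which is the role of the report comparison in paragraphs [0105] to [0108].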
[0109] Furthermore, embodiments of the present invention also provide a storage medium for storing a computer program, wherein the computer program, when running, controls the device on which the storage medium is located to execute the device connection method described above with reference to Figures 1 and 2.
[0110] Furthermore, embodiments of the present invention also provide a processor for running a program, wherein the program, when running, executes the device connection method described above with reference to Figures 1 and 2.
[0111] In the above embodiments, the descriptions of each embodiment have different focuses. For parts not described in detail in a certain embodiment, please refer to the relevant descriptions in other embodiments.
[0112] It is understood that the relevant features in the above methods and apparatus can be referenced interchangeably. Furthermore, the terms "first," "second," etc., in the above embodiments are used to distinguish between embodiments and do not represent the superiority or inferiority of any particular embodiment.
[0113] Those skilled in the art will clearly understand that, for the sake of convenience and brevity, the specific working processes of the systems, devices, and units described above can be referred to the corresponding processes in the foregoing method embodiments, and will not be repeated here.
[0114] The algorithms and displays provided herein are not inherently related to any particular computer, virtual system, or other device. Various general-purpose systems can also be used in conjunction with the teachings herein. The required structure for constructing such systems is apparent from the above description. Furthermore, this invention is not directed to any particular programming language. It should be understood that the contents of the invention described herein can be implemented using various programming languages, and the above description of specific languages is for the purpose of disclosing the best mode of implementation of the invention.
[0115] In addition, the memory may include non-persistent memory in computer-readable media, such as random access memory (RAM), and/or non-volatile memory, such as read-only memory (ROM) or flash RAM; the memory includes at least one memory chip.
[0116] Those skilled in the art will understand that embodiments of this application can be provided as methods, systems, or computer program products. Therefore, this application can take the form of a completely hardware embodiment, a completely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, this application can take the form of a computer program product embodied on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM, optical storage, etc.) containing computer-usable program code.
[0117] This application is described with reference to flowcharts and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of this application. It will be understood that each flow and/or block of the flowcharts and/or block diagrams, and combinations of flows and/or blocks in the flowcharts and/or block diagrams, can be implemented by computer program instructions. These computer program instructions can be provided to a processor of a general-purpose computer, special-purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions executed by the processor of the computer or other programmable data processing apparatus produce means for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
[0118] These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means that implement the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
[0119] These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer-implemented process, such that the instructions executed on the computer or other programmable apparatus provide steps for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
[0120] In a typical configuration, a computing device includes one or more processors (CPU), input / output interfaces, network interfaces, and memory.
[0121] Memory may include non-persistent memory in computer-readable media, such as random access memory (RAM) and / or non-volatile memory, such as read-only memory (ROM) or flash RAM. Memory is an example of computer-readable media.
[0122] Computer-readable media include both permanent and non-permanent, removable and non-removable media that can store information using any method or technology. Information can be computer-readable instructions, data structures, program modules, or other data. Examples of computer storage media include, but are not limited to, phase-change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other memory technologies, CD-ROM, digital versatile disc (DVD) or other optical storage, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information accessible by a computing device. As defined herein, computer-readable media do not include transitory computer-readable media, such as modulated data signals and carrier waves.
[0123] It should also be noted that the terms "comprising," "including," or any other variations thereof are intended to cover non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such process, method, article, or apparatus. Unless otherwise specified, an element defined by the phrase "comprising a ..." does not exclude the presence of other identical elements in the process, method, article, or apparatus that includes that element.
[0124] Those skilled in the art will understand that embodiments of this application can be provided as methods, systems, or computer program products. Therefore, this application can take the form of a completely hardware embodiment, a completely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, this application can take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, etc.) containing computer-usable program code.
[0125] The above are merely embodiments of this application and are not intended to limit the scope of this application. Various modifications and variations can be made to this application by those skilled in the art. Any modifications, equivalent substitutions, improvements, etc., made within the spirit and principles of this application should be included within the scope of the claims of this application.
Claims
1. A device connection method, characterized in that the devices include an external network device and an internal/external network media device, both of which are equipped with trusted cryptographic services, and the method includes: detecting whether a connection request has been received from the external network device; if received, verifying, based on the trusted cryptographic services, whether the external network device is a connectable device, which includes: verifying, using the application trusted cryptography service and the execution trusted cryptography service among the trusted cryptographic services, whether the external network user using the external network device is authenticated, wherein the execution trusted cryptography service is deployed on the external network device, the application trusted cryptography service is deployed on the internal/external network media device, and each trusted cryptography service includes a request layer, a parsing layer and an execution layer, each of which is responsible for its corresponding database; wherein verifying whether the external network user has a certificate using the application trusted cryptography service and the execution trusted cryptography service includes: forming certificate exchange index information using the application parsing layer, the certificate exchange index information including the unique identifier of the external network user, the information of the external network device on which the external network user is located, and the reproduced trusted platform credibility report of the external network user, the reproduced trusted platform credibility report characterizing a reproduction of the standard certificate generation process of the external network user; sending the certificate exchange index information to the execution trusted cryptography service; and querying, using the execution trusted cryptography service, whether the external network user has a certificate based on the certificate exchange index information; if a certificate exists and passes verification, determining that the external network user is authenticated; if the certificate does not exist or fails verification, determining that the external network user is not authenticated; if the verification succeeds, determining that the external network device is a connectable device; if the verification fails, determining that the external network device is not a connectable device; if the external network device is not a connectable device, prohibiting connection to the external network device; if it is, connecting to the external network device.
2. The method according to claim 1, characterized in that verifying whether the external network user has a certificate using the application trusted cryptography service and the execution trusted cryptography service includes: sending, by the application trusted key exchange service in the application trusted cryptography service, a key exchange request to the application request layer of the application trusted cryptography service, the key exchange request including the unique identifier of the external network user and the information of the external network device of the external network user; forwarding, by the application request layer, the key exchange request to the application parsing layer of the application trusted cryptography service; querying, using the application parsing layer and based on the key exchange request, the application key database for public key information corresponding to the external network user; and if it exists, confirming that the external network user is authenticated and returning the public key information to the application trusted key exchange service.
3. The method according to claim 1, characterized in that querying, using the execution trusted cryptography service, whether the external network user has a certificate based on the certificate exchange index information includes: querying, in the execution key database of the execution trusted cryptography service and based on the certificate exchange index information, whether the external network user has a corresponding certificate identifier and public key identifier; if they exist, using the execution layer of the execution trusted cryptography service to read the certificate file corresponding to the certificate identifier and the public key file corresponding to the public key identifier, and combining the certificate file and the public key file into certificate exchange information; returning the certificate exchange information and the certificate exchange index information to the application trusted cryptography service; using the application execution layer of the application trusted cryptography service to verify whether the certificate file and the public key file in the certificate exchange information of the external network user are trustworthy; and if they are trustworthy, storing the certificate file and the public key file of the external network user in the application key database of the application parsing layer, and returning the result to the application trusted key exchange service to complete the verification.
4. The method according to claim 3, characterized in that, after verifying, using the application execution layer of the application trusted cryptography service, whether the certificate file and the public key file in the certificate exchange information of the external network user are trustworthy, the method further includes: obtaining the actual trusted platform credibility report of the external network user from the specified register, the actual trusted platform credibility report characterizing the actual certificate generation process of the external network user; determining whether the actual trusted platform credibility report is consistent with the reproduced trusted platform credibility report of the external network user; if they are inconsistent, determining that the certificate file and the public key file are untrustworthy; if they are consistent, determining that the certificate file and the public key file are trustworthy.
5. A device connection apparatus, characterized in that the devices include an external network device and an internal/external network media device, both of which are equipped with trusted cryptographic services, and the apparatus includes: a request detection unit, used to detect whether a connection request has been received from the external network device; a device verification unit, configured to verify, based on the trusted cryptographic services, whether the external network device is a connectable device if the request detection unit detects that a request has been received, the device verification unit including: a device verification module, used to verify whether an external network user using the external network device has been authenticated by using the application trusted cryptography service and the execution trusted cryptography service among the trusted cryptographic services, wherein the execution trusted cryptography service is deployed on the external network device, the application trusted cryptography service is deployed on the internal/external network media device, and each trusted cryptography service includes a request layer, a parsing layer and an execution layer, each responsible for its corresponding database; the device verification module including: a certificate verification submodule, used to verify whether the external network user has a certificate by using the application trusted cryptography service and the execution trusted cryptography service, wherein the certificate verification submodule 30211 is specifically used for: forming certificate exchange index information using the application parsing layer, the certificate exchange index information including the unique identifier of the external network user, the information of the external network device on which the external network user is located, and the reproduced trusted platform credibility report of the external network user, the reproduced trusted platform credibility report characterizing a reproduction of the standard certificate generation process of the external network user; sending the certificate exchange index information to the execution trusted cryptography service; and querying, using the execution trusted cryptography service, whether the external network user has a certificate based on the certificate exchange index information; a first verification submodule, used to determine that the external network user has passed authentication if the certificate verification submodule verifies that the certificate exists and passes verification; a second verification submodule, used to determine that the external network user has not passed authentication if the certificate verification submodule finds that the certificate does not exist or fails verification; a first determining module, used to determine that the external network device is a connectable device if the device verification module passes the verification; a second determining module, used to determine that the external network device is not a connectable device if the device verification module fails the verification; a first result unit, used to prohibit connection to the external network device if the device verification unit fails the verification; and a second result unit, used to connect to the external network device if the device verification unit passes the verification.
6. A storage medium, characterized in that the storage medium includes a stored program, wherein, when the program runs, it controls the device on which the storage medium is located to perform the device connection method according to any one of claims 1 to 4.
7. A processor, characterized in that the processor is used to run a program, wherein the program, when running, executes the device connection method according to any one of claims 1 to 4.