An edge device-oriented lightweight security authentication system and method
By designing a lightweight security authentication system on edge devices and combining blockchain technology with behavioral assessment, the problems of high computational complexity and data tampering risk in traditional authentication systems are solved, achieving efficient and reliable security authentication and real-time threat detection.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Patents(China)
- Current Assignee / Owner
- BEIJING INTEGRATED CHINA SERVICE TECH SERVICE CO LTD
- Filing Date
- 2025-12-01
- Publication Date
- 2026-06-16
AI Technical Summary
Traditional security authentication systems have high computational complexity and resource consumption on edge devices, and lack comprehensive assessment of device behavior, making it impossible to detect abnormal behavior in a timely manner and effectively prevent dynamic security threats. Blockchain technology has not been fully utilized, resulting in the risk of data storage and transmission being tampered with.
A lightweight security authentication system for edge devices is designed, including modules such as device registration, request generation, request verification, behavior assessment, authorization decision-making, and certificate management. It combines blockchain technology to store data, uses lightweight encryption algorithms and differential update technology, and introduces a behavior assessment module for anomaly detection.
It enables secure authentication to operate efficiently on resource-constrained edge devices, ensuring the security and reliability of the authentication process. It provides real-time security monitoring by identifying and preventing potential threats from multiple dimensions, and enhances the credibility and traceability of data.
Smart Images

Figure CN121509027B_ABST
Abstract
Description
Technical Field
[0001] This invention relates to the field of digital information security authentication technology, and in particular to a lightweight security authentication system and method for edge devices. Background Technology
[0002] Traditional security authentication systems are often based on complex encryption algorithms and authentication processes. While these methods can provide high security, they are computationally complex and resource-intensive. In the field of edge computing, edge devices typically have low storage and computing power, so a lightweight security authentication solution is needed to meet their security authentication needs under resource-constrained conditions.
[0003] Traditional authentication systems often focus only on identity verification or certificate verification, ignoring the behavioral patterns of edge devices and lacking a comprehensive assessment of their behavior. This single-dimensional authentication method cannot detect abnormal behaviors that may occur during device operation in a timely manner, thus failing to effectively prevent dynamic security threats, especially when facing complex network environments and diverse device behaviors.
[0004] Blockchain technology is an emerging distributed ledger technology. With its decentralized, immutable and highly trustworthy characteristics, it has great potential in the fields of data security and privacy protection. Most traditional security authentication systems have failed to fully utilize the advantages of blockchain technology, resulting in the risk of data storage and transmission being tampered with, making it difficult to meet the requirements of high security. Summary of the Invention
[0005] This invention provides a lightweight security authentication system and method for edge devices to solve existing technical problems.
[0006] To solve the above-mentioned technical problems, the present invention provides the following technical solution:
[0007] A lightweight security authentication system for edge devices includes:
[0008] Device registration module: Used to collect basic information about edge devices and obtain security certificates and private keys from the authentication server;
[0009] Request generation module: used to detect the status information of edge devices, combine security certificates and private keys to generate authentication requests and send them to the authentication server;
[0010] Request verification module: Used to verify the identity and certificate of authentication requests and obtain the verification result;
[0011] Behavior assessment module: Used to perform behavior analysis and anomaly detection on edge devices to obtain behavior assessment information;
[0012] Authorization module: Used to perform trust assessment and authorization decisions for edge devices based on verification results and behavior evaluation information;
[0013] Certificate Management Module: Used to manage and update security certificates for edge devices;
[0014] Audit module: Used to collect log information, audit the log information, and generate audit reports.
[0015] A lightweight security authentication method for edge devices, applicable to the aforementioned lightweight security authentication system for edge devices, includes the following steps:
[0016] Step S1: Collect basic information about the edge device through the device registration module, and obtain the security certificate and private key from the authentication server;
[0017] Step S2: The request generation module detects the status information of the edge device, and generates an authentication request by combining the security certificate and private key, and sends the authentication request to the authentication server;
[0018] Step S3: The authentication request is verified by the request verification module to obtain the verification result;
[0019] Step S4: Perform behavior analysis and anomaly detection on the edge device through the behavior assessment module to obtain behavior assessment information;
[0020] Step S5: Based on the verification results and behavior assessment information, perform trust assessment and authorization decisions for the edge device through the authorization module;
[0021] Step S6: Manage and update the security certificates of edge devices through the certificate management module;
[0022] Step S7: Collect log information through the audit module, audit the log information, and generate an audit report.
[0023] The beneficial effects of the technical solution provided by this invention include at least the following:
[0024] This invention proposes a lightweight security authentication system for edge devices. Through lightweight encryption algorithms and differential update technology, this design enables the security authentication system to run efficiently on resource-constrained edge devices, while ensuring the security and reliability of the authentication process.
[0025] This invention designs a multi-module collaborative authentication mechanism, including multiple modules such as device registration, request generation, request verification, behavior assessment, authorization decision-making, certificate management, and auditing. These modules cooperate with each other and work together to identify and prevent potential security threats from multiple dimensions, ensuring the comprehensiveness and security of the authentication process.
[0026] This invention combines blockchain technology with a secure authentication system, storing basic information, security certificates, and log information of edge devices in the blockchain network. This enhances data credibility and traceability, and prevents malicious data tampering. The application of blockchain technology provides a more transparent and trustworthy operating environment for the secure authentication system, ensuring the integrity and fairness of the authentication process.
[0027] This invention introduces a behavior assessment module, which analyzes and detects anomalies in the authentication request frequency and network behavior patterns of edge devices. This enables the system to promptly detect potential security threats (such as abnormal network behavior or frequent authentication requests), thereby taking measures in advance to avoid security incidents and providing the system with real-time security monitoring capabilities. Attached Figure Description
[0028] To more clearly illustrate the technical solutions in the embodiments of the present invention, the accompanying drawings used in the description of the embodiments will be briefly introduced below. Obviously, the accompanying drawings described below are only some embodiments of the present invention. For those skilled in the art, other drawings can be obtained based on these drawings without creative effort.
[0029] Figure 1 A system structure diagram provided for an embodiment of the present invention;
[0030] Figure 2 This is a flowchart of a method provided in an embodiment of the present invention. Detailed Implementation
[0031] To make the objectives, technical solutions, and advantages of the present invention clearer, the embodiments of the present invention will be described in further detail below with reference to the accompanying drawings.
[0032] Reference Figure 1 , Figure 1 This is a system architecture diagram provided in an embodiment of the present invention. This embodiment provides a lightweight security authentication system for edge devices, including:
[0033] I. Device Registration Module: This module is used to collect basic information about edge devices and obtain security certificates and private keys from the authentication server. It includes an information collection submodule, a key registration submodule, a certificate generation submodule, and an information storage submodule.
[0034] The information collection submodule is used to collect basic information through the self-testing mechanism of the edge device. The basic information includes the type of edge device, hardware identifier, manufacturer information and operating system version. The hardware identifier includes MAC address and device serial number.
[0035] The key registration submodule is used to encapsulate basic information into a standardized registration request and send the standardized registration request to the authentication server when the edge device is first started.
[0036] The certificate generation submodule is used to receive the security certificate and private key from the authentication server via the CoAP protocol after the authentication server verifies the legitimacy of the standardized registration request;
[0037] The information storage submodule is used to store the basic information and security certificate of the edge device in the local database and blockchain network of the edge device, and to store the private key of the edge device in the HSM.
[0038] It should be noted that the self-testing mechanism of edge devices refers to the detection and diagnostic functions that the edge devices themselves possess. Its working principle is as follows: through built-in sensors and detection circuits, the device's hardware components (such as processors, memory, storage devices, network interfaces, etc.) are detected to obtain hardware identification information (such as MAC address, device serial number, etc.) and to check the version information of the operating system running on the device, including operating system type, version number, patch information, etc.
[0039] CoAP (Constrained Application Protocol) is a lightweight application layer communication protocol for the Internet of Things (IoT). CoAP is designed to adapt to resource-constrained devices and network environments, has low protocol overhead, and is suitable for use in low-bandwidth, high-latency networks.
[0040] Blockchain is a distributed ledger technology that uses cryptographic algorithms and consensus mechanisms to store data in blocks across multiple nodes in a network, forming an immutable and decentralized data recording system. The blockchain network has no centralized control body, and the data in the blockchain network is transparent to all nodes. Each node can view and verify the data in the blockchain network, which can effectively enhance the credibility and traceability of the data.
[0041] HSM (Hardware Security Module) is a system specifically designed to protect and manage digital keys and perform encryption operations. It is widely used in finance, communications, the Internet of Things and other fields to ensure information security and data security. It typically has a high level of security protection mechanisms, including physical protection, logical protection and encryption algorithms, which can effectively prevent key leakage and data tampering.
[0042] II. Request Generation Module: This module is used to detect the status information of edge devices, generate authentication requests by combining security certificates and private keys, and send them to the authentication server. It includes a status detection submodule, an information management submodule, a request generation and encryption submodule, and a log recording submodule.
[0043] The status detection submodule is used to detect the status information of the edge device in real time through the edge device's self-testing mechanism. The status information includes the edge device's operating status, network connection status, and fault status.
[0044] The information management submodule is used to read the basic information, security certificate, and private key of the edge device from the device's local database, and to perform hash verification on the read basic information, security certificate, and private key of the edge device;
[0045] The request generation and encryption submodule is used to encapsulate the basic information and security certificate of the edge device into an authentication request, digitally sign the authentication request with a private key, encrypt the authentication request with a lattice-based lightweight encryption algorithm, and finally send the encrypted authentication request to the authentication server via the CoAP protocol.
[0046] The logging submodule is used to record the operation process of status detection, information management, request generation and encryption as log information of the request generation module, and store the log information in the device's local database and blockchain network.
[0047] It should be noted that the running status refers to information such as the device's CPU utilization, memory usage, and process running status (e.g., CPU utilization remaining high for an extended period).
[0048] Network connectivity status refers to information such as the network interface status of a device, network bandwidth usage, and network latency.
[0049] Fault status refers to information such as hardware fault signals and software operation errors (e.g., device overheating, hard drive read / write errors, or application crashes).
[0050] A hash algorithm is an algorithm that transforms input data of arbitrary length into data of fixed length using a specific algorithm. The resulting data is usually called a hash value or digest value. In the information management submodule of the request generation module, the hash algorithm is used to locally verify the basic information, security certificate, and private key of the edge device to ensure the integrity of this data and that it has not been tampered with.
[0051] Lattice-based lightweight encryption algorithms are encryption algorithms built using lattice theory. The design of the algorithm takes into account the limitations of hardware resources, with a smaller key length and lower computational overhead. Compared with traditional encryption algorithms, it has higher efficiency in terms of computation and storage, and is suitable for running on resource-constrained edge devices.
[0052] III. Request Verification Module: This module is used to verify the identity and certificate of authentication requests and obtain the verification result. It is deployed on the authentication server and includes a certificate extraction submodule, an identity verification submodule, a certificate verification submodule, and a logging submodule.
[0053] The certificate extraction submodule is used to decode the authentication request using a JSON parser and extract basic information about the edge device, security certificate, and digital signature from the authentication request.
[0054] The authentication submodule is used to authenticate the edge device based on its basic information using the elliptic curve ECDSA algorithm, and obtain the authentication result.
[0055] The certificate verification submodule is used to verify the format, integrity, and validity of the security certificate in sequence using the X.509 certificate verification method, then verify the validity of the digital signature, and finally check whether the extended fields of the security certificate conform to the predefined certificate policy to obtain the certificate verification result.
[0056] The logging submodule records the certificate extraction, authentication, and certificate verification processes as log information for the request verification module, and stores the authentication results, certificate verification results, and log information in the lightweight SQLite database on the server side and the blockchain network.
[0057] It should be noted that JSON (JavaScript Object Notation) is a lightweight data interchange format that is easy to read and write, as well as easy for machines to parse and generate. It is text-based, uses the Unicode character set, and supports multiple programming languages.
[0058] ECDSA (Elliptic Curve Digital Signature Algorithm) is a digital signature algorithm based on elliptic curve cryptography. Compared with traditional algorithms such as RSA, ECDSA can achieve the same security with a shorter key length (such as 256 bits), reducing storage and transmission overhead. It is suitable for use on resource-constrained devices. In the authentication submodule of the request verification module, the edge device is authenticated by the elliptic curve-based ECDSA algorithm to ensure that the authentication request is generated by a legitimate edge device.
[0059] X.509 is an international standard used to define the format and verification method of digital certificates. It is used to verify the identity of entities (such as edge devices) and the legitimacy of public keys. It is widely used in various secure communication scenarios. In the certificate verification submodule of the request verification module, the X.509 certificate verification method is used to ensure the legitimacy and trustworthiness of the certificate and prevent the use of forged or expired certificates for authentication.
[0060] SQLite is a lightweight, embedded relational database that does not require a separate server process and can be easily embedded into applications. It performs well when handling small to medium-sized data and has high read and write performance.
[0061] IV. Behavior Assessment Module: This module is used to perform behavior analysis and anomaly detection on edge devices, obtain behavior assessment information, and is deployed on the authentication server. It includes a behavior detection submodule, an anomaly detection submodule, and a log recording submodule.
[0062] The behavior detection submodule is used to detect the authentication request frequency and network behavior patterns of edge devices using the K-means clustering algorithm to obtain behavior detection results;
[0063] The anomaly detection submodule is used to evaluate whether the behavior of the edge device is abnormal based on the behavior detection results and a method based on predefined thresholds, and obtain the anomaly detection results.
[0064] The logging submodule records the operation process of behavior detection and anomaly detection as log information of the behavior evaluation module, and stores the behavior detection results, anomaly detection results and log information in the lightweight SQLite database on the server side and the blockchain network.
[0065] It should be noted that the K-means clustering algorithm is a classic unsupervised learning algorithm. It is simple to implement, computationally efficient, suitable for processing large-scale datasets, and can adapt to different data distributions by adjusting the parameter, namely the number of clusters (K value).
[0066] The predefined threshold-based method is a simple anomaly detection technique. Methods for defining the predefined threshold include:
[0067] Based on historical data statistics: By analyzing historical data of edge device operation, the average and standard deviation of normal behavior data are calculated (e.g., for authentication request frequency, the average request frequency and standard deviation of all edge devices over a past period are calculated). A threshold range is set based on the average and standard deviation, typically set as the average plus or minus a certain multiple of the standard deviation. (For example, setting the threshold to the average ± 2 times the standard deviation; data outside this range is considered abnormal).
[0068] Based on domain knowledge and experience: Thresholds are set with reference to the experience and knowledge of experts in the application domain of edge devices (for example, network security experts may judge based on past experience that the authentication request frequency of normal devices should not exceed a certain value).
[0069] Based on industry standards: Set thresholds with reference to industry standards or best practices (for example, the industry where edge devices are used may already have a complete and comprehensive definition of the normal range of device behavior).
[0070] V. Authorization Module: This module is used to perform trust assessment and authorization decisions for edge devices based on verification results and behavior evaluation information. It is deployed on the authentication server and includes a trust assessment submodule, an authorization policy management submodule, an authorization decision submodule, and a log recording submodule.
[0071] The trust assessment submodule is used to comprehensively assess the trust level of edge devices based on the verification results and behavioral assessment information, using predefined trust scoring criteria, and generate trust assessment results. The verification results include the authentication results and certificate verification results from the request verification module, and the behavioral assessment information includes the anomaly detection results from the behavioral assessment module.
[0072] The authorization policy management submodule is used to define authorization policies based on the type of edge device and the trust assessment results. The authorization policy includes the operation permissions and resource usage corresponding to the edge device, and dynamically updates the authorization policy based on the device status information using a time window method.
[0073] The authorization decision submodule is used to generate and send lightweight authorization tokens to edge devices according to the authorization policy, and to receive feedback information from the edge devices;
[0074] The logging submodule records the operation process of trust assessment, authorization policy management and authorization decision as the logging information of the authorization module, and stores the trust assessment results, authorization policies, feedback information and log information in the lightweight SQLite database on the server and the blockchain network.
[0075] It should be noted that an example of a predefined trust rating standard is as follows:
[0076]
[0077] Suppose the verification results and behavior evaluation information of a certain edge device are as follows:
[0078] The authentication result is: Authentication passed (1.0 point), with a weight of 0.3;
[0079] The certificate verification result is: Certificate valid (1.0 point), weight 0.3;
[0080] The anomaly detection result is: Network behavior anomaly detected (0.5 points), with a weight of 0.4;
[0081] Based on the scoring rules in the example, a weighted calculation is performed to obtain the trust assessment result:
[0082] Trust assessment result = (1.0 × 0.3) + (1.0 × 0.3) + (0.5 × 0.4) = 0.8
[0083] An example of defining an authorization strategy is as follows:
[0084]
[0085] The time window-based approach is a dynamic adjustment strategy. By defining the length of the time window (e.g., 1 hour, 1 day, or 1 week), data is collected and analyzed within each time window. Based on the changing trends of the data in different time windows, the authorization strategy is dynamically adjusted (for example, if an edge device rated as a medium-trust device sends authentication requests at an abnormally high frequency within a certain time window, the trust score of the device is reduced to 0.4, the authorization strategy is updated to low-trust device, allowing only basic operations and limiting resource usage to 20%).
[0086] Lightweight authorization tokens are digital credentials used for authorization and authentication. They typically contain authorization information and some necessary metadata for fast authentication and authorization between edge devices and authentication servers. They are characterized by their simple format and low resource consumption, making them suitable for use on resource-constrained edge devices.
[0087] VI. Certificate Management Module: This module is used to manage and update the security certificates of edge devices, including a revocation check submodule, a response check submodule, a certificate update submodule, and a log recording submodule.
[0088] The revocation check submodule is used to define the revocation conditions for security certificates. It executes the certificate revocation operation on security certificates that meet the revocation conditions through the CA of the authentication server and records the revocation information in the Certificate Revocation List (CRL).
[0089] The response check submodule is used to detect the historical response frequency of edge devices that are not in the Certificate Revocation List (CRL). It defines the response frequency standard for the edge device based on the historical response frequency, checks the response frequency of the edge device using a time window-based method, and marks the edge device and sends a notification to the administrator if the response frequency does not meet the response frequency standard.
[0090] The certificate update submodule is used to update the security certificates of edge devices using differential update technology, and to send a notification to the edge devices after the update.
[0091] The logging submodule records the revocation check, response check, and certificate update operations as log information for the certificate management module, and stores the log information in the lightweight SQLite database on the server and the blockchain network.
[0092] It's important to note that a Certificate Authority (CA) is a trusted entity responsible for issuing, managing, and revoking digital certificates. It is typically a widely recognized authority and a core component of authentication servers, ensuring the legitimacy and trustworthiness of digital certificates. The CA is responsible for maintaining certificate status information, including validity, expiration, and revocation. When a certificate is no longer valid (e.g., due to a leaked private key or a change in user identity), the CA performs a certificate revocation and records the revocation information in the Certificate Revocation List (CRL).
[0093] A CRL (Certificate Revocation List) is a list maintained by a Certificate Authority (CA) that records the serial numbers of all revoked certificates and the reasons for their revocation. The CRL is an important mechanism for ensuring the validity of certificates.
[0094] An example of the operation process for a response check is as follows:
[0095] If the time window is set to 1 hour, and historical data analysis shows that the response frequency of device A is between 10 and 50 times within 1 hour, then the standard response frequency of this edge device is defined as 10 to 50 times.
[0096] In actual operation, the authentication server continuously monitors the response frequency of device A. Assume the detection result is:
[0097]
[0098] The test results show that device A's response frequency exceeds the normal range for two consecutive time windows, which does not meet the response frequency standard. This may mean that the edge device has abnormal behavior. The response inspection submodule will mark device B and send a notification to the management personnel to remind them that device B may have a security problem or malfunction.
[0099] Differential update technology is a software update method that only detects the changed parts of the data, generates a differential update package based on the changed parts, and then applies the differential update package to the current version after the edge device downloads the differential update package, thereby completing the update. This method can reduce the use of communication resources and improve update efficiency.
[0100] VII. Audit Module: This module is used to collect log information, audit the log information, and generate audit reports. It includes a log extraction submodule, a log analysis submodule, a log audit submodule, and a blockchain interface submodule.
[0101] The log extraction submodule is used to extract log information of the authorization management process from the blockchain network. The log information of the authorization management process includes log information of the request generation module, log information of the request verification module, log information of the behavior evaluation module, log information of the authorization module, and log information of the certificate management module.
[0102] The log analysis submodule is used to clean and standardize the log information of the authorization management process, and to compress the preprocessed log information using the Huffman coding algorithm to obtain compressed log information.
[0103] The log auditing submodule is used to perform security and compliance audits on compressed log information using auditing methods based on predefined rules, and regularly generates audit reports and sends them to administrators.
[0104] The blockchain interface submodule is used to upload operation records of log extraction, log analysis, and log auditing to the blockchain network.
[0105] It should be noted that Huffman coding is a lossless data compression algorithm based on the frequency of character occurrence. It achieves efficient data compression by constructing an optimal binary tree (Huffman tree) to assign a variable-length code to each character.
[0106] The predefined rule-based auditing approach is a method of analyzing and evaluating log information through pre-defined rules and standards. These rules define patterns of normal and abnormal behavior to detect potential security and compliance issues.
[0107] This embodiment provides a lightweight security authentication method for edge devices. Please refer to... Figure 2 , Figure 2 This is a flowchart of a method provided in an embodiment of the present invention.
[0108] A lightweight security authentication method for edge devices in this embodiment includes the following steps:
[0109] Step S1: Collect basic information about the edge device through the device registration module, and obtain the security certificate and private key from the authentication server;
[0110] Step S2: The request generation module detects the status information of the edge device, and generates an authentication request by combining the security certificate and private key, and sends the authentication request to the authentication server;
[0111] Step S3: Verify the authentication request and certificate through the request verification module to obtain the verification result;
[0112] Step S4: Perform behavior analysis and anomaly detection on the edge device through the behavior assessment module to obtain behavior assessment information;
[0113] Step S5: Based on the verification results and behavior assessment information, perform trust assessment and authorization decisions for the edge device through the authorization module;
[0114] Step S6: Manage and update the security certificates of edge devices through the certificate management module;
[0115] Step S7: Collect log information through the audit module, audit the log information, and generate an audit report.
[0116] Furthermore, it should be noted that the present invention can be provided as a method, apparatus, or computer program product. Therefore, embodiments of the present invention can take the form of a completely hardware embodiment, a completely software embodiment, or an embodiment combining software and hardware aspects. Moreover, embodiments of the present invention can take the form of a computer program product implemented on one or more computer-usable storage media containing computer-usable program code.
[0117] Embodiments of the present invention are described with reference to flowchart illustrations and / or block diagrams of methods, terminal devices (systems), and computer program products according to embodiments of the invention. It will be understood that each block of the flowchart illustrations and / or block diagrams, and combinations of blocks in the flowchart illustrations and / or block diagrams, can be implemented by computer program instructions. These computer program instructions can be provided to a processor of a general-purpose computer, embedded processor, or other programmable data processing terminal device to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing terminal device, generate instructions for implementing the flowchart illustrations. Figure 1 One or more processes and / or boxes Figure 1 A device that provides the functions specified in one or more boxes.
[0118] These computer program instructions may also be stored in a computer-readable storage medium that can direct a computer or other programmable data processing terminal device to operate in a particular manner, such that the instructions stored in the computer-readable storage medium produce an article of manufacture including instruction means, which are implemented in a process Figure 1 One or more processes and / or boxes Figure 1 The functions specified in one or more boxes. These computer program instructions may also be loaded onto a computer or other programmable data processing terminal equipment to cause a series of operational steps to be performed on the computer or other programmable terminal equipment to produce a computer-implemented process, thereby providing instructions that execute on the computer or other programmable terminal equipment for implementing the process. Figure 1 One or more processes and / or boxes Figure 1The steps of the function specified in one or more boxes.
[0119] It should also be noted that, in this document, relational terms such as "first" and "second" are used only to distinguish one entity or operation from another, and do not necessarily require or imply any such actual relationship or order between these entities or operations. The terms "comprising," "including," or any other variations thereof are intended to cover non-exclusive inclusion, such that a process, method, article, or terminal device that comprises a list of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article, or terminal device. Without further limitation, an element defined by the phrase "comprising one..." does not exclude the presence of other identical elements in the process, method, article, or terminal device that includes said element.
[0120] Finally, it should be noted that the above description represents a preferred embodiment of the present invention. It should be pointed out that although preferred embodiments have been described, those skilled in the art, once they understand the basic inventive concept of the present invention, can make various improvements and modifications without departing from the principles described herein. These improvements and modifications should also be considered within the scope of protection of the present invention. Therefore, the appended claims are intended to be interpreted as including both the preferred embodiments and all changes and modifications falling within the scope of the embodiments of the present invention.
Claims
1. A lightweight security authentication system for edge devices, characterized in that, include: Device registration module: used to collect basic information about edge devices and obtain security certificates and private keys from the authentication server; Request generation module: used to detect the status information of edge devices, combine security certificates and private keys to generate authentication requests and send them to the authentication server; Request verification module: Used to verify the identity and certificate of authentication requests and obtain the verification result; Behavior assessment module: Used to perform behavior analysis and anomaly detection on edge devices to obtain behavior assessment information; Authorization module: Used to perform trust assessment and authorization decisions for edge devices based on verification results and behavior evaluation information; Certificate Management Module: Used to manage and update security certificates for edge devices; Audit module: Used to collect log information, audit the log information, and generate audit reports; The request generation module includes a status detection submodule, an information management submodule, a request generation and encryption submodule, and a log recording submodule; The status detection submodule is used to detect the status information of the edge device in real time through the self-testing mechanism of the edge device. The status information includes the operating status, network connection status and fault status of the edge device. The information management submodule is used to read the basic information, security certificate and private key of the edge device from the device's local database, and to perform hash verification on the read basic information, security certificate and private key of the edge device; The request generation and encryption submodule is used to encapsulate the basic information and security certificate of the edge device into an authentication request, digitally sign the authentication request with a private key, encrypt the authentication request with a lattice-based lightweight encryption algorithm, and finally send the encrypted authentication request to the authentication server through the CoAP protocol. The log recording submodule is used to record the operation process of status detection, information management, request generation and encryption as log information of the request generation module, and store the log information in the device's local database and blockchain network; The authorization module is deployed on the authentication server and includes a trust assessment submodule, an authorization policy management submodule, an authorization decision submodule, and a log recording submodule. The trust assessment submodule is used to comprehensively assess the trust level of the edge device based on the verification results and behavioral assessment information using a multi-factor weighted method, and generate a trust assessment result. The trust assessment result includes a trust assessment standard and a trust score for the edge device. The authorization policy management submodule is used to define authorization policies based on the type of edge device and the trust assessment results. The authorization policy includes the operation permissions and resource usage corresponding to the edge device, and dynamically updates the authorization policy based on the device status information using a time window method. The authorization decision submodule is used to generate and send a lightweight authorization token to the edge device according to the authorization policy, and to receive feedback information from the edge device; The logging submodule is used to record the operation process of trust assessment, authorization policy management and authorization decision as the log information of the authorization module, and to store the trust assessment results, authorization policies, feedback information and log information in the server-side lightweight database SQLite and blockchain network.
2. The lightweight security authentication system for edge devices according to claim 1, characterized in that, The device registration module includes an information collection submodule, a key registration submodule, a certificate generation submodule, and an information storage submodule; The information collection submodule is used to collect basic information through the self-testing mechanism of the edge device. The basic information includes the type of edge device, hardware identifier, manufacturer information and operating system version. The hardware identifier includes MAC address and device serial number. The key registration submodule is used to encapsulate the basic information into a standardized registration request when the edge device is first started, and send the standardized registration request to the authentication server. The certificate generation submodule is used to receive a security certificate and private key from the authentication server via the CoAP protocol after the authentication server verifies the legality of the standardized registration request. The information storage submodule is used to store the basic information and security certificate of the edge device in the local database and blockchain network of the edge device, and to store the private key of the edge device in HSM.
3. The lightweight security authentication system for edge devices according to claim 1, characterized in that, The request verification module is deployed on the authentication server and includes a certificate extraction submodule, an identity verification submodule, a certificate verification submodule, and a log recording submodule. The certificate extraction submodule is used to decode the authentication request through a JSON parser and extract the basic information of the edge device, security certificate and digital signature from the authentication request; The authentication submodule is used to authenticate the edge device based on its basic information using an elliptic curve-based ECDSA algorithm, and obtain the authentication result. The certificate verification submodule is used to verify the format, integrity, and validity of the security certificate sequentially using the X.509 certificate verification method, then verify the validity of the digital signature, and finally check whether the extended fields of the security certificate conform to the predefined certificate policy to obtain the certificate verification result. The logging submodule is used to record the certificate extraction, authentication, and certificate verification processes as log information of the request verification module, and to store the authentication results, certificate verification results, and log information in the server-side lightweight database SQLite and the blockchain network.
4. The lightweight security authentication system for edge devices according to claim 1, characterized in that, The behavior assessment module is deployed on the authentication server and includes a behavior detection submodule, an anomaly detection submodule, and a log recording submodule. The behavior detection submodule is used to detect the authentication request frequency and network behavior patterns of edge devices using the K-means clustering algorithm to obtain behavior detection results. The anomaly detection submodule is used to evaluate whether the behavior of the edge device is abnormal based on the behavior detection result and a method based on a predefined threshold, so as to obtain the anomaly detection result. The logging submodule is used to record the operation process of behavior detection and anomaly detection as log information of the behavior evaluation module, and to store the behavior detection results, anomaly detection results and log information in the server-side lightweight database SQLite and blockchain network.
5. The lightweight security authentication system for edge devices according to claim 1, characterized in that, The certificate management module includes a revocation check submodule, a response check submodule, a certificate update submodule, and a log recording submodule. The revocation check submodule is used to define the revocation conditions of security certificates, perform certificate revocation operations on security certificates that meet the revocation conditions through the CA of the authentication server, and record the revocation information in the Certificate Revocation List (CRL). The response inspection submodule is used to detect the historical response frequency of edge devices that are not in the Certificate Revocation List (CRL). Based on the historical response frequency, a response frequency standard for the edge device is defined. The response frequency of the edge device is checked using a time window-based method. If the response frequency does not meet the response frequency standard, the edge device is marked and a notification is sent to the administrator. The certificate update submodule is used to update the security certificate of the edge device through differential update technology, and send a notification to the edge device after the update. The logging submodule is used to record the revocation check, response check, and certificate update operation process as log information of the certificate management module, and store the log information in the server-side lightweight database SQLite and the blockchain network.
6. The lightweight security authentication system for edge devices according to claim 1, characterized in that, The audit module includes a log extraction submodule, a log analysis submodule, a log auditing submodule, and a blockchain interface submodule; The log extraction submodule is used to extract log information of the authorization management process from the blockchain network. The log information of the authorization management process includes log information of the request generation module, log information of the request verification module, log information of the behavior evaluation module, log information of the authorization module, and log information of the certificate management module. The log analysis submodule is used to clean and standardize the log information of the authorization management process, and to compress the preprocessed log information using the Huffman coding algorithm to obtain compressed log information. The log auditing submodule is used to perform security and compliance audits on the compressed log information using an auditing method based on predefined rules, and periodically generate audit reports and send them to administrators. The blockchain interface submodule is used to upload operation records of log extraction, log analysis, and log auditing to the blockchain network.
7. A lightweight security authentication method for edge devices, applicable to the lightweight security authentication system for edge devices as described in any one of claims 1-6, characterized in that, The method includes the following steps: Step S1: Collect basic information about the edge device through the device registration module, and obtain the security certificate and private key from the authentication server; Step S2: The request generation module detects the status information of the edge device, and generates an authentication request by combining the security certificate and private key, and sends the authentication request to the authentication server; Step S3: The authentication request is verified by the request verification module to obtain the verification result; Step S4: Perform behavior analysis and anomaly detection on the edge device through the behavior assessment module to obtain behavior assessment information; Step S5: Based on the verification results and behavior assessment information, perform trust assessment and authorization decisions for the edge device through the authorization module; Step S6: Manage and update the security certificates of edge devices through the certificate management module; Step S7: Collect log information through the audit module, audit the log information, and generate an audit report.