A real network security access control method and system based on trusted identity authentication

By building an identity authentication layer and a policy control layer in the network security system, the system can register and dynamically evaluate the identities of access subjects and objects, issue digital identity credentials, and collect context information in real time. This solves the problem of insufficient identity credibility in the network security system and achieves highly secure and flexible access control.

CN122179170APending Publication Date: 2026-06-09FAST PAGE INFORMATION TECH CO LTD

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Applications(China)
Current Assignee / Owner
FAST PAGE INFORMATION TECH CO LTD
Filing Date
2026-03-09
Publication Date
2026-06-09

AI Technical Summary

Technical Problem

Existing cybersecurity systems, with their ineffective boundary models, insufficient identity credibility, and weak audit and traceability capabilities, struggle to cope with internet exposure surface attacks and threats of digital identity abuse. Furthermore, the lack of strong binding and dynamic verification capabilities between subject and object identities leads to privacy breach risks and difficulties in defining responsibilities.

Method used

By establishing an identity authentication layer, the access subjects and objects are registered, a unique digital identity credential is issued, and the identity credential and attribute information are carried in the access request. Combined with the policy control layer, context information is collected in real time, the compliance of the access request is dynamically evaluated, and an encrypted communication channel is established.

Benefits of technology

It achieves two-way trusted identity verification for the access subject and object, improves the security and trust foundation of access control, dynamically adjusts authorization policies, prevents data leakage and tampering, balances security and flexibility, and improves the security level of access control in real network environments.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN122179170A_ABST
    Figure CN122179170A_ABST
Patent Text Reader

Abstract

This invention relates to the fields of network security and information communication technology, specifically disclosing a real-world secure access control method and system based on trusted identity authentication. This invention establishes an identity authentication layer to uniformly register and verify the identities of access subjects and access objects, forming an initial identity dataset. Verification is performed on the access subject; upon successful verification, a trusted institution issues unique digital identity credentials to both parties and records their identity status. When an access subject initiates an access request, it carries the digital identity credential and necessary attribute information in the request and sends it to the policy control layer. The policy control layer constructs an access context dataset and invokes the access control policy engine to jointly match and dynamically evaluate the access policies on the subject side and the access conditions on the object side, generating an access decision result. Based on the access decision result, access control operations are executed to ensure the security and trustworthiness of the access process and data interaction.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This invention relates to the fields of network security and information communication technology, and more specifically, to a real-world secure access control method and system based on trusted identity authentication. Background Technology

[0002] With the advancement of global digitalization, the internet has become deeply integrated into various critical infrastructures and social production and life scenarios. However, cybersecurity threats are becoming increasingly severe, with frequent and escalating cyberattacks. The traditional cybersecurity system, which relies on perimeter defense and IP address identification, is no longer adequately suited to the core assumption of "trustworthy internal networks and untrustworthy external networks" due to the widespread adoption of remote work, cloud-native architectures, the increasing number of IoT devices, and the prevalence of the zero-trust concept. The perimeter model has become completely ineffective, allowing attackers to easily launch anonymous attacks against exposed internet targets. Currently, cyberspace is divided into three layers: the surface web, the deep web, and the dark web. The surface web is open and transparent, but the authenticity of information is difficult to verify, making it vulnerable to cyberattacks and phishing threats. The deep web possesses a certain degree of trustworthiness but lacks a unified identity authentication mechanism, often leading to unauthorized access issues due to weak passwords and credential leaks. While the dark web is intended for privacy protection, it presents numerous security threats.

[0003] None of these three types of networks fundamentally solve the core issues of verifying the identity of the access subject, the access object, and the credibility. Faced with security threats such as internet exposure surface attacks, digital identity forgery, man-in-the-middle attacks, and session hijacking, the existing systems lack strong binding and dynamic verification capabilities for the identities of subjects and objects, which easily leads to privacy leakage risks. Furthermore, they lack effective means to minimize the disclosure of identity data during data sharing and cross-domain collaboration. On the other hand, access behavior records are scattered and logs are easily tampered with, making it difficult to achieve full-link auditability and accountability. Once a security incident occurs, it is difficult to determine responsibility and collect evidence afterward, making it difficult to protect user privacy rights while ensuring network security.

[0004] Therefore, it is necessary to provide a real-world network security access control method and system based on trusted identity authentication to solve the above-mentioned technical problems. In order to solve the above problems, a technical solution is provided. Summary of the Invention

[0005] To overcome the aforementioned deficiencies of existing technologies, this invention provides a real-world secure access control method and system based on trusted identity authentication. This system addresses the challenges faced by existing network security systems in dealing with internet exposure surface attacks and threats of digital identity abuse, given the limitations of boundary model failure, insufficient identity trustworthiness, and weak audit and traceability capabilities.

[0006] To achieve the above objectives, the present invention provides the following technical solution: A real-world secure access control method based on trusted identity authentication includes the following steps: By building an identity authentication layer, the identities of the access subjects and access objects are registered and verified to form an initial identity dataset. Based on the initial identity dataset, the access subject and the access object are verified separately. Once the verification is successful, a unique digital identity credential is issued to the access subject and the access object, and the corresponding identity status information is recorded. When an access subject initiates an access request to an access object, it carries the corresponding digital identity credentials and attribute information in the access request and sends the access request to the policy control layer. Upon receiving an access request, the policy control layer collects context information related to the access request in real time and constructs an access context dataset. Based on the access context dataset, the preset access control policy engine is invoked to jointly match the access policy configured on the subject side with the preset access conditions on the object side, dynamically evaluate the compliance of the access request, and generate access decision results. Access control operations are performed based on the access decision results. When an access request is granted, an encrypted secure communication channel is established for the access subject and the access object.

[0007] As a further aspect of the present invention, the initial identity dataset includes an initial identity dataset of the accessing subject and an initial identity dataset of the accessing object.

[0008] As a further aspect of the present invention, when an accessing subject initiates an access request to an accessing object, the access request carries the corresponding digital identity credential and attribute information, and is sent to the policy control layer. The specific steps are as follows: When an access subject needs to access a target access object, the access subject's terminal device triggers the access request generation process and determines the identification information and access type of the target access object. Before initiating an access request, the accessing entity retrieves its corresponding digital identity credential and performs a preliminary verification of the validity period and status of the digital identity credential. Extract access control-related attribute information from the digital identity credentials of the accessing subject. The attribute information includes, but is not limited to, subject role attributes, permission level attributes, organization attributes, or security level attributes. The access subject identification information, access object identification information, access type, digital identity credential, and attribute information are uniformly encapsulated to generate an access request message; The encapsulated access request message is protected for integrity and tamper-proof, and then sent to the policy control layer.

[0009] As a further aspect of the present invention, after receiving an access request, the policy control layer collects context information related to the access request in real time and constructs an access context dataset. The specific steps are as follows: Upon receiving an access request, the policy control layer parses the access request message, extracts the access subject identifier, access object identifier, access type, and carried digital identity credential information, and simultaneously obtains the context information related to the access request to construct an access context dataset; the context information includes subject identity attributes, terminal device status, access time, access location, and access scenario information.

[0010] As a further aspect of the present invention, based on the access context dataset, a preset access control policy engine is invoked to jointly match the access policy configured on the subject side with the preset access conditions on the object side, dynamically evaluate the compliance of the access request, and generate an access decision result. The specific steps are as follows: Load the access policies configured on the access subject side and the preset access conditions on the access object side from the policy storage module respectively. Based on the access context dataset, a joint matching analysis is performed on the access policy on the access subject side and the access conditions on the access object side to identify whether the access request simultaneously satisfies the subject policy constraint and the object condition constraint. During the joint matching process, it is necessary to detect whether there is a conflict between the subject-side access strategy and the object-side access conditions; Based on the joint matching results and conflict arbitration results, the compliance of access requests is dynamically assessed to form access compliance assessment results. Based on the access compliance assessment results, an access decision is generated.

[0011] As a further aspect of the present invention, based on the access context dataset, a joint matching analysis is performed on the access policy on the access subject side and the access conditions on the access object side to identify whether the access request simultaneously satisfies the subject policy constraint and the object condition constraint. The specific steps are as follows: The access context dataset is parsed and processed to extract access context data used for access control; Map the access policies configured on the access subject side to an executable set of policy constraints, and map the access conditions preset on the access object side to an executable set of condition constraints. Based on the access context dataset, a joint matching analysis is performed on the subject-side policy constraint set and the object-side condition constraint set to compare whether each access context element simultaneously satisfies the subject-side policy constraint and the object-side condition constraint. When the access context element satisfies both the subject-side policy constraint and the object-side condition constraint, the access request is determined to pass the joint matching; when either constraint is not satisfied, the access request is determined to fail the joint matching, and the type of constraint not satisfied is marked.

[0012] As a further aspect of the present invention, based on the access context dataset, a joint matching analysis is performed on the subject-side policy constraint set and the object-side condition constraint set. The steps for performing the joint matching analysis are as follows: Each access context element is compared to ensure that it simultaneously satisfies both the subject-side policy constraints and the object-side condition constraints. Based on the access context dataset, the context elements corresponding to the access requests are structured to form access context element vectors. , For the i-th access context element, Total number of access context data; The access policy configured on the access subject side is parsed into a set of subject-side policy constraints. The access conditions preset on the access object side are parsed into a set of object-side condition constraints. ; Based on access context element vector Set of policy constraints on the subject side With the set of object-side conditions and constraints By performing a joint matching analysis using a joint matching decision function, we can determine whether each access context element simultaneously satisfies both the subject-side policy constraints and the object-side condition constraints.

[0013] As a further aspect of the present invention, the specific steps for performing item-by-item joint matching analysis are as follows: By constructing a joint matching decision function, the joint matching decision result of the access request is output. The joint matching decision function is as follows: ; In the formula: The result of the joint matching determination of the access request. For access context elements The joint matching decision function, The decision function is the policy constraint function on the subject side. This is the objective-side condition constraint determination function. To access context elements Perform logical and joint determination of subject-side strategy constraints and object-side condition constraints; when When the access context elements as a whole simultaneously satisfy both the subject-side policy constraints and the object-side condition constraints, the access request is obtained through joint matching. when When this condition is met, it indicates that at least one context element does not satisfy the constraint, and the access request fails the union match.

[0014] A real-world secure access control system based on trusted identity authentication includes an initial identity data registration module, an identity verification management module, an access request generation module, an access context information collection module, a combined access policy matching and decision module, and an access control execution module. The initial identity data registration module is used to register the identities of access subjects and access objects by building an identity authentication layer, and form an initial identity dataset after verification; The identity verification management module is used to verify the access subject and the access object based on the initial identity dataset. When the verification is successful, a unique digital identity credential is issued to the access subject and the access object, and the corresponding identity status information is recorded. The access request generation module is used to carry the corresponding digital identity credentials and attribute information in the access request when the access subject initiates an access request to the access object, and send the access request to the policy control layer. The access context information collection module is used by the policy control layer to collect context information related to the access request in real time after receiving the access request, and to build an access context dataset. The joint access policy matching decision module is used to call the preset access control policy engine based on the access context dataset, jointly match the access policy configured on the subject side with the preset access conditions on the object side, dynamically evaluate the compliance of access requests, and generate access decision results. The access control enforcement module is used to perform access control operations based on the access decision results. When an access request is allowed, it establishes an encrypted secure communication channel for the access subject and the access object.

[0015] An electronic device includes a memory and a processor, wherein the memory stores a computer program, and when the processor runs the computer program stored in the memory, the processor executes the steps of a real-world secure access control method and system based on trusted identity authentication as described above.

[0016] The technical effects and advantages of this invention, a real-world secure access control method and system based on trusted identity authentication, are as follows: This invention establishes an identity authentication layer to uniformly register and verify the identities of access subjects and access objects, forming a trusted initial identity dataset. Multi-dimensional verification is performed on both access subjects and access objects, and unique digital identity credentials are issued to both parties upon successful verification, while simultaneously recording and maintaining corresponding identity status information. When an access subject initiates an access request to an access object, it sends its digital identity credentials and necessary attribute information to the policy control layer. Upon receiving the access request, the policy control layer collects contextual information such as the access subject's status, terminal environment, and time / location in real time, constructs an access context dataset, and calls the access control policy engine based on this dataset to jointly match and dynamically evaluate the access policies on the subject and the access conditions on the object, ultimately generating an access decision result. Access control operations are executed according to the access decision result. When access is permitted, an encrypted secure communication channel is established between the access subject and the access object, ensuring the security and trustworthiness of subsequent business interactions.

[0017] This invention, on the one hand, achieves two-way trusted identity verification for both the access subject and the access object, avoiding the security risks arising from relying solely on a single subject's identity as the basis for access control, thus enhancing the trust foundation of real-world network access from the source. On the other hand, by introducing access context data and jointly matching subject-side policies with object-side conditions, it realizes the transformation of access control from static authorization to dynamic and granular authorization, effectively addressing complex and ever-changing real-world network environments. Furthermore, establishing an end-to-end encrypted secure communication channel after access is granted ensures access flexibility while further preventing data leakage and tampering during transmission. This invention balances security, flexibility, and scalability, significantly improving the security level and operational reliability of access control in real-world network environments, and possesses significant engineering application value. Attached Figure Description

[0018] Figure 1 A flowchart illustrating a real-world secure access control method based on trusted identity authentication, provided as an embodiment of the present invention; Figure 2 This is a system block diagram of a real-world network security access control system based on trusted identity authentication, provided as an embodiment of the present invention. Detailed Implementation

[0019] The technical solutions of this invention will now be clearly and completely described with reference to the accompanying drawings. Obviously, the described technical solutions are only a part of this invention, and not all of it. All other technical solutions obtained by those skilled in the art based on the technical solutions of this invention without inventive effort are within the scope of protection of this invention.

[0020] Example 1 like Figure 1 The diagram shown is a flowchart of a real-world network security access control method based on trusted identity authentication provided by an embodiment of the present invention. Figure 1 The execution entity of the method shown can be a software and / or hardware device. The execution entity of this application can include, but is not limited to, at least one of the following: user equipment, network equipment, etc. User equipment can include, but is not limited to, computers, smartphones, personal digital assistants (PDAs), and the aforementioned electronic devices. Network equipment can include, but is not limited to, a single network server, a server group consisting of multiple network servers, or a cloud based on cloud computing consisting of a large number of computers or network servers. Cloud computing is a type of distributed computing, consisting of a super virtual computer composed of a group of loosely coupled computers. This embodiment does not limit this. Steps S1 to S6 are detailed as follows: Step S1 involves building an identity authentication layer by collecting or connecting with real-name information from authoritative institutions such as public security, human resources and social security, market supervision, industry and information technology, cyberspace administration, finance, telecom operators, government services, and third-party credit authentication platforms to register the identities of the access subjects and access objects, and forming an initial identity dataset after verification. Among them, the access subjects submit real-name information issued by authoritative institutions, and the access objects submit system filing information and service attribute information. The registration information is then checked for format and compliance. It should be noted that the real-name information of the access subject includes, but is not limited to, the following fields: Basic information: name, gender, date of birth, ethnicity, ID number, address, network ID, etc.; Biometric information: face, fingerprint, iris, etc.; Social security information: employer, working hours, social security agency, etc.; Education information: time, school, academic qualifications, degree, etc.; SIM card information: mobile phone number, phone number, WeChat ID, Alipay account, QQ number, Toutiao account, Google account, Facebook account, email, bank card number, etc.; Other access subject information: additional fields can be expanded.

[0021] The real-name information of the accessed object includes, but is not limited to, the following fields: Basic information: asset name, asset type, owner, address, domain name, etc.; IP information: IP address, location, latitude and longitude, operator, Aviation Safety Network (ASN), etc.; Domain information: domain name, registrar, owner, owner's contact email, registration date, expiration date, Domain Name System (DNS) server, etc.; Secure Sockets Layer (SSL) certificate information: issuing object, issuer, validity period, certificate, public key, etc.; Filing information: filing agency, name, IP, domain name, filing number, etc.; Evaluation information: evaluation agency, system name, system number, evaluation standard, evaluation conclusion, etc.; Organization information: organization name, unified social credit code, legal representative, registered capital, business term, registration status, registered address, mailing address, business scope, etc.; Other accessed object information: other fields can be expanded.

[0022] Step S2: Based on the initial identity dataset, verification is performed on the access subject and the access object respectively. When the verification is successful, a unique digital identity credential is issued to the access subject and the access object, and the corresponding identity status information is recorded. Multi-factor identity verification is performed on the access subject, including biometric recognition, real-name information comparison, and terminal trustworthiness verification. Code auditing, data source verification, and integrity verification are performed on the access object. A trusted identity management agency issues a unique digital identity credential to the access subject and the access object. Step S3: When the access subject initiates an access request to the access object, it carries the corresponding digital identity credential and attribute information in the access request and sends the access request to the policy control layer. Step S4: After receiving an access request, the policy control layer collects context information related to the access request in real time and constructs an access context dataset. The context information includes subject identity attributes, terminal device status, access time, access location, and access scenario information. Step S5: Based on the access context dataset, call the preset access control policy engine to jointly match the access policy configured on the subject side with the preset access conditions on the object side, dynamically evaluate the compliance of the access request, and generate access decision results. Step S6: Perform access control operations based on the access decision results. When the access request is allowed, establish an encrypted secure communication channel for the access subject and the access object.

[0023] Preferably, the initial identity dataset includes an initial identity dataset for the accessing subject and an initial identity dataset for the accessing object; wherein, the initial identity dataset for the accessing subject includes real-name identification information, biometric template, and terminal device identification information; the initial identity dataset for the accessing object includes system registration information, service attribute information, and code digest information.

[0024] Preferably, based on the initial identity dataset, verification is performed on both the access subject and the access object. Upon successful verification, a unique digital identity credential is issued to both the access subject and the access object, and the corresponding identity status information is recorded. The specific steps are as follows: Perform multi-dimensional identity verification on the access subject, including: comparing the access subject's real-name identification information with the authoritative identity source; matching the access subject's real-time biometrics with the pre-stored biometric template; performing trustworthiness detection on the hardware identification and operating environment of the terminal used by the access subject to confirm that the terminal has not been tampered with; when all verification results meet the preset threshold conditions, the access subject's identity verification is deemed to be successful. Perform compliance and integrity verification operations on the accessed object, including: verifying the validity of the accessed object's filing information to confirm that it meets the access conditions for accessing the real network; verifying the integrity of the accessed object's service code or interface code to verify that the code digest has not been tampered with; verifying the consistency of the accessed object's data source and processing flow to confirm that its data usage scope is legal and compliant; when all the above verifications are passed, the accessed object's identity verification is deemed to have passed. The verification results of the access subject and the access object are summarized and analyzed. The digital identity credential issuance process is only initiated when both the access subject's identity verification and the access object's identity verification are passed; otherwise, the credential issuance process is terminated. Based on the verified identity information, unique digital identity credentials are generated for the access subject and the access object respectively; the digital identity credentials include at least an identity identifier, an identity attribute digest, a credential validity period and an issuing authority identifier, and are uniquely bound to the corresponding subject or object through encryption. After the digital identity credential is issued, the identity status information corresponding to the digital identity credential is recorded. The identity status information includes at least the identity validity status, issuance time, expiration conditions and change records. The identity status information is synchronized to the identity management module to support subsequent identity verification and dynamic status updates.

[0025] In one specific embodiment of the present invention, based on the initial identity dataset constructed by the identity authentication layer, identity verification and credential issuance processes are performed on the access subject and the access object, respectively. First, a multi-dimensional identity verification operation is performed on the access subject, comparing the real-name identification information submitted by the access subject with the authoritative identity source for consistency. Simultaneously, the real-time collected biometric features of the access subject are matched with pre-stored biometric templates, and the hardware identifier and operating environment of the terminal used by the access subject are tested for trustworthiness to confirm that the terminal has not been tampered with or is abnormal. When all verification results meet the preset threshold conditions, the identity verification of the access subject is deemed successful.

[0026] Simultaneously, compliance and integrity verification operations are performed on the accessed entity. The validity of the accessed entity's registration information is verified to confirm that it meets the access requirements for accessing the real network environment; the integrity of the service code or interface code provided by the accessed entity is verified to confirm that the corresponding code digest has not been tampered with; and the consistency of the accessed entity's data source and data processing flow is verified to confirm that its data usage scope complies with established compliance requirements. When all the above compliance and integrity verifications pass, the accessed entity's identity verification is deemed successful.

[0027] After verifying the identities of the access subject and the access object, the verification results of both parties are summarized and analyzed. The issuance process of digital identity credential is only initiated when the identity verification of both the access subject and the access object is passed. If either party fails the verification, the issuance process of digital identity credential is terminated, thereby preventing untrusted entities from obtaining legitimate identity credentials.

[0028] During the digital identity credential issuance phase, unique digital identity credentials are generated for both the accessing subject and the accessing object based on the verified identity information. Each digital identity credential includes at least an identity identifier, an identity attribute digest, a credential validity period, and an issuing authority identifier. These credentials are uniquely bound to the corresponding accessing subject or accessing object using encryption to prevent forgery or misuse.

[0029] After the digital identity credential is issued, the identity status information corresponding to the digital identity credential is further recorded. The identity status information includes at least the identity validity status, issuance time, expiration conditions and historical change records. The identity status information is synchronized to the identity management module so that the identity status can be dynamically updated and managed in subsequent access control and identity verification processes, thereby ensuring the continuous credibility and traceability of the identity system.

[0030] Preferably, when an access subject initiates an access request to an access object, the access request carries the corresponding digital identity credential and attribute information, and is sent to the policy control layer. The specific steps are as follows: When an access subject needs to access a target access object, the access subject's terminal device triggers the access request generation process and determines the identification information and access type of the target access object. Before initiating an access request, the accessing entity retrieves its corresponding digital identity credential from the local secure storage module or trusted execution environment, and performs a preliminary verification of the validity period and status of the digital identity credential. Extract access control-related attribute information from the digital identity credentials of the accessing subject. The attribute information includes, but is not limited to, subject role attributes, permission level attributes, organization attributes, or security level attributes. The access subject identification information, access object identification information, access type, digital identity credential, and attribute information are uniformly encapsulated to generate an access request message; among them, the attribute information is the minimum set of attributes required to satisfy access control. The encapsulated access request message is protected for integrity and tamper-proof, and then sent to the policy control layer for subsequent access policy matching and decision-making.

[0031] Preferably, after receiving an access request, the policy control layer collects context information related to the access request in real time and constructs an access context dataset. The specific steps are as follows: Upon receiving an access request, the policy control layer parses the access request message, extracts the access subject identifier, access object identifier, access type, and carried digital identity credential information, and simultaneously obtains the context information related to the access request to construct an access context dataset; the context information includes subject identity attributes, terminal device status, access time, access location, and access scenario information.

[0032] In a specific embodiment of the present invention, in a scenario involving access to network assets exposed to the Internet, such as websites, web systems, mobile applications, and cloud computing resources, the accessing subject is a user terminal or business service instance with legitimate identity, and the accessed object is a protected application service, data interface, or core data resource. When the accessing subject needs to access the target accessed object, the terminal device corresponding to the accessing subject automatically triggers an access request generation process. First, it determines the unique identifier of the target accessed object and the access type corresponding to this access, such as data query, data write, or service call. Before initiating the access request, the accessing subject retrieves its bound digital identity credential from a local secure storage module or trusted execution environment and performs preliminary verification on the validity period and activation status of the digital identity credential to ensure that the identity credential used is trustworthy and usable. Subsequently, access control-related attribute information is extracted from the digital identity credential. The attribute information includes at least subject role attributes, permission level attributes, organization attributes, or security level attributes, and based on the principle of least privilege, only the minimum set of attributes required to satisfy the current access control decision is selected. Next, the access subject identification information, access object identification information, access type, digital identity certificate and corresponding attribute information are uniformly encapsulated to form a structured access request message. After encapsulation, the access request message is subjected to integrity protection and anti-tampering processing to prevent the access request from being illegally tampered with or forged during transmission. Finally, the access request message is sent to the policy control layer.

[0033] In this scenario, after receiving an access request from the accessing subject, the policy control layer parses the access request message, extracting the accessing subject identifier, accessing object identifier, access type, and the carried digital identity credential information. Based on this, it simultaneously collects contextual information related to the access request, constructing an access context dataset. Contextual information includes, but is not limited to, the accessing subject's identity attributes, terminal device operating status, access time, access location, and corresponding access scenario information, such as whether it is in an office network, a remote access environment, or a high-risk scenario. By uniformly integrating the identity and attribute information in the access request with the real-time acquired contextual information, the policy control layer can provide a complete and reliable contextual data foundation for subsequent joint matching of access policies and dynamic access decisions, thereby achieving fine-grained control and security assurance of access behavior.

[0034] Preferably, based on the access context dataset, a preset access control policy engine is invoked to jointly match the access policy configured on the subject side with the preset access conditions on the object side, dynamically evaluate the compliance of the access request, and generate an access decision result. The specific steps are as follows: The access policy configured on the subject side and the access conditions preset on the object side are loaded from the policy storage module respectively. The subject-side access policy is used to limit the scope of objects that the subject can access and the access method, while the object-side access conditions are used to limit the subject attributes and environmental requirements that allow access to the object. Based on the access context dataset, a joint matching analysis is performed on the access policy on the access subject side and the access conditions on the access object side to identify whether the access request simultaneously satisfies the subject policy constraint and the object condition constraint. During the joint matching process, the system detects whether there is a conflict between the subject-side access strategy and the object-side access conditions. When a strategy conflict is detected, the conflict strategy is arbitrated according to the preset conflict handling rules, which include at least priority rules, constraint strength rules, or security level priority rules. Based on the joint matching results and conflict arbitration results, the compliance of access requests is dynamically assessed. The dynamic assessment comprehensively considers the credibility of the subject's identity, access context risk factors, and the sensitivity level of the accessed resources to form an access compliance assessment result. Based on the access compliance assessment results, an access decision result is generated; the access decision result includes three types: allow access, restrict access, or deny access, and the access decision result is output to the policy execution module.

[0035] In one embodiment of the present invention, after the policy control layer completes the construction of the access context dataset, it invokes a preset access control policy engine to perform real-time decision processing on access requests. First, the policy control layer loads the access policy configured on the access subject side and the preset access conditions on the access object side from the policy storage module. The access policy on the access subject side is used to limit the scope of resources accessible to the subject, the types of access that can be performed, and the frequency of access, among other behavioral constraints. The access conditions on the access object side are used to limit the attribute characteristics of the subject allowed to access the object and the environmental conditions that must be met for access, such as security level, access time window, or network environment requirements.

[0036] In this specific scenario, the policy control layer, based on the constructed access context dataset, performs joint matching analysis on the access policy of the accessing subject and the access conditions of the accessing object. It compares each contextual element involved in the access request, such as the subject's identity attributes, terminal status, access time, access location, and access scenario, to determine whether the access request can simultaneously satisfy both the subject's policy constraints and the object's condition constraints. During the joint matching process, the policy control layer also detects whether there are constraint conflicts between the subject's access policy and the object's access conditions, such as situations where the subject's policy allows access while the object's conditions restrict access. When a policy conflict is detected, it arbitrates the conflicting policies according to preset conflict handling rules. These conflict handling rules may include policy priority rules, constraint strength rules, or security level priority rules, thereby ensuring that access decisions always adhere to higher security requirements.

[0037] After completing joint matching and conflict arbitration, the policy control layer dynamically assesses the compliance of access requests based on the joint matching results. This dynamic assessment process comprehensively considers the credibility of the accessing entity, the risk factors existing in the current access context, and the sensitivity level of the target access resource, forming a corresponding access compliance assessment result. Finally, the policy control layer generates an access decision result based on the access compliance assessment result. The access decision result can be specifically represented as allowing access, restricting access, or denying access. The generated access decision result is output to the policy execution module for subsequent specific control and execution of access requests, thereby achieving secure, dynamic, and controllable access management in real business scenarios.

[0038] Preferably, based on the access context dataset, a joint matching analysis is performed on the access policy on the access subject side and the access conditions on the access object side to identify whether the access request simultaneously satisfies the subject policy constraint and the object condition constraint. The specific steps are as follows: The access context dataset is parsed and processed to extract access context data used for access control; The access policies configured on the subject side are mapped to a set of executable policy constraints; the subject-side access policies include the types of objects that the subject can access, the allowed access time range, the allowed access methods, or the access permission levels. The access conditions preset on the access object side are mapped to an executable set of condition constraints; the access conditions on the object side include the subject attribute requirements, terminal security status requirements, and access environment requirements that allow access to the object. Based on the access context dataset, a joint matching analysis is performed on the subject-side policy constraint set and the object-side condition constraint set to compare whether each access context element simultaneously satisfies the subject-side policy constraint and the object-side condition constraint. When the access context element satisfies both the subject-side policy constraint and the object-side condition constraint, the access request is determined to pass the joint matching; when either constraint is not satisfied, the access request is determined to fail the joint matching, and the type of constraint not satisfied is marked.

[0039] Preferably, based on the access context dataset, a joint matching analysis is performed on the subject-side policy constraint set and the object-side condition constraint set. Each access context element is compared to ensure it simultaneously satisfies both the subject-side policy constraints and the object-side condition constraints. The steps for this joint matching analysis are as follows: Based on the access context dataset, the context elements corresponding to the access requests are structured to form access context element vectors. , For the i-th access context element, Total number of access context data; The access policy configured on the access subject side is parsed into a set of subject-side policy constraints. The subject-side policy constraint set is used to limit the scope of objects that an accessing subject can access and the access methods under different context conditions. The access conditions preset on the access object side are parsed into a set of object-side condition constraints. The object-side condition constraint set is used to limit the subject attributes, terminal status, and environmental conditions that allow access to the object. Based on access context element vector Set of policy constraints on the subject side With the set of object-side conditions and constraints By performing a joint matching analysis using a joint matching decision function, we determine whether each access context element simultaneously satisfies both the subject-side policy constraints and the object-side condition constraints. When accessing context elements, the set of policy constraints on the subject side is... With the set of object-side conditions and constraints If all constraints are satisfied, the access request is determined to pass the joint matching; if any constraint is not satisfied, the access request is determined to fail the joint matching, and the unsatisfied constraint is recorded.

[0040] More specifically, the steps for performing item-by-item joint matching analysis are as follows: By constructing a joint matching decision function, the joint matching decision result of the access request is output. The joint matching decision function is as follows: By constructing a joint matching decision function, the joint matching decision result of the access request is output. The joint matching decision function is as follows: ; In the formula: The result of the joint matching determination of the access request. For access context elements The joint matching decision function, The decision function is the policy constraint function on the subject side. This is the objective-side condition constraint determination function. To access context elements Perform logical and joint determination of subject-side strategy constraints and object-side condition constraints; when When the access context elements as a whole simultaneously satisfy both the subject-side policy constraints and the object-side condition constraints, the access request is obtained through joint matching. when When this condition is met, it indicates that at least one context element does not satisfy the constraint, and the access request fails the union match.

[0041] The formula for the subject-side policy constraint decision function is as follows: ; The formula for the objective-side condition constraint determination function is expressed as follows: .

[0042] In one embodiment of the present invention, after an access subject initiates an access request to a target access object through its terminal device, the policy control layer enters the joint matching analysis stage after completing the construction of the access context dataset. At this time, the policy control layer first parses the access context dataset to extract key access context data for access control, including the access subject's identity attributes, role information, terminal security status, access time, access location, and current access scenario, etc., and performs normalization and structuring processing on the above information to provide a unified data foundation for subsequent joint matching analysis.

[0043] In this specific scenario, the policy control layer parses and maps the pre-configured access policies on the access subject side into an executable set of subject-side policy constraints. These subject-side access policies explicitly define the types of objects the accessing subject can access under different contexts, the allowed access time range, the allowed access methods, and the corresponding access permission levels. For example, only employees with specific roles are allowed to access specific business systems in read-only mode via trusted terminals during working hours. Simultaneously, the policy control layer also parses and maps the pre-defined access conditions on the access object side into an executable set of object-side condition constraints. These object-side access conditions limit the subject attributes, terminal security status, and access environment requirements for allowing access to the object. For example, they may require the accessing subject to belong to a designated organization, the terminal to be in a secure and compliant state, and the access environment to be located within a trusted network area.

[0044] After constructing the aforementioned constraint set, the policy control layer further structures the context elements corresponding to the access requests based on the access context dataset, forming an access context element vector. Subsequently, using the access context element vector as input, the policy control layer performs item-by-item joint matching analysis on the subject-side policy constraint set and the object-side condition constraint set. It judges each access context element using a joint matching decision function, calculates the subject-side policy constraint decision function and the object-side condition constraint decision function separately, and performs a logical AND operation on both to obtain the corresponding joint matching decision result.

[0045] In this real-world scenario, the joint matching judgment function performs a logical AND operation on the joint judgment results of all access context elements to obtain the overall joint matching judgment result of the access request. When R=1, it indicates that all access context elements involved in the access request simultaneously satisfy both the subject-side policy constraints and the object-side condition constraints. The access request is judged to have passed the joint matching and can proceed to the subsequent access compliance assessment or access execution stage. When R=0, it indicates that at least one access context element does not satisfy either the subject-side policy constraints or the object-side condition constraints. The policy control layer judges the access request as failing the joint matching and further records the specific unmet constraints and their corresponding constraint types for subsequent security audits, risk analysis, or policy optimization. Through the above joint matching analysis mechanism, fine-grained, interpretable, and highly secure dynamic access control of access requests can be achieved during real business operations.

[0046] Preferably, access control operations are performed based on the access decision result. When the access request is allowed, an encrypted secure communication channel is established for the access subject and the access object. In actual operation, after the policy control layer completes access policy joint matching, conflict arbitration, and compliance assessment based on the access context dataset, it generates a corresponding access decision result and sends it to the policy execution module. The policy execution module first parses the access decision result to confirm the decision type of the current access request. When the access decision result is "access allowed," the policy execution module triggers the access control execution process and enters the secure communication channel establishment phase.

[0047] At this point, the policy execution module sends access permission instructions to both the accessing subject and the accessing object, instructing both parties to initiate a secure communication channel negotiation process. Before establishing a communication channel, the accessing subject and the accessing object each invoke their respective identity management modules to verify the validity and trustworthiness of the digital identity credentials carried by the other party, including credential integrity verification, validity period verification, and identity status verification, ensuring that both communicating parties are trusted entities that have passed identity authentication and are in a valid state. After both-way identity verifications are successful, the accessing subject and the accessing object, based on a preset encryption protocol and key negotiation mechanism, collaboratively complete the generation of the session key and the negotiation of encryption parameters.

[0048] Subsequently, the accessing entity and the accessing entity establish an end-to-end encrypted secure communication channel based on the negotiated session key. All business data generated during the access process is transmitted within this secure communication channel, effectively preventing data from being eavesdropped on, tampered with, or replayed during transmission. After the secure communication channel is established, the policy enforcement module feeds back the channel establishment result to the policy control layer and the identity management module, and records the corresponding access logs and session state information to support subsequent access auditing, anomaly tracing, and session lifecycle management. Through the above methods, fine-grained access control based on access decision results and high-security real-world network communication assurance are achieved in real-world application scenarios.

[0049] Example 2 In this embodiment of the invention, step S1 first establishes a unified identity authentication layer to centrally register the identities of the access subjects and access objects intending to access the real network. For example, if the access subject is a government official or a company employee, they submit real-name identity information issued by an authoritative institution to the identity authentication layer during the registration phase; if the access object is a business system or data service, it submits corresponding system filing information and service attribute information. The identity authentication layer performs format and compliance checks on the above registration information, eliminating incomplete or non-compliant registration data, ultimately forming a reliable initial identity dataset, laying the foundation for subsequent access control.

[0050] Based on the initial identity dataset, a rigorous verification process is performed on both the access subject and the access object. In this scenario, the access subject must undergo multi-factor authentication, including matching their real-time collected biometric features with a pre-stored template, comparing their real-name information with an authoritative identity source, and verifying the trustworthiness of the hardware identifier and operating environment of their terminal to confirm that the terminal has not been tampered with. The access object must undergo code auditing, verification of the legality of the data source, and verification of the integrity of the service code to ensure that its service behavior and data processing comply with security and compliance requirements. Once all verifications are passed, a trusted identity management organization issues unique digital identity credentials to both the access subject and the access object, and simultaneously records the corresponding identity status information for subsequent identity verification and status management.

[0051] When an entity needs to access a business system or data service, its terminal device triggers an access request generation process, carrying its digital identity credentials and access control-related attribute information, such as role attributes, permission levels, or organizational affiliation, in the access request. The entity then sends the encapsulated access request to the policy control layer, which determines whether or not to allow the access.

[0052] After receiving an access request, the policy control layer not only parses the subject and object information carried in the request, but also collects context information related to the access request in real time to build an access context dataset. This context information includes the identity attributes of the access subject, the security status of the current terminal device, the time and geographical location of the access, and the specific access scenario information, thereby comprehensively depicting the real environment in which this access behavior takes place.

[0053] Based on the constructed access context dataset, the policy control layer invokes a preset access control policy engine to perform joint matching analysis between the access policies configured on the access subject side and the preset access conditions on the access object side. For example, the system will determine whether the current access time is within an allowed period, whether the terminal meets the security level requirements, and whether the access subject has the permission to access the object. Based on this, the system will dynamically evaluate the compliance of the access request and finally generate the corresponding access decision result.

[0054] Based on the generated access decision results, corresponding access control operations are executed. When an access request is determined to be allowed, the policy enforcement module guides the access subject and the access object to establish an encrypted secure communication channel. During the channel establishment process, necessary identity verification and key negotiation are completed, enabling subsequent business data to be transmitted in an end-to-end encrypted communication environment. This effectively ensures the security, trustworthiness, and controllability of the real-world network access process in real-world application scenarios.

[0055] Example 3 A real-world secure access control system based on trusted identity authentication includes an initial identity data registration module, an identity verification management module, an access request generation module, an access context information collection module, a combined access policy matching and decision module, and an access control execution module. The initial identity data registration module is connected to the identity verification management module, the identity verification management module is connected to the access request generation module, the access request generation module is connected to the access context information collection module, the access context information collection module is connected to the combined access policy matching and decision module, and the combined access policy matching and decision module is connected to the access control execution module. The initial identity data registration module is used to register the identities of access subjects and access objects by building an identity authentication layer, and form an initial identity dataset after verification; The identity verification management module is used to verify the access subject and the access object based on the initial identity dataset. When the verification is successful, a unique digital identity credential is issued to the access subject and the access object, and the corresponding identity status information is recorded. The access request generation module is used to carry the corresponding digital identity credentials and attribute information in the access request when the access subject initiates an access request to the access object, and send the access request to the policy control layer. The access context information collection module is used by the policy control layer to collect context information related to the access request in real time after receiving the access request, and to build an access context dataset. The joint access policy matching decision module is used to call the preset access control policy engine based on the access context dataset, jointly match the access policy configured on the subject side with the preset access conditions on the object side, dynamically evaluate the compliance of access requests, and generate access decision results. The access control enforcement module is used to perform access control operations based on the access decision results. When an access request is allowed, it establishes an encrypted secure communication channel for the access subject and the access object.

[0056] like Figure 2 The diagram shown is a system block diagram of a real-world secure access control system based on trusted identity authentication according to an embodiment of the present invention, which can be used to execute... Figure 1 The steps in the method embodiments shown are implemented in a similar manner and have similar technical effects, and will not be repeated here.

[0057] Example 4 An electronic device includes a memory and a processor, wherein the memory stores a computer program, and when the processor runs the computer program stored in the memory, the processor executes the steps of a real-world secure access control method and system based on trusted identity authentication as described above. The memory is used to store the computer program, and the memory may also be flash memory. The computer program is, for example, an application program or functional module that implements the above method.

[0058] The processor is used to execute the computer program stored in the memory to implement the various steps performed by the device in the above method. For details, please refer to the relevant descriptions in the preceding method embodiments.

[0059] Alternatively, the memory can be either standalone or integrated with the processor.

[0060] When the memory is a device independent of the processor, it may further include: A bus is used to connect the memory and the processor.

[0061] This invention establishes an identity authentication layer to uniformly register and verify the identities of both the access subject and the access object, forming a trusted initial identity dataset. Multi-dimensional verification is performed on both the access subject and the access object, and a unique digital identity credential is issued to both parties upon successful verification. Simultaneously, the corresponding identity status information is recorded and maintained. When an access subject initiates an access request to an access object, it sends its digital identity credential and necessary attribute information to the policy control layer. Upon receiving the access request, the policy control layer collects contextual information such as the access subject's status, terminal environment, time, and location in real time, constructs an access context dataset, and calls the access control policy engine based on this dataset to jointly match and dynamically evaluate the access policies on the subject and the access conditions on the object, ultimately generating an access decision result. Access control operations are executed according to the access decision result. When access is permitted, an encrypted secure communication channel is established between the access subject and the access object, ensuring the security and trustworthiness of subsequent business interactions.

[0062] This invention, on the one hand, achieves two-way trusted identity verification for both the access subject and the access object, avoiding the security risks arising from relying solely on a single subject's identity as the basis for access control, thus enhancing the trust foundation of real-world network access from the source. On the other hand, by introducing access context data and jointly matching subject-side policies with object-side conditions, it realizes the transformation of access control from static authorization to dynamic and granular authorization, effectively addressing complex and ever-changing real-world network environments. Furthermore, establishing an end-to-end encrypted secure communication channel after access is granted ensures access flexibility while further preventing data leakage and tampering during transmission. This invention balances security, flexibility, and scalability, significantly improving the security level and operational reliability of access control in real-world network environments, and possesses significant engineering application value.

[0063] The above description is merely a specific embodiment of this application, but the scope of protection of this application is not limited thereto. Any changes or substitutions that can be easily conceived by those skilled in the art within the scope of the technology disclosed in this application should be included within the scope of protection of this application.

[0064] Finally: The above description is only a preferred embodiment of the present invention and is not intended to limit the present invention. Any modifications, equivalent substitutions, improvements, etc., made within the spirit and principles of the present invention should be included within the protection scope of the present invention.

Claims

1. A real-world network security access control method based on trusted identity authentication, characterized in that, Includes the following steps: By building an identity authentication layer, the identities of the access subjects and access objects are registered and verified to form an initial identity dataset. Based on the initial identity dataset, the access subject and the access object are verified separately. Once the verification is successful, a unique digital identity credential is issued to the access subject and the access object, and the corresponding identity status information is recorded. When an access subject initiates an access request to an access object, it carries the corresponding digital identity credentials and attribute information in the access request and sends the access request to the policy control layer. Upon receiving an access request, the policy control layer collects context information related to the access request in real time and constructs an access context dataset. Based on the access context dataset, the preset access control policy engine is invoked to jointly match the access policy configured on the subject side with the preset access conditions on the object side, dynamically evaluate the compliance of the access request, and generate access decision results. Access control operations are performed based on the access decision results. When an access request is granted, an encrypted secure communication channel is established for the access subject and the access object.

2. The real-world network security access control method based on trusted identity authentication according to claim 1, characterized in that, The initial identity dataset includes the initial identity dataset of the accessing subject and the initial identity dataset of the accessing object.

3. The real-world network security access control method based on trusted identity authentication according to claim 1, characterized in that, When an access subject initiates an access request to an access object, the access request carries the corresponding digital identity credentials and attribute information, and is sent to the policy control layer. The specific steps are as follows: When an access subject needs to access a target access object, the access subject's terminal device triggers the access request generation process and determines the identification information and access type of the target access object. Before initiating an access request, the accessing entity retrieves its corresponding digital identity credential and performs a preliminary verification of the validity period and status of the digital identity credential. Extract access control-related attribute information from the digital identity credentials of the accessing subject. The attribute information includes, but is not limited to, subject role attributes, permission level attributes, organization attributes, or security level attributes. The access subject identification information, access object identification information, access type, digital identity credential, and attribute information are uniformly encapsulated to generate an access request message; The encapsulated access request message is protected for integrity and tamper-proof, and then sent to the policy control layer.

4. The real-world network security access control method based on trusted identity authentication according to claim 3, characterized in that, Upon receiving an access request, the policy control layer collects context information related to the access request in real time and constructs an access context dataset. The specific steps are as follows: Upon receiving an access request, the policy control layer parses the access request message, extracts the access subject identifier, access object identifier, access type, and carried digital identity credential information, and simultaneously obtains the context information related to the access request to construct an access context dataset; the context information includes subject identity attributes, terminal device status, access time, access location, and access scenario information.

5. A real-world network security access control method based on trusted identity authentication according to claim 4, characterized in that, Based on the access context dataset, a preset access control policy engine is invoked to jointly match the access policies configured on the subject side with the preset access conditions on the object side, dynamically evaluate the compliance of access requests, and generate access decision results. The specific steps are as follows: Load the access policies configured on the access subject side and the preset access conditions on the access object side from the policy storage module respectively. Based on the access context dataset, a joint matching analysis is performed on the access policy on the access subject side and the access conditions on the access object side to identify whether the access request simultaneously satisfies the subject policy constraint and the object condition constraint. During the joint matching process, it is necessary to detect whether there is a conflict between the subject-side access strategy and the object-side access conditions; Based on the joint matching results and conflict arbitration results, the compliance of access requests is dynamically assessed to form access compliance assessment results. Based on the access compliance assessment results, an access decision is generated.

6. A real-world network security access control method based on trusted identity authentication according to claim 5, characterized in that, Based on the access context dataset, a joint matching analysis is performed between the access subject's access policy and the access object's access conditions to identify whether the access request simultaneously satisfies both the subject policy constraint and the object condition constraint. The specific steps are as follows: The access context dataset is parsed and processed to extract access context data used for access control; Map the access policies configured on the access subject side to an executable set of policy constraints, and map the access conditions preset on the access object side to an executable set of condition constraints. Based on the access context dataset, a joint matching analysis is performed on the subject-side policy constraint set and the object-side condition constraint set to compare whether each access context element simultaneously satisfies the subject-side policy constraint and the object-side condition constraint. When the access context element satisfies both the subject-side policy constraint and the object-side condition constraint, the access request is determined to pass the joint matching; when either constraint is not satisfied, the access request is determined to fail the joint matching, and the type of constraint not satisfied is marked.

7. A real-world network security access control method based on trusted identity authentication according to claim 6, characterized in that, Based on the access context dataset, a joint matching analysis is performed on the subject-side policy constraint set and the object-side condition constraint set. Each access context element is compared to ensure it simultaneously satisfies both the subject-side policy constraints and the object-side condition constraints. The steps for this joint matching analysis are as follows: Based on the access context dataset, the context elements corresponding to the access requests are structured to form access context element vectors. , For the i-th access context element, Total number of access context data; The access policy configured on the access subject side is parsed into a set of subject-side policy constraints. The access conditions preset on the access object side are parsed into a set of object-side condition constraints. ; Based on access context element vector Set of policy constraints on the subject side With the set of object-side conditions and constraints By performing a joint matching analysis using a joint matching decision function, we can determine whether each access context element simultaneously satisfies both the subject-side policy constraints and the object-side condition constraints.

8. A real-world network security access control method based on trusted identity authentication according to claim 7, characterized in that, The specific steps for performing item-by-item joint matching analysis are as follows: By constructing a joint matching decision function, the joint matching decision result of the access request is output. The joint matching decision function is as follows: ; In the formula: The result of the joint matching determination of the access request. For access context elements The joint matching decision function, The decision function is the policy constraint function on the subject side. This is the objective-side condition constraint determination function. To access context elements Perform logical and joint determination of subject-side strategy constraints and object-side condition constraints; when When the access context elements as a whole simultaneously satisfy both the subject-side policy constraints and the object-side condition constraints, the access request is obtained through joint matching. when When this condition is met, it indicates that at least one context element does not satisfy the constraint, and the access request fails the union match.

9. A real-world network security access control system based on trusted identity authentication, applied to a real-world network security access control method based on trusted identity authentication as described in any one of claims 1-8, characterized in that, It includes an initial identity data registration module, an identity verification management module, an access request generation module, an access context information collection module, a combined access policy matching and decision-making module, and an access control enforcement module; The initial identity data registration module is used to register the identities of access subjects and access objects by building an identity authentication layer, and form an initial identity dataset after verification; The identity verification management module is used to verify the access subject and the access object based on the initial identity dataset. When the verification is successful, a unique digital identity credential is issued to the access subject and the access object, and the corresponding identity status information is recorded. The access request generation module is used to carry the corresponding digital identity credentials and attribute information in the access request when the access subject initiates an access request to the access object, and send the access request to the policy control layer. The access context information collection module is used by the policy control layer to collect context information related to the access request in real time after receiving the access request, and to build an access context dataset. The joint access policy matching decision module is used to call the preset access control policy engine based on the access context dataset, jointly match the access policy configured on the subject side with the preset access conditions on the object side, dynamically evaluate the compliance of access requests, and generate access decision results. The access control enforcement module is used to perform access control operations based on the access decision results. When an access request is allowed, it establishes an encrypted secure communication channel for the access subject and the access object.

10. An electronic device comprising a memory and a processor, wherein the memory stores a computer program, characterized in that, When the processor runs the computer program stored in the memory, the processor performs the steps of a real-world secure access control method and system based on trusted identity authentication as described in any one of claims 1-8.