Authentication method and authentication device based on NFC and zero trust mechanism
By using an authentication method based on NFC and zero-trust mechanisms, automated, secure, and efficient configuration of MODBUS RTU devices is achieved, solving the physical risks and inefficiencies associated with manual configuration. This method is applicable to a wide range of MODBUS RTU devices.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Applications(China)
- Current Assignee / Owner
- INFORMATION & COMMNUNICATION BRANCH STATE GRID JIANGXI ELECTRIC POWER CO
- Filing Date
- 2026-03-16
- Publication Date
- 2026-07-10
AI Technical Summary
In the Industrial Internet of Things (IIoT), the parameter configuration of the MODBUS RTU protocol relies on manual operation, which poses high physical security risks, low configuration efficiency, high error rate, vulnerable network security, and compatibility issues.
It adopts an authentication method based on NFC and zero trust mechanism, performs secure authorization and activation through handheld devices, performs zero trust triple verification, configures MODBUS devices on behalf of others, and realizes automated configuration process by using blockchain notarization and cloud synchronization.
It significantly reduces the configuration time of a single device, lowers the configuration error rate, enhances network security, and is applicable to a wide range of MODBUS RTU devices without requiring any device modifications.
Smart Images

Figure CN122372239A_ABST
Abstract
Description
Technical Field
[0001] This invention relates to the fields of Internet of Things and edge computing technology, and in particular to an authentication method and device based on NFC and zero-trust mechanism. Background Technology
[0002] In Industrial Internet of Things (IIoT) and traditional industrial automation scenarios, the MODBUS RTU protocol is a commonly used protocol, often used to provide client / server communication between devices connected to different types of buses or networks. However, its parameter configuration for field devices, especially the setting of the station number as a unique identifier for their network identity, has long relied on traditional manual operation. Manual operation has the following technical drawbacks: First, there is a high risk of physical safety issues. Existing operating procedures typically require technicians to open the equipment cabinet and configure parameters by connecting to a PC via a physical DIP switch or a dedicated serial cable. Referring to the scenario described in the instruction manual of a wireless communication smoke detector with application number CN201820123456, this process involves direct exposure to live terminals, which poses risks of electric shock, short circuit, electrostatic damage, and even arcing.
[0003] Secondly, the configuration efficiency is low. The process of manually connecting, configuring, and verifying each device is cumbersome. The average configuration time for a single device exceeds 3 minutes. If large-scale deployment configuration is required, manual configuration cannot meet the configuration requirements.
[0004] Secondly, the configuration error rate is high, and address conflicts are likely to occur when manually recording and assigning station numbers. Address conflicts are difficult to troubleshoot during the system debugging phase, which can easily lead to communication terminal and data corruption in the later stages, thereby increasing the later maintenance costs.
[0005] Secondly, the network security model is vulnerable. Referring to the technical scenario described in the specification of a method and system for establishing a wireless communication connection in application number CN2020114857487, communication is achieved through Bluetooth. However, when the communication distance of Bluetooth is relatively far, reaching several meters or tens of meters, the communication link is easily eavesdropped or subjected to man-in-the-middle attacks.
[0006] Secondly, compatibility issues are prominent. There are a large number of old MODBUS devices in industrial sites. These devices have simple hardware designs and do not have the active discovery or registration functions of modern devices, making them unable to be integrated into the existing automation configuration system.
[0007] Therefore, an authentication method and device based on NFC and zero-trust mechanism are proposed. Summary of the Invention
[0008] The purpose of this invention is to provide an authentication method and device based on NFC and zero-trust mechanism, which eliminates the physical operation risks, low configuration efficiency and low configuration security caused by manual parameter configuration of traditional Modbus RTU devices.
[0009] The authentication method and apparatus based on NFC and zero-trust mechanism provided by this invention adopts the following technical solution: Firstly, an authentication method based on NFC and zero-trust mechanisms specifically includes: using a handheld device and performing the following steps through the handheld device: S1. Before performing on-site tasks, the handheld device requests the remote management platform to generate an NFC activation command containing device_id and sends it to the edge proxy gateway in the target area through a secure channel. The edge proxy gateway verifies the digital signature of the command, activates the NFC interface at the hardware layer of the edge gateway, and adds the device_id to the temporary trust whitelist. During this process, the NFC interface remains active and automatically shuts down after a timeout. S2. Perform zero-trust-based NFC authentication and data synchronization, including a request triggered by the handheld device. The request includes device_id, nonce, timestamp, and HMAC-SHA256 signature, where device_id is a unique device identifier, nonce is a 32-bit random number, timestamp is the current UTC millisecond-level timestamp, and HMAC-SHA256 signature is calculated by combining the handheld device hardware key with device_id, nonce, and timestamp. The request performs zero-trust triple verification. If authentication is successful, secure data is sent. If authentication fails, up to three automatic retries are performed. If three retries fail, the handheld device caches the synchronized data to local storage and prompts the operator of the handheld device through the human-machine interface. S3. Configure the MODBUS device through the handheld device agent. After the handheld device obtains the encrypted ledger, decrypts it and stores it locally, it disconnects from the edge agent gateway and configures the MODBUS device. S4, closed-loop verification and blockchain notarization, including result feedback, differential synchronization, blockchain notarization and cloud synchronization.
[0010] The zero-trust triple verification in S2 includes identity verification, physical trust verification, and authorization and session establishment. The identity verification includes checking whether the device_id in the request corresponds to a temporary trust whitelist and whether the format of the device_id conforms to the defined rules. If the device_id does not exist, the request is rejected.
[0011] Furthermore, the physical trust verification includes submitting the device_id contained in the request and the nonce corresponding to the request to the backend blockchain network of the edge proxy gateway through the edge proxy gateway, and requesting verification of the hardware PUF physical signature corresponding to the identifier through the blockchain network. The physical trust verification is passed when the verification matching degree is greater than 99%.
[0012] Furthermore, the authorization and session establishment include verifying the timestamp, ensuring that the time difference between the timestamp and the local time of the edge proxy gateway is less than 30 seconds, verifying the uniqueness of the nonce corresponding to the request, and confirming that the nonce has not been reused within 24 hours. If the above conditions are met, the edge proxy gateway combines the timestamp and the nonce to generate a 128-bit one-time dynamic session key through hash budgeting. The one-time dynamic session key is then used to encrypt the parameter ledger, i.e., the MODBUS station number, device type, and resource allocation strategy already existing in the network of the request, using the AES-128-CBC algorithm. Finally, it is transmitted to the handheld device through the NFC interface. After the transmission is completed, the one-time dynamic session key becomes invalid.
[0013] The configuration process in S3 includes the following steps: S31. MODBUS RTU device connection and response detection: The operator connects several MODBUS RTU devices to be configured to the RS485 interface of the handheld device. The handheld device senses the access of the MODBUS RTU devices by detecting the differential voltage change of RS485, and the handheld device detects the response of the MODBUS RTU devices by sending MODBUS broadcast commands. S32. Parameter allocation and writing of MODBUS RTU device: The operator will operate the handheld device connected to the MODBUS RTU device according to the preset or user-selected mode, which includes automatic allocation mode and manual allocation mode. S33. Writing and verifying the MODBUS RTU device: After determining the station number, the handheld device writes the determined station number to the MODBUS RTU device using the MODBUS write single register function code. To ensure successful operation, the handheld device performs a read operation using the determined station number. When the value read back by the handheld device matches the written value and the CRC check matches, the configuration is confirmed to be successful.
[0014] Furthermore, the operation process of the automatic allocation mode includes: The handheld device sends a MODBUS read command to the default address of the MODBUS RTU device, attempts to read a specific register to obtain the device type identifier of the MODBUS RTU device, and determines the device type of the MODBUS RTU device based on the read device type identifier. The handheld device then searches for the corresponding range of legal station numbers in the local resource allocation policy and uses a closed-loop conflict detection algorithm within the range of legal station numbers to find the first unoccupied legal station number for allocation. If there is no free station number within the range of legal station numbers, the search is expanded to the global range.
[0015] Furthermore, the operation process of the manual allocation mode includes: The operator selects a physical port of a connected device on the human-machine interface of the handheld device. The handheld device renders a list of available and valid station numbers on the human-machine interface based on the existing MODBUS station numbers, device types, and resource allocation policies in the network. After the user selects an available station number, the background performs a secondary real-time conflict check.
[0016] Furthermore, if a write verification error occurs in S33, the parameter rollback is executed to reset the allocated valid station number from the allocated state to the available state and record the error log. If two write failures occur consecutively in the automatic allocation mode, the handheld device prompts the operator whether to switch to manual mode for manual diagnosis and intervention.
[0017] The process of returning the result in S4 includes: after the MODBUS RTU device is configured, the operator brings the handheld device close to the edge proxy gateway and repeats the operation in S2.
[0018] Specifically, differential synchronization in S4 includes: the handheld device transmitting the change records generated during the configuration process back to the edge proxy gateway via encryption; the change records include the changed device, the station number assigned to the changed device, and the time of the change; and the edge proxy gateway records the differences in the change records.
[0019] Specifically, the blockchain verification in S4 includes: the edge proxy gateway forming a transaction from the change record and submitting the transaction to the backend blockchain network, and the transaction needs to obtain signature verification from at least three endorsing nodes on the blockchain network before it can be written into the blockchain network and form a log.
[0020] Specifically, the cloud synchronization in S4 includes: synchronizing the configuration results to the cloud management platform through the blockchain network to complete the configuration operation loop.
[0021] The beneficial effects of the authentication method based on NFC and zero-trust mechanism provided by this invention are as follows: by adopting an automated configuration process, the average configuration time of a single MODBUS device is significantly reduced from 3 minutes and 15 seconds manually to about 8 seconds. Furthermore, by avoiding MODBUS station number conflicts based on a global parameter ledger and a closed-loop conflict detection algorithm, the parameter conflict rate of manual configuration is reduced from 4.7% to zero. Moreover, the triple verification mechanism adopted by this method can effectively resist network attack security issues such as replay attacks, man-in-the-middle attacks, and device forgery. In addition, all key configuration change operations in this method are submitted to the blockchain for evidence storage through the edge gateway, forming a tamper-proof and traceable operation audit log, which meets the management requirements of high-security and compliance scenarios.
[0022] Secondly, an authentication device based on NFC and zero-trust mechanisms specifically includes: The authentication method based on NFC and zero-trust mechanism described in the first aspect above is used for authentication, including the handheld device, the handheld device comprising: Main control unit: The main control unit adopts the ESP32-WROOM-32 microcontroller, which is responsible for the core of the handheld device's operation and control, and is responsible for running the real-time operating system and all business logic; NFC communication module: The NFC communication module uses an NXP PN532 NFC chip and controls the communication distance of the NFC chip to within 10cm; MODBUS-RTU Communication Interface: The MODBUS-RTU communication interface uses several built-in electrically isolated RS485 transceivers. The RS485 transceiver model is TI SN65HVD72. Each interface of the RS485 transceiver is equipped with a differential voltage detection circuit to detect whether the physical port is effectively connected. Security processing unit: The security processing unit adopts a Microchip ATECC608B security chip. The security processing unit is responsible for performing the cryptographic operations, which include encryption, decryption, and signature generation and verification. The human-computer interaction interface includes a touch screen and several physical buttons. The functions of the physical buttons include confirmation, return, and mode switching. The human-computer interaction interface is used to display the status, configuration mode, and parameters to the operator and to receive operation instructions to realize manual intervention. The local storage unit: The local storage unit adopts a non-volatile memory with a specification of 64Mbit SPI Flash. The local storage unit is used for offline caching of the device parameter ledger, the resource allocation strategy and the log obtained from the edge proxy gateway; The triggering unit includes a magnetic field strength sensor and a physical trigger button. The magnetic field strength sensor is used to detect the NFC field strength to wake up the handheld device and the edge proxy gateway. The physical trigger button is used to manually trigger NFC communication to wake up the handheld device and the edge proxy gateway in a strong interference environment. The main control unit is electrically connected to the local storage unit, the human-machine interface, the security processing unit, the MODBUS-RTU interface, and the NFC communication module.
[0023] The beneficial effects of the authentication device based on NFC and zero-trust mechanism provided by this invention are that it adopts NFC contactless interaction, which eliminates physical safety risks such as electric shock and short circuit caused by opening the cover and connecting wires. It reduces the risk points in high-risk operation scenarios from 6 to 1, with only the risk of NFC distance spoofing. Furthermore, by using the handheld device as a proxy to actively communicate with MODBUS devices in this invention, no software or hardware modifications are required for the field equipment. It is 100% compatible with all devices that comply with the MODBUS RTU standard, including older devices without active registration capabilities, and has a wide range of applications. Attached Figure Description
[0024] Figure 1 This is a schematic diagram of the method flow of the present invention; Figure 2 This is a schematic diagram of the dual-mode parameter allocation process in this invention; Figure 3 This is a schematic diagram of the parameter configuration and change record synchronization process in this invention; Figure 4 This is a schematic diagram of the exception handling process in this invention; Figure 5 This is a schematic diagram of the device architecture in this invention. Detailed Implementation
[0025] To make the objectives, technical solutions, and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below. Obviously, the described embodiments are only some embodiments of the present invention, not all embodiments. Based on the embodiments of the present invention, all other embodiments obtained by those skilled in the art without creative effort are within the scope of protection of the present invention. Unless otherwise defined, the technical or scientific terms used herein should have the ordinary meaning understood by those skilled in the art. The terms "comprising" and similar expressions used herein mean that the element or object preceding the word covers the element or object listed after the word and its equivalents, but does not exclude other elements or objects.
[0026] See Figures 1 to 5 As shown, embodiments of the present invention provide an authentication method and apparatus based on NFC and zero-trust mechanisms.
[0027] Among them, such as Figure 1 As shown, in this embodiment, an authentication method based on NFC and zero-trust mechanism uses a handheld device and operates the following steps through the handheld device: S1. Before performing on-site tasks, the handheld device requests the remote management platform to generate an NFC activation command containing device_id and sends it to the edge proxy gateway in the target area through a secure channel. The edge proxy gateway verifies the digital signature of the command, activates the NFC interface at the hardware layer of the edge gateway, and adds the device_id to the temporary trust whitelist. During this process, the NFC interface remains active and automatically shuts down after a timeout. S2. Perform zero-trust-based NFC authentication and data synchronization, including a request triggered by the handheld device. The request includes device_id, nonce, timestamp, and HMAC-SHA256 signature, where device_id is a unique device identifier, nonce is a 32-bit random number, timestamp is the current UTC millisecond-level timestamp, and HMAC-SHA256 signature is calculated by combining the handheld device hardware key with device_id, nonce, and timestamp. The request performs zero-trust triple verification. If authentication is successful, secure data is sent. If authentication fails, up to three automatic retries are performed. If three retries fail, the handheld device caches the synchronized data to local storage and prompts the operator of the handheld device through the human-machine interface. S3. Configure the MODBUS device through the handheld device agent. After the handheld device obtains the encrypted ledger, decrypts it and stores it locally, it disconnects from the edge agent gateway and configures the MODBUS device. S4, closed-loop verification and blockchain notarization, including result feedback, differential synchronization, blockchain notarization and cloud synchronization.
[0028] In this embodiment, as Figure 1 As shown, the zero-trust triple verification in S2 includes identity verification, physical trust verification, and authorization and session establishment. The identity verification includes checking whether the device_id in the request corresponds to a temporary trust whitelist and whether the format of the device_id conforms to the defined rules. If the device_id does not exist, the request is rejected.
[0029] The physical trust verification includes submitting the device_id contained in the request and the nonce corresponding to the request to the backend blockchain network of the edge proxy gateway through the edge proxy gateway, and requesting verification of the hardware PUF physical signature corresponding to the identifier through the blockchain network. The physical trust verification is passed when the verification matching degree is greater than 99%.
[0030] The authorization and session establishment process includes verifying the timestamp, ensuring that the time difference between the timestamp and the local time of the edge proxy gateway is less than 30 seconds, verifying the uniqueness of the nonce corresponding to the request, and confirming that the nonce has not been reused within 24 hours. If the above conditions are met, the edge proxy gateway combines the timestamp and the nonce to generate a 128-bit one-time dynamic session key through hash budgeting. The one-time dynamic session key is then used to encrypt the parameter ledger, i.e., the MODBUS station number, device type, and resource allocation policy already existing in the network of the request, using the AES-128-CBC algorithm. Finally, it is transmitted to the handheld device through the NFC interface. After the transmission is completed, the one-time dynamic session key becomes invalid.
[0031] In this embodiment, as Figure 3 As shown, the configuration process in S3 includes the following steps: S31. MODBUS RTU device connection and response detection: The operator connects several MODBUS RTU devices to be configured to the RS485 interface of the handheld device. The handheld device senses the access of the MODBUS RTU devices by detecting the differential voltage change of RS485, and the handheld device detects the response of the MODBUS RTU devices by sending MODBUS broadcast commands. S32. Parameter allocation and writing of MODBUS RTU device: The operator will operate the handheld device connected to the MODBUS RTU device according to the preset or user-selected mode, which includes automatic allocation mode and manual allocation mode. S33. Writing and verifying the MODBUS RTU device: After determining the station number, the handheld device writes the determined station number to the MODBUS RTU device using the MODBUS write single register function code. To ensure successful operation, the handheld device performs a read operation using the determined station number. When the value read back by the handheld device matches the written value and the CRC check matches, the configuration is confirmed to be successful.
[0032] The operation process of the automatic allocation mode includes: The handheld device sends a MODBUS read command to the default address of the MODBUS RTU device, attempting to read a specific register to obtain the device type identifier of the MODBUS RTU device. Based on the read device type identifier, the handheld device determines the device type of the MODBUS RTU device and searches for a corresponding range of legal station numbers in its local resource allocation policy. Within this range, a closed-loop conflict detection algorithm is used to find the first unoccupied legal station number for allocation. If there are no free stations within this range, the search is expanded to the global range. The aforementioned closed-loop conflict detection algorithm refers to a method for identifying and handling keyframe conflicts in closed or loop-bound systems. A closed loop refers to the system returning to the same physical location at different times, requiring the detection and fusion of duplicate keyframes. Conflict detection refers to identifying the similarity between new key information and historical information to avoid data duplication or redundancy. Existing closed-loop conflict detection methods mainly utilize timestamp and pose difference detection, feature descriptor matching, etc. In this invention, the occupancy status of legal station numbers is used as a feature for closed-loop conflict detection.
[0033] The operation process of the manual allocation mode includes: The operator selects a physical port of a connected device on the human-machine interface of the handheld device. The handheld device renders a list of available and valid station numbers on the human-machine interface based on the existing MODBUS station numbers, device types, and resource allocation policies in the network. After the user selects an available station number, the background performs a secondary real-time conflict check.
[0034] In this embodiment, if a write verification error occurs in S33, the parameter rollback is executed to reset the allocated valid station number from the allocated state to the available state and record the error log. If two write failures occur consecutively in the automatic allocation mode, the handheld device prompts the operator whether to switch to manual mode for manual diagnosis and intervention.
[0035] In this embodiment, the result feedback process in S4 includes: after the MODBUS RTU device is configured, the operator brings the handheld device close to the edge proxy gateway and repeats the S2 operation.
[0036] In this embodiment, the differential synchronization in S4 includes: the handheld device transmitting the change record generated during the configuration process back to the edge proxy gateway via encryption. The change record includes the changed device, the station number assigned to the changed device, and the time when the change occurred. The edge proxy gateway records the difference portion of the change record.
[0037] In this embodiment, the blockchain verification in S4 includes: the edge proxy gateway forming a transaction from the change record and submitting the transaction to the backend blockchain network, and the transaction needs to obtain signature verification from at least three endorsing nodes on the blockchain network before it can be written into the blockchain network to form a log.
[0038] In this embodiment, the cloud synchronization in S4 includes: synchronizing the configuration results to the cloud management platform through the blockchain network to complete the configuration operation loop.
[0039] Furthermore, an authentication device based on NFC and zero-trust mechanism, employing the aforementioned authentication method based on NFC and zero-trust mechanism, includes the handheld device, which comprises: Main control unit: The main control unit adopts the ESP32-WROOM-32 microcontroller, which is responsible for the core of the handheld device's operation and control, and is responsible for running the real-time operating system and all business logic. The ESP32-WROOM-32 microcontroller has the advantages of low power consumption and high performance, ensuring the smoothness of agent configuration. NFC communication module: The NFC communication module uses an NXP PN532 NFC chip and controls the communication distance of the NFC chip to within 10cm. By using a contactless NFC chip, physical safety risks such as electric shock and short circuit caused by opening the cover and connecting wires during manual configuration are avoided. MODBUS-RTU Communication Interface: The MODBUS-RTU communication interface uses several built-in electrically isolated RS485 transceivers. The RS485 transceiver model is TI SN65HVD72. Each interface of the RS485 transceiver is equipped with a differential voltage detection circuit to detect whether the physical port is effectively connected. Each interface is isolated from the main control unit through a high-speed optocoupler to resist surges and common-mode interference in the industrial field. Security processing unit: The security processing unit adopts a Microchip ATECC608B security chip. The security processing unit is responsible for performing the cryptographic operations, which include encryption, decryption, and signature generation and verification. The Microchip ATECC608B security chip has a unique hardware key that is physically unclonable, providing a hardware root of trust for zero-trust authentication. The human-computer interaction interface includes a touch screen and several physical buttons. The functions of the physical buttons include confirmation, return, and mode switching. The human-computer interaction interface is used to display the status, configuration mode, and parameters to the operator and to receive operation instructions to realize manual intervention. The local storage unit: The local storage unit adopts a non-volatile memory with a specification of 64Mbit SPI Flash. The local storage unit is used for offline caching of the device parameter ledger, the resource allocation strategy and the log obtained from the edge proxy gateway; The triggering unit includes a magnetic field strength sensor and a physical trigger button. The magnetic field strength sensor is used to detect the NFC field strength to wake up the handheld device and the edge proxy gateway. The physical trigger button is used to manually trigger NFC communication to wake up the handheld device and the edge proxy gateway in a strong interference environment. The main control unit is electrically connected to the local storage unit, the human-machine interface, the security processing unit, the MODBUS-RTU interface, and the NFC communication module, respectively. The main control unit can control the local storage unit, the human-machine interface, the security processing unit, the MODBUS-RTU interface, and the NFC communication module in a unified manner.
[0040] While embodiments of the present invention have been described in detail above, it will be apparent to those skilled in the art that various modifications and variations can be made to these embodiments. However, it should be understood that such modifications and variations fall within the scope and spirit of the invention as set forth in the claims. Furthermore, the invention described herein may have other embodiments and can be implemented or carried out in various ways.
Claims
1. An authentication method based on NFC and zero-trust mechanism, characterized in that, Using a handheld device and performing the following steps via the handheld device: S1. Before performing on-site tasks, the handheld device requests the remote management platform to generate an NFC activation command containing device_id and sends it to the edge proxy gateway in the target area through a secure channel. The edge proxy gateway verifies the digital signature of the command, activates the NFC interface at the hardware layer of the edge gateway, and adds the device_id to the temporary trust whitelist. During this process, the NFC interface remains active and automatically shuts down after a timeout. S2. Perform zero-trust-based NFC authentication and data synchronization, including a request triggered by the handheld device. The request includes device_id, nonce, timestamp, and HMAC-SHA256 signature, where device_id is a unique device identifier, nonce is a 32-bit random number, timestamp is the current UTC millisecond-level timestamp, and HMAC-SHA256 signature is calculated by combining the handheld device hardware key with device_id, nonce, and timestamp. The request performs zero-trust triple verification. If authentication is successful, secure data is sent. If authentication fails, up to three automatic retries are performed. If three retries fail, the handheld device caches the synchronized data to local storage and prompts the operator of the handheld device through the human-machine interface. S3. Configure the MODBUS device through the handheld device agent. After the handheld device obtains the encrypted ledger, decrypts it and stores it locally, it disconnects from the edge agent gateway and configures the MODBUS device. S4, closed-loop verification and blockchain notarization, including result feedback, differential synchronization, blockchain notarization and cloud synchronization.
2. The authentication method based on NFC and zero-trust mechanism according to claim 1, characterized in that, The zero-trust triple verification in S2 includes identity verification, physical trust verification, and authorization and session establishment. The identity verification includes checking whether the device_id in the request corresponds to a temporary trust whitelist and whether the format of the device_id conforms to the defined rules. If the device_id does not exist, the request is rejected.
3. The authentication method based on NFC and zero-trust mechanism according to claim 2, characterized in that, The physical trust verification includes submitting the device_id contained in the request and the nonce corresponding to the request to the backend blockchain network of the edge proxy gateway through the edge proxy gateway, and requesting verification of the hardware PUF physical signature corresponding to the identifier through the blockchain network. The physical trust verification is passed when the verification matching degree is greater than 99%.
4. The authentication method based on NFC and zero-trust mechanism according to claim 3, characterized in that, The authorization and session establishment process includes verifying the timestamp, ensuring that the time difference between the timestamp and the local time of the edge proxy gateway is less than 30 seconds, verifying the uniqueness of the nonce corresponding to the request, and confirming that the nonce has not been reused within 24 hours. If the above conditions are met, the edge proxy gateway combines the timestamp and the nonce to generate a 128-bit one-time dynamic session key through hash budgeting. The one-time dynamic session key is then used to encrypt the parameter ledger, i.e., the MODBUS station number, device type, and resource allocation policy already existing in the requested network, using the AES-128-CBC algorithm. Finally, it is transmitted to the handheld device through the NFC interface. After the transmission is completed, the one-time dynamic session key becomes invalid.
5. The authentication method based on NFC and zero-trust mechanism according to claim 1, characterized in that, The configuration process in S3 includes the following steps: S31. MODBUS RTU device connection and response detection: The operator connects several MODBUS RTU devices to be configured to the RS485 interface of the handheld device. The handheld device senses the access of the MODBUS RTU devices by detecting the differential voltage change of RS485, and the handheld device detects the response of the MODBUS RTU devices by sending MODBUS broadcast commands. S32. Parameter allocation and writing of MODBUS RTU device: The operator will operate the handheld device connected to the MODBUS RTU device according to the preset or user-selected mode, which includes automatic allocation mode and manual allocation mode. S33. Writing and verifying the MODBUS RTU device: After determining the station number, the handheld device writes the determined station number to the MODBUS RTU device using the MODBUS write single register function code. To ensure successful operation, the handheld device performs a read operation using the determined station number. When the value read back by the handheld device matches the written value and the CRC check matches, the configuration is confirmed to be successful.
6. The authentication method based on NFC and zero-trust mechanism according to claim 5, characterized in that, The operation process of the automatic allocation mode includes: The handheld device sends a MODBUS read command to the default address of the MODBUS RTU device, attempts to read a specific register to obtain the device type identifier of the MODBUS RTU device, and determines the device type of the MODBUS RTU device based on the read device type identifier. The handheld device then searches for the corresponding range of legal station numbers in the local resource allocation policy and uses a closed-loop conflict detection algorithm within the range of legal station numbers to find the first unoccupied legal station number for allocation. If there is no free station number within the range of legal station numbers, the search is expanded to the global range.
7. The authentication method based on NFC and zero-trust mechanism according to claim 6, characterized in that, The operation process of the manual allocation mode includes: The operator selects a physical port of a connected device on the human-machine interface of the handheld device. The handheld device renders a list of available and valid station numbers on the human-machine interface based on the existing MODBUS station numbers, device types, and resource allocation policies in the network. After the user selects an available station number, the background performs a secondary real-time conflict check.
8. The authentication method based on NFC and zero-trust mechanism according to claim 7, characterized in that, If a write verification error occurs in S33, the parameter rollback will be executed to reset the allocated valid station number from the allocated state to the available state and record the error log. If two write failures occur consecutively in the automatic allocation mode, the handheld device will prompt the operator whether to switch to manual mode for manual diagnosis and intervention.
9. The authentication method based on NFC and zero-trust mechanism according to claim 1, characterized in that, The result feedback process in S4 includes: after the MODBUS RTU device is configured, the operator brings the handheld device close to the edge proxy gateway and repeats the S2 operation; The differential synchronization in S4 includes: the handheld device transmitting the change records generated during the configuration process back to the edge proxy gateway in encrypted form. The change records include the changed device, the station number assigned to the changed device, and the time when the change occurred. The edge proxy gateway records the differences in the change records. The blockchain verification in S4 includes: the edge proxy gateway forming a transaction from the change record and submitting the transaction to the backend blockchain network, and the transaction needs to obtain signature verification from at least three endorsing nodes on the blockchain network before it can be written into the blockchain network and form a log; The cloud synchronization in S4 includes: synchronizing the configuration results to the cloud management platform through the blockchain network to complete the configuration operation loop.
10. An authentication device based on NFC and zero-trust mechanism, characterized in that, The authentication method based on NFC and zero-trust mechanism as described in claims 1 to 9 is used for authentication, including the handheld device, the handheld device comprising: Main control unit: The main control unit adopts the ESP32-WROOM-32 microcontroller, which is responsible for the core of the handheld device's operation and control, and is responsible for running the real-time operating system and all business logic; NFC communication module: The NFC communication module uses an NXP PN532 NFC chip and controls the communication distance of the NFC chip to within 10cm; MODBUS-RTU Communication Interface: The MODBUS-RTU communication interface uses several built-in electrically isolated RS485 transceivers. The RS485 transceiver model is TI SN65HVD72. Each interface of the RS485 transceiver is equipped with a differential voltage detection circuit to detect whether the physical port is effectively connected. Security processing unit: The security processing unit adopts a Microchip ATECC608B security chip. The security processing unit is responsible for performing the cryptographic operations, which include encryption, decryption, and signature generation and verification. The human-computer interaction interface includes a touch screen and several physical buttons. The functions of the physical buttons include confirmation, return, and mode switching. The human-computer interaction interface is used to display the status, configuration mode, and parameters to the operator and to receive operation instructions to realize manual intervention. The local storage unit: The local storage unit adopts a non-volatile memory with a specification of 64Mbit SPI Flash. The local storage unit is used for offline caching of the device parameter ledger, the resource allocation strategy and the log obtained from the edge proxy gateway; The triggering unit includes a magnetic field strength sensor and a physical trigger button. The magnetic field strength sensor is used to detect the NFC field strength to wake up the handheld device and the edge proxy gateway. The physical trigger button is used to manually trigger NFC communication to wake up the handheld device and the edge proxy gateway in a strong interference environment. The main control unit is electrically connected to the local storage unit, the human-machine interface, the security processing unit, the MODBUS-RTU interface, and the NFC communication module.