CN101425903A - Trusted network architecture based on identity - Google Patents
Publication number: CN101425903A
Authority: CN (China)
Prior art keywords: network, data, assembly, user, identity
Legal status: Pending
Abstract
An identity-based trusted network architecture belongs to the technical field of information security. It comprises three layers and three entities: the three layers are a physical transmission layer, a network layer and an application layer; the three entities are a network access initiator, a network access controller and a security policy server. The architecture adopts an encrypted-vector authentication mechanism based on the identities of the accessing parties, and guarantees that every network access request is an encrypted data stream bound to the accessing entity. As long as the access controller, using its own identity label and the identity information of the requesting label, can decrypt the request data and obtain the correct check value, mutual peer identity authentication is achieved; the access control component and the security monitoring component then evaluate and check authority and content, so that every access request is guaranteed to be safe and unsafe access requests are refused, thereby realizing the trusted network architecture.
Description
Technical field
The invention belongs to the field of information security technology, and specifically relates to an identity-based trusted network connection architecture.
Background art
At present, the known trusted network connection standard and framework is TCG-TNC (Trusted Network Connect) of the international Trusted Computing Group (TCG). TNC comprises an open terminal-integrity framework and a set of technical standards that guarantee secure interoperability. In essence, this standard builds the trusted network connection starting from the trusted terminal: it arms every terminal and host with a trusted computing platform module (PTM) and deploys a trust measurement platform, a security policy platform and an access control platform inside the trusted network. A terminal accessing the trusted network is first authenticated, then its security state information is collected and its trustworthiness and security are measured, and finally the security policy decides whether the terminal is allowed onto the trusted network; a terminal that violates the security policy is isolated and remediated until it meets the policy. Research on trusted networks started relatively early in China, but systematic, genuinely published and influential technical specifications are few. Patent 200710176091.4 and patent 200710019094.7 are the two domestic publications on trusted network architecture that can currently be found; both build on TNC and use different strategies to realize trusted network access control.
By scrutinizing domestic and foreign research and frameworks on trusted networks, one finds that they all define a trusted network as one in which the behaviour of the network and its users, and the results of that behaviour, are always predictable and manageable. This definition is biased: a trusted network is a large concept that covers network-wide security and trustworthiness, rather than the creation of a trustworthy small network inside an unsafe large one. In the Internet, first, how to assess the security of a terminal, who collects the terminal's security state information, and who formulates the security policy are problems that are hard to implement. Second, collecting terminal security information is a relatively sensitive matter that involves privacy; moreover, even if the user sets privacy concerns aside, a trusted terminal is supported by the PTM module and all of its internal information is encrypted, so collecting the terminal's security information can only rely on a reporting mechanism; how trustworthy is such a reporting mechanism, and how does the measurement platform confirm that the reported information is not false? Third, trusted network architectures and technical specifications still use the existing basic technologies, without innovation or breakthrough, merely giving old techniques a new form and a new name, so whether they truly achieve security and trust is doubtful; this may be the fundamental reason why, since the TNC framework was issued, no decent product has come onto the market.
Summary of the invention
The object of the present invention is to provide a trusted network architecture based on user identity, to realize a large-scale architecture in which the whole network is trustworthy: no terminal is allowed to inject unsafe factors into the network, still less are unsafe factors allowed to enter a terminal or host, and the security and trustworthiness of the whole Internet is realized naturally. It can accommodate all existing network infrastructure and unsafe terminals, and lets users voluntarily obey the terminal security rules; otherwise they become isolated islands in a large sea, unable to exchange with anyone. Because the network behaviour of every terminal is strictly bound to the entity using that terminal, a malicious user who injects unsafe factors into the network is found immediately and expelled from the network, thus forming a trusted network environment in which legitimate users dare not commit offences and illegitimate users cannot.
The present invention is a trusted network connection architecture based on trusted computing technology; it adopts an identity-based encrypted-vector authentication PTM module to support the trusted network connection and is a trusted network connection architecture different from the TNC structure. Its purpose is to guarantee that any piece of information circulating in the network can first prove, in a legitimate way, its own particulars: that it has not been tampered with or forged, does not carry unsafe factors, cannot exceed the authority granted by the network, and has a living entity responsible for it. Such a network is a trusted network.
The trusted platform module PTM of the present invention adopts a tolerant attitude: it does not laboriously and futilely scan the security of every component inside the system, nor does it accept external security assertions; it simply watches closely all data entering and leaving the system and lets the data prove itself. As long as the security principles are not violated, the data is allowed in and out. If they are violated, besides stopping the data from entering or leaving, it also warns the data source; if the user ignores the warning, it closes the network communication function of the internal system and isolates it from the network, and towards the outside it generates a broadcast datagram telling the whole network of the dangerous tendency of the user with that identity label. Terminal users who do not adopt the trusted platform module PTM are isolated because they cannot communicate with trusted network terminals, and so cannot threaten the trusted network.
An identity-based trusted network architecture comprises three levels and three entities. The three levels are: physical transport layer, network layer and application layer. The three entities are: network access initiator, network access controller and security policy server. The trusted network architecture of this scheme adopts an encrypted-vector authentication infrastructure technology based on the visitor's identity, and guarantees that every network access request is an encrypted traffic stream bound to the visitor's entity. As long as the access control side, using its own identity label and the identity information of the access request label, can decrypt the request data and obtain the correct check value, mutual peer identity discrimination is achieved; the access control component and the security monitoring component then evaluate and check authority and content, guaranteeing that every access request is safe and rejecting unsafe access requests, thereby realizing a trusted network connection architecture.
1. Basic trusted network architecture
An identity-based trusted network architecture is shown in Fig. 1.
This trusted network architecture specifies the functional hierarchy of the identity-based trusted network architecture and the network entities at each level. The simplest and most direct trusted network architecture comprises three levels, the physical link layer, the network layer and the application layer, and three network entities, the network access initiator, the network access controller and the security policy server; each entity comprises several functional components, with interfaces between the components.
2. Levels
The identity-based trusted network architecture is divided into three levels:
Physical link layer: this level only provides data flow protection for the data flow on the physical circuit, stopping the threats to the network caused by the transparency of link-layer data. This layer adopts an encryption mechanism based on the network interface card, and can realize data confidentiality and peer device identity discrimination.
Network layer: this level adds three functional components on top of the original network layer functions to complete two-way guarding of the network gateway. Its main functions are: performing identity-based encrypted-vector processing on the original IP packet and decrypting external access request IP packets, realizing peer identity discrimination and data origin discrimination by judging integrity; judging, according to the contents of the mandatory access control database, whether a network access request is allowed; performing a security check on the content of permitted access data, to guarantee that data entering the terminal or host is safe; likewise performing a security check on outgoing access data to prevent unsafe factors from entering the network, sending a security alarm, and, where an internal unsafe factor cannot be prevented, closing the network channel and cutting off the connection with the network to guarantee network security.
Application layer: completing peer identity discrimination with the third-party service entity over the network, and sharing visitor authentication information, security policy and the virus prevention database; accepting simple security policy and authorization settings from the user; providing authorization information and security monitoring policy to the network layer; and responding to network layer security events by producing security alarms.
3. Entities
Network access initiator: the entity requesting network access. Its function is to send the access request and to complete peer identity discrimination and data origin and sink discrimination with the access controller; through the identity information and security policy of the accessed party obtained from the security policy server, it guarantees that the access request information it sends is safe. This entity comprises the following components: communication traffic stream protection component, encryption and authentication component, access control component, security monitoring component and security policy management component.
Network access controller: the accessed network entity. Its function is to receive the network access initiator's access request data, complete peer identity discrimination with the visitor, data origin discrimination and discrimination of the visitor's access rights, and, if access is allowed, also check the security of the request data content. It obtains the visitor's identity information and security policy from the security policy server and guarantees that the access request information handed to the upper layer is safe. This entity comprises the following components: communication traffic stream protection component, encryption and authentication component, access control component, security monitoring component and security policy management component.
Security policy server: this entity comprises the following components: communication traffic stream protection component, encryption and authentication component, access control component, security monitoring component and security policy management component, and additionally the rescue centre component, the service centre component and the registration remote terminal. The security policy server is a third-party authoritative entity website distributed by region in the Internet; its role is equivalent to the CA centre of today's public key infrastructure, and it is divided into three parts: rescue centre, service centre and registration mechanism. It is responsible for collecting and providing to the network the identity information and credit grade information of all legitimate network users; formulating and distributing network access and virus prevention security policies; responding to aid requests by implementing remote rescue for the requester; adjusting a registered user's security level in time according to the user's network behaviour and indicating the user's credit grade visibly with colours; deleting repeatedly illegal blacklisted users from the registration database; and, for user terminals that have been sanctioned yet remain impenitent and continue to harm the trusted network, implementing remote destruction to expel them thoroughly from the trusted network.
4. Functional components
The service centre only accepts writing or revision of registration data from the authoritative registration mechanism of each region; it only provides the security policy management entities of the trusted network with user identity and user credit grade query services, warns about dangerous users, and regularly or promptly provides security policies and the network blacklist to the registered users' security policy management entities. A user who does not go through the security policy management entity, or who has not registered, cannot log on to this entity's website.
The rescue centre only accepts aid requests from the security policy management component and handles accidents in a timely manner.
The registration mechanism is responsible for creating the basic database of network users: it forms a database record from the applicant's real identity information and the space code of the network identity card held by that user, and uploads it to the security policy server entity site database, where it is open to the whole network; the user's real identity is thereby bound directly to that user's network behaviour, and real-name registration is realized.
The security policy management component is a component resident in the application layer of every terminal or host system in the trusted network. It has two interfaces: one lets the terminal user simply set the admission policy and the security policy for accessing this terminal; the other realizes sharing of security policy and virus prevention information with the authoritative security policy server over the network after peer identity discrimination. Internally it provides security policy, access policy and the blacklist to the access control entity and the security monitoring entity, and handles anomalous events in a timely manner.
The security monitoring component is a bidirectional security component located in the network layer; all data entering or leaving the terminal or host must pass through it. It accepts the security policy of the upper-layer security policy management component and inherits the authentication information passed on by the encryption and authentication component and the access control component; then, according to the authorization information base passed down from the upper layer, it verifies by checking the data content whether the access request exceeds its authority and whether it carries viruses, Trojans or other malicious programs. Once such a case is found, it immediately starts the audit recorder to record the details of the event for location and tracking, imposes on the legitimate user, according to the severity, the punishment of reducing authority, disabling access or removing the user, and produces an alarm datagram that is fed back to the visitor's system. For internal access or data sent outward, if the above-mentioned excess of authority or carrying of malicious content is found and the warning is ineffective, the security monitoring component has the right to close the service function of the network layer, realizing the same network isolation, so as not to endanger the whole network. Safe access requests or data are given a safety label and handed to the upper layer for processing or to the lower layer to be sent out. If an alarm datagram is received, the network connection is temporarily disconnected and the matter is submitted to the security policy management component; if the local security policy management component cannot handle it, it appeals to the network rescue centre for aid.
The access control component is also a bidirectional security component located in the network layer. It accepts the visitor's identity information passed on by the encryption and authentication entity and the authorization information passed on by the security policy management entity, and decides whether a concrete network request is rejected or accepted: every access request that cannot provide a legitimate identity, and every visitor not listed in the authorization information base, is rejected outright. For data requests sent outward from inside, it also verifies whether the data recipient's identity is legitimate and whether there is authority to exchange data with this internal user. If the visitor passes the legitimacy check, the access request is handed to the security monitoring component for the data security check, or to the encryption and authentication entity to be encrypted and sent out. The system sets a certain tolerance for unauthorized visitors; once it is exceeded, the mandatory access control component starts an early-warning mechanism, actively sends an alarm broadcast to the network telling it of the dangerous tendency of that user, and notifies the lower layer to ignore every IP packet carrying that user identity.
The encryption and authentication component is the core component for building the trusted network. For a host system it is simply a PTM module; for a network terminal, in order to support user mobility, it is divided into two parts, a software part and a hardware part. The software is located in the network layer and interfaces directly with the original IP protocol, or can be embedded inside the IP protocol. The hardware is the terminal user's identity label, a network identity card, connected to the terminal by a USB interface or an induction interface, which provides the software part with the user's identity label, the encryption and decryption keys, and the encryption and decryption algorithm selection word. This component obtains the visitor's identity information by decrypting external access requests or packets, completes visitor authentication and digital signature verification through integrity verification, and thereby decides whether to discard the data or hand it to the access control entity for processing; for request information or data sent outward from inside, it only performs encryption.
The PTM module is based on digital circuitry, in a dedicated digital chip with an intelligent processor and complete anti-tamper, anti-test and electrical destruction circuits. It possesses a globally unique production serial number bound to the internal encryption and authentication circuit, which determines the vector key formation range of that PTM module; it can accept remote control commands that start the electrical destruction circuit. In concrete applications it is installed on the terminal's mainboard, forming a device-centred trusted computing platform; it can control all input and output data of the computer, requiring them to be standard encrypted-vector data, and it adopts the digital relay baton technology to resist replay attacks.
The network identity card is based on the anti-tamper and self-destruction hardware of a smart card and has a globally unique string-number identifier. This identifier is the serial number of the key generator/regenerator in the card, determines the key space range that the generator/regenerator can output, and cooperates with the digital relay baton technology to resist replay attacks; the card can accept remote control commands that start the electrical destruction circuit. Together with the corresponding software system, this smart card forms a user-based trusted network terminal. After obtaining the network identity card, the user must register it with the local registration office before it becomes a real network identity card and network pass; nobody dares interact in the trusted network with an unregistered network identity card. If the holder uses the identity card for business that harms network security, the third-party entity can publicize over the network the holder's harm grade, up to destroying the network identity card.
The communication traffic stream protection component is a pure security component that the present invention places specially at the physical interface layer. It adopts a high-strength encryption mechanism based on the network interface card, realizing end-to-end confidentiality and simple peer entity discrimination and data origin discrimination, and protecting the confidentiality of the communication traffic stream on the physical circuit against interception by packet sniffer circuits.
5. Trusted network interfaces and databases
Basic data collection interface: this interface defines the data exchange standard between the third-party entity website server and the registration mechanism's terminals. It stipulates that the basic data collection interface uses a high-level encrypted authentication system that is backward compatible with the general encrypted authentication system, guaranteeing that ordinary terminals and hosts cannot actively exchange data with this interface; data exchange with ordinary terminals or hosts is realized only when necessary, at the initiative of the third-party entity website server, so as to guarantee the security and authority of the third-party entity website.
Policy sharing and data query interface: this interface defines the data exchange rules between the third-party entity website server and the security policy management entity of an ordinary host or terminal.
Network mutual-access interface: this interface defines the data interchange format and the security rules between the visitor and the accessed party.
Security policy database: this database must be present on every terminal and host; it holds the system security policy and virus prevention policy provided by the security policy server and obtained through the policy sharing and data query interface, and is used by the security monitoring component.
Access control database: this database is the list of all users permitted, under the user's settings and control, to access this machine; it contains fields such as the user's real identity information, network identity card number, credit grade, extent of authority, sending relay key and receiving relay key, and is used by the mandatory access control component.
Network identity card database: held by the security policy server, it is the information base of all registered network users obtained through the basic data collection interface, available for query by all network users.
Compared with existing technical schemes, the trusted network architecture of the present invention has the following advantages:
The technical implementation is simple; no major structural modification to the network or equipment is needed.
The trusted network architecture is concise and efficient: the supporting technology is single, the trust target is precise, the authentication means is simple, no unnecessary data flows circulate in the network, and network bandwidth is saved.
The data message is genuinely bound to the user's identity throughout its whole life cycle, with no key agreement or key transmission, guaranteeing the trustworthiness and availability of data generation, transmission and use.
Universality is strong, extensibility is good and security is high, genuinely realizing a trusted network environment in which offences cannot be committed.
All basic technologies are indigenous, with none of the security threats of imported products.
Description of the drawings
Fig. 1 is the basic principle block diagram of the trusted network architecture of the present invention.
Fig. 2 is the device-centred information flow chart of the trusted network architecture of the present invention.
Fig. 3 is the user-centred information flow chart of the trusted network architecture of the present invention.
Embodiment
Below in conjunction with drawings and Examples trusted network architecture of the present invention is described further.Embodiment 1, be the trusted network architecture at center with equipment
With equipment be the center trusted network architecture as shown in Figure 2, in this trusted network architecture, all-network terminal and main frame, all adopt hardware mainboard structure with the PTM creditable calculation modules, systems soft ware is equipped with security policy manager person assembly, safety supervision and pressure access control components, forms the trusted network architecture that is made of credible computing terminal, trusted host and security strategy server.
Under the initial state, the user who has trusted terminal must arrive security strategy server registration center and register, then could trustable network access, obtain security strategy and antivirus protection state-of-the-art technology from security strategy service centre automatically, finish the initialization of trusted terminal.All apply for policy update when after this terminal starts at every turn from trend security strategy server.
The trustable network exchange of information flow process of once safety as shown in Figure 2.
1. Through the security policy management component platform, the user of the initiating terminal connects to the security policy server's service platform, queries the background information and device identity card number of the entity it intends to access, and adds that subscriber record to its own trusted communication database.
2. The access initiator hands the access request information, together with the device identity card number of the intended target, to the security supervision component for a security inspection. Once the request passes, a security label is attached and the access control component performs a permission check. When the permission check passes, the data is handed to the PTM module to be encrypted, packaged and sent out.
3. Having obtained the intended target's device identity card number, the PTM module first takes its own digital relay token from the trusted communication database and attaches it to the head of the request data, then requests an encryption key from the key generator and encrypts the request data. Finally it composes the ciphertext head from the intended target's device identity card number, this machine's device identity card number, random key material encrypted with the legitimate peer's digital relay key, the full-text checksum, the operation mode and the header checksum, and hands the head and the ciphertext to the IP protocol for packaging. In the early stage of the trusted network the packet may instead be packaged first and encrypted afterwards, so that the source and sink addresses are concealed as well.
4. The communication traffic flow protection component of the physical link layer applies MAC-based end-to-end encryption to the outgoing IP packet and places it on the physical circuit; the switches and routers along the path relay and re-encrypt it until it reaches the specified hardware MAC.
5. When the access controller's communication traffic flow protection component receives a data frame addressed to itself, it decrypts the data and passes it to the IP layer.
6. After the access controller's IP protocol has reassembled the received IP packet, it hands the packet to the PTM module for decryption and authentication. The PTM module first extracts the sink's device identity card number from the ciphertext head and compares it with its own, completing sink discrimination.
If the numbers match, the module extracts the source device identity card number and looks up the record for that number in the trusted communication database. If there is no record it raises an authentication request with the access control component, which sends a query through the security policy component to the security policy server. When the server responds, the returned information is fed back to the requester, and the access control component or the system decides whether this request may access this machine, completing the first identity confirmation of the user.
If the access initiator is allowed to access this machine, the module takes its own relay key from the trusted communication database, decrypts the subsequent header data with it, regenerates the decryption key from the source device identity card number, the operation mode and the random key material so obtained, and decrypts the request information.
It then decides the fate of the request by the correctness of the full-text checksum. An incorrect checksum means either that the ciphertext was not produced by the device identity card coding system it claims to come from, or that it has been damaged or tampered with; the request is then discarded.
A correct checksum shows that the request really came from the identified device identity card coding system and is complete. The relay token is then taken from the head of the plaintext request and compared with the relay token stored in the trusted communication database. If they match, the request is fresh and usable; the old token in the database is replaced with a newly generated one, which completes the anti-replay check and continues the relay chain. Source discrimination and identity authentication are completed at the same time, so the ciphertext obtained is equivalent to the visitor's digital signature.
The request is then handed to the access control component, which determines the access level from the initiator's device identity card number, background information and credit grade, and then to the security supervision component, which inspects the permissions and data content for safety. From the inspection result and the initiator's security label it judges the security state and security class of the initiating system and determines the visitor's rights accordingly. Finally the request is handed to the upper-layer application system for processing.
Access requesters that fail the security verification are handled by the security supervision component according to the severity of the case:
Those carrying viruses or Trojans: access by this user is temporarily prohibited and a warning is sent to the access initiator.
Those attempting to exceed their authority: the user's security class and access rights are reduced and a warning is issued.
Requests with no substantive content: the PTM module is notified to refuse to process IP packets sent by this device identity card number, for a period set by the user of 10 minutes, 1 hour or permanently.
Those attempting an attack or carrying malware: access by this user is prohibited; if that does not stop it, a broadcast datagram is sent and the ciphertext and plaintext of the access request are forwarded to the security service website so that the network can hold the party to account.
In the data exchange process above the roles of access initiator and access controller are not fixed: whoever sends a data request to another terminal or host is the access initiator, and whoever receives the request and performs the security inspection on it is the access controller. When a terminal acting as controller receives a virus alarm datagram, its security supervision component should immediately ask the security policy management component to handle it and feed the result back to the alarm initiator so that the ban can be lifted. If the local security policy management component cannot handle it, it requests remote rescue from the security policy server's rescue centre.
The second embodiment, the user-centred trusted network architecture, is shown in Figure 3. It differs from Embodiment 1 in that the terminals of this form of the trusted network need not be replaced with computers carrying a PTM trusted computing module; instead they are retrofitted with the security component software and a separate network identity card. With the card detached the terminal is an ordinary computer; once the card is inserted into the computer's USB or contactless interface, the ordinary terminal becomes a trusted terminal. This design and layout support user mobility and compatibility with the existing network infrastructure and the user's own computer, so that users can enjoy the security and convenience of the trusted network at minimal cost.
The implementation of the user-centred trusted network architecture is described in detail below with reference to Figure 3.
In the initial state the user who has obtained a network identity card and the corresponding software must register at the security policy server's registration centre and install the software on the terminal computer that is to join the trusted network. When the network identity card hardware is inserted into the USB interface or connected to the terminal through the contactless interface, the terminal becomes a trusted terminal, automatically obtains the current security policy and anti-virus protection from the security policy service centre, and completes its initialisation. Thereafter the terminal automatically requests a policy update from the security policy server at every start-up. When the network identity card hardware is disconnected from the terminal, the terminal becomes an untrusted terminal: even if it remains connected to the network, it cannot exchange information with the trusted hosts or terminals in it.
One secure information exchange over the trusted network proceeds as shown in Figure 3.
1. Through the security policy management component platform, the user of the initiating terminal connects to the security policy server's service platform, queries the background information and network identity card number of the entity it intends to access, and adds that subscriber record to its own trusted communication database.
2. The access initiator hands the access request information and the intended target's network identity card number to the security supervision component for a security inspection. Once the request passes, a security label is attached and the access control component performs a permission check. When the permission check passes, the data is handed to the encryption and authentication module, which, according to the intended target's identity card number, first takes the digital relay token from the trusted communication database and attaches it to the head of the request data, then requests an encryption key and a sequence number from the network identity card.
3. On receiving the encryption key request, the network identity card starts its key generator, generates the encryption key and outputs it to the encryption and authentication module, which encrypts the request data. It then composes the ciphertext head from the intended target's network identity card number, this machine's network identity card number, random key material encrypted with the peer's digital relay key, the operation mode, the full-text checksum and the header checksum, hands head and ciphertext to the IP protocol for packaging, and stores the relay key generated in this round in the trusted communication database. In the early stage of the trusted network the packet may instead be packaged first and encrypted afterwards, so that the source and sink addresses are concealed as well.
4. The communication traffic flow protection component of the physical link layer applies MAC-based end-to-end encryption to the outgoing IP packet and places it on the physical circuit; the switches and routers along the path relay and re-encrypt it until it reaches the specified hardware MAC.
5. When the access controller's communication traffic flow protection component receives a data frame addressed to itself, it decrypts the data and passes it to the IP layer.
6. After the access controller's IP protocol has reassembled the received IP packet, it hands the packet to the encryption and authentication module for decryption and authentication. The module first separates the ciphertext head from the ciphertext sequence, extracts the sink's network identity card number from it and compares it with its own, completing sink discrimination.
7. If the numbers match, it extracts the source's network identity card number and looks up the record for that number in the trusted communication database.
8. If there is no record it raises an authentication request with the access control component, which sends a query through the security policy component to the security policy server. When the server responds, the returned information is fed back to the requester, and the access control component or the system decides whether this request may access this machine, completing the first identity confirmation of the user.
9. If the access initiator is allowed to access this machine, the module takes the relay key from the trusted communication database, decrypts the ciphertext head with it and obtains the header data and checksum. If the header checksum is correct, it asks the local network identity card to regenerate the decryption key from the access request information, the identified source network identity card number and the random key material, decrypts the request information, and decides the fate of the request by the correctness of the full-text checksum. An incorrect checksum means either that the ciphertext was not produced by the network identity card coding system it claims to come from, or that it has been damaged or tampered with; the request is then discarded.
10. A correct checksum shows that the request really came from the identified network identity card coding system and is complete. The relay token is then taken from the head of the plaintext request and compared with the relay token stored in the trusted communication database. If they match, the request is fresh and usable; the old token in the database is replaced with a newly generated one, which completes the anti-replay check and continues the relay chain. Source discrimination and identity authentication are completed at the same time, so the ciphertext obtained is equivalent to the visitor's digital signature.
11. The request is then handed to the access control component, which determines the access level from the initiator's network identity card number, background information and credit grade, and then to the security supervision component, which inspects the permissions and data content for safety. From the inspection result and the initiator's security label it judges the security state and security class of the initiating system and determines the visitor's rights accordingly. Finally the request is handed to the upper-layer application system for processing.
12. Access requesters that fail the security verification are handled by the security supervision component according to the severity of the case:
Those carrying viruses or Trojans: access by this user is temporarily prohibited and a warning is sent to the access initiator.
Those attempting to exceed their authority: the user's security class and access rights are reduced and a warning is issued.
Requests with no substantive content: the encryption and authentication module is notified to refuse to process IP packets sent by this identity card number, for a period set by the user of 10 minutes, 1 hour or permanently.
Those attempting an attack or carrying malware: access by this user is prohibited; if that does not stop it, a broadcast datagram is sent and the ciphertext and plaintext of the access request are forwarded to the security service website so that the network can hold the party to account.
In the data exchange process above the roles of access initiator and access controller are not fixed: whoever sends a data request to another terminal or host is the access initiator, and whoever receives the request and performs the security inspection on it is the access controller. When a terminal acting as controller receives a virus alarm datagram, its security supervision component should immediately ask the security policy management component to handle it and feed the result back to the alarm initiator so that the ban can be lifted. If the local security policy management component cannot handle it, it requests remote rescue from the security policy server's rescue centre.
This embodiment supports user mobility. When a user is away from home and needs to use network resources, the user may, with the authorisation of the local user there, use that user's terminal together with the user's own network identity card hardware. During the authorised period all network behaviour of the terminal is the responsibility of the user holding the network identity card and does not affect the terminal's original user, although that user bears joint liability.
On the surface the security policy server merely supplies security policy to the network and attests the authenticity of user identities, taking no part in the establishment of secure connections. In fact it continuously monitors the security state of the network: it receives and processes the broadcast alarms sent by all terminals, adjusts security policy as needed, identifies the network behaviour of illegitimate users, and lowers such a user's security rank and credit grade in good time, up to expelling the user from the network. If the terminal user continues to endanger network security, the server starts the remote destruction procedure and destroys the user's PTM module or network identity card so that it can no longer harm the trusted network.
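The exchange in steps 1 to 12 above (and the equivalent PTM-based exchange of Embodiment 1), as an added Python simulation that is not part of the patent. The patent names the parts of the exchange but fixes no algorithms, so everything concrete here is an assumption: HMAC-SHA256 stands in for the full-text and header checksums and for key regeneration, an HMAC-SHA256 counter keystream stands in for the cipher, the successor of a relay token is HMAC-SHA256 of the old token under the relay key, and on first contact the policy server hands back a ready peer record. The card numbers and the request text are constructed.

```python
# Added simulation of the request exchange above; all primitives are assumptions (see lead-in).
import hashlib
import hmac
import os
from dataclasses import dataclass, field

MODE = b"\x01"      # "operation mode" byte carried in the ciphertext head (assumed encoding)
TOKEN_LEN = 16      # length of the digital relay token (assumed)

def _keystream_xor(key: bytes, data: bytes) -> bytes:
    """XOR data with an HMAC-SHA256 counter keystream (stand-in for the patent's unspecified cipher)."""
    out = bytearray()
    for block, off in enumerate(range(0, len(data), 32)):
        ks = hmac.new(key, block.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)

def _derive_key(key_material: bytes, src: bytes, dst: bytes, mode: bytes) -> bytes:
    """Regenerate the session key from the random key material, both card numbers and the mode."""
    return hmac.new(key_material, src + dst + mode, hashlib.sha256).digest()

def _next_token(relay_key: bytes, token: bytes) -> bytes:
    """Advance the relay chain; both ends compute the same successor, so the chain stays in step."""
    return hmac.new(relay_key, token, hashlib.sha256).digest()[:TOKEN_LEN]

@dataclass
class PeerRecord:
    """One row of a terminal's trusted communication database (credit grade and the like omitted)."""
    relay_key: bytes
    relay_token: bytes

@dataclass
class Terminal:
    card_no: bytes                            # this terminal's network identity card number
    db: dict = field(default_factory=dict)    # peer card number -> PeerRecord

    def build_request(self, peer: bytes, request: bytes) -> dict:
        """Initiator, steps 2-3: relay token on the request head, encrypt, compose the ciphertext head."""
        rec = self.db[peer]
        key_material = os.urandom(16)
        session_key = _derive_key(key_material, self.card_no, peer, MODE)
        body = rec.relay_token + request
        head = {
            "dst": peer,
            "src": self.card_no,
            "key_material": _keystream_xor(rec.relay_key, key_material),   # wrapped with the peer's relay key
            "full_checksum": hmac.new(session_key, body, hashlib.sha256).digest(),
            "mode": MODE,
        }
        head["head_checksum"] = hmac.new(rec.relay_key, b"".join(head.values()), hashlib.sha256).digest()
        rec.relay_token = _next_token(rec.relay_key, rec.relay_token)      # sender advances the chain too
        return {"head": head, "ciphertext": _keystream_xor(session_key, body)}

    def process_request(self, msg: dict, policy_server: dict) -> tuple:
        """Controller, steps 6-10: sink check, source lookup, header and full-text checks, anti-replay."""
        head = msg["head"]
        if head["dst"] != self.card_no:                        # sink discrimination
            return ("drop", "not addressed to this terminal")
        rec = self.db.get(head["src"])
        if rec is None:                                        # first contact: ask the policy server
            rec = policy_server.get(head["src"])
            if rec is None:
                return ("reject", "unknown identity")
            self.db[head["src"]] = rec
        fields = b"".join(head[k] for k in ("dst", "src", "key_material", "full_checksum", "mode"))
        if not hmac.compare_digest(hmac.new(rec.relay_key, fields, hashlib.sha256).digest(), head["head_checksum"]):
            return ("drop", "header checksum mismatch")
        key_material = _keystream_xor(rec.relay_key, head["key_material"])
        session_key = _derive_key(key_material, head["src"], self.card_no, head["mode"])
        body = _keystream_xor(session_key, msg["ciphertext"])
        if not hmac.compare_digest(hmac.new(session_key, body, hashlib.sha256).digest(), head["full_checksum"]):
            return ("drop", "full-text checksum mismatch: forged, damaged or tampered")
        token, request = body[:TOKEN_LEN], body[TOKEN_LEN:]
        if not hmac.compare_digest(token, rec.relay_token):
            return ("drop", "relay token mismatch: replay")
        rec.relay_token = _next_token(rec.relay_key, token)    # fresh request: the relay chain continues
        return ("accept", request)

def bootstrap_pair(a: Terminal, b: Terminal) -> None:
    """Constructed stand-in for registration: both sides get the same relay key and first relay token."""
    relay_key, token = os.urandom(32), os.urandom(TOKEN_LEN)
    a.db[b.card_no] = PeerRecord(relay_key, token)
    b.db[a.card_no] = PeerRecord(relay_key, token)

def demo() -> list:
    """One clean exchange, then the same message replayed, then a bit-flipped copy of it."""
    alice, bob = Terminal(b"CARD-0001"), Terminal(b"CARD-0002")     # constructed card numbers
    bootstrap_pair(alice, bob)
    msg = alice.build_request(bob.card_no, b"GET /records?user=alice")
    results = [bob.process_request(msg, {})]
    results.append(bob.process_request(msg, {}))                    # token already consumed
    ct = msg["ciphertext"]
    results.append(bob.process_request({"head": msg["head"], "ciphertext": ct[:-1] + bytes([ct[-1] ^ 1])}, {}))
    return results
```

`demo()` returns the three verdicts in order: accept, drop for replay, drop for a failed full-text checksum. Note the order of the checks: sink, source record, header checksum, full-text checksum, then relay token, matching steps 6 to 10, so a tampered replay is reported as tampering rather than as a replay. Because both ends advance the relay chain on their own, a request lost in transit leaves the two chains out of step; the patent does not say how they are re-synchronised, and this simulation does not attempt it.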
Claims (5)
1. An identity-based trusted network architecture, whose main technical features are: the architecture adopts an identity-based cryptographic vector authentication infrastructure, guaranteeing that every network access request is an encrypted data flow bound to the visitor's entity; the access controller need only decrypt the request data with its own identity identifier and the identity information indicated in the access request to obtain the correct check value, which realises two-way peer identity discrimination; the access control component and the security supervision component then assess and inspect permissions and content, guaranteeing that all access requests are safe and that unsafe requests are rejected, thereby realising a trusted network connection framework.
2. The identity-based trusted network architecture of claim 1, characterised in that it comprises three layers:
Physical link layer: this layer uses a network-card-based encryption mechanism that provides data confidentiality and peer device identity discrimination, protects the data flow on the physical circuit, and stops the threats to the network caused by the transparency of link-layer data.
Network layer: on top of the existing network layer functions this layer adds three functional components. It applies identity-based cryptographic vector processing to outgoing IP packets and decrypts incoming access request IP packets, realising peer identity discrimination and data origin discrimination by judging integrity; it decides from the contents of the mandatory access database whether the network access request is allowed; it performs a security inspection on the content of permitted access data to ensure that data entering the terminal or host is safe, and likewise inspects outgoing access data to prevent unsafe elements from entering the network; when an internal unsafe element cannot be stopped after a security alarm has been issued, it closes the network channel and cuts the connection to the network to keep the network secure.
Application layer: a security policy management component is provided which completes peer identity discrimination with the third-party service entity over the network, shares visitor authentication, security policy and the virus prevention database, accepts simple security policy and authorisation settings from the user, supplies authorisation information and security supervision policy to the network layer, and raises security alarms in response to security events at the network layer.
3. The identity-based trusted network architecture of claim 1, characterised in that it comprises three entities:
Network access initiator: the entity requesting network access. Its function is to send the access request and to complete peer identity discrimination and data source and sink discrimination with the access controller; using the identity information and security policy obtained from the security policy server about the party being accessed, it ensures that the access request information it sends is safe. This entity comprises the following components: communication traffic flow protection component, encryption and authentication component, access control component, security supervision component and security policy management component.
Network access controller: the entity being accessed. Its function is to receive the access initiator's request data, complete peer identity discrimination and data origin discrimination with the visitor, and discriminate the visitor's access rights; if access is allowed it also checks the safety of the request data content. It obtains the visitor's identity information and security policy from the security policy server and ensures that the access request information passed to the upper layer is safe. This entity comprises the following components: communication traffic flow protection component, encryption and authentication component, access control component, security supervision component and security policy management component.
Security policy server: a third-party authoritative entity website distributed by region over the Internet, whose role is equivalent to the CA of today's public key infrastructure. It has three parts: a rescue centre, a service centre and a registration authority. It is responsible for defining and distributing network access and virus prevention security policy, for collecting and supplying the identity information and credit grade of all legitimate network users, and for responding to rescue requests by providing remote rescue to the requester.
4. The identity-based trusted network architecture of claim 1, characterised in that it has the following functional components:
The service centre accepts writes and revisions of registration data only from the authorised registration authority of each region. To the trusted network it provides only user identity and user credit grade queries for security policy management entities, warnings about dangerous users, and regular or timely delivery of security policy and network blacklists to the security policy management entities of registered users. Users who are not registered, or who do not go through a security policy management entity, cannot log into this entity's website.
The rescue centre accepts rescue requests only from security policy management components and handles incidents promptly.
The registration authority is responsible for creating the basic database of network users: it combines the applicant's real identity information with the space code of the network identity card that the user holds into one database record, uploads it to the security policy server entity's site database and publishes it network-wide, thereby binding the user's real identity to the user's network behaviour and directly realising real-name registration.
The security policy management component is resident in the application layer of every terminal or host system in the trusted network. It has two interfaces: one lets the terminal user set, in a simple way, the admission policy and security policy for access to this terminal; the other, after peer identity discrimination with the authoritative security policy server over the network, shares security policy and virus prevention data. Internally it supplies security policy, access policy and blacklists to the access control entity and the security supervision entity and handles abnormal events promptly.
The security supervision component is a bidirectional security component located in the network layer; all data entering or leaving the terminal or host must pass through it. It accepts security policy from the upper-layer security policy management component and inherits the authentication information passed on by the encryption and authentication component and the access control component; it then verifies, against the authorisation information base passed down from the upper layer and by inspecting the data content, whether the access request exceeds its authority and whether it carries viruses, Trojans or other malicious programs. On detecting such a case it immediately starts the audit recorder to record the event in detail for location and tracking, punishes the legitimate user according to the circumstances (reducing rights, disabling access or removing the user), and generates an alarm datagram that is fed back to the visitor's system. For internal access or outgoing data in which such over-reach or carrying is found, the security detection component may, if the warning is ineffective, close the network layer's service functions and so isolate the terminal from the network, to avoid endangering the whole network. To safe access requests or data it attaches a security label and passes them to the upper layer for processing or to the lower layer for sending. If it receives an alarm datagram it temporarily disconnects from the network and reports to the security policy management component; if the local security policy management component cannot handle the matter, that component requests help from the network rescue centre.
The access control component is also a bidirectional security component located in the network layer. It accepts the visitor identity information passed over by the encryption and authentication entity and the authorisation information passed over by the security policy management entity, and decides whether a given network request is rejected or accepted: every access request that cannot present a legitimate identity, and every visitor not listed in the authorisation information base, is rejected. For outgoing data requests it also verifies whether the recipient's identity is legitimate and whether the recipient has the right to exchange data with this internal user. If the visitor passes the legitimacy check, the access request is handed to the security supervision component for a data security inspection or to the encryption and authentication entity for encryption and sending. The system sets a certain tolerance for unauthorised visitors; once it is exceeded, the mandatory access control component starts an early-warning mechanism, actively sends an alarm broadcast to the network announcing that a certain user shows a dangerous tendency, and instructs the lower layer to ignore every IP packet bearing that user's identity identifier.
The encryption and authentication component is the core component of the trusted network. For a host system it is simply a PTM module; for a network terminal, in order to support user mobility, it is split into a software part and a hardware part. The software is located in the network layer and interfaces directly with the existing IP protocol, or may be embedded inside it. The hardware is the terminal user's identity identifier, a network identity card, connected to the terminal through a USB or contactless interface, which supplies the user's identity identifier, the encryption and decryption keys and the algorithm selection word to the software part. The component decrypts incoming access requests or packets to obtain the visitor's identity information, completes visitor authentication and digital signature verification through integrity verification, and accordingly decides whether to discard the data or pass it to the access control entity for processing; for outgoing request or data information it performs encryption only.
The PTM module is a dedicated digital chip based on digital circuitry, with a built-in intelligent processor and complete anti-tamper and anti-probing circuitry. It has a globally unique production serial number, which is bound to the internal encryption and authentication circuit and determines the range of vector keys the module can form. In a concrete application it is mounted on the terminal's mainboard to form a device-centred trusted computing platform, and it can control the computer so that all input and output data must be standard cryptographic vector data.
The network identity card is tamper-resistant hardware based on a smart card, with a globally unique serial number identifier; this identifier is the serial number of the key generator/regenerator in the card and determines the key space that the generator/regenerator can output. Together with the matching software system, the smart card forms a user-based trusted network terminal. After obtaining the card the user must register with the local registration authority before it becomes a genuine network identity card and network pass; nobody in the trusted network will interact with an unregistered card. If the holder uses the card to do business that harms network security, the third-party entity may publish over the network that the card holder is harmful, with a grade, up to destroying the card.
The communication traffic flow protection component is a pure security component that the invention places specially at the physical interface layer. It uses a high-strength network-card-based encryption mechanism to realise end-to-end confidentiality together with simple peer entity discrimination and data origin discrimination, protecting the confidentiality of the communication traffic flow on the physical circuit against interception by packet-sniffing circuits.
5. The identity-based trusted network architecture of claim 1, characterised in that it comprises the following interfaces and databases:
Basic data collection interface: defines the data exchange standard between the third-party entity's website server and the registration authority's terminals.
Policy sharing and data query interface: defines the data exchange rules between the third-party entity's website server and the security policy management components of ordinary hosts or terminals.
Network mutual access interface: defines the data exchange format and security rules between the visitor and the party being accessed.
Security policy database: every terminal and host must have this database; it obtains, through the policy sharing and data query interface, the system security policy and virus prevention policy provided by the security policy server, for use by the security supervision component.
Access control database: the list, controlled by the user's settings, of all users permitted to access this machine, with fields such as the user's real identity information, network identity card number, credit grade, scope of rights, sending relay key and receiving relay key; used by the mandatory access control component.
Network identity card database: held by the security policy server; the information base of all registered network users, obtained through the basic data collection interface, available for query by all network users.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CNA2008101406483A CN101425903A (en) | 2008-07-16 | 2008-07-16 | Trusted network architecture based on identity |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CNA2008101406483A CN101425903A (en) | 2008-07-16 | 2008-07-16 | Trusted network architecture based on identity |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN101425903A true CN101425903A (en) | 2009-05-06 |
Family
ID=40616259
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CNA2008101406483A Pending CN101425903A (en) | 2008-07-16 | 2008-07-16 | Trusted network architecture based on identity |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN101425903A (en) |
Cited By (25)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN102035837A (en) * | 2010-12-07 | 2011-04-27 | 中国科学院软件研究所 | Method and system for hierarchically connecting trusted networks |
| CN102307197A (en) * | 2011-08-29 | 2012-01-04 | 浙江中烟工业有限责任公司 | Trusted enhancement subsystem of multilevel security intercommunication platform |
| CN102402871A (en) * | 2010-09-09 | 2012-04-04 | 上海优盟信息技术有限公司 | Distance education and test system and method |
| CN103078832A (en) * | 2011-10-26 | 2013-05-01 | 阿里巴巴集团控股有限公司 | Internet business security defending method and internet business security defending system |
| CN103329587A (en) * | 2010-09-14 | 2013-09-25 | 沃达方Ip许可有限公司 | Method and device for controlling access to mobile telecommunications networks |
| CN103916397A (en) * | 2014-04-13 | 2014-07-09 | 北京工业大学 | Safety monitoring method under distributed network environment |
| CN103944884A (en) * | 2014-03-24 | 2014-07-23 | 瑞达信息安全产业股份有限公司 | Hierarchical sub-domain control method and system based on network label communication |
| CN101764742B (en) * | 2009-12-30 | 2015-09-23 | 福建星网锐捷网络有限公司 | A kind of network resource visit control system and method |
| CN105376220A (en) * | 2011-11-30 | 2016-03-02 | 阿里巴巴集团控股有限公司 | Service implementation method and system and server |
| CN106681999A (en) * | 2015-11-05 | 2017-05-17 | 阿里巴巴集团控股有限公司 | Data table inquiry method and equipment |
| CN106688220A (en) * | 2014-09-19 | 2017-05-17 | 微软技术许可有限责任公司 | Conditional access to services based on device claims |
| CN108270737A (en) * | 2016-12-30 | 2018-07-10 | 中国移动通信集团公司 | A kind of method and device of guarding network attack |
| CN108701276A (en) * | 2015-10-14 | 2018-10-23 | 剑桥区块链有限责任公司 | Systems and methods for managing digital identities |
| CN108881327A (en) * | 2018-09-29 | 2018-11-23 | 德州职业技术学院(德州市技师学院) | A kind of computer internet information safety control system based on cloud computing |
| CN108923923A (en) * | 2018-07-31 | 2018-11-30 | 淮北师范大学 | A kind of design and its implementation of the code key agreement protocol based on trusted third party |
| WO2019096086A1 (en) * | 2017-11-14 | 2019-05-23 | 钉钉控股(开曼)有限公司 | Access method for shared space, and permission management method and apparatus |
| CN110622490A (en) * | 2017-03-09 | 2019-12-27 | M·S·古尔布兰德森 | Core network access provider |
| CN111476640A (en) * | 2020-04-13 | 2020-07-31 | 江苏思特瑞信息技术有限公司 | Authentication method, system, storage medium and big data authentication platform |
| CN112312389A (en) * | 2019-07-29 | 2021-02-02 | 中国移动通信集团广东有限公司 | Communication information transmission method, device, storage medium, and electronic device |
| CN113010911A (en) * | 2021-02-07 | 2021-06-22 | 腾讯科技(深圳)有限公司 | Data access control method and device and computer readable storage medium |
| CN113329408A (en) * | 2021-04-20 | 2021-08-31 | 北京连山科技股份有限公司 | Multi-channel concurrent system for military LTE (Long term evolution) and civil wireless dialing network hybrid networking |
| CN114826785A (en) * | 2022-06-29 | 2022-07-29 | 湖北芯擎科技有限公司 | Dynamic protection method, system-on-chip, electronic device and medium |
| CN115242490A (en) * | 2022-07-19 | 2022-10-25 | 北京计算机技术及应用研究所 | Group key secure distribution method and system under trusted environment |
| CN115514585A (en) * | 2022-11-23 | 2022-12-23 | 北京数字众智科技有限公司 | Database security management method and system |
| CN115563113A (en) * | 2022-09-29 | 2023-01-03 | 黄恋雅 | Database index establishing method and system based on artificial intelligence |
- 2008-07-16 CN CNA2008101406483A patent/CN101425903A/en active Pending
Cited By (41)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101764742B (en) * | 2009-12-30 | 2015-09-23 | 福建星网锐捷网络有限公司 | A kind of network resource visit control system and method |
| CN102402871A (en) * | 2010-09-09 | 2012-04-04 | 上海优盟信息技术有限公司 | Distance education and test system and method |
| CN103329587A (en) * | 2010-09-14 | 2013-09-25 | 沃达方Ip许可有限公司 | Method and device for controlling access to mobile telecommunications networks |
| CN103329587B (en) * | 2010-09-14 | 2017-07-11 | 沃达方Ip许可有限公司 | Method and apparatus for controlling to access mobile telecom network |
| CN102035837A (en) * | 2010-12-07 | 2011-04-27 | 中国科学院软件研究所 | Method and system for hierarchically connecting trusted networks |
| CN102035837B (en) * | 2010-12-07 | 2013-06-05 | 广东金赋信息科技有限公司 | Method and system for hierarchically connecting trusted networks |
| CN102307197B (en) * | 2011-08-29 | 2014-02-19 | 浙江中烟工业有限责任公司 | Trust Enhancement Subsystem of Multilevel Security Interconnection Platform |
| CN102307197A (en) * | 2011-08-29 | 2012-01-04 | 浙江中烟工业有限责任公司 | Trusted enhancement subsystem of multilevel security intercommunication platform |
| CN103078832A (en) * | 2011-10-26 | 2013-05-01 | 阿里巴巴集团控股有限公司 | Internet business security defending method and internet business security defending system |
| CN103078832B (en) * | 2011-10-26 | 2016-05-18 | 阿里巴巴集团控股有限公司 | A kind of Internet service safety defense method and system |
| CN105376220A (en) * | 2011-11-30 | 2016-03-02 | 阿里巴巴集团控股有限公司 | Service implementation method and system and server |
| CN103944884A (en) * | 2014-03-24 | 2014-07-23 | 瑞达信息安全产业股份有限公司 | Hierarchical sub-domain control method and system based on network label communication |
| CN103944884B (en) * | 2014-03-24 | 2017-05-31 | 瑞达信息安全产业股份有限公司 | A kind of multilevel and multi-domain access control method and system based on web tab communication |
| CN103916397A (en) * | 2014-04-13 | 2014-07-09 | 北京工业大学 | Safety monitoring method under distributed network environment |
| CN103916397B (en) * | 2014-04-13 | 2017-09-29 | 北京工业大学 | Method for safety monitoring under a kind of distributed network environment |
| CN106688220B (en) * | 2014-09-19 | 2020-03-31 | 微软技术许可有限责任公司 | Method, computer system and storage device for providing access to a resource |
| CN106688220A (en) * | 2014-09-19 | 2017-05-17 | 微软技术许可有限责任公司 | Conditional access to services based on device claims |
| CN108701276B (en) * | 2015-10-14 | 2022-04-12 | 剑桥区块链有限责任公司 | System and method for managing digital identities |
| CN108701276A (en) * | 2015-10-14 | 2018-10-23 | 剑桥区块链有限责任公司 | Systems and methods for managing digital identities |
| US11777953B2 (en) | 2015-10-14 | 2023-10-03 | Cambridge Blockchain, Inc. | Systems and methods for managing digital identities |
| US12261852B2 (en) | 2015-10-14 | 2025-03-25 | Blockchains, Inc. | Systems and methods for managing digital identities |
| US11212296B2 (en) | 2015-10-14 | 2021-12-28 | Cambridge Blockchain, Inc. | Systems and methods for managing digital identities |
| CN106681999A (en) * | 2015-11-05 | 2017-05-17 | 阿里巴巴集团控股有限公司 | Data table inquiry method and equipment |
| CN108270737B (en) * | 2016-12-30 | 2021-03-16 | 中移动信息技术有限公司 | A method and device for preventing network attacks |
| CN108270737A (en) * | 2016-12-30 | 2018-07-10 | 中国移动通信集团公司 | A kind of method and device of guarding network attack |
| CN110622490A (en) * | 2017-03-09 | 2019-12-27 | M·S·古尔布兰德森 | Core network access provider |
| WO2019096086A1 (en) * | 2017-11-14 | 2019-05-23 | 钉钉控股(开曼)有限公司 | Access method for shared space, and permission management method and apparatus |
| CN108923923A (en) * | 2018-07-31 | 2018-11-30 | 淮北师范大学 | A kind of design and its implementation of the code key agreement protocol based on trusted third party |
| CN108881327A (en) * | 2018-09-29 | 2018-11-23 | 德州职业技术学院(德州市技师学院) | A kind of computer internet information safety control system based on cloud computing |
| CN112312389A (en) * | 2019-07-29 | 2021-02-02 | 中国移动通信集团广东有限公司 | Communication information transmission method, device, storage medium, and electronic device |
| CN111476640A (en) * | 2020-04-13 | 2020-07-31 | 江苏思特瑞信息技术有限公司 | Authentication method, system, storage medium and big data authentication platform |
| CN111476640B (en) * | 2020-04-13 | 2023-08-04 | 江苏思特瑞信息技术有限公司 | Authentication method, system, storage medium and big data authentication platform |
| CN113010911A (en) * | 2021-02-07 | 2021-06-22 | 腾讯科技(深圳)有限公司 | Data access control method and device and computer readable storage medium |
| CN113010911B (en) * | 2021-02-07 | 2024-05-10 | 腾讯科技(深圳)有限公司 | Data access control method, device and computer readable storage medium |
| CN113329408A (en) * | 2021-04-20 | 2021-08-31 | 北京连山科技股份有限公司 | Multi-channel concurrent system for military LTE (Long term evolution) and civil wireless dialing network hybrid networking |
| CN114826785A (en) * | 2022-06-29 | 2022-07-29 | 湖北芯擎科技有限公司 | Dynamic protection method, system-on-chip, electronic device and medium |
| CN115242490B (en) * | 2022-07-19 | 2023-09-26 | 北京计算机技术及应用研究所 | Group key secure distribution method and system in trusted environment |
| CN115242490A (en) * | 2022-07-19 | 2022-10-25 | 北京计算机技术及应用研究所 | Group key secure distribution method and system under trusted environment |
| CN115563113A (en) * | 2022-09-29 | 2023-01-03 | 黄恋雅 | Database index establishing method and system based on artificial intelligence |
| CN115563113B (en) * | 2022-09-29 | 2023-08-22 | 北京信智特科技有限公司 | Database index establishment method and system based on artificial intelligence |
| CN115514585A (en) * | 2022-11-23 | 2022-12-23 | 北京数字众智科技有限公司 | Database security management method and system |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN101425903A (en) | | Trusted network architecture based on identity |
| CN109729180B (en) | | Whole system intelligent community platform |
| US7506166B2 (en) | | Method of communications and communication network intrusion protection methods and intrusion attempt detection system |
| JP3967550B2 (en) | | Method and system for protecting communication devices from intrusion |
| US20080052527A1 (en) | | Method and system for authenticating and validating identities based on multi-modal biometric templates and special codes in a substantially anonymous process |
| CN107517221A (en) | | A kind of acentric secure and trusted auditing system |
| JP2002342279A (en) | | Filtering device, filtering method, and program for causing computer to execute this method |
| CN106887060A (en) | | Hotel guest room fingerprint door lock control system and method |
| CN105518689A (en) | | Method and system related to authentication of users for accessing data networks |
| RU2163745C2 (en) | | Protective system for virtual channel of corporate network using authentication router and built around shared communication network channels and switching facilities |
| TW201421936A (en) | | Method for distinguishing and blocking off network node |
| CN102316119B (en) | | Security control method and equipment |
| WO2024147292A1 (en) | | Machine learning data management system |
| RU2163744C2 (en) | | Protective system for virtual channel of corporate network using fiscal data access control and built around channels and switching facilities of shared communication network |
| JPH11289328A (en) | | Authentication management device |
| WO2014073948A1 (en) | | System and method for managing public network |
| Xie et al. | | TOA: a tag-owner-assisting RFID authentication protocol toward access control and ownership transfer |
| KR101314695B1 (en) | | Intranet Security Management System, Blocking Server therefor, and Security Method thereof |
| EP1533700A2 (en) | | Method and system for protecting a communication device from intrusion |
| CN118659938A (en) | | Communication method and device based on data security, electronic device and storage medium |
| CN115270197A (en) | | Intelligent city personal information data storage method, system, equipment and medium based on alliance chain |
| Pradhan | | Topics in Mobile Security |
| CN119211267A (en) | | A cross-chain data transmission system based on blockchain |
| AU2008201287B2 (en) | | Method of communications and communication network intrusion protection methods and intrusion attempt detection system |
| Yap et al. | | SUCAS: An architecture for secure user centric attestation in location-based services |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | C06 | Publication | |
| | PB01 | Publication | |
| | C02 | Deemed withdrawal of patent application after publication (patent law 2001) | |
| | WD01 | Invention patent application deemed withdrawn after publication | Open date: 20090506 |