CN100358326C - Wide-band wireless IP network safety system structure and realizing method - Google Patents
Legal status: Expired - Fee Related
Abstract
The invention discloses a broadband wireless IP (BWIP) network security architecture and a method for realizing security. The security scheme is implemented at the network layer and comprises a BWIP security system, a BWIP security execution system, a BWIP network management system and an external support system. The BWIP network management system sets policies for the BWIP security system, presets shared symmetric keys and charging rates, and monitors system resources; the BWIP security execution system invokes the components of the BWIP security system to inspect and filter the data packets and connection requests flowing into and out of the network; the BWIP security system obtains user public key certificates and credential data from the external security support system and, together with it, provides the decision basis for the BWIP security execution system. Based on cryptographic operations, confidentiality, integrity, authentication, authorization, accounting and non-repudiation services are provided for the network by controlling the packets flowing into and out of it. The invention is complete in function, open, transparent and highly general, and is suited to the future broadband wireless IP field.
Description
Technical field
The present invention relates to the field of communication security, specifically a broadband wireless IP (Broadband Wireless Internet Protocol, BWIP) network security architecture and a method for realizing security, used to achieve the overall security of a BWIP network and to provide security guarantees for future mobile e-commerce and mobile e-government.
Background
Existing security architecture schemes include: the OSI (Open Systems Interconnection) security architecture standard (ISO/IEC 7498-2); the IPsec (IP security) security architecture proposed by the IETF (Internet Engineering Task Force) in November 1998 (RFC 2401, Request for Comments No. 2401); the WAP architecture specification proposed by the WAP (Wireless Application Protocol) Forum in April 1998 (document number WAP-100-WAPArch-19980430-a); and the security architecture proposed by 3GPP (3rd Generation Partnership Project) in December 2002 (3G Security, Security architecture, Release 5). The problems common to these security architectures are as follows:
1. The OSI security architecture standard (ISO/IEC 7498-2) is a general security architecture framework provided by ISO (International Organization for Standardization) in 1989, titled "Information Processing Systems - Open Systems Interconnection - Basic Reference Model - Part 2: Security Architecture". It gives a general description of security services and the related security mechanisms and identifies where within the reference model those services and mechanisms can be provided. According to the security threats that may exist in a network, the standard divides security into four levels: link-level, network-level, end-to-end and application-level security; in a concrete implementation a user may implement security functions at any one or more of these levels according to their own requirements. The framework is instructive but gives no concrete implementation method, so it cannot be adopted directly.
2. The IPsec security architecture is a scheme for the symmetric application environment of fixed networks. It mainly addresses confidentiality and authentication in wired networks, lacks the accounting function needed in wireless networks, and cannot be used directly under the special conditions of the mobile environment: low power, small memory, weak processing capability, relatively low bandwidth and high error rate.
3. The WAP wireless application protocol is built on a new architecture. Its security mechanism is implemented in the WTLS (Wireless Transport Layer Security) layer of the WAP 1.x protocol stack; because WTLS is non-standard, it has compatibility problems with the existing TCP/IP (Transmission Control Protocol/Internet Protocol) stack, and WTLS has many security vulnerabilities. WAP 2.x changed WAP's security mechanism to SSL/TLS (Secure Sockets Layer/Transport Layer Security) and proposed combining it with a PKI (Public Key Infrastructure) to secure the WAP protocol. This solution mainly addresses WAP security at the transport layer; WAP is a wireless mobile IP protocol promoted by mobile handset manufacturers and has compatibility problems with other mainstream wireless IP technologies such as IEEE 802.11 (the wireless LAN standard), so it is not a general broadband wireless IP security architecture.
4. The 3GPP security architecture is built on third-generation mobile communication. Its security is concentrated on the authentication, authorization and accounting (AAA) functions of mobile telephone equipment, and the security technology is built at the access level; it is poor in generality and cannot meet all the security requirements of future mobile IP, nor issues such as AAA for wireless mobile PCs (personal computers) under IEEE 802.11.
It can be seen that none of the above security architectures meets the security requirements of future BWIP networks. A new security architecture and implementation method are needed that not only meet the security performance requirements of BWIP networks but also provide good authentication, authorization and accounting functions, and that take into account the relatively weak processing capability of mobile devices in the BWIP network when implementing those functions.
Summary of the invention
The purpose of the present invention is to overcome the deficiencies of the prior art. According to the security needs of broadband wireless IP networks, it combines security implementation technologies such as network management, cryptographic computation, public key infrastructure, IPsec and authentication, authorization and accounting (AAA), and, using the component-reuse idea of software engineering, organically integrates the functions of the security system to provide a broadband wireless IP network security architecture and security implementation method that solves future BWIP network security problems as a whole and meets the needs of broadband wireless IP network communication.
The technical solution of the present invention implements the overall security mechanism of a broadband wireless IP network at the network layer. The architecture comprises a BWIP security system, a BWIP security execution system, a BWIP network management system and an external security support system. The BWIP security system is the core of the architecture: it performs encryption and decryption, secure computation, authentication, authorization, accounting and security data management in the network, and consists of the crypto engine CE, security environment database SEDB, security environment manager SEM, authentication, authorization and accounting engine AAAE, policy database PDB, policy manager PM, audit database ADB, audit manager AM, credential database CDB and credential manager CM. The components serve the following functions:
Crypto engine CE: provides the different cryptographic algorithms;
Security environment database SEDB: stores the various encryption keys;
Security environment manager SEM: manages the keys in the SEDB;
Authentication, authorization and accounting engine AAAE: authenticates mobile users and performs authorized access and accounting operations according to their roles; the AAAE relies on the CE and SEDB for the necessary cryptographic operations;
Policy database PDB: stores the policy data that controls what operations the different roles may perform on the BWIP network;
Policy manager PM: manages the PDB;
Credential database CDB: stores users' credential data;
Credential manager CM: manages the CDB;
Audit database ADB: stores log records of security-related activity;
Audit manager AM: processes the logs of the security function components;
The BWIP security execution system is the main system of the architecture and the security processing interface between the architecture and the internal and external networks. It consists of the policy enforcement engine PEE, the authentication, verification and integrity engine AVIE and the resource control framework RCF, with the following functions:
Policy enforcement engine PEE: controls all inbound requests arriving from the Internet and decides whether to accept or intercept them; filters packets flowing from the Intranet to the Internet and decides whether to discard, bypass or encapsulate them;
Authentication, verification and integrity engine AVIE: performs digital signature verification, data origin authentication and integrity checking on packets arriving from the Internet, and securely encapsulates outbound packets;
Resource control framework RCF: controls, manages and monitors system resources, provides the various environment variables, and provides the time reference for the audit database ADB;
The external security support system is part of the public key infrastructure PKI and consists of a certification authority CA, an authorization authority AA and a public credential repository CP, where:
Certification authority CA: accepts online certificate requests; issues, reviews and produces certificates; publishes, archives, revokes and renews certificates; backs up and recovers keys; performs cross-certification; and provides proof of user authenticity to the authentication component of the AAAE. The CA is independent of the security architecture and is a recognised trusted authority;
Authorization authority AA: grants legitimate users the right to use system resources;
Public credential repository CP: stores the information that proves a user's genuine right to use resources;
The data-call relationships between the systems are as follows. The BWIP network management system sets policies for the BWIP security system, presets shared symmetric keys, sets charging rates, discount periods and user credential information, and monitors the resource control framework of the BWIP security execution system. The BWIP security execution system invokes the components of the BWIP security system to inspect and filter all packets and connection requests flowing into and out of the BWIP network and decides whether to allow or deny them. The BWIP security system accesses the external security support system to obtain mobile users' public key certificates and credential data and caches them in the security environment database SEDB and credential database CDB for later use, which improves the system's efficiency. Together, the BWIP security system and the external security support system provide the decision basis for the BWIP security execution system.
The method for realizing broadband wireless IP network security with the BWIP network security architecture applies cryptographic algorithms to outbound and inbound data to provide the network's confidentiality service, integrity service and authentication, authorization and accounting (AAA) service. The confidentiality service encrypts outbound data and decrypts inbound data; the integrity service has the AVIE encapsulate outbound data and check the integrity of inbound data; the AAA service performs mutual authentication, authorization and accounting for outbound and inbound packets.
The security implementation method comprises the security processing and secure encapsulation flow for outbound network data, the security processing flow for inbound network data, and the authentication, authorization and accounting (AAA) flow for outbound and inbound data. Through these flows the confidentiality, integrity and AAA services of the broadband wireless IP network, including non-repudiation, are realized.
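As an added illustration (not code from the patent), the following Python model shows the outbound path PEE -> PDB -> AVIE -> CE/SEDB and the inbound AVIE integrity check with audit logging to the ADB. The HMAC-SHA256 MAC, the wire layout, the policy key (src, dst, proto), the SEDB-as-dictionary layout and all addresses and keys are constructed assumptions; the patent names the components but not these details.

```python
import hmac
import hashlib
import struct
from itertools import count
from dataclasses import dataclass

TAG_LEN = 32  # HMAC-SHA256 tag length in bytes

@dataclass
class Packet:
    src: str        # source address
    dst: str        # destination address
    proto: str      # transport protocol, part of the policy key
    payload: bytes

def ce_mac(key, data):
    """Crypto engine (CE): HMAC-SHA256 stands in for the MAC computation it provides."""
    return hmac.new(key, data, hashlib.sha256).digest()

class PDB:
    """Policy database: (src, dst, proto) -> 'discard' | 'bypass' | 'encapsulate'.
    Anything not listed gets the default action, so the PEE fails closed."""
    def __init__(self, rules, default="discard"):
        self.rules, self.default = dict(rules), default

    def lookup(self, pkt):
        return self.rules.get((pkt.src, pkt.dst, pkt.proto), self.default)

class AVIE:
    """Authentication, verification and integrity engine.
    sedb: SEDB modelled as {peer address: SA key}; adb: audit log list;
    clock: RCF time source. Wire format (assumed): seq (4 bytes BE) || payload || tag.
    The MAC covers seq, src, dst and payload, so a captured packet cannot be re-addressed."""
    def __init__(self, sedb, adb, clock):
        self.sedb, self.adb, self.clock = sedb, adb, clock
        self.tx_seq = 0
        self.rx_highest = {}  # per-peer highest accepted seq (anti-replay)

    @staticmethod
    def _authenticated(seq, pkt, body):
        return seq + pkt.src.encode() + b"\0" + pkt.dst.encode() + b"\0" + body

    def encapsulate(self, pkt):
        key = self.sedb.get(pkt.dst)
        if key is None:
            return None  # no SA with the peer: nothing to protect the packet with
        self.tx_seq += 1
        seq = struct.pack(">I", self.tx_seq)
        tag = ce_mac(key, self._authenticated(seq, pkt, pkt.payload))
        return Packet(pkt.src, pkt.dst, pkt.proto, seq + pkt.payload + tag)

    def verify(self, pkt):
        """Inbound integrity and origin check; the outcome is logged to the ADB either way."""
        reason = self._check(pkt)
        self.adb.append((next(self.clock), pkt.src, reason))
        return reason == "ok", reason

    def _check(self, pkt):
        key = self.sedb.get(pkt.src)
        if key is None:
            return "no-sa"
        if len(pkt.payload) < 4 + TAG_LEN:
            return "malformed"
        seq, body, tag = pkt.payload[:4], pkt.payload[4:-TAG_LEN], pkt.payload[-TAG_LEN:]
        if not hmac.compare_digest(ce_mac(key, self._authenticated(seq, pkt, body)), tag):
            return "bad-mac"  # constant-time comparison failed: forged or corrupted
        n = struct.unpack(">I", seq)[0]
        if n <= self.rx_highest.get(pkt.src, 0):  # strictly increasing seq (simplified window)
            return "replay"
        self.rx_highest[pkt.src] = n
        return "ok"

class PEE:
    """Policy enforcement engine: applies the PDB decision to an outbound packet."""
    def __init__(self, pdb, avie):
        self.pdb, self.avie = pdb, avie

    def outbound(self, pkt):
        action = self.pdb.lookup(pkt)
        if action == "discard":
            return action, None
        if action == "bypass":
            return action, pkt
        return action, self.avie.encapsulate(pkt)

def build_demo():
    """Constructed sample setup: mobile node 10.0.0.2 and gateway 198.51.100.1 share a
    preset symmetric key, stored under both addresses so one SEDB models both ends."""
    sedb = {peer: b"\x11" * 32 for peer in ("10.0.0.2", "198.51.100.1")}
    adb = []
    avie = AVIE(sedb, adb, count(1))
    pdb = PDB({("10.0.0.2", "198.51.100.1", "tcp"): "encapsulate",
               ("10.0.0.2", "198.51.100.1", "icmp"): "bypass"})
    return PEE(pdb, avie), avie, adb
```

The model stops at integrity and origin authentication; confidentiality (encryption of the payload by the CE) and the AAA exchange are left out so the policy and MAC logic stays readable.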
Compared with the prior art, the present invention has the following characteristics:
1. Strong generality: the invention fully considers the security requirements and security functions of broadband wireless IP networks and implements a network-level security solution that incorporates all current wireless Internet technologies into this architecture while preserving them, improving the security and practicality of broadband wireless IP networks;
2. Complete functionality: current security architectures each address security technology and security needs from a different angle; the invention looks at the development of future broadband wireless IP network security architectures, organically integrates the functions such an architecture should have, and analyses and gives the implementation process of each main function in detail;
3. Good openness: the modular design facilitates software reuse among system components, gives the system good flexibility and makes it easy to add new technologies and algorithms in future;
4. Good transparency: the invention secures the broadband wireless IP network at the network layer, is designed as network infrastructure with the corresponding security services provided by the network provider, and is transparent to users; the security mechanisms of the application and transport layers are applied directly, so it is transparent to the upper layers;
5. The invention meets standard requirements and provides confidentiality, integrity, authentication, authorization and accounting (AAA) and non-repudiation services for broadband wireless IP networks;
The invention integrates AAA and PKI functions and takes into account the requirements of mobile users, mobile operators and Internet providers; once put into use it will bring good economic benefits to future BWIP.
Description of the drawings
Figure 1 shows where the BWIP security architecture is implemented;
Figure 2 is the BWIP network security architecture model;
Figure 3 is the flow chart of outbound packet processing in the BWIP security architecture;
Figure 4 is the outbound data encapsulation flow of the BWIP security architecture;
Figure 5 is the flow chart of inbound packet processing in the BWIP security architecture;
Figure 6 is the AAA processing flow in the BWIP security architecture;
Detailed description
Referring to Figure 1, the TCP/IP (Transmission Control Protocol/Internet Protocol) stack comprises the application, transport, network and link layers. The broadband wireless IP network security architecture sits at the network layer of Figure 1, that is, it is a network-level security implementation. The top two layers are the application and transport layers of the TCP/IP stack; this architecture applies their security mechanisms directly, so it is transparent to the upper layers. The bottom layer of Figure 1 corresponds to the link-to-host layer of TCP/IP and supports existing and future broadband wireless access technologies, represented by the wireless personal area network WPAN, wireless local area network WLAN, wireless metropolitan area network WMAN and wireless wide area network WWAN. The invention handles these broadband wireless access link security technologies transparently, incorporating them into the architecture while preserving the characteristics of each access technology. By using the standard IPsec protocol, the architecture applies not only to IPv4 (IP addressing version 4) but also to the future IPv6 (IP addressing version 6) environment, giving the invention good extensibility and compatibility and making it equivalent to network security infrastructure.
Referring to Figure 2, the security architecture of the invention consists of the BWIP security system, the BWIP security execution system, the BWIP network management system and the external security support system. The BWIP security system is the core of the BWIP security architecture: it performs encryption and decryption, message authentication code (MAC) computation, authentication, authorization and accounting in the broadband wireless IP network, and is also the management and response system for encryption keys, trust relationships and security policies. It consists of the crypto engine CE, security environment database SEDB, security environment manager SEM, authentication, authorization and accounting engine AAAE, policy database PDB, policy manager PM, audit database ADB, audit manager AM, credential database CDB and credential manager CM, whose functions are:
The crypto engine CE (Crypto Engine) provides the different cryptographic algorithms, such as symmetric encryption/decryption, asymmetric encryption/decryption and hashing, and supplies encryption/decryption services to the other components of the system;
The security environment database SEDB (Security Environment Database) stores the various encryption keys, such as the public/private key pair of the mobile node MN, the keys negotiated between the MN and each communicating entity through the key exchange protocol IKE (MN-FA, MN-HA, etc.) and the security associations SA negotiated between nodes, for use by the CE;
The security environment manager SEM (Security Environment Manager) manages the keys in the SEDB, supports both manual configuration of encryption keys and automatic key management, and initiates IKE negotiation of keys and SAs, which are saved in the SEDB;
The authentication, authorization and accounting engine AAAE (Authentication, Authorization, and Accounting Engine) authenticates mobile users and performs authorized access and accounting operations according to their roles; the AAAE relies on the CE and SEDB for the necessary cryptographic operations. In line with the current trend for AAA (authentication, authorization and accounting) to become wireless network infrastructure, the BWIP security architecture implements the AAAE as an engine: it acts as a proxy component that interacts periodically with the other AAA entities in the network, forming a hierarchical AAA management system rather than performing accounting online, which reduces the load on the BWIP network and improves its efficiency. Placing authentication and authorization within the BWIP security architecture allows fine-grained control of authentication and access and improves the flexibility of the BWIP security management system;
The policy database PDB (Policy Database) stores the policy data used to control what operations the different roles may perform on the BWIP network;
The policy manager PM (Policy Manager) manages the PDB and offers authorized users manual or automatic editing of the policy database, for example by downloading policy data from a central policy server;
The credential database CDB (Credential Database) stores users' credential data, such as public key certificates and attribute certificates;
The credential manager CM (Credential Manager) manages the CDB and offers authorized users manual or automatic editing of the credential database, for example by looking up or downloading credential data from an external credential repository;
The audit database ADB (Audit Database) stores log records of security-related activity;
The audit manager AM (Audit Manager) processes the logs of the security function components, providing a basis for problem analysis and decision-making.
The BWIP security execution system is the main system and the security processing interface between the security architecture and the internal and external networks. It consists of the policy enforcement engine PEE, the authentication, verification and integrity engine AVIE and the resource control framework RCF, whose functions are:
The policy enforcement engine PEE (Policy Enforcement Engine) is the main component of the security execution system. It controls all inbound requests from the Internet and decides whether to accept or intercept them; packets flowing from the Intranet to the Internet pass through the PEE filter, which discards, bypasses or encapsulates them;
The authentication, verification and integrity engine AVIE (Authentication Verification Integrity Engine) performs digital signature verification, data origin authentication and integrity checking on packets arriving from the Internet, and securely encapsulates outbound packets;
The resource control framework RCF (Resource Control Frame) controls, manages and monitors system resources and provides the various environment variables, such as the system clock, which gives the audit database ADB its time reference;
The BWIP network management system is the human-machine interface for internal security administrators and consists of configuration management, security management, fault management, accounting management and performance management components; the invention extends the security management, accounting management and performance management components. These five management components act as user interfaces through which administrators can manage the network effectively by visual means. This management model separates the network management system from the security system layer, which suits a modular implementation and makes the BWIP security architecture more flexible and easier to update with new algorithms.
The external security support system is part of the public key infrastructure PKI and consists of the certification authority CA, the authorization authority AA and the public credential repository CP, where:
The certification authority CA (Certification Authority) is the core component of the PKI system. It accepts online certificate requests; issues, reviews and produces certificates; publishes, archives, revokes and renews certificates; backs up and recovers keys; performs cross-certification; and provides proof of user authenticity to the authentication component of the AAAE. The CA is independent of the security architecture and is a recognised trusted authority;
The authorization authority AA (Authorization Authority) grants legitimate users the right to use system resources, usually in the form of attribute certificates;
The public credential repository CP (Credential Repository) stores the information that proves a user's genuine right to use resources and may hold public key certificates, attribute certificates and certificate revocation lists (CRL).
图2中各个虚线框之间表示各系统通过接口进行数据调用的服务关系,其中BWIP安全执行系统是整个安全体系结构对外服务的窗口,负责对所有流入和流出BWIP网络的数据包和连接请求进行审查过滤,以决定是否允许或禁止;BWIP安全执行系统调用BWIP安全系统中的各个部件,使之为BWIP安全执行系统提供安全服务;在BWIP安全系统提供服务的过程中,当数据包采用公钥密码体制提供保密和认证等服务时,则BWIP安全系统还需要访问外部安全支撑系统,由其提供移动用户的公钥证书和信用资料,并将这资料提供给AAAE、同时将这些数据临时存放到安全环境数据库SEDB和信用数据库CDB中,其目的是BWIP安全体系结构在有效时间内再次为移动用户提供服务时,无需再次访问外部安全支撑系统,以提高系统的运行效率;通过BWIP安全系统和外部安全支撑系统的配合,为BWIP安全执行系统提供了可靠的决策依据。The dotted boxes in Figure 2 indicate the service relationship of each system for data call through the interface. The BWIP security execution system is the window for the external service of the entire security architecture, and is responsible for all data packets and connection requests flowing into and out of the BWIP network. Review and filter to decide whether to allow or prohibit; the BWIP security execution system invokes various components in the BWIP security system to provide security services for the BWIP security execution system; When the cryptographic system provides services such as confidentiality and authentication, the BWIP security system also needs to access the external security support system, which provides the mobile user's public key certificate and credit information, and provides this information to AAAE, and temporarily stores these data in In the security environment database SEDB and the credit database CDB, the purpose is that when the BWIP security architecture provides services for mobile users again within the effective time, there is no need to visit the external security support system again, so as to improve the operating efficiency of the system; through the BWIP security system and the external The cooperation of the safety support system provides a reliable decision-making basis for the BWIP safety execution system.
BWIP网络管理系统是为提高BWIP安全体系结构的灵活性而设置的人机接口,通过BWIP网络管理系统,安全管理人员可以方便地为安全系统设定策略、预置共享对称密钥、设置收费费率与优惠方式、设定用户的信用资讯和对系统的资源进行监测。The BWIP network management system is a human-machine interface set up to improve the flexibility of the BWIP security system structure. Through the BWIP network management system, security managers can easily set policies for the security system, preset shared symmetric keys, and set charging fees Rates and discounts, setting user credit information and monitoring system resources.
本发明通过BWIP网络管理系统、BWIP安全系统、BWIP安全执行系统和外部安全支撑系统的互相配合,实现宽带无线IP网络的机密性服务,完整性服务,AAA(认证、授权、记账)服务包括不可否认性服务等各项安全服务。The present invention realizes the confidentiality service of the broadband wireless IP network, the integrity service, and the AAA (authentication, authorization, accounting) service through the mutual cooperation of the BWIP network management system, the BWIP security system, the BWIP security execution system and the external security support system. Various security services such as non-repudiation services.
BWIP网络的安全服务是通过对网络系统中流入和流出数据包的处理实现的,安全体系结构中的各组件也是根据安全功能的需要合理地组织到一起,下面结合附图对通过BWIP网络安全体系结构实现安全的方法进行说明。在图3至图6的各附图中,用实线表示BWIP安全体系结构中的控制流程,虚线表示不同的系统组件间进行的数据调用和数据交互关系。The security service of the BWIP network is realized by processing the incoming and outgoing data packets in the network system. The components in the security architecture are also organized together reasonably according to the needs of security functions. The method of structure realization security is described. In each drawing of FIG. 3 to FIG. 6 , the control flow in the BWIP security architecture is represented by a solid line, and the data call and data interaction relationship between different system components are represented by a dotted line.
Referring to Figure 3, when a datagram handed over by the transport layer of a system node or by the Intranet is to be sent to the external network, the BWIP network security architecture processes the outgoing packet as follows:
1. The filter in the mandatory policy control engine PEE filters the packet: the filter asks the policy manager PM to query the policy database PDB by the packet's IP address and port and obtain the processing policy;
2. Policy processing: if the security policy is discard, the PEE simply drops the packet and passes the processing information to the log manager AM, which records it in the log database ADB; if the policy is bypass, packets of this type need no security processing (for example, some management signalling in the BWIP network), and the PEE hands the packet directly to the IP layer for IP encapsulation and forwarding; if the policy is encapsulate, the PEE hands the packet to the authentication, verification and integrity check engine AVIE;
3. AVIE performs security encapsulation. AVIE first asks the security environment manager SEM to look up in the security environment database SEDB whether a security association SA exists for this communicating entity. If there is no SA, or the SA has expired, the SEM starts the key negotiation protocol IKE to negotiate the SA, the encryption and decryption keys, the hash key, the encryption algorithm, the authentication algorithm and so on. If the negotiation fails the packet is dropped and the negotiation result is passed to the log manager AM, which records it in the log database ADB; if the negotiation succeeds, the negotiated data is first saved to the SEDB and the result is returned to AVIE;
4. AVIE asks the authentication, authorization and accounting engine AAAE to perform the AAA operations, and AAAE returns the result to AVIE. Because the AAA operation is a complex process it is shown shaded in Figure 3. After receiving the result from AAAE, AVIE first passes it to the log manager AM, which records it in the log database ADB so that security administrators can review the log and improve the security policy;
5. AVIE processes the result returned by AAAE: if the AAA operation failed, AVIE drops the packet and records this in the log database ADB; if the AAA operation succeeded, the system allows the packet to leave the network;
6. AVIE asks the security environment manager SEM to call the encryption engine CE, which performs the security encapsulation according to the SA parameters held in the SEDB. The CE operation is also a complex process and is shown shaded in Figure 3. When CE has finished encapsulating the data it returns the result to AVIE;
7. AVIE hands the encapsulated packet directly to the IP layer, which adds a new IP header and places the packet in the IP forwarding queue or sends it directly to the Internet.
Referring to Figure 4, the security encapsulation of a packet that Figure 3 allows to leave the network or the security system proceeds as follows. The authentication, verification and integrity check engine AVIE passes the transport layer packet to be encapsulated to the security environment manager SEM, and SEM calls the encryption engine CE to encapsulate it:
1. The encryption engine CE first preprocesses the data: because encryption works on blocks, an initialisation vector IV and padding characters are added so that the data is a whole number of cipher blocks. The preprocessed message is denoted M (Message);
2. CE fetches from the security environment database SEDB the security processing parameters of the security association SA: the encryption key K1, the hash key K2, the signature key K3, the sequence number SN and the security parameter index SPI;
3. CE encrypts the message M; the encrypted encapsulated payload is denoted f(M, K1). The sequence number SN and the security parameter index SPI are written into the header format of the encapsulation protocol to form the encapsulation header. Concatenating the encapsulation header and the encapsulated payload realises the confidentiality service of the BWIP security architecture;
4. In Figure 4 the encryption engine CE then hashes the encapsulated data with the hash key K2 and the hash algorithm specified in the security association SA to realise the integrity service; the result is denoted MAC = h(encapsulation header, encapsulated payload, K2);
5. Since some protocols also require the message to be digitally signed, the encryption engine CE additionally signs the generated message authentication code MAC with the signature key K3; the signature service is optional, and the signature over the MAC is denoted S(MAC, K3). This realises non-repudiation;
6. When the encryption engine CE has completed the security encapsulation above, it concatenates the encapsulation header, the encapsulated payload and the signed MAC and hands the result to the IP layer for IP encapsulation, that is, a new IP header is added to form an IP packet, which is placed in the IP forwarding queue to await forwarding.
At this point the BWIP security architecture has completed the security processing of the outgoing packet.
Once the sender in the BWIP network security architecture has applied security processing to a packet, the receiver must perform the corresponding security operations.
Referring to Figure 5, the BWIP network security architecture processes incoming data at the receiver in the following steps:
1. The authentication, verification and integrity check engine AVIE receives an IP packet from the Internet and, using the security parameter index SPI in the packet's encapsulation header, asks the security environment manager SEM to query the security environment database SEDB;
2. Check whether the SPI is valid: if the SPI does not exist or has passed its validity period, AVIE drops the packet and records the processing information in the log database ADB;
3. If the SPI is valid, AVIE asks SEM to call the encryption engine CE to perform an integrity check first, to determine whether the packet was actively tampered with in transit. AVIE's integrity check of the packet consists of three steps:
In the first step, AVIE asks the encryption engine CE to perform the cryptographic computation that recovers the tag protected by the message authentication code MAC. To do so CE obtains the decryption key from the security environment database SEDB, and the result of the decryption is the HASH value sent by the sender. If the protocol specifies that the MAC is digitally signed, the security environment manager SEM must also call the external security support system to obtain the mobile user's valid certificate from the certificate authority CA and verify the signature over the MAC with the public key in the certificate; if the verification fails, AVIE is notified together with the reason; if it succeeds, the decrypted MAC is returned to AVIE;
In the second step, AVIE asks CE to compute the HASH value of the packet with the negotiated HASH function and return it to AVIE;
In the third step, AVIE compares the decrypted HASH value with the recomputed HASH value; if they are equal the integrity check of the packet succeeds, otherwise it fails.
If the integrity check fails, the authentication, verification and integrity check engine AVIE automatically drops the incoming packet and records the integrity check information in the log database ADB;
4. If the integrity check succeeds, AVIE asks the authentication, authorization and accounting engine AAAE to perform the AAA operations and receives the result returned by AAAE;
5. The result returned by AAAE is passed to the log manager AM, which records it in the log database ADB so that security administrators can review the log and improve the security policy;
6. AVIE processes the result returned by AAAE: if the AAA operation failed, AVIE drops the packet and records this in ADB; only if the AAA operation succeeded, showing that the system allows the packet to access the network, does AVIE ask the security environment manager SEM to call the encryption engine CE;
7. CE decrypts the encapsulated payload according to the SA parameters in the security environment database SEDB (decryption is placed late in the flow because the message to be decrypted is comparatively large and takes time to process; doing it last improves the system's processing efficiency), and AVIE passes the decrypted plaintext to the mandatory policy control engine PEE;
8. PEE asks the policy manager PM to query the policy database PDB and checks the returned security processing policy against the access method;
9. If the packet conforms to the local policy it is forwarded to the internal Intranet or up to the higher protocol layers; otherwise the plaintext is discarded and the processing information is recorded in the log database ADB. At this point the confidentiality and integrity services for incoming data have also been realised.
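The outbound path of Figures 3 and 4 and the inbound path of Figure 5, written out as one runnable model. This is an added example and not code from the patent. It assumes the SA-negotiated cipher f(M, K1) can be stood in for by HMAC-SHA256 used as a counter-mode keystream, that h is HMAC-SHA256, that the optional signature S(MAC, K3) is omitted, that PDB and SEDB are in-memory dicts and ADB a list, and that the AAA engine is a caller-supplied callable. The sequence-number replay check is also an addition; the text carries SN in the header but does not say how the receiver uses it. The inbound order (SPI lookup, MAC check, AAA, then decrypt, then PEE policy on the plaintext) follows the text, so a packet with a bad MAC is dropped before any decryption work is spent on it.

```python
"""BWIP-style outbound encapsulation and inbound verification (added example, not the
patent's code).  Assumptions: f(M, K1) is stood in for by HMAC-SHA256 as a counter-mode
keystream, h is HMAC-SHA256, the optional S(MAC, K3) signature is left out, PDB/SEDB are
dicts and ADB a list, and the AAA engine is a caller-supplied callable."""
import hashlib
import hmac
import os
import struct
from dataclasses import dataclass

BLOCK, MAC_LEN, HDR_LEN = 16, 32, 8   # assumed cipher block size; HMAC-SHA256 length; SPI+SN header


@dataclass
class SA:
    """Security association record as held in SEDB (fields named in the text)."""
    spi: int
    k1: bytes            # encryption key K1
    k2: bytes            # hash key K2
    sn: int = 0          # sequence number, incremented per outbound packet
    last_rx_sn: int = 0  # highest SN accepted by the receiver (replay guard, an addition)
    valid: bool = True

def _keystream(k1: bytes, iv: bytes, n: int) -> bytes:
    """Stand-in for f(., K1): HMAC-SHA256(K1, IV || counter) blocks, truncated to n bytes."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(k1, iv + struct.pack(">I", ctr), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _drop(adb: list, *info):
    """Log manager AM records the decision in ADB; the packet is dropped (None)."""
    adb.append(info)
    return None

def pee_lookup(pdb: dict, ip: str, port: int) -> str:
    """PEE asks PM for the PDB policy keyed by (ip, port): discard, bypass or encapsulate."""
    return pdb.get((ip, port), "discard")   # unknown flows default to discard (assumption)

def encapsulate(sa: SA, data: bytes) -> bytes:
    """CE steps 1-4 of Figure 4: pad, encrypt, build header, MAC over header + payload."""
    iv = os.urandom(BLOCK)
    pad = BLOCK - len(data) % BLOCK
    m = data + bytes([pad]) * pad                              # M after IV/padding preprocessing
    sa.sn += 1
    header = struct.pack(">II", sa.spi, sa.sn)                 # SPI and SN form the header
    payload = iv + _xor(m, _keystream(sa.k1, iv, len(m)))      # f(M, K1); IV sent in clear
    mac = hmac.new(sa.k2, header + payload, hashlib.sha256).digest()  # h(header, payload, K2)
    return header + payload + mac

def process_outbound(pdb, sedb, adb, ip, port, spi, data, aaa=lambda spi: True):
    """Figure 3: PEE filter -> SA lookup -> AAA -> CE encapsulation.  None means dropped."""
    action = pee_lookup(pdb, ip, port)
    if action == "discard":
        return _drop(adb, "out", "discard", ip, port)
    if action == "bypass":
        return data                                  # straight to the IP layer, no security
    sa = sedb.get(spi)
    if sa is None or not sa.valid:
        return _drop(adb, "out", "no-sa", spi)      # IKE negotiation is not modelled here
    if not aaa(spi):
        return _drop(adb, "out", "aaa-fail", spi)
    adb.append(("out", "aaa-ok", spi))
    return encapsulate(sa, data)

def process_inbound(sedb, pdb, adb, packet, ip, port, aaa=lambda spi: True):
    """Figure 5: SPI check -> integrity check before decrypt -> AAA -> decrypt -> PEE policy."""
    body = len(packet) - HDR_LEN - MAC_LEN
    if body < 2 * BLOCK or body % BLOCK:
        return _drop(adb, "in", "malformed")
    spi, sn = struct.unpack(">II", packet[:HDR_LEN])
    sa = sedb.get(spi)
    if sa is None or not sa.valid:
        return _drop(adb, "in", "bad-spi", spi)
    header, payload, mac = packet[:HDR_LEN], packet[HDR_LEN:-MAC_LEN], packet[-MAC_LEN:]
    expected = hmac.new(sa.k2, header + payload, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):       # step 3: integrity check before anything else
        return _drop(adb, "in", "integrity-fail", spi)
    if sn <= sa.last_rx_sn:                          # replay guard on SN (an addition)
        return _drop(adb, "in", "replay", spi)
    if not aaa(spi):                                 # steps 4-6: AAA before the costly decrypt
        return _drop(adb, "in", "aaa-fail", spi)
    sa.last_rx_sn = sn
    iv, ct = payload[:BLOCK], payload[BLOCK:]
    m = _xor(ct, _keystream(sa.k1, iv, len(ct)))     # step 7: decrypt last
    pad = m[-1]
    if not 1 <= pad <= BLOCK or m[-pad:] != bytes([pad]) * pad:
        return _drop(adb, "in", "bad-padding", spi)
    if pee_lookup(pdb, ip, port) != "encapsulate":  # steps 8-9: PEE checks the policy on plaintext
        return _drop(adb, "in", "policy-reject", spi)
    return m[:-pad]
```

The MAC is computed over header plus ciphertext (encrypt-then-MAC), exactly the h(encapsulation header, encapsulated payload, K2) of step 4, which is what makes checking integrity before decryption sound. Every drop decision leaves an ADB entry, matching the text's insistence that each failure be logged through AM for the administrators.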
The mandatory policy control engine PEE of the present invention checks policy against the message plaintext, which facilitates content filtering of packets and improves the security of the BWIP network system.
The present invention performs AAA operations on both incoming and outgoing packets, to meet the need for bidirectional traffic statistics in the BWIP network; this also gives better access control and improves the usability of the BWIP security architecture.
Referring to Figure 6, the authentication, authorization and accounting AAA processing of the BWIP security architecture is carried out in the following steps:
I. Authentication
1. The authentication, verification and integrity check engine AVIE asks the authentication, authorization and accounting engine AAAE to perform the AAA operations;
2. When AAAE receives the request, its authentication component uses the encryption engine CE to authenticate the source of the packet and verify the user's identity on the basis of the security parameter index SPI contained in the request packet. Authentication may be implemented in either of the following ways:
Authentication implementation 1: authentication with a preset shared symmetric key
The encryption engine CE fetches the pre-negotiated symmetric key and algorithm from the security environment database SEDB according to the security association SA and performs the corresponding cryptographic operation, thereby establishing the authenticity of the user's identity and of the message source;
Authentication implementation 2: authentication with a public key system
The encryption engine CE first queries the security environment database SEDB. If the relevant public key and related information are not present, CE accesses the external security support system through the security environment manager SEM and obtains the mobile user's public key certificate, credit information and authorization information from the certificate authority CA, the public credit database CP and the authorization authority AA. The security environment manager SEM saves these data to the SEDB and at the same time asks the credit manager CM to save the mobile user's credit information to the credit database CDB, so as to speed up the subsequent authorization process and to speed up AAA service for the same mobile user when the BWIP security architecture serves it again within the validity period. Having obtained the user's public key, the encryption engine CE performs the cryptographic computation on the signature with that public key and returns the result to the authentication component of AAAE, which verifies the digital signature by comparison. This realises authentication of the user or of the data source.
3. If authentication fails, the authentication component terminates the AAA operation and returns the authentication failure through AAAE to the authentication, verification and integrity check engine AVIE;
4. If authentication succeeds and the authorization operation is to continue, the authorization component performs the authorization. The purpose of the authorization service is to prevent unauthorized use of resources: a network entity may not send confidential information to other network entities without permission, and an unauthorized user may not obtain the network's internal confidential information or network resources.
II. Authorization
1. The authorization component makes its authorization decision from the name of the mobile requesting object and the information supplied by AVIE. Using these as index codes it extracts the corresponding policy and credit amount from the policy database PDB and from the credit database CDB or the public credit database CP; the authorization component also asks the mobile facility for environment variables, including the system clock and the resource monitoring component within the resource control framework RCF;
2. Having collected all the required information, the authorization component performs the authorization operation on the data according to its internal rules and gives the result in the concise form "request authorized" or "authorization denied";
3. If authorization fails, the authorization component returns the "authorization denied" message through AAAE to the authentication, verification and integrity check engine AVIE, which records it in ADB and drops the packet;
4. If authorization succeeds and accounting is to be performed, control of the system is handed to the accounting module, which continues with the accounting process.
III. Accounting
1. Based on the identity of the requester ID, the accounting operation generates a record containing the user ID, access time, access destination, volume of data accessed and similar information, and stores it in the accounting database of the authentication, authorization and accounting engine AAAE, completing the accounting service of AAA;
2. When the accounting component has completed accounting for the user, AAAE returns the processing result to the authentication, verification and integrity check engine AVIE, which also records the operation in the log database ADB. The advantage of this double record is that it helps to resolve billing disputes.
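The three stages of Figure 6 in one small AAAE model, added here as an example; it is not the patent's code. Only authentication implementation 1 (preset shared symmetric key) is modelled, as an HMAC-SHA256 tag over the encapsulation header under the key that SEDB holds for the SPI; the public key variant would need a certificate and signature library. PDB, CDB and the accounting database are dicts and lists, the RCF "environment variables" are reduced to a clock callable, the index code is taken to be the user ID, and the authorization rules (allowed destinations, an access-hour window, and credit covering the charge at the configured rate) are constructed for illustration, since the text only says the component applies its internal rules.

```python
"""AAA engine modelled on Figure 6 (added example, not the patent's code).
Assumptions: authentication is the preset-shared-key variant, realised as an
HMAC-SHA256 tag over the packet header under the key SEDB holds for the SPI;
PDB, CDB and the accounting database are dicts/lists; RCF environment variables
are reduced to a clock callable; the index code is the user ID."""
import hashlib
import hmac
from datetime import datetime, timezone

AUTHORIZED, DENIED = "request authorized", "authorization denied"   # the text's two verdicts


def make_tag(psk: bytes, header: bytes) -> bytes:
    """Sender side: tag the header with the pre-negotiated symmetric key (stand-in for CE)."""
    return hmac.new(psk, header, hashlib.sha256).digest()


def fixed_clock(hour: int):
    """Constructed clock for examples: 2004-06-04 at the given hour, UTC."""
    return lambda: datetime(2004, 6, 4, hour, 0, tzinfo=timezone.utc)


def authenticate(sedb: dict, spi: int, header: bytes, tag: bytes):
    """Authentication component, implementation 1: CE recomputes the tag with the SA key."""
    sa = sedb.get(spi)
    if sa is None:
        return None
    return sa["user_id"] if hmac.compare_digest(tag, make_tag(sa["psk"], header)) else None


def authorize(pdb: dict, cdb: dict, user_id: str, destination: str, nbytes: int, clock) -> str:
    """Authorization component: policy (PDB) + credit (CDB) + environment (clock) -> verdict."""
    policy = pdb.get(user_id)                      # index code = user ID (assumption)
    if policy is None or destination not in policy["allowed_dst"]:
        return DENIED
    start, end = policy["hours"]                   # permitted access window (constructed rule)
    if not start <= clock().hour < end:
        return DENIED
    if cdb.get(user_id, 0) < nbytes * policy["rate_per_byte"]:   # credit must cover the charge
        return DENIED
    return AUTHORIZED


def account(acct_db: list, user_id: str, destination: str, nbytes: int, clock) -> dict:
    """Accounting component: one record per authorized access, stored in AAAE's database."""
    record = {"user_id": user_id, "time": clock().isoformat(),
              "destination": destination, "bytes": nbytes}
    acct_db.append(record)
    return record


def aaa(sedb, pdb, cdb, acct_db, adb, spi, header, tag, destination, nbytes,
        clock=lambda: datetime.now(timezone.utc)):
    """AAAE entry point called by AVIE: returns (verdict, accounting record or None)."""
    user_id = authenticate(sedb, spi, header, tag)
    if user_id is None:                            # I.3: stop here, report failure to AVIE
        adb.append(("aaa", "authentication failed", spi))
        return "authentication failed", None
    verdict = authorize(pdb, cdb, user_id, destination, nbytes, clock)
    if verdict != AUTHORIZED:                      # II.3: AVIE logs the denial and drops
        adb.append(("aaa", verdict, user_id))
        return verdict, None
    record = account(acct_db, user_id, destination, nbytes, clock)
    adb.append(("aaa", "accounted", dict(record)))  # III.2: AVIE's copy, the double record
    return AUTHORIZED, record
```

Nothing is written to the accounting database unless both earlier stages passed, and the ADB copy of each accounting record is a separate dict, so the two records the text relies on for billing disputes cannot drift by aliasing.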
Through the above inbound and outbound security processing methods, the BWIP network security architecture can satisfy the various security service requirements of current BWIP networks.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CNB2004100262119A CN100358326C (en) | 2004-06-04 | 2004-06-04 | Wide-band wireless IP network safety system structure and realizing method |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN1585405A CN1585405A (en) | 2005-02-23 |
| CN100358326C true CN100358326C (en) | 2007-12-26 |
Family ID: 34601254
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CNB2004100262119A Expired - Fee Related CN100358326C (en) | 2004-06-04 | 2004-06-04 | Wide-band wireless IP network safety system structure and realizing method |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN100358326C (en) |
Families Citing this family (7)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN100512313C (en) * | 2007-08-08 | 2009-07-08 | 西安西电捷通无线网络通信有限公司 | A trusted network connection system for security enhancement |
| CN101399698A (en) * | 2007-09-30 | 2009-04-01 | 华为技术有限公司 | Safety management system, device and method |
| CN101594229B (en) * | 2009-06-30 | 2011-06-22 | 华南理工大学 | System and method for connecting credible network based on combined public key |
| CN102724173A (en) * | 2011-07-28 | 2012-10-10 | 北京天地互连信息技术有限公司 | System and method for realizing IKEv2 protocol in MIPv6 environment |
| EP3365807B1 (en) * | 2015-10-23 | 2019-08-07 | Oracle International Corporation | Application containers for container databases |
| CN105897748B (en) * | 2016-05-27 | 2019-05-10 | 飞天诚信科技股份有限公司 | Symmetric key transmission method and device |
| CN115701145A (en) * | 2021-07-31 | 2023-02-07 | 华为技术有限公司 | Traffic management method, device, equipment and computer readable storage medium |
Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN1352434A (en) * | 2001-11-29 | 2002-06-05 | 上海维豪信息安全技术有限公司 | Electronic government affairs safety platform system based on trust and authorization service |
| US20030035548A1 (en) * | 2001-08-17 | 2003-02-20 | Netscape Communications Corporation | Client controlled data recovery management |
| CN1444386A (en) * | 2001-12-31 | 2003-09-24 | 西安西电捷通无线网络通信有限公司 | Safe inserting method of wide-band wireless IP system mobile terminal |
| CN1457587A (en) * | 2000-08-15 | 2003-11-19 | 维亚克沃公司 | Method and apparatus for web-based application service model for security management |
Non-Patent Citations (2)
| Title |
|---|
| Design of a new active network security architecture (一种新的主动网络安全体系的设计). 黎忠文, 李乐民, 李美蓉. 通信学报 (Journal on Communications), Vol. 25, No. 1, 2004 * |
| Broadband wireless IP experimental system (宽带无线IP实验系统). 李建东, 刘乃安, 黄振海, 翁继伟. 高技术通讯 (High Technology Letters), No. 7, 2001 * |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | C06 | Publication | |
| | PB01 | Publication | |
| | C10 | Entry into substantive examination | |
| | SE01 | Entry into force of request for substantive examination | |
| | C14 | Grant of patent or utility model | |
| | GR01 | Patent grant | |
| | C17 | Cessation of patent right | |
| | CF01 | Termination of patent right due to non-payment of annual fee | Granted publication date: 20071226; Termination date: 20110604 |