CN103888477B - Data transmission method suitable for trusted connection - Google Patents

Data transmission method suitable for trusted connection

Info

Publication number: CN103888477B
Authority: CN (China)
Prior art keywords: credible, data, trusted, mark, user
Legal status: Active
Application number: CN201410149430.XA
Other languages: Chinese (zh)
Other versions: CN103888477A
Inventors: 胡俊, 张松鸽, 白鑫, 林莉
Current assignee: Beijing University of Technology
Original assignee: Beijing University of Technology
Events: application filed by Beijing University of Technology; priority to CN201410149430.XA; publication of CN103888477A; application granted; publication of CN103888477B; legal status active.

Abstract

The invention discloses a data transmission method suitable for trusted connection, in the fields of information security and network communication. Trusted transmission systems of identical structure are deployed on each network node, and a trusted transmission protocol realizes the trusted transmission of data between the nodes. The trusted transmission system provides trusted-function support to the protocol; data carried at the trusted transmission protocol layer can be accompanied by multiple trusted-extension items that describe different users' assessments of the data's trusted attributes. A user on any node can forward other users' assessments of the trusted attributes of the transmitted data and can add its own assessment to the transmitted information. Compared with traditional data transmission protocols, the invention adopts an extensible, spliceable trusted-information format, realizes trusted connection with attributes between different nodes of a network, and provides effective support for the forwarding, transmission and handling of complex trust relationships under a multi-trust-source model.

Description

Data transmission method suitable for trusted connection
Technical field
The present invention relates to the fields of information security and network communication, and uses the ideas of trusted computing to provide a data transmission method that realizes trusted interconnection between different network nodes.
Background technology
The 21st century is the information age. The rapid development of the IT industry has become one of the main trends of the era, an information revolution centred on information technology is unfolding across the world, and informatization is being realized on a global scale. At the same time, the rapid development of information technology brings more and more information security problems, such as data security, content security, behaviour security and device security. To guarantee the security of information, security mechanisms have become an indispensable part of information systems.
For a security mechanism to operate reliably, the mechanism itself must be trustworthy. Trusted computing technology, popular in recent years, starts from the hardware and the lowest layers of an information system and takes trust measures over the whole system in order to guarantee that the security mechanisms of the information system are trustworthy.
The idea of trusted computing is to establish a root of trust in the computer system as the basis of trust and then, starting from that root, to build a chain of trust in which each level measures and verifies the next by means of trusted measurement technology. Trust is thereby transferred to the applications of the information system and then, through trusted connections between different information systems, extended to the whole network environment.
Traditional trusted computing technology, such as that of the international Trusted Computing Group (TCG), simply divides system elements into two classes, trusted and untrusted, and realizes trusted measurement and the transfer of the chain of trust from a commonly recognized root of trust through a unified certification system (such as Microsoft's certification certificates). However, in real network environments, and especially in the network environments of emerging computing paradigms such as cloud computing, the trust relationships between entities can hardly be reduced to such a binary division.
Taking a cloud computing environment as an example, its basic roles include the cloud tenant, the cloud service provider and the cloud supervisor, and in some settings also the cloud reseller and the cloud infrastructure provider. The relationships between the roles of a cloud environment are multi-party, transferable trust relationships involving both technical and human factors; each party has its own source of trust and needs to manage its own trust policy independently, which cannot simply be delegated to a third party. The binary trust model used by the TCG can hardly express the complex trust relationships of a cloud environment accurately.
The present invention proposes a data transmission method suitable for trusted connection. Trusted transmission systems of identical structure are deployed on each network node, and a trusted transmission protocol realizes the trusted transmission of data between network nodes. The trusted transmission system provides trusted-function support to the protocol, and the protocol, through an extensible, spliceable trusted-information format, realizes trusted connections with attributes between different nodes in the network. Such trusted connections can realize the forwarding, transmission and handling of complex trust relationships under a multi-trust-source model, and provide effective support for the trustworthiness of information systems under emerging computing paradigms such as cloud computing.
Content of the invention
In order to realize the trusted transmission of data between different network nodes, the invention provides a data transmission method suitable for trusted connection. In the invention, trusted transmission systems of identical structure are deployed on the different network nodes, and a trusted transmission protocol realizes the trusted transmission of data between them. Transmitted data can carry multiple trusted-extension items describing different users' assessments of its trusted attributes. The sender of the data can forward other users' assessments of the trusted attributes of the transmitted data and can add its own assessment to the transmitted information; the recipient can verify all the trusted-extension items carried with the transmitted data, obtain the different users' assessments of the data's trusted attributes, and confirm the binding between those assessments and the transmitted data, and the assessments can be neither tampered with nor repudiated.
To achieve the above object, the invention adopts the following technical means:
In the data transmission method suitable for trusted connection, trusted transmission systems of identical structure are deployed on each network node; the trusted transmission systems on the network nodes are connected to each other and rely on the trusted transmission protocol to realize the trusted transmission of data between the nodes.
The trusted transmission system on a network node is divided into three layers: the user layer, the trusted processing layer and the trusted service layer. The user layer contains the user development library, which realizes interaction with the user. The trusted processing layer contains the trusted policy library and the trusted module, which realize the encapsulation, unsealing and verification of trusted transmission protocol layer data. The trusted service layer contains the trusted service module, which provides the trusted functions the protocol needs, such as hash algorithms, signature and authentication, and encryption and decryption. The trusted transmission system is constructed as follows:
Step 1.1: The user development library provides the user with a transmission interface for trusted data, consisting of trusted attributes together with the transmitted data. Through this interface the user can submit data to be transmitted to the library or read from it trusted data transmitted by other nodes. The library functions perform a preliminary encapsulation of the data, add the sending node, the receiving node and the trusted attribute information of the data, and pass the result to the trusted processing layer.
Step 1.2: The trusted policy library stores preset trusted policies, including the trusted data encapsulation format specified for each trusted type, and supplies these policies to the trusted module.
Step 1.3: The trusted module receives the preliminarily encapsulated trusted data sent by the user development library, looks up the preset trusted policy according to the trusted attributes in the data, determines the encapsulation format of the trusted data, and calls the trusted functions of the trusted service module to complete the trusted identity mark of the transmitted data, thereby encapsulating the trusted transmission protocol layer data.
Step 1.4: The trusted service module provides the calling interfaces of the trusted functions and, through them, trusted support for the trusted module; the trusted functions include hash algorithms, keys, signature and authentication algorithms, and encryption and decryption algorithms.
The data transmission method suitable for trusted connection is characterized in that the trusted transmission systems on different nodes communicate using a trusted transmission protocol carrying trusted attributes, comprising two parts: the trusted attributes and the trusted transmission protocol. The trusted attributes describe, by a set of marking rules, the trust dependence relationships of data between different network nodes; from the trusted attributes of the transmitted data at the current node, the current node generates the trusted identity mark of the transmitted data, which is suitable for establishing trusted connections for the data between different nodes. The marks are divided into four parts, the level mark, the user identity mark, the authorization mark and the trusted type mark, constructed as follows:
Step 2.1: The level mark of the transmitted data is completed by the user according to the user's degree of trust in the data; the higher the degree of trust, the higher the level mark.
The trust level is represented by an unsigned integer. The highest level, complete trust of the user in the transmitted data, is represented by 0.
Step 2.2: The user identity mark is completed with the user's unique identifier; it describes the identity of the user and distinguishes different users on the same node.
Step 2.3: The authorization mark indicates whether the user allows other users to forward the user's trust in the transmitted data; it describes the forwarding relationship of different users' trust in the data.
A user who agrees that other users may forward the user's trust in the transmitted data is represented by 0; a user who does not agree is represented by 1.
Step 2.4: The trusted type mark is completed according to the data type of the trusted identity mark of the transmitted data; it describes the trusted authentication relationship between the trusted identity mark and the transmitted data, and includes a data type mark for signature authentication and a data type mark for encryption authentication.
The trusted type mark is represented by the type of the trusted policy. A trusted policy is the data format describing the trusted identity mark of the transmitted data, and includes trusted policies that realize signature authentication of the transmitted data and trusted policies that realize encryption authentication of the transmitted data.
The data transmission method suitable for trusted connection is further characterized in that the trusted module generates the trusted identity mark of the transmitted data from its trusted attributes and encapsulates the transmitted data together with its trusted identity mark into trusted transmission protocol layer data, realizing the binding of the two. The trusted transmission protocol consists of header information, transmitted data and extension information, in the following format:
Step 3.1: The header information describes the basic information of the current trusted transmission protocol data and is used for the encapsulation and unsealing of trusted transmission protocol layer data and for the integrity verification of the transmitted data.
The header information comprises the trusted transmission protocol type identifier, the sender identity mark, the recipient identity mark, the transmitted data type identifier, the total length of the transmitted data, the number of extension items, the total length of the extension information and the digest value. The protocol type identifier marks the trusted transmission protocol and distinguishes it from other protocols; the sender identity mark is the unique identifier of the sending node and marks its identity; the recipient identity mark is the unique identifier of the receiving node and marks its identity; the transmitted data type identifier is the data type of the transmitted data and indicates its data structure type; the total length of the transmitted data describes the total length of all data to be transmitted; the number of extension items describes how many kinds of trusted identity marks the transmitted data carries; the total length of the extension information describes the total length of all extension items in the extension information; the digest value stores the digest of the transmitted data.
Step 3.2: The transmitted data stores the data to be transmitted.
Step 3.3: The extension information describes the trusted identity marks of the transmitted data and contains one or more extension items; each extension item describes the trusted identity mark of the transmitted data generated according to one trusted attribute, and the extension items are spliced, that is arranged one after another, in the extension information.
An extension item comprises the extension item length, the trusted type and the trusted identity mark. The extension item length describes the total length of the current extension item; the trusted type describes the type of the trusted policy that generated the trusted identity mark and is consistent with the trusted type mark in the trusted attributes; the trusted identity mark is the trusted data generated from the transmitted data according to the trusted policy of the trusted type mark, and represents the trusted identity of the transmitted data that satisfies the trusted attributes.
The invention proposes a data transmission method suitable for trusted connection in which the trusted transmission system completes the encapsulation, unsealing and verification of trusted transmission protocol layer data carrying trusted attributes. The trusted attributes describe the trust dependence relationships of the transmitted data between different nodes; relying on the functions provided by trusted computing, the trusted transmission system computes the trusted identity mark of the transmitted data with its trusted attributes. The trusted identity mark is carried in the trusted transmission protocol layer data, so that the trusted attributes of the transmitted data can be verified from the extension information of that data, realizing trusted transmission with attributes across the network. The trusted transmission protocol proposed by the invention uses an extensible, spliceable trusted-information format for the header information and the extension information; such trusted connections can realize the forwarding and transmission of trust under a multi-trust-source model, handle complex trust relationships, and provide effective support for the trustworthiness of information systems under emerging computing paradigms such as cloud computing.
Brief description of the drawings
Fig. 1 is the structure diagram of the trusted transmission system of the invention;
Fig. 2 is the schematic diagram of the trusted transmission protocol layer of the invention;
Fig. 3 is the trusted transmission protocol layer data diagram on a node in one embodiment of the invention.
Embodiment
In order that those skilled in the art can better understand and use the invention, the technical scheme is further described below with reference to the drawings and a specific implementation case. The implementation case described here is only part of the embodiments of the invention; those skilled in the art can easily transform and modify it and, without departing from the principle of the invention, apply the invention to other trusted data transmission processes. The implementation case therefore only illustrates the principle of the invention and does not limit it.
In the invention, the trusted transmission system and the trusted transmission protocol are defined by the applicant. The trusted functions provided by the trusted service module, such as hash algorithms, signature and authentication, and encryption and decryption, are realized by existing trusted computing technology; they are not the emphasis of the invention and are not described in detail here.
Fig. 1 illustrates the structure of a trusted transmission system according to one embodiment of the invention. The system is divided into three layers: the user layer, the trusted processing layer and the trusted service layer. The user layer contains the user development library, which realizes interaction with the user; the trusted processing layer contains the trusted policy library and the trusted module, which realize the encapsulation, unsealing and verification of trusted transmission protocol layer data; the trusted service layer contains the trusted service module, which provides the hash, signature and authentication, encryption and decryption and other trusted functions the protocol needs. The system is constructed as follows:
The user development library is a function library written in C. It provides the user with a transmission interface for trusted data consisting of trusted attributes together with the transmitted data. Through this interface the user can submit data to be transmitted or read from the library trusted data transmitted by other nodes; the library functions perform a preliminary encapsulation of the data, add the sending node, the receiving node and the trusted attribute information of the data, and pass the result to the trusted processing layer.
The trusted policy library stores preset trusted policies, including the trusted data encapsulation format specified for each trusted type, and supplies these policies to the trusted module.
The trusted module contains the trusted processing process, which receives the preliminarily encapsulated trusted data sent by the user development library, looks up the preset trusted policy in the trusted policy library according to the trusted attributes in the data, determines the encapsulation format of the trusted data, and calls the trusted service module to generate the trusted identity mark of the transmitted data, thereby encapsulating the trusted transmission protocol layer data.
The trusted service module contains the trusted software stack (TSS), which provides the calling interfaces of the trusted functions and thereby trusted support to the trusted module; the trusted functions include hash algorithms, keys, signature and authentication algorithms, encryption and decryption algorithms and so on.
The trusted attributes of one embodiment of the invention comprise four parts, the level mark, the user identity mark, the authorization mark and the trusted type mark, as shown in table one:
Table one:
Level mark    User identity mark    Authorization mark    Trusted type mark
2 bytes       20 bytes              2 bytes               4 bytes
The level mark records the user's degree of trust in the data as an unsigned integer; the user identity mark records the identity of the user as the user's unique identifier; the authorization mark records whether the user allows other users to forward the user's trust in the transmitted data, 0 meaning that other users may forward the current user's trust in the data and 1 meaning that they may not; the trusted type mark records the type of the user's trust in the transmitted data.
The structure of the trusted transmission protocol in one embodiment of the invention comprises three parts, the header information, the transmitted data and the extension information, as shown in table two:
Table two:
Header information    Transmitted data    Extension information
106 bytes             variable length     1208 bytes
The header information mainly stores information about the trusted transmission protocol layer data, the transmitted data stores one or more items of data transmitted between network nodes, and the extension information stores the trusted identity marks of the trusted transmission protocol layer data.
The format of the header information is defined in table three:
Table three:
Trusted transmission protocol type identifier    4 bytes
Sender identity mark                             36 bytes
Recipient identity mark                          36 bytes
Transmitted data type identifier                 4 bytes
Total length of transmitted data                 2 bytes
Number of extension items                        2 bytes
Total length of extension information            2 bytes
Digest value                                     20 bytes
The trusted transmission protocol type identifier distinguishes the protocol from other protocols; the sender identity mark uniquely identifies the sending node and is represented by its machine serial number; the recipient identity mark uniquely identifies the receiving node and is represented by its machine serial number; the transmitted data type identifier describes the data structure type of the transmitted data; the total length of transmitted data describes the total length of all data to be transmitted; the number of extension items describes how many extension items there are; the total length of extension information describes the total length of all extension items in the extension information; the digest value is the integrity measurement of the transmitted data, computed here as the digest of the transmitted data with a hash algorithm and stored in the digest value field.
The machine serial number of a node is embedded in the machine hardware and is an intrinsic, unique attribute of the machine.
The format of the extension information is defined in table four:
Table four:
Position description    Extension item 1    Extension item 2    ...
Length (bytes)          604 bytes           604 bytes           ...
The extension information contains one or more extension items, each describing one trusted identity mark of the transmitted data. Extension item 1 describes the trusted identity mark of the header information and extension item 2 describes the trusted identity mark of the transmitted data. Extension items 1 and 2 are laid out as in table five:
Table five:
Extension item length    Trusted type    Trusted identity mark
2 bytes                  4 bytes         598 bytes
The extension item length describes the length of the current extension item; the trusted type describes the type of the trusted policy of the trusted identity mark and is consistent with the trusted type mark in the trusted attributes; the trusted identity mark describes the trust-related information generated from the transmitted data according to the trusted policy.
The content format of a trusted policy for signature authentication is given in table six:
Table six:
Level mark                2 bytes
Random number             2 bytes
Node identity mark        36 bytes
User identity mark        20 bytes
Authorization mark        2 bytes
Signature type            2 bytes
Public key identifier     20 bytes
Signature value length    2 bytes
Signature value           512 bytes
The level mark records the degree of trust of the current node's user in the transmitted data and is consistent with the level mark in the trusted attributes; the random number is a randomly generated integer that prevents replay attacks; the node identity mark identifies the node to which the signing key belongs; the user identity mark identifies the user and is consistent with the user identity mark in the trusted attributes; the authorization mark records whether the current trusted identity mark may be forwarded and is consistent with the authorization mark in the trusted attributes; the signature type describes the type of the signature; the public key identifier identifies the public key and is represented by the digest of the public key computed with a hash algorithm; the signature value length describes the length of the signature value item; the signature value stores the signature of the data.
Fig. 2 illustrates the encapsulation and unsealing of transmitted data in one embodiment of the invention; from top to bottom is the encapsulation process and from bottom to top the unsealing process.
In the encapsulation process, the transmitted data is encapsulated with the trusted transmission protocol to generate trusted transmission protocol layer data; in the unsealing process, the transmitted data is taken out of the trusted transmission protocol layer data. The trusted transmission protocol layer data comprises the header information, the transmitted data and the extension information. The digest value item of the header information stores the digest of the transmitted data computed with a hash algorithm and can be used to verify the integrity of the transmitted data; the extension information contains the extension items of the trusted transmission protocol layer data generated according to the trusted attributes supplied by the sending node and is used to verify the trustworthiness of that data. Trustworthiness here covers the integrity, confidentiality and non-repudiation of the data.
Fig. 3 illustrates trusted transmission protocol layer data in one embodiment of the invention. The generation and verification of the trusted transmission protocol layer data of Fig. 3 are explained below in detail with reference to tables one to six and Figs. 1 and 2.
The trusted type that realizes signature authentication is identified by the characters "IDEE". The machine serial number, stored in the machine hardware, uniquely identifies the machine.
The sending node encapsulates and transmits the trusted transmission protocol layer data as follows:
Step 1: The user submits to the user development library the data to be transmitted, the level mark, the authorization mark and the trusted type; here the level mark is 0, the authorization mark is 1 and the trusted type is "IDEE";
Step 2: The user development library functions obtain the sending node and receiving node of the transmitted data, read the user's identity mark, form the level mark, user identity mark, authorization mark and trusted type into the trusted attributes in the format of table one, and package the transmitted data, sending node, receiving node and trusted attributes together;
Step 3: The user development library sends the packaged data to the trusted module;
Step 4: The trusted module reads the transmitted data, level mark, user identity mark, authorization mark, trusted type, sending node and receiving node from the packaged data;
Step 5: The trusted module generates the header information of the trusted transmission protocol layer data according to the header format of table three;
Step 6: The trusted module looks up the authentication trusted policy in the trusted policy library according to the trusted type "IDEE"; the format of the identity authentication trusted policy is as shown in table six;
Step 7: The trusted module generates the trusted identity mark of the transmitted data according to the trusted policy content format of table six;
Step 8: The trusted module packages the trusted identity mark and its trusted type into an extension item according to the extension item format of table five;
Step 9: The trusted module splices the extension items generated in step 8, in order, into the extension information according to the format of table four;
Step 10: The trusted module counts the extension items and computes the length of the extension information, and resets the number of extension items and the total length of extension information in the header information accordingly;
Step 11: The trusted module packages the header information, the transmitted data and the extension information into trusted transmission protocol layer data according to the protocol structure of table two;
Step 12: The trusted module sends the trusted transmission protocol layer data to the trusted module of the receiving node named in its header information.
The receiving node unseals and verifies the trusted transmission protocol layer data as follows:
Step 1: The trusted module takes the trusted transmission protocol layer data from the network and unseals the header information, transmitted data and extension information according to the protocol structure of table two and the header format of table three;
Step 2: The trusted module takes the digest value out of the header information according to the header format of table three;
Step 3: The trusted module computes the hash of the transmitted data with the hash algorithm and compares it with the digest value in the header information to verify the integrity of the transmitted data;
Step 4: With reference to tables four and five, the user development library functions separate the extension information into individual extension items using the extension item length of each item;
Step 5: For each extension item, steps 6 to 8 are performed;
Step 6: The trusted module unseals the sending node's trusted identity mark and trusted type from the extension item according to the extension item format of table five;
Step 7: The trusted module looks up the trusted policy in the receiving node's trusted policy library according to the sending node's trusted type; the policy format is as in table six;
Step 8: The trusted module verifies the trusted identity mark of the transmitted data according to the signature authentication trusted policy format of table six:
Step 8.1: The trusted module takes the node identity mark, public key identifier and signature value out of the trusted identity mark according to the signature authentication policy format of table six;
Step 8.2: The trusted module looks up the signature's public key in the trusted policy library according to the node identity mark and public key identifier;
Step 8.3: The trusted decision module calls the signature authentication function of the trusted module and verifies the signature value with the signature's public key;
Step 9: If every extension item is verified, success is reported; otherwise verification failure is reported.
A forward node is both a receiving node and a sending node, so the node both verifies and forwards the credible delivery protocol layer data. The detailed process is as follows:
Step 1: The trusted module takes the credible delivery protocol layer data from the network and unpacks the header information, transmission data and extension information according to the credible delivery protocol structure shown in table two and the header information format shown in table three;
Step 2: The trusted module takes the digest value out of the header information according to the header information format shown in table three;
Step 3: The trusted module computes the hash value of the transmission data with the hash algorithm and compares it with the digest value in the header information to verify the integrity of the transmission data;
Step 4: With reference to tables four and five, the user development library function separates the extension information into single extensions using the extension length field carried in each extension;
Step 5: For each extension, perform steps 6 to 8;
Step 6: The trusted module unpacks the trusted identity mark of the sending node and the credible type of the sending node from the extension according to the extension format shown in table five;
Step 7: The trusted module looks up the credible policy in the credible policy library of the receiving node according to the credible type attribute of the sending node; the credible policy format is shown in table six;
Step 8: The trusted module calls the TSS key and verifies the trusted identity mark of the transmission data according to the signature authentication credible policy format shown in table six:
Step 8.1: The trusted module takes the node identity mark, public key mark and signature value out of the trusted identity mark according to the signature authentication credible policy format of table six;
Step 8.2: The trusted module queries the public key of the signature from the credible policy library according to the node identity mark and public key mark;
Step 8.3: The credible decision module calls the signature authentication function of the trusted module, which verifies the signature value with the public key of the signature;
Step 9: If every trusted identity mark passes verification, the module reports that verification succeeded and proceeds to step 10; otherwise it reports that verification failed and the credible delivery process ends;
Step 10: For each extension in the credible delivery protocol layer data, the trusted module performs steps 11 to 21;
Step 11: The trusted module unpacks the trusted identity mark of the sending node and the credible type of the sending node from the extension according to the extension format shown in table five;
Step 12: The trusted module looks up the credible policy in the credible policy library of the receiving node according to the credible type of the sending node; the credible policy format is shown in table six;
Step 13: The trusted module reads the level flag, user identity mark and authorization mark with reference to the signature authentication credible policy format shown in table six;
Step 14: The trusted module packages the level flag, user identity mark, authorization mark and the credible type from step 11 into a credible attribute according to the credible attribute format shown in table one;
Step 15: The trusted module sends the transmission data and its credible attribute to the user development library;
Step 16: The user enters a level flag, authorization mark and credible type into the user development library; in this example the user-defined level flag is 0, the user-defined authorization mark is 1, and the credible type the user selects for the transmission data is "IDEE";
Step 17: The user development library function judges the legitimacy of the receiving node user's credible attribute against the credible attribute of the sending node:
Step 17.1: Because the level flag 0 of the receiving node equals the level flag 0 of the sending node, the user development library function obtains the sending node, the receiving node and the identity of the user reading the transmission data, composes a credible attribute from the level flag, user identity mark, authorization mark and credible type of the receiving node, preliminarily encapsulates the transmission data, sending node, receiving node and credible attribute, and sends them to the trusted module;
Step 17.2: Because the authorization mark of the sending node is 0, the user development library function sends a message to the trusted module asking it to forward the trusted identity mark of the sending node;
Step 18: The trusted module unpacks the transmission data and the credible attribute from the preliminarily encapsulated data;
Step 19: The trusted module reads the credible type from the credible attribute with reference to the credible attribute structure shown in table one and queries the default credible policy for that credible type from the credible policy library of the receiving node;
Step 20: The trusted module generates the receiving node's trusted identity mark for the transmission data according to the signature authentication credible policy format shown in table six;
Step 21: The trusted module generates a new extension from the receiving node's trusted identity mark for the transmission data and its credible type according to the extension format shown in table five, and splices the new extension into the extension information according to the extension information format shown in table four;
Step 22: The trusted module regenerates the header information of the credible delivery protocol layer data according to the header information format of table three;
Step 23: The trusted module packages the regenerated header information, transmission data and extension information into credible delivery protocol layer data according to the credible delivery protocol structure shown in table two, and sends it to the trusted module of the next receiving node.
The signature operation provided by each trusted service in this embodiment uses the RSA signature algorithm, so the signature value is 512 bytes long (that is, a 4096-bit RSA modulus).
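The sending, receiving and forwarding procedures above (the same exchange that claims 3 to 5 summarize) can be modelled end to end in a small program. The following is an added example; it is not the patent's code and not from the applicant. Everything in it that the page does not fix is an assumption made so that it runs stand-alone: SHA-256 as the hash algorithm, a textbook-RSA toy over hardcoded Mersenne primes in place of the 4096-bit RSA keys of the embodiment, a simple length-prefixed byte layout standing in for tables two to five (which this page does not reproduce), a credible policy library modelled as a dictionary keyed by credible type and then by (node identity mark, public key mark), and a trusted identity mark that signs the data digest together with the credible type and node identity mark. It goes slightly beyond the text in rejecting truncated or malformed protocol data, which the steps above leave implicit.

```python
"""Toy model of the credible delivery protocol layer: sender, receiver and forwarder.
Added example, not the patent's code. Assumptions: SHA-256 digests, a textbook-RSA toy on
hardcoded Mersenne primes instead of real RSA keys, a length-prefixed byte layout standing in
for tables two to five, and a mark that signs (data digest || credible type || node identity)."""
import hashlib
import struct

def toy_keypair(p, q):
    n, e = p * q, 65537                      # textbook RSA: no padding, no key generation
    return e, n, pow(e, -1, (p - 1) * (q - 1))

# Assumed key material: 2^127-1, 2^107-1, 2^89-1 and 2^61-1 are Mersenne primes.
KEY_A = toy_keypair((1 << 127) - 1, (1 << 107) - 1)   # (e, n, d), ~234-bit modulus
KEY_B = toy_keypair((1 << 89) - 1, (1 << 61) - 1)     # (e, n, d), ~150-bit modulus

def rsa_sign(digest, d, n):
    m = int.from_bytes(digest, "big") % n    # toy: digest reduced mod n, no encoding
    return pow(m, d, n).to_bytes((n.bit_length() + 7) // 8, "big")

def rsa_verify(digest, sig, e, n):
    return pow(int.from_bytes(sig, "big"), e, n) == int.from_bytes(digest, "big") % n

# Header stand-in for table three: digest(32) | extension count | extension info length | data length.
HDR = struct.Struct("!32sHII")

def _identity_digest(data_digest, credible_type, node_id):
    return hashlib.sha256(data_digest + bytes([credible_type]) + node_id).digest()

def make_extension(data, credible_type, node_id, pubkey_id, d, n):
    """Sender step 8: {node identity mark, public key mark, signature value} plus credible type."""
    sig = rsa_sign(_identity_digest(hashlib.sha256(data).digest(), credible_type, node_id), d, n)
    body = (bytes([credible_type, len(node_id)]) + node_id
            + bytes([len(pubkey_id)]) + pubkey_id
            + struct.pack("!H", len(sig)) + sig)
    return struct.pack("!H", len(body)) + body   # extension length first (table five stand-in)

def parse_extension(raw):
    """Receiver step 6: unpack one extension (its 2-byte length prefix included in raw)."""
    body = raw[2:]
    ctype, nl = body[0], body[1]
    node_id, p = body[2:2 + nl], 2 + nl
    kl = body[p]
    pubkey_id, p = body[p + 1:p + 1 + kl], p + 1 + kl
    (sl,) = struct.unpack_from("!H", body, p)
    sig = body[p + 2:p + 2 + sl]
    if p + 2 + sl != len(body):
        raise ValueError("malformed extension")
    return {"credible_type": ctype, "node_id": node_id, "pubkey_id": pubkey_id, "sig": sig}

def split_extensions(ext_info):
    """Receiver step 4: cut the extension information into single raw extensions by length."""
    raws, pos = [], 0
    while pos < len(ext_info):
        (blen,) = struct.unpack_from("!H", ext_info, pos)
        raws.append(ext_info[pos:pos + 2 + blen])
        pos += 2 + blen
    if pos != len(ext_info):
        raise ValueError("truncated extension information")
    return raws

def pack(data, extensions):
    """Sender steps 9-11: splice extensions, fill the header, assemble protocol-layer data."""
    ext_info = b"".join(extensions)
    hdr = HDR.pack(hashlib.sha256(data).digest(), len(extensions), len(ext_info), len(data))
    return hdr + data + ext_info

def unpack(blob):
    """Receiver steps 1-4: split the fields, check the digest, cut the extensions."""
    digest, n_ext, ext_len, data_len = HDR.unpack_from(blob, 0)
    data = blob[HDR.size:HDR.size + data_len]
    ext_info = blob[HDR.size + data_len:HDR.size + data_len + ext_len]
    if len(data) != data_len or len(ext_info) != ext_len:
        raise ValueError("truncated protocol-layer data")
    if hashlib.sha256(data).digest() != digest:
        raise ValueError("digest mismatch: transmission data was modified")
    raws = split_extensions(ext_info)
    if len(raws) != n_ext:
        raise ValueError("extension count mismatch")
    return digest, data, raws

def verify(blob, policy_library):
    """Receiver steps 5-9. policy_library = {credible_type: {(node_id, pubkey_id): (e, n)}}.
    Returns (data, raw extensions, [(node_id, ok), ...]); an unknown type or key fails closed."""
    digest, data, raws = unpack(blob)
    results = []
    for ext in map(parse_extension, raws):
        key = policy_library.get(ext["credible_type"], {}).get((ext["node_id"], ext["pubkey_id"]))
        ok = key is not None and rsa_verify(
            _identity_digest(digest, ext["credible_type"], ext["node_id"]), ext["sig"], *key)
        results.append((ext["node_id"], ok))
    return data, raws, results

def forward(blob, policy_library, credible_type, node_id, pubkey_id, d, n):
    """Forwarder steps 10-23: verify every mark, then append this node's own extension and
    re-encapsulate; the earlier extensions are carried along unchanged."""
    data, raws, results = verify(blob, policy_library)
    if not all(ok for _, ok in results):
        raise ValueError("verification failed; credible delivery ends")
    return pack(data, raws + [make_extension(data, credible_type, node_id, pubkey_id, d, n)])
```

Two properties of this model are the ones a practitioner should check in any real implementation of the scheme. First, the digest comparison in `unpack` rejects modified data, but a sender who changes the data can simply recompute the digest, so the actual binding of data to a node is each node's signature checked in `verify`. Second, `verify` fails closed: a credible type that has no policy, or a (node identity mark, public key mark) pair the policy library does not know, yields a failed mark rather than a skipped one, and `forward` refuses to append its own extension in that case, which is what step 9 of the forwarding procedure requires.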

Claims (5)

  1. A data transmission method suitable for credible connection, which realizes credible delivery of data between networks with credible attributes by means of a credible delivery protocol and comprises two parts, credible attributes and the credible delivery protocol, characterized in that: the credible attribute describes the credible dependency between different network nodes with rules of associated marks; the transmission data generates a trusted identity mark according to the credible attribute; the credible delivery protocol carries the trusted identity mark and thereby binds the transmission data to the trusted identity mark; the trusted identity mark is described with reliable information, which includes a credible measurement binding identity and state, signatures of different roles and multiple encryption; wherein the credible attribute is marked as the four-tuple {level flag, user identity mark, authorization mark, credible type mark}, constructed as follows:
    Step 2.1: Level flag, the user's degree of trust in the data. The level flag of the transmission data is completed according to the user's degree of trust in it; the higher the degree of trust, the higher the level flag, which ensures that only a user with a high degree of trust in the transmission data can access the reliable information of a user with a lower degree of trust in it;
    Step 2.2: User identity mark, the marking of user identity with the user's unique identifier; the user identity mark describes the identity of the user;
    Step 2.3: Authorization mark, whether the user allows other users to forward that user's degree of trust in the transmission data; the authorization mark describes the forwarding relation between different users' degrees of trust in the transmission data;
    Step 2.4: Credible type mark, according to the data type of the reliable information of the transmission data: the data type mark for signature authentication and the data type mark for encryption authentication.
  2. The data transmission method suitable for credible connection as claimed in claim 1, characterized in that:
    the credible delivery protocol encapsulates the transmission data into credible delivery protocol layer data according to the credible attribute of the transmission data;
    the credible delivery protocol layer data is delivered as a whole, as transmission data, through the network to the trusted module of the destination node; the trusted module of the destination node completes the authentic authentication of the data carried in the credible delivery protocol layer data.
  3. The data transmission method suitable for credible connection as claimed in claim 2, characterized in that the credible delivery protocol comprises header information, transmission data and extension information; the trusted module performs authentic authentication of the transmitted data according to the header information and extension information of the credible delivery protocol layer data, specifically comprising:
    Step 4.1: the trusted module of the sending node generates the trusted identity mark of the transmission data according to the credible attribute, fills the header information and extension information of the credible delivery protocol layer data according to the transmission data and the trusted identity mark, and generates the credible delivery protocol layer data;
    Step 4.2: the trusted module of the sending node sends the credible delivery protocol layer data to the trusted module of the receiving node;
    Step 4.3: the receiving node receives the credible delivery protocol layer data;
    Step 4.4: the trusted module of the receiving node verifies the transmission data in the credible delivery protocol layer data according to its header information and extension information;
    Step 4.5: the trusted module of the receiving node generates the receiving node's extension for the transmission data according to the credible attribute of the receiving node and splices the newly generated extension into the extension information of the credible delivery protocol layer data, realizing credible verification under different attributes;
    Step 4.6: the trusted module of the receiving node encapsulates new credible delivery protocol layer data and sends it to the trusted module of the next node.
  4. The data transmission method suitable for credible connection as claimed in claim 1 or 2, characterized in that the credible delivery protocol layer comprises header information, transmission data and extension information; the header information stores information about this credible delivery protocol layer data, and the extension information extends the reliable information of the credible delivery protocol layer data; the information stored in the header information includes the digest value of the transmission data, describing the integrity of the transmission data; the extension information can store one or more extensions, each extension containing one trusted identity mark of the credible delivery protocol layer data generated according to a credible attribute, and the trusted identity mark describes the trusted identity of the data to be transmitted.
  5. The method as claimed in claim 2, characterized in that the trusted module provides trusted function support for the credible delivery protocol, including the hash algorithm for computing the digest value, signature and its authentication, and encryption and decryption; the trusted module realizes the encapsulation, unpacking and verification of the credible delivery protocol layer data.
CN201410149430.XA 2014-04-13 2014-04-13 A kind of data transmission method suitable for credible connection Active CN103888477B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201410149430.XA CN103888477B (en) 2014-04-13 2014-04-13 A kind of data transmission method suitable for credible connection

Publications (2)

Publication Number Publication Date
CN103888477A CN103888477A (en) 2014-06-25
CN103888477B true CN103888477B (en) 2017-12-29

Family

ID=50957195

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201410149430.XA Active CN103888477B (en) 2014-04-13 2014-04-13 A kind of data transmission method suitable for credible connection

Country Status (1)

Country Link
CN (1) CN103888477B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107277805B (en) * 2016-04-06 2020-03-13 中国联合网络通信集团有限公司 Data transmission method and terminal based on man-machine interaction

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1299544A (en) * 1998-07-15 2001-06-13 国际商业机器公司 Method of establishing the trustorthiness level of a participant in a communication connection
CN101355495A (en) * 2008-09-11 2009-01-28 电子科技大学 Method for implementing IP credible route based on fault-tolerance and invade-tolerance
CN102088459A (en) * 2010-12-29 2011-06-08 广东楚天龙智能卡有限公司 Large-centralized data exchanging and integration platform based on trusted exchange

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8161541B2 (en) * 2007-12-13 2012-04-17 Alcatel Lucent Ethernet connectivity fault management with user verification option

Also Published As

Publication number Publication date
CN103888477A (en) 2014-06-25

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant