CN105939353A - Security management and information feedback system based on GDOI protocol - Google Patents

Publication number
CN105939353A
Authority
CN
China
Prior art keywords
unit
management
key
information
module
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201610405991.0A
Other languages
Chinese (zh)
Other versions
CN105939353B (en
Inventor
朱云
李元骅
张晓囡
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Shield Mdt Infotech Ltd
Original Assignee
Beijing Shield Mdt Infotech Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Shield Mdt Infotech Ltd
Priority to CN201610405991.0A
Publication of CN105939353A
Application granted
Publication of CN105939353B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/06 Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H04L63/065 Network architectures or network communication protocols for network security for supporting key management in a packet data network for group communications
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/06 Management of faults, events, alarms or notifications
    • H04L41/0631 Management of faults, events, alarms or notifications using root cause analysis; using analysis of correlation between notifications, alarms or events based on decision criteria, e.g. hierarchy, tree or time analysis
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/06 Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/06 Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H04L63/062 Network architectures or network communication protocols for network security for supporting key management in a packet data network for key distribution, e.g. centrally by trusted party
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention provides a large-scale network security management system based on the GDOI protocol. The security management system manages and controls the collection, classification and management of information about assets and about the encryption devices and key management devices associated with those assets; it manages the configuration information of the key management devices and encryption devices, configures their group policies, and checks their status information. Through an asset management module and a configuration management module, the system protects the assets and their associated encryption devices and key management devices, so that the assets and their encryption devices can be maintained, monitored and inspected at any time and remedial measures can be taken immediately when a problem arises. The system provides a group encryption deployment model of a key management server and group members (GM) and a network-wide negotiation mechanism (Group SA); traffic between nodes is encrypted and decrypted using the Group SA, providing secure IP communication for any node.

Description

A security management and information feedback system based on the GDOI protocol
Technical field
The invention belongs to the field of information security technology, and in particular relates to a security management and information feedback system based on the GDOI protocol.
Background art
The global Internet is indispensable to people's work and life, but threats to the security of networked information grow more severe year by year. The well-known "PRISM" incident in the network security field in 2013 showed that the existing network architecture, built around switches and routers, is highly susceptible to monitoring. Large amounts of information leaked through switches and routers, sounding an alarm for all network users.
The internal network of a large company or government department that operates worldwide often uses the network topology shown in Fig. 1. The whole network is divided into three layers. The group ring-network platform consists of several data centers, connected to one another in a ring by multiple 10G networks, and provides services such as application access and data aggregation for the whole group. The regional center platform consists of several regional centers; each regional center aggregates the data of the companies in its region and provides a data channel to the group ring network. The regional company platform consists of the local area networks or metropolitan area networks of the regional companies and carries the network access of each company's basic applications. To achieve mutual addressing and data exchange among the objects in this network, the existing standard TCP/IP protocols transmit in plaintext on the channel, so large amounts of data are transmitted without any security protection. Because of the network's routing mechanism, there is no "national gateway" between regions and countries in cyberspace; transmitted data can be intercepted and reassembled at will and the original data restored, causing data leakage. A still greater risk is that most switches and routers in domestic use today are foreign brands, and even domestic brands are mostly designed around foreign core chips, so data on domestic transmission networks may be monitored by foreign organizations. Therefore, to guarantee the secure transmission of information inside the network, system interconnection needs to use independently developed network switching equipment, data encryption devices, key management devices, security management devices and so on. Among these, the security management device (security management center) centrally manages and controls the encryption devices and key management devices from a global view: it manages the configuration information of the key management devices and encryption devices, configures their group policies, checks their status information, and discovers faulty assets, encryption devices and key management devices in time, raising alarms and applying corrections as an assurance measure. In addition, services such as distributed computing, voice and video need to run between branches anytime and anywhere, and the traditional hub-and-spoke, point-to-point IPsec tunnel solutions cannot meet users' needs. The GDOI (Group Domain of Interpretation) protocol proposes a group encryption deployment model of a key management server and group members (GM) and a network-wide negotiation mechanism (Group SA); traffic between nodes is encrypted and decrypted with the Group SA, which makes secure IP communication between arbitrary nodes possible. Developing a large-scale network security management center under the GDOI protocol therefore has important theoretical and practical significance.
Summary of the invention
To solve the above problems, the present invention provides a security management and information feedback system based on the GDOI protocol. The system encrypts asset device information through encryption devices, controls and manages those encryption devices, and applies security management and feedback regulation to the asset devices encrypted by the encryption devices;
Further, the system includes a high-speed encryption module, a key management center (KMC), a key management control terminal, a security management center and an information feedback management center, wherein:
High-speed encryption module: provides a dual-channel encryption method for asset device information and encryption devices;
Key management center: performs local identity authentication for encryption devices, encryption protection of stored data, and identity key management for the encryption devices of the whole network;
Key management control terminal: used for key information input and for distributing the identity public key of the key management center in the offline state;
Security management center: describes, defines, classifies and registers asset devices, and sets the function configuration and function information of the encryption devices and key management center associated with the asset devices;
Information feedback management center: monitors the real-time status of asset devices and encryption devices, and performs security management and feedback regulation according to what is monitored;
Further, the encryption module includes a first processing channel, a second processing channel and a shared module. The first and second processing channels are each provided with an independent user information input interface, management information input interface and identity authentication interface. The shared module receives the key information and verification information entered by the user through the user information input interface, receives the operation information of administrators through the management information input interface, and the verification information of administrators through the identity authentication interface;
Further, the shared module includes a control center unit, an editing and integration unit, a flash unit and a configuration interface, and the first and second processing channels each also include a data processing unit, a data cache unit, a verification unit, a micro-control unit and an expansion unit, wherein:
Control center unit: processes the administrators' configuration operation commands received through the management information input interface;
Editing and integration unit: converts all operation commands in the control center unit into digital information through logic editing and digital integration;
Flash unit: caches key information and verification information;
Data processing unit: includes block symmetric cipher operations and hash cipher operations; the block cipher operation encrypts data with the SM4 algorithm, and the hash cipher operation hashes the encrypted data with the SM3 algorithm;
Verification unit: provides digital signatures and verification of digital signatures. Through the management information input interface and the user information input interface, the micro-control unit receives the operation information of administrators and users respectively, and sends it to the control center unit via the data processing unit;
Further, the key management center includes a device management module, an algorithm processing module, a key management module, a communication processing module, a local monitoring module and an integrated management module. The device management module includes a remote status query and monitoring unit, a group policy processing unit and an identity key management unit. The key management module includes a noise code processing unit, a local critical data storage protection unit, a session encryption key (SEK) management unit, a group policy key encryption key (KEK) management unit and a group policy transmission encryption working key (TEK) management unit. The communication processing module includes a security management communication interface unit, a GDOI protocol processing unit and a multicast communication processing unit. The management module includes a key management center management unit and a log maintenance unit;
Further, the monitoring module includes a traffic information collection unit, a traffic statistics analysis unit, a traffic information display unit and an abnormal traffic alarm unit;
Further, the device management module is used for the management and status monitoring of the encryption devices of the whole network, the management of identity keys and the maintenance of group cryptographic policies. The algorithm processing module performs key information calculations for encryption devices using the SM2, SM3 and SM4 algorithms. The key management module is connected to the algorithm processing module and uses the SM2, SM3 and SM4 algorithms in the algorithm processing module to protect local critical data in storage and to maintain and manage the whole-network session encryption keys, group policy key encryption keys and group policy transmission encryption working keys. The communication processing module implements the communication connections between the key management module and the key management control terminal, between the device management module and the key management control terminal, and between the key management module and the device management module; it presents a unified GDOI protocol interface externally, and key distribution is implemented with the GDOI protocol. The local monitoring module collects the running status of the device management module, algorithm processing module, key management module, integrated management module and communication processing module, checks the integrity of critical data, and triggers an alarm on an abnormal status. The integrated management module manages and maintains the device management module, algorithm processing module, key management module, communication processing module and local monitoring module in a web-based manner, and records operation information, status information and maintenance information to form logs. The remote status query and monitoring unit collects and monitors the running status of encryption devices. The group policy processing unit maintains group policy information, including add and delete operations on the encryption device members of a group policy. The identity key management unit includes a key-injection key and an authentication key: the key-injection key is used for the first-time loading of key parameters into an encryption device, and the authentication key is used for local identity authentication when an encryption device starts. The noise code processing unit obtains, and performs random detection on, the noise data of the physical noise source. The local critical data storage protection unit performs local identity authentication with the authentication key of the identity key management unit, obtains the storage protection key, and protects locally stored sensitive information. The session encryption key (SEK) management unit maintains and manages the SEK keys between the encryption devices of the whole network by performing IKE exchanges with the encryption devices. The group policy key encryption key (KEK) management unit updates and manages the whole-network KEK keys according to the group policy state of the device management module. The group policy transmission encryption working key (TEK) management unit maintains and manages TEK key data according to the group policy state and the key update cycle. The security management communication interface unit parses and processes the communication protocol between the key management module and the device management module, collects group policy information, and performs command parsing and information reporting for the device management module. The GDOI protocol processing unit implements the communication connection between the key management control terminal and key management, and establishes and maintains the IKE SA, KEK SA and TEK SA according to the GDOI protocol. The multicast communication processing unit implements the communication connection between the device management module and the key management control terminal and distributes TEK keys by multicast. The key management center management unit configures the parameters of, and manages the operation of, the various units of the key management center in a web-based manner. The log maintenance unit collects the operation information, status information and maintenance information of the various units of the key management center and forms log records for retrieval and query;
Further, the key management control terminal includes a credit card information input module and a public key distribution module; the key management control terminal is a key management console;
Further, the security management center includes an asset management module and a configuration management module. The asset management module includes an asset information collection unit, an asset information management unit, a responsible-person information management unit and an asset topology management unit. The configuration management module includes a group information management unit, a group member information management unit, a group policy management unit and an encryption device status monitoring unit, wherein:
Asset information collection unit: works with the administrator to complete the collection and entry of asset data and the establishment of the asset model; the collection and entry of asset data includes automatic collection and manual entry;
Asset information management unit: assists the administrator in displaying asset information, searching assets by different attributes, modifying asset information and deleting assets;
Responsible-person information management unit: establishes, maintains and manages the responsible-person information of assets; the responsible person is the administrator who needs to be responsible for the asset;
Asset topology management unit: collects and builds the asset network topology map, periodically maintains its information, displays the asset topology map in real time and supports interactive maintenance of the asset topology;
Group information management unit: assists the administrator in obtaining the parameters of the key management devices of the assets in the group encryption network;
Group member information management unit: assists the administrator in obtaining information about the encryption devices of the assets from the perspective of the group member;
Group policy management unit: issues group policy instructions to the key management center in the key management system; while the key management center executes the group policy, it delivers the group policy instruction to the specified group members, so that the cryptographic system completes the tasks of organizing the cryptographic system's structure or updating cryptographic parameters according to the network administrator's instructions. A group member is an encryption device;
Encryption device status monitoring unit: monitors the running status of the key management center and the group members;
Further, the information feedback management center includes a monitoring module, a statistical analysis module and a system management module. The monitoring module includes a traffic information collection unit, a traffic statistics analysis unit, a traffic information display unit and an abnormal traffic alarm unit. The statistical analysis management module includes a performance alarm management unit, a fault alarm management unit, a comprehensive correlation analysis unit and a security risk alarm unit, wherein:
Monitoring module: through traffic analysis, helps the network administrator keep track in real time of the various communication flows in the backbone network and their scale, and discover and locate abnormal traffic in time;
Statistical analysis module: is connected to the monitoring module and performs security statistical analysis on the data returned by the monitoring module;
System management module: monitors administrator and administrator-role information, and keeps logs of the operations of those who log in to the system;
Further, the traffic information collection unit interfaces with the industry's mainstream traffic standards, obtains the relevant flow information data from network equipment, and applies some formatting so that the data can be used for further statistical analysis. The traffic statistics analysis unit uses the DFI statistical analysis method to perform in-depth analysis and detection on the collected data by type. The traffic information display unit presents the results of the traffic statistics analysis unit to the network administrator in a suitable display form and assists the administrator's routine traffic monitoring work, including displaying charts of various periods and types. The abnormal traffic alarm unit reports the suspicious abnormal traffic found during traffic statistics analysis to the network administrator, so that the administrator can learn of it in time and take measures. The performance alarm management unit collects the abnormal events related to network equipment performance in the network equipment unit and supplies them to the security risk alarm unit for alarming. The fault alarm management unit collects the network equipment fault events in the network equipment unit and supplies them to the security risk alarm unit for alarming. The comprehensive correlation analysis unit obtains suspicious risk events via SYSLOG and SNMP, merges them with an aggregation engine, analyzes them comprehensively with a correlation analysis engine, and finally notifies the security risk alarm unit of the analysis result. The security risk alarm unit mainly issues prompts, analysis reports and alarms for the security risks generated by the performance alarm management unit, fault alarm management unit and comprehensive correlation analysis unit, and notifies the relevant network administrators and responsible persons so that risks can be investigated in time;
The beneficial effects of the present invention are as follows:
1) Through an innovative encryption module architecture, the high-speed encryption module achieves high performance: it can support the encryption and decryption of 40 Gbps of service data, has a clear division of functions and superior service processing performance, and can also provide users with extended customization functions;
2) Through the group encryption deployment model of the key management server and group members (GM) and the network-wide negotiation mechanism (Group SA), traffic between nodes is encrypted and decrypted with the Group SA, providing secure IP communication between arbitrary nodes;
3) Assets and their encryption devices can be maintained, monitored and inspected at any time; backbone link traffic can be collected in real time from routers and switches via NETSTREAM, SPAN and SNMP; full-mesh network traffic conditions are displayed and monitored in real time; and remedial measures can be taken immediately when a problem arises.
Brief description of the drawings
Fig. 1 is a hardware structure diagram of the encryption module of the present invention;
Fig. 2 is an overall firmware flow diagram of the encryption module of the present invention;
Fig. 3 is a flow chart of administrator identity authentication in the encryption module of the present invention;
Fig. 4 is a flow chart of operator identity authentication in the encryption module of the present invention;
Fig. 5 is a flow chart of the generation and storage of KP1 and the device identity key in the encryption module of the present invention;
Fig. 6 is the overall software flow chart of the ARM firmware of the encryption module of the present invention;
Fig. 7 is a hardware composition structure diagram of the key management center and key management control terminal of the present invention;
Fig. 8 is a topology schematic of the large worldwide internetwork described in the background art of the present invention.
Detailed description of the embodiments
To make the purpose, technical solution and advantages of the present invention clearer, the invention is explained in further detail below with reference to the drawings and embodiments. It should be understood that the specific embodiments described here serve only to explain the invention and are not intended to limit it. On the contrary, the invention covers any substitution, modification, equivalent method and scheme made within the spirit and scope of the invention as defined by the claims. Further, to give the public a better understanding of the invention, some specific details are described at length in the detailed description below. A person skilled in the art can fully understand the invention even without the description of these details.
The invention is further described below with reference to the drawings and specific embodiments, which are not a limitation of the invention. The following are preferred embodiments of the invention:
As shown in the figures, the present invention provides a security management and information feedback system based on the GDOI protocol; the system includes an asset management module, a configuration management module, a status monitoring module, a statistical analysis module and a system management module.
The encryption module includes a first processing channel, a second processing channel and a shared module. The first and second processing channels each process encryption services independently. The shared module is connected to both the first and the second processing channel and handles information input and control processing for both channels.
The first and second processing channels are each provided with an independent user information input interface, management information input interface and identity authentication interface, data processing unit, data cache unit, verification unit, micro-control unit and expansion unit.
The shared module includes a control center unit, an editing and integration unit, a flash unit and a configuration interface, which are connected in sequence; the control center unit, editing and integration unit and flash unit are all connected to the first and second processing channels.
The control center unit processes the administrators' configuration operation commands received through the management information input interface. The editing and integration unit converts all operation commands in the control center unit into digital information through logic editing and digital integration, and sends it to the data processing unit. The data processing unit can process 20 Gbps of service data. The flash unit caches the key information and verification information from the verification unit and the identity authentication interface that is received through the control center unit.
The control center unit is connected to the user information input interface through the data processing unit, and the user information input interface sends the user's key information to the control center unit's management information input interface. The identity authentication interface is connected to the control center unit and sends the authentication information of administrators and users to the control center unit for verification. The management information input interface, micro-control unit, data processing unit and control center unit are connected in sequence; the management information input interface sends the operation commands and verification information of administrators to the control center unit, and once verification succeeds, administrator work commands can be entered directly through the micro-control unit. The data cache unit is connected to the control center unit and stores part of the key information and verification information. The expansion unit is used to connect external equipment. The data processing unit includes block symmetric cipher operations and hash cipher operations: the block cipher operation encrypts data with the SM4 algorithm, and the hash cipher operation hashes the encrypted data with the SM3 algorithm. The verification unit provides digital signatures and verification of digital signatures. The control center unit is an ARM microcontroller, the editing and integration unit is a CPLD, the flash unit is a 128 Mb FLASH memory, the data processing unit is a DPU, the data cache unit is a 1 MB SRAM data cache, the verification unit is an SSX1408 security chip, the micro-control unit is an Ethernet PHY, and the expansion unit is used to connect user-defined encryption devices.
The key management center (KMC) is a 2U-height server device comprising an x86-architecture mainboard, a dedicated PCI-E cipher card, storage components, a network card, an ID card driver, an ID card reader/writer and a power supply. The KMC is installed on the x86-architecture mainboard, and the mainboard is configured with a Usb-KEY used for local identity authentication at system boot, encryption protection of stored data, and identity key management of the encryption devices across the whole network. The KMC is connected to the key management control terminal, which is used for registering the ID cards of the cipher machines used across the whole network and for distributing the identity public key of the KMC in the offline state.
The KMC includes a device management module, an algorithm processing module, a key management module, a communication processing module, a local status monitoring module and a management module.
The device management module is used for the management and status monitoring of the encryption devices across the whole network and for the maintenance of group cipher policies, and implements whole-network identity key management. The device management module includes a remote status query and monitoring unit, a group policy processing unit and an identity key management unit.
The remote status query and monitoring unit collects and monitors the running status of the encryption devices and reports any abnormality to the device management module in time; the device management module maintains and manages encryption devices in an abnormal state. The group policy processing unit maintains group policy information and supports adding and deleting the encryption device members of a group policy; the maximum number of group policy entries supported across the whole network is less than 10000, and each group policy supports fewer than 1000 members. The identity key management unit includes a key-injection key and an authentication key; the key-injection key is used for the initial injection of the key parameters of the encryption device, and the authentication key is used for local identity authentication when the encryption device starts.
The algorithm processing module performs its processing with the SM2, SM3 and SM4 algorithms. It uses these algorithms to compute key information for the encryption devices and supports the authentication and registration of at most 200 encryption devices.
The key management module includes a noise code processing unit, a local critical data storage protection unit, a session encryption key (SEK) management unit, a group policy key encryption key (KEK) management unit and a group policy transmission encryption working key (TEK) management unit. The noise code processing unit obtains noise data from the physical noise source and runs randomness tests on the obtained data to ensure the randomness of the keys produced. The local critical data storage protection unit performs local identity authentication with the authentication key of the identity key management unit, obtains the storage protection key, and implements storage protection of local sensitive information. The session encryption key (SEK) management unit performs an IKE exchange with each encryption device to maintain and manage the SEK keys between the KMC and the encryption devices across the whole network, and thereby protects the transmission of KEK data. The group policy key encryption key (KEK) management unit maintains the updating and management of the whole-network KEK keys according to the group policy state, and thereby protects the transmission of TEK data. The group policy transmission encryption working key (TEK) management unit maintains the management of TEK key data according to the group policy state and the key update period, and thereby protects the transmission of group policy data.
The algorithm processing module is connected to the key management module and, through the SM2, SM3 and SM4 algorithms, implements storage protection of local critical data and the maintenance and management of the whole-network session encryption keys, group policy key encryption keys and group policy transmission encryption working keys.
The communication processing module includes a security management communication interface unit, a GDOI protocol processing unit and a multicast communication processing unit. The communication processing module implements the communication connection between the key management module and the key management control terminal, between the device management module and the key management control terminal, and between the key management module and the device management module. The communication processing module presents a unified GDOI protocol interface externally, and key distribution is carried out with the GDOI protocol. The security management communication interface unit implements the parsing and processing of the communication protocol between the key management module and the device management module, the collection of group policy information, and the parsing of device management module commands and the reporting of information. The GDOI protocol processing unit implements the communication connection between the key management control terminal and key management, and completes the establishment and maintenance of the IKE SA, KEK SA and TEK SA according to the GDOI protocol. The multicast communication processing unit implements the communication connection between the device management module and the key management control terminal and distributes TEK keys by multicast.
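The SEK, KEK and TEK layering and the unicast/multicast split described above can be traced in a short program. This is an added example, not code from the patent: the HMAC-SHA256 wrap stands in for SM4/SM3 (which the Python standard library lacks), random bytes stand in for the SEK negotiated by the IKE exchange, replacing KEK and TEK on member deletion is an assumption, and all class and function names are hypothetical.

```python
import hashlib
import hmac
import os

def _stream(key, nonce, n):
    # HMAC-SHA256 in counter mode: stand-in keystream, NOT the patent's SM4.
    blocks = (hmac.new(key, b"enc" + nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def wrap(key, data):
    """Encrypt-then-MAC; returns nonce || ciphertext || 32-byte tag."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(data, _stream(key, nonce, len(data))))
    return nonce + ct + hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()

def unwrap(key, blob):
    """Check the tag, then decrypt; ValueError on a wrong key or tampering."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    good = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        raise ValueError("unwrap failed: wrong key or modified message")
    return bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct))))

class KMC:
    """Group key server: one SEK per device, one KEK and one TEK per group."""
    def __init__(self):
        self.sek = {}     # device id -> pairwise SEK
        self.groups = {}  # group id -> {"members", "kek", "tek"}

    def register(self, dev_id):
        # Assumption: random bytes replace the SEK negotiated by the IKE exchange.
        self.sek[dev_id] = os.urandom(32)
        return self.sek[dev_id]

    def _kek_unicast(self, g):
        # KEK travels once per member, each copy protected by that member's SEK.
        return {m: wrap(self.sek[m], g["kek"]) for m in g["members"]}

    def create_group(self, gid, members):
        g = {"members": set(members), "kek": os.urandom(32), "tek": os.urandom(32)}
        self.groups[gid] = g
        return self._kek_unicast(g), wrap(g["kek"], g["tek"])

    def rotate_tek(self, gid):
        # Periodic update: one multicast message, TEK protected by the KEK.
        g = self.groups[gid]
        g["tek"] = os.urandom(32)
        return wrap(g["kek"], g["tek"])

    def remove_member(self, gid, dev_id):
        # Assumption: deleting a member replaces both KEK and TEK.
        g = self.groups[gid]
        g["members"].discard(dev_id)
        g["kek"], g["tek"] = os.urandom(32), os.urandom(32)
        return self._kek_unicast(g), wrap(g["kek"], g["tek"])

class Device:
    """Encryption device (group member) holding its SEK and the current KEK/TEK."""
    def __init__(self, dev_id, sek):
        self.id, self.sek, self.kek, self.tek = dev_id, sek, None, None

    def on_kek(self, unicast):
        self.kek = unwrap(self.sek, unicast[self.id])

    def on_tek(self, multicast):
        self.tek = unwrap(self.kek, multicast)  # fails if our KEK is stale

def demo():
    kmc = KMC()
    # Constructed device names, not taken from the patent.
    devs = {n: Device(n, kmc.register(n)) for n in ("enc-a", "enc-b", "enc-c")}
    kek_msgs, tek_msg = kmc.create_group("g1", devs)
    for d in devs.values():
        d.on_kek(kek_msgs)
        d.on_tek(tek_msg)
    result = {"shared_tek": len({d.tek for d in devs.values()}) == 1}
    # Member deletion: enc-c gets no KEK copy, so the multicast TEK is opaque to it.
    kek_msgs, tek_msg = kmc.remove_member("g1", "enc-c")
    for name in ("enc-a", "enc-b"):
        devs[name].on_kek(kek_msgs)
        devs[name].on_tek(tek_msg)
    try:
        devs["enc-c"].on_tek(tek_msg)
        result["removed_locked_out"] = False
    except ValueError:
        result["removed_locked_out"] = True
    traffic = wrap(devs["enc-a"].tek, b"group policy data")
    result["members_talk"] = unwrap(devs["enc-b"].tek, traffic) == b"group policy data"
    return result

if __name__ == "__main__":
    print(demo())
```

The KEK costs one unicast message per member while a TEK update costs a single multicast message, which is why the periodic key sits at the bottom of the hierarchy.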
The local status monitoring module collects the running status of each unit, checks the integrity of critical data, and triggers an alarm on an abnormal state.
The management module includes a KMC management unit and a log maintenance unit. The KMC management unit provides WEB-based management and maintenance functions for the parameter configuration and operation management of the key management center. The log maintenance unit collects the operation information, status information and maintenance information generated while the key management center runs, and forms log records for easy retrieval and query.
The key management control terminal includes a credit card information input module and a PKI distribution module; the key management control terminal is a key management console.
The security management center includes an asset management module, a configuration management module and a system management module. The asset management module mainly describes and defines information assets and classifies and registers assets according to the basic situation of the organization. Asset management is one of the cores of the system and the basis for all other security operation management work. The asset management module includes an asset information collection unit, an asset information management unit, an owner information management unit and an asset topology management unit. The asset information collection unit helps the administrator collect and enter asset data and build the asset model, by automatic collection or by manual entry. The asset information management unit helps the administrator display asset information and search, modify and delete assets according to different attributes. The owner information management unit is used to create, maintain and manage the information of the persons responsible for assets; the responsible persons are mainly the management personnel who need to be responsible for the assets. The asset topology management unit collects and builds the asset network topology information, maintains it periodically, displays the asset topology in real time, and supports interactive maintenance of the asset topology.

The configuration management module is used to configure the functions of the assets and set their function information. It helps the network administrator monitor the key information of the encrypted communication network, manage the key devices of the encrypted network, maintain key cryptographic parameters (AES and parameters), and formulate, issue and revoke group cipher policies. The configuration management module includes a group information management unit, a group member information management unit, a group policy management unit and an encryption device status monitoring unit. The group information management unit helps the administrator obtain the detailed parameters of all or some of the encryption groups in the group encryption network. The group member information management unit mainly helps the administrator obtain and understand the corresponding key information from the perspective of group members. The group policy management unit helps the network administrator use the interface provided by the security management center to issue group policy instructions to the group key server (KMC); while executing the group policy, the KMC passes the group policy instruction on to the specified group members, so that the cryptographic system completes the update of its organizational structure or cryptographic parameters as instructed by the network administrator. The encryption device status monitoring unit monitors the running status of the key management center KMC and of the group members. The key management center KMC is the key management device, and the group members are the encryption devices.

The encryption device is a high-speed encryption module that can be embedded directly in existing network equipment such as core switches and routers and undertakes all password-related security services and functions. The encryption module is divided into two independent channels, left and right, each of which can process 20 Gbps of service data. Each channel provides an independent service interface, management interface and authentication interface; the two channels share one configuration interface. The encryption module is entirely independently developed. The internal hardware of the 40G encryption module is divided into three parts: the channel 0 data processing part, the channel 1 data processing part, and the part common to both channels. The channel 0/1 data processing part consists of a data processing unit, an Ethernet PHY, a data cache SRAM, a security chip and an expansion module; the common part consists of a CPLD, an ARM microcontroller and a FLASH memory.

The key management device is the KMC, which consists of 4 core modules: the device control management module, the algorithm processing and key management module, the communication processing module, and the local status monitoring and management module. Through a security-customized Linux system kernel, dedicated drivers, and cryptographic service and management modules, it implements identity verification, networking and control management of the cipher machines, as well as management and online dynamic distribution of all types of keys across the whole network.
The information feedback management center includes the status monitoring module, the statistical analysis module and the system management module. Through efficient traffic analysis, the status monitoring module helps the network administrator keep track in real time of the various kinds of communication traffic in the backbone network and their scale, and detect and locate abnormal traffic in time. The status monitoring module includes a flow information collection unit, a traffic statistics analysis unit, a flow information display unit and an abnormal traffic alarm unit. The flow information collection unit interfaces with the various mainstream traffic standards in the industry to obtain the relevant flow information data from network devices, and applies certain formatting to it for use in further statistical analysis. The traffic statistics analysis unit uses DFI statistical analysis technology to perform in-depth analysis and detection on the collected categories of data. The flow information display unit presents the results of the traffic statistics analysis unit to the network administrator in a reasonable display manner, including charts of various periods and types, to assist the network administrator in daily traffic monitoring. The abnormal traffic alarm unit reports suspicious abnormal traffic found during traffic statistics analysis to the network administrator in a reasonable manner, so that the network administrator learns of it in time and takes measures.
The statistical analysis module is connected to the status monitoring module and performs security statistical analysis on the data returned by the status monitoring module. The statistical analysis module collects security events related to operational risk in network devices, comprehensively analyzes the security operation risks that may exist in the network, and raises alarms, helping the network administrator locate and investigate device operation risks and ensuring that the whole network runs smoothly. The statistical analysis module includes a performance alarm management unit, a fault alarm management unit, a comprehensive correlation analysis unit and a security risk alarm unit. The performance alarm management unit collects abnormal events related to network device performance in the network device units and passes them to the security risk alarm unit for alarming. The fault alarm management unit collects network device fault events in the network device units and passes them to the security risk alarm unit for alarming. The comprehensive correlation analysis unit obtains suspicious risk events by SYSLOG and SNMP, merges them with an aggregation engine, analyzes them comprehensively with a correlation analysis engine, and finally notifies the security risk alarm unit of the analysis result. The security risk alarm unit mainly turns the security risks generated by the performance alarm management unit, the fault alarm management unit and the comprehensive correlation analysis unit into prompts, analysis reports and alarms, and notifies the relevant network administrators and responsible persons so that the risks can be investigated in time. The system management module monitors the information of administrators and administrator roles and keeps logs of operations performed after logging in to the system.
The embodiment described above is only one preferred specific embodiment of the present invention; the usual changes and substitutions made by those skilled in the art within the scope of the technical solution of the present invention shall all fall within the scope of protection of the present invention.

Claims (10)

1. A security management and information feedback system based on the GDOI protocol, characterized in that the system comprises encrypting asset device information by means of an encryption device, performing control management of the encryption device, and performing security management and feedback regulation on the asset devices encrypted by the encryption device.
2. The system according to claim 1, characterized in that the system includes a high-speed encryption module, a key management center, a key management control terminal, a security management center and an information feedback management center, wherein:
a high-speed encryption module, the high-speed encryption module being used to provide a dual-channel encryption method for asset device information and encryption devices;
a key management center, the key management center being used for local identity authentication of encryption devices, encryption protection of stored data, and identity key management of the encryption devices across the whole network;
a key management control terminal, the key management control terminal being used for the input of key information and the distribution of the identity public key of the key management center in the offline state;
a security management center, the security management center describing, defining, classifying and registering asset devices, and configuring the functions and setting the function information of the encryption devices and the key management center associated with the asset devices;
an information feedback management center, the information feedback management center being used to monitor the real-time status of asset devices and encryption devices and to perform security management and feedback regulation according to the monitored situation.
3. The system according to claim 2, characterized in that the encryption module includes a first processing channel, a second processing channel and a shared module; the first processing channel and the second processing channel are each provided with an independent user information input interface, management information input interface and authentication interface; the shared module receives the key information and verification information entered by the user through the user information input interface, receives the operation information of management personnel through the management information input interface, and receives the verification information of management personnel through the authentication interface.
4. The system according to claim 3, characterized in that the shared module includes a control center unit, an editing integrated unit, a flash memory unit and a configuration interface, and the first processing channel and the second processing channel each further include a data processing unit, a data cache unit, an authentication unit, a micro-control unit and an expansion unit, wherein:
a control center unit, the control center unit being used to process the configuration operation commands of management personnel received through the management information input interface;
an editing integrated unit, the editing integrated unit being used to convert all operation commands in the control center unit into digital information through logic editing and digital integration;
a flash memory unit, the flash memory unit being used to cache key information and verification information;
a data processing unit, the data processing unit including block symmetric cipher operations and hash cipher operations, the block cipher operation encrypting data with the SM4 algorithm, and the hash cipher operation applying a HASH operation to the encrypted data with the SM3 algorithm;
an authentication unit, the authentication unit being used to provide digital signatures and digital signature verification; the micro-control unit receives the operation information of users and management personnel through the user information input interface and the management information input interface respectively, and sends it to the control center unit through the data processing unit.
5. The system according to claim 4, characterized in that the key management center includes a device management module, an algorithm processing module, a key management module, a communication processing module, a local status monitoring module and a comprehensive management module; the device management module includes a remote status query and monitoring unit, a group policy processing unit and an identity key management unit; the key management module includes a noise code processing unit, a local critical data storage protection unit, a session encryption key (SEK) management unit, a group policy key encryption key (KEK) management unit and a group policy transmission encryption working key (TEK) management unit; the communication processing module includes a security management communication interface unit, a GDOI protocol processing unit and a multicast communication processing unit; the management module includes a key management center management unit and a log maintenance unit.
6. The system according to claim 5, characterized in that the device management module is used for the management and status monitoring of the encryption devices across the whole network, the management of identity keys and the maintenance of group cipher policies; the algorithm processing module computes key information for the encryption devices with the SM2, SM3 and SM4 algorithms; the key management module is connected to the algorithm processing module and, through the SM2, SM3 and SM4 algorithms in the algorithm processing module, performs storage protection of local critical data and maintains and manages the whole-network session encryption keys, group policy key encryption keys and group policy transmission encryption working keys; the communication processing module implements the communication connection between the key management module and the key management control terminal, between the device management module and the key management control terminal, and between the key management module and the device management module; the communication processing module presents a unified GDOI protocol interface externally, and key distribution is carried out with the GDOI protocol; the local status monitoring module is used to collect the running status of the device management module, algorithm processing module, key management module, comprehensive management module and communication processing module, check the integrity of critical data, and trigger an alarm on an abnormal state; the comprehensive management module manages and maintains the device management module, algorithm processing module, key management module, communication processing module and local status monitoring module in a WEB-based manner, and records operation information, status information and maintenance information to form logs; the remote status query and monitoring unit is used to collect and monitor the running status of the encryption devices; the group policy processing unit is used to maintain group policy information, including adding and deleting the encryption device members of a group policy; the identity key management unit includes a key-injection key and an authentication key, the key-injection key being used for the initial injection of the key parameters of the encryption device, and the authentication key being used for local identity authentication when the encryption device starts; the noise code processing unit is used to obtain the noise data of the physical noise source and test it for randomness; the local critical data storage protection unit performs local identity authentication with the authentication key of the identity key management unit, obtains the storage protection key, and performs storage protection of local sensitive information; the session encryption key (SEK) management unit performs an IKE exchange with the encryption devices and maintains and manages the SEK keys between the encryption devices across the whole network; the group policy key encryption key (KEK) management unit updates and manages the whole-network KEK keys according to the group policy state of the device management module; the group policy transmission encryption working key (TEK) management unit maintains and manages TEK key data according to the group policy state and the key update period; the security management communication interface unit is used to parse and process the communication protocol between the key management module and the device management module, collect group policy information, and perform command parsing and information reporting for the device management module; the GDOI protocol processing unit is used to implement the communication connection between the key management control terminal and key management, and to establish and maintain the IKE SA, KEK SA and TEK SA according to the GDOI protocol; the multicast communication processing unit implements the communication connection between the device management module and the key management control terminal and distributes TEK keys by multicast; the key management center management unit performs parameter configuration and operation management of the units of the key management center in a WEB-based manner; the log maintenance unit is used to collect the operation information, status information and maintenance information of the units of the key management center and form log records for retrieval and query.
7. The management system according to claim 6, characterized in that the key management control terminal includes a credit card information input module and a PKI distribution module, and the key management control terminal is a key management console.
8. The system according to claim 7, characterized in that the security management center includes an asset management module and a configuration management module; the asset management module includes an asset information collection unit, an asset information management unit, an owner information management unit and an asset topology management unit; the configuration management module includes a group information management unit, a group member information management unit, a group policy management unit and an encryption device status monitoring unit, wherein:
an asset information collection unit, the asset information collection unit being used to help the administrator collect and enter asset data and build the asset model, the collection and entry of asset data including automatic collection and manual entry;
an asset information management unit, the asset information management unit being used to help the administrator display asset information and search, modify and delete assets according to different attributes;
an owner information management unit, the owner information management unit being used to create, maintain and manage the information of the persons responsible for assets, the responsible persons being the management personnel who need to be responsible for the assets;
an asset topology management unit, the asset topology management unit being used to collect and build the asset network topology and periodically maintain the asset network topology information, and to display the asset topology in real time and maintain it interactively;
a group information management unit, the group information management unit being used to help the administrator obtain the parameters of the key management devices of the assets in the group encryption network;
a group member information management unit, the group member information management unit being used to help the administrator obtain the information of the encryption devices of the assets from the perspective of group members;
a group policy management unit, the group policy management unit being used to issue group policy instructions to the key management center in the key management system; while executing the group policy, the key management center passes the group policy instruction on to the specified group members, so that the cryptographic system completes the task of updating its organizational structure or cryptographic parameters as instructed by the network administrator, the group members being the encryption devices;
an encryption device status monitoring unit, the encryption device status monitoring unit being used to monitor the running status of the key management center and the group members.
9. The system according to claim 8, characterized in that the information feedback management center includes a status monitoring module, a statistical analysis module and a system management module; the status monitoring module includes a flow information collection unit, a traffic statistics analysis unit, a flow information display unit and an abnormal traffic alarm unit; the statistical analysis management module includes a performance alarm management unit, a fault alarm management unit, a comprehensive correlation analysis unit and a security risk alarm unit, wherein:
a status monitoring module, the status monitoring module using traffic analysis to help the network administrator keep track in real time of the various kinds of communication traffic in the backbone network and their scale, and to detect and locate abnormal traffic in time;
a statistical analysis module, the statistical analysis module being connected to the status monitoring module and performing security statistical analysis on the data returned by the status monitoring module;
a system management module, the system management module being used to monitor the information of administrators and administrator roles and to keep logs of operations performed after logging in to the system.
10. The system according to claim 9, characterized in that the flow information collection unit interfaces with the various mainstream traffic standards in the industry, obtains the relevant flow information data from network devices, and applies certain formatting to it for use in further statistical analysis; the traffic statistics analysis unit uses DFI statistical analysis technology to perform in-depth analysis and detection on the collected categories of data; the flow information display unit presents the results of the traffic statistics analysis unit to the network administrator in a reasonable display manner to assist the network administrator in daily traffic monitoring, including displaying charts of various periods and types; the abnormal traffic alarm unit reports suspicious abnormal traffic found during traffic statistics analysis to the network administrator, so that the network administrator learns of it in time and takes measures; the performance alarm management unit is used to collect abnormal events related to network device performance in the network device units and pass them to the security risk alarm unit for alarming; the fault alarm management unit is used to collect network device fault events in the network device units and pass them to the security risk alarm unit for alarming; the comprehensive correlation analysis unit obtains suspicious risk events by SYSLOG and SNMP, merges them with an aggregation engine, analyzes them comprehensively with a correlation analysis engine, and finally notifies the security risk alarm unit of the analysis result; the security risk alarm unit mainly turns the security risks generated by the performance alarm management unit, the fault alarm management unit and the comprehensive correlation analysis unit into prompts, analysis reports and alarms, and notifies the relevant network administrators and responsible persons so that the risks can be investigated in time.
CN201610405991.0A 2016-06-10 2016-06-10 Safety management and information feedback system based on GDOI protocol Active CN105939353B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610405991.0A CN105939353B (en) 2016-06-10 2016-06-10 Safety management and information feedback system based on GDOI protocol

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201610405991.0A CN105939353B (en) 2016-06-10 2016-06-10 Safety management and information feedback system based on GDOI protocol

Publications (2)

Publication Number Publication Date
CN105939353A true CN105939353A (en) 2016-09-14
CN105939353B CN105939353B (en) 2022-03-25

Family

ID=57152663

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201610405991.0A Active CN105939353B (en) 2016-06-10 2016-06-10 Safety management and information feedback system based on GDOI protocol

Country Status (1)

Country Link
CN (1) CN105939353B (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111818517A (en) * 2020-06-16 2020-10-23 郑州信大捷安信息技术股份有限公司 Multi-channel secure communication module, communication system and method
CN113958377A (en) * 2020-07-03 2022-01-21 中国东方电气集团有限公司 Real-time online monitoring system and method for network security of steam turbine
CN114244900A (en) * 2021-12-14 2022-03-25 乾讯信息技术(无锡)有限公司 Remote security management method of VPN cipher machine based on unstable channel connection
CN114640880A (en) * 2020-11-30 2022-06-17 腾讯科技(深圳)有限公司 Account login control method, device and medium

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101150404A (en) * 2006-09-21 2008-03-26 国际商业机器公司 System and method for managing and generating device cipher key used for cipher communication
CN101212489A (en) * 2006-12-27 2008-07-02 财团法人工业技术研究院 Asset management monitoring method and switching device for asset management monitoring
CN101420686A (en) * 2008-11-28 2009-04-29 重庆邮电大学 Industrial wireless network security communication implementation method based on cipher key
CN103310278A (en) * 2013-06-17 2013-09-18 广东华大集成技术有限责任公司 Ticket application system based on cryptographic algorithm, ticket purchasing method and ticket management method
CN104038481A (en) * 2014-05-22 2014-09-10 国家电网公司 Communication method of power asset management master station system and RFID (radio frequency identification device) terminal

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
邱斌; 孟德欣; 汪志达: "Implementation scheme of an asset management data terminal based on the Android mobile phone platform", 《软件导刊》 (Software Guide) *

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111818517A (en) * 2020-06-16 2020-10-23 郑州信大捷安信息技术股份有限公司 Multi-channel secure communication module, communication system and method
CN111818517B (en) * 2020-06-16 2022-02-11 郑州信大捷安信息技术股份有限公司 Multi-channel secure communication module, communication system and method
CN113958377A (en) * 2020-07-03 2022-01-21 中国东方电气集团有限公司 Real-time online monitoring system and method for network security of steam turbine
CN113958377B (en) * 2020-07-03 2023-04-07 东方电气股份有限公司 Real-time online monitoring system and method for network security of steam turbine
CN114640880A (en) * 2020-11-30 2022-06-17 腾讯科技(深圳)有限公司 Account login control method, device and medium
CN114640880B (en) * 2020-11-30 2023-06-30 腾讯科技(深圳)有限公司 Account login control method, device and medium
CN114244900A (en) * 2021-12-14 2022-03-25 乾讯信息技术(无锡)有限公司 Remote security management method of VPN cipher machine based on unstable channel connection
CN114244900B (en) * 2021-12-14 2023-10-20 乾讯信息技术(无锡)有限公司 VPN cipher machine remote safety management method based on unstable channel connection

Also Published As

Publication number Publication date
CN105939353B (en) 2022-03-25

Similar Documents

Publication Publication Date Title
Xia et al. MeDShare: Trust-less medical data sharing among cloud service providers via blockchain
Hossain et al. FIF-IoT: A forensic investigation framework for IoT using a public digital ledger
CN111752795A (en) Full-process monitoring alarm platform and method thereof
CN110445827A (en) The method for managing security and security system of Sensor Network based on distributed account book technology
CN109729180A (en) Entirety is intelligence community platform
CN108830709A (en) A kind of crowdsourcing transaction system based on block chain
CN106341397A (en) Industrial safety isolation GAP
CN105939353A (en) Security management and information feedback system based on GDOI protocol
CN102111349A (en) Security certificate gateway
CN103560911A (en) Method and system for financial self-service equipment initiative preventive maintenance
CN106656792B (en) A kind of BGP routing trust authentication method based on SDN framework
CN111800267A (en) Password service support system with unified management
CN109951340A (en) It is a kind of to carry out the system and method that service call deposits card with block chain
CN105245336B (en) A kind of file encryption management system
CN116192704B (en) Monitoring system and method for network cipher machine
CN112311555A (en) Enterprise information monitoring and checking system and method
CN206364832U (en) One kind is based on safety management and information feedback system under GDOI agreements
CN105939354A (en) Large-scale network key management system based on GDOI protocol
CN206364833U (en) One kind is based on large scale network key management system under GDOI agreements
CN108600173A (en) A kind of distributed travelling wave ranging System and method for having cryptographic security
CN106230856A (en) A kind of System of Industrial Device Controls based on Internet of Things
CN208424434U (en) A kind of net interval is from exchange system
Li et al. Network Blockchain Security Sharing Model Based on Fuzzy Logic
CN106130752B (en) Large-scale network management system based on GDOI protocol
CN102567849B (en) A kind of comprehensive information-security audit method

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CP02 Change in the address of a patent holder

Address after: 100000 901, Floor 9, Building 7, Yard 8, Auto Museum East Road, Fengtai District, Beijing

Patentee after: BEIJING SHUDUN INFORMATION TECHNOLOGY CO.,LTD.

Address before: Room 101-502, 5 / F, building 10, courtyard 3, fengxiu Middle Road, Haidian District, Beijing 100083

Patentee before: BEIJING SHUDUN INFORMATION TECHNOLOGY CO.,LTD.