CN1889576A - Safety strategy setting method - Google Patents


Info

Publication number
CN1889576A
Authority
CN
China
Prior art keywords
security
security strategy
safe class
scene
algorithm
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN 200610103402
Other languages
Chinese (zh)
Other versions
CN100568879C (en)
Inventor
秦志光
陈剑勇
傅翀
廖煜
田野
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
ZTE Corp
Original Assignee
ZTE Corp
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by ZTE Corp
Priority to CNB200610103402XA
Publication of CN1889576A
Application granted
Publication of CN100568879C
Legal status: Active
Anticipated expiration

Landscapes

  • Mobile Radio Communication Systems (AREA)

Abstract

A method for setting a security policy: a security policy table is set up for each security element, and a security policy head table is set up in front of those tables. By determining the security level and the scene, the method locates the corresponding algorithm and protocol and applies them in the security service, which completes the policy setting. In the method, multiple services are abstracted into scenes; the security level and scene are the system's input, and the protocols and algorithms selected through the tables are the system's output.

Description

Security policy setting method
Technical field
The present invention relates to the fields of mobile communication and information security, and specifically to a method for setting a security policy.
Background technology
As the transmission capacity of mobile networks grows, the services built on multimedia transmission become increasingly varied. Different services serve different occasions, and different users have different security requirements, so a single security mechanism cannot satisfy the needs of multiple services. The problem must therefore be analysed from the angle of service demand, and a mechanism must be provided technically so that a given service can select an appropriate grade of security protection. On the other hand, in a mobile network the mobile security policy hides the low-level technical details and the complex security management operations from the user, so that the user can enjoy security services that are simple and easy to use. Through a mobile security policy control server, an operator can offer secure communication to users as a service and thereby open up a new field of value-added services. Users pay for high-grade security services, while low-grade security services are free or carry a small charge. In this way the operator turns its investment in security infrastructure and facilities into a profitable service while meeting users' differentiated security needs. The appearance of customisable, personalised mobile security services helps the spread of secure communication and may give rise to a large industry.
Mobile subscribers are becoming ever more widespread and the mobile terminal has become a popular product. Yet most users have limited security knowledge and find it hard to configure a security policy professionally on a mobile terminal. In this sense, a simple and intuitive security-level selection mechanism is needed that follows the different security requirements of different information. The user then flexibly selects a suitable security level for communication according to the communication requirements, which in turn requires the network to technically support security services of different grades.
Previous work on setting security levels mainly includes the following:
Patent WO03081932 proposes selecting the security level according to the user's geographical position in a mobile communication environment. Taking a division into two levels, high and low, as an example:
At the high security level the degree of protection is higher, and the user must enter identity or secure data more frequently.
At the low security level the degree of protection is lower; the user need only enter identity or secure data occasionally, or need not enter any authentication information at all.
Patent US6363150 proposes controlling the security level at the start of and during a call in an IP telephony service. The calling party can choose, from several security levels, a level that guarantees the privacy of the call, and can also change the security level of the current call during the call according to actual conditions; the charging system bills according to the level the user selects, and the rate rises as the security level rises. The user can change the security level in real time: during a call the user enters a suitable DTMF (Dual Tone Multi Frequency) sequence to switch to the required security level and is billed accordingly.
Patent EP1183818 proposes that a corresponding authentication mechanism must be provided when the security level changes from high to low. The system uses a mode indicator to show the security level in force. The security level can be raised so that a higher level of security is more easily enforced; to change from a higher to a lower level of security, however, an authentication method based on authentication codes is used to confirm the legitimacy of the change.
Each of the above patents addresses only one aspect of security-level setting: geographical position, encryption technology, or dynamic change of the security level. With the development of mobile networks, a comprehensive security-level setting method is needed.
Summary of the invention
The technical problem solved by the present invention is to provide a security policy setting method that determines the security algorithm and protocol according to the security level and the usage scene, and that determines the security algorithm and protocol under both a static and a dynamically customised security level.
The scheme of the present invention for realising the security policy setting method is:
Step 1: a security policy table is set up for each security element; its input layer consists of security level and scene, and its output layer is the algorithm and protocol. In front of the security policy tables of all security elements a security policy head table is set up; its input layer likewise consists of security level and scene, and its output layer is the entrance to the algorithm and protocol. The entrance of the security policy head table provides the link to an algorithm/protocol table element in a security policy table and uniquely yields the link to the corresponding cell of that table.
Step 2: the security level and the current scene are determined and used as the input conditions to query the security policy head table, which yields the entrance to the algorithm and protocol.
Step 3: following the entrance, the required algorithm and protocol are found in the security policy table of each security element.
Step 4: the algorithms and protocols found are applied in the security service, completing the security policy setting.
In the case of a static security level, the security level in step 2 is determined by the security level mandated for the service type.
In the case of a dynamic security level, the security level in step 2 can be selected and determined by the user before communicating.
The scene is determined according to the security requirement of each service.
According to the actual conditions under which the user uses the mobile network, the present invention abstracts multiple services in advance into scenes by their security requirements; the selected security level and scene are the system's input, and the selected protocols and algorithms are the system's output. The invention is aimed at the general security framework of communication networks, applies to many algorithms and protocols, and has good generality. With it, a practical application system can be configured securely and efficiently.
Description of drawings
Fig. 1 shows the structure of the security policy table used in the present invention;
Fig. 2 shows the structure of the security policy tables together with the security policy head table used in the present invention;
Fig. 3 is a schematic diagram of the procedure for collecting algorithms and protocols in the present invention;
Fig. 4 is a schematic diagram of collecting algorithms and protocols when the security level changes within the same scene in the present invention;
Fig. 5 is a schematic diagram of collecting algorithms and protocols when the scene changes under the same security level in the present invention.
Embodiment
The security policy division method of the present invention is realised through security policy tables. The ITU-T X.805 standard describes eight kinds of security measures that can resist all major security threats, called security elements: access control, authentication, data confidentiality, communication security, data integrity, non-repudiation, availability and privacy. One security policy table is set up per security element, according to the number of security elements, and a security policy head table is set up in front of the security policy tables of all security elements.
The security policy head table and the security policy tables of the present invention each consist of two layers: (1) the input layer, comprising security level and scene; (2) the output layer. The output of the security policy head table is the entrance to the algorithm and protocol, while the output of a security policy table is the algorithm and protocol itself. The relation between the two layers can be expressed as f(x, y) = z, where the independent variables x and y are the security level and the scene, the dependent variable z is the output, and the function f is the mapping from x and y to z.
The security policy head table of the present invention consists of: (1) the security level, which forms a row of the table; (2) the scene, which abstracts multiple services from the security viewpoint and forms a column of the table; (3) the entrance, stored in the corresponding cell of the table, which provides the entry point for collecting the security algorithms and protocols. Its input is the chosen security level and scene, and its output is the entrance to the algorithm and protocol.
The security level of the security policy head table defines the degree of protection for different security requirements.
The scene of the security policy head table is an abstraction of services from the security viewpoint: the security services of the services grouped into one scene share the same pattern and features.
The entrance of the security policy head table provides the link to an algorithm/protocol element in a security policy table; it is stored in a cell and, given the chosen security level and the current scene, uniquely yields the link to the corresponding cell of the security policy table.
The security policy table corresponding to each security element in the present invention consists of: (1) the security level, which forms a row of the table; (2) the scene, which forms a column of the table; (3) the algorithm and protocol, stored in the corresponding cell of the table.
The security level of the security policy table defines the degree of protection for different security requirements.
The scene of the security policy table is an abstraction of services from the security viewpoint: the security services of the services grouped into one scene share the same pattern and features.
The algorithm and protocol of the security policy table are a concrete algorithm and protocol stored in the cell; they directly determine the security of the communication. Given the chosen security level and the current scene, the table uniquely outputs the security algorithm and protocol to be adopted in the communication. At the same time, the cell also provides the link to the corresponding cell of the security policy table of the next security element.
(1) The procedure of the present invention for selecting algorithms and protocols in a concrete communication environment:
Step 1: the security level and the current scene are chosen.
Step 2: in the security policy head table, the system selects the row corresponding to the chosen security level.
Step 3: in the security policy head table, the system selects the column corresponding to the chosen current scene.
Step 4: the row and column determine the cell holding the entrance for collecting the algorithms and protocols.
Step 5: following the link in the entrance cell determined in the security policy head table, the system finds the corresponding cell in the security policy table of the first security element needed by the communication and collects the algorithm and protocol in that cell.
Step 6: following the link in the cell of the security policy table just found, the system finds the cell at the same row and column in the security policy table of the next security element needed by the communication and collects the algorithm and protocol in that cell.
Step 7: step 6 is repeated until all required algorithms and protocols have been collected.
Step 8: the algorithms and protocols are applied in the security service.
The method of the present invention for collecting security algorithms and protocols under a static security level is: the user does not select a security level before communicating; the system searches the security element tables according to the current scene and the security level mandated for the service type; the matching algorithms and protocols are delivered to the security network element; and the security network element applies them in the specific security service.
The method of the present invention for collecting security algorithms and protocols under a dynamic security level is: the user selects a security level before communicating; the system searches the security element tables according to the current scene and the security level the user selected for the service type; the matching algorithms and protocols are delivered to the security network element; and the security network element applies them in the specific security service.
The implementation of the technical scheme is described in further detail below with reference to the drawings:
A security policy table is set up for each security element, as shown in Fig. 1. Each row of the table is a security level and each column is a scene. Each cell (Grid) holds the algorithm and protocol for a particular security level and a particular scene; that algorithm and protocol serve the security service provided by the security element. Setting up one security policy table per security element makes management convenient: when an algorithm or protocol is upgraded or revised, only the security policy table of the security element concerned needs to be modified, not the algorithms of all security elements.
A security policy head table is added outside the security policy tables, as shown in Fig. 2. The head table provides a unified entry point when the system searches for algorithms and protocols; it has the same rows and columns as the security policy tables, and the search for the algorithms and protocols contained under any security level and any scene always begins from the head table. Security level and scene determine the entry position of the corresponding algorithms and protocols in the head table, and the security algorithms and protocols needed by the communication are contained in a singly linked list whose first node is a cell of the head table.
In the security policy tables, different security levels provide security services of different degrees to the user. Depending on the degree of security, the administrator can divide security levels in several ways, as shown in Fig. 3. One division uses four security levels: High, Medium, Low and Extending, where the Extending layer is defined by the service provider according to the local communication environment. The definitions of High, Medium and Low, from high to low, are the same for all users of the mobile network. In addition, to give users more precise control over the security level, each level may be subdivided more finely, for example High into the two sublayers Very High and High, or into more sublayers; too fine a division, however, increases the complexity of the user's choice.
When the user selects a security level and communicates, the system searches for the corresponding security algorithms and protocols according to the security level entered and the scene corresponding to the service. Step 31 shows that the user has selected the High security level service. Step 32 shows that the system identifies the service type as belonging to scene 1. From these two inputs the system finds the corresponding entry position in the security policy head table, namely Entrance 1.1. Step 33 shows that the pointer in node Entrance 1.1 points directly to Grid i.1.1, meaning that algorithm i.1.1 and protocol i.1.1 are to be used. Step 34 shows that the pointer contained in Grid i.1.1 in turn points directly to Grid j.1.1, meaning that algorithm j.1.1 and protocol j.1.1 are to be used. The algorithm and protocol in Grid j.1.1 belong to the last security element, so the pointer in Grid j.1.1 is null.
When the user dynamically changes the security level, the system must collect the algorithms and protocols again, as shown in Fig. 4. Step 41 shows that the user selected the High security level service before communicating. When, during communication, the user changes the security level from High to Low according to security needs, the system searches for the security algorithms and protocols again. Step 42 shows that the system identifies the service as belonging to scene 1. Step 43 shows that, within scene 1 of the security policy head table, the level changes from High to Low, and the algorithms and protocols needed under the Low security level are searched for from the corresponding entrance.
When the user's security level does not change but the scene changes, the system must collect the algorithms and protocols again, as shown in Fig. 5. Step 51 shows that before communicating the user selected security level High for the communication service, and the service used belongs to scene 1. When the user's communication scene changes from scene 1 to scene n, the system searches for the security algorithms and protocols again. Step 52 shows that under the High security level the scene changes from scene 1 to scene n, and the algorithms and protocols needed under scene n are searched for from the corresponding entrance.
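The lookup procedure described above (the head table entrance selected by row and column, the singly linked chain of per-element cells at the same row and column, the static versus dynamic choice of level, and re-collection when the level or the scene changes as in Figs. 4 and 5), as an added Python example that is not part of the patent or of any ZTE implementation. The element names follow X.805; the level and scene names, the algorithm/protocol identifiers, the service types and the mandated-level mapping are constructed sample data.

```python
"""Security policy head table and per-element policy tables indexed by
(security level, scene). Added illustration of the lookup procedure; every
table entry below is constructed sample data, not the patent's."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Key = Tuple[str, str]          # (security level, scene): the input layer of every table
Policy = Tuple[str, str, str]  # (security element, algorithm, protocol)


@dataclass
class Grid:
    """One cell of a security-element policy table."""
    algorithm: str
    protocol: str
    next_element: Optional[str]  # link to the next element's table; None ends the chain


class PolicyStore:
    """Head table plus one policy table per security element (X.805 dimension)."""

    def __init__(self) -> None:
        # Head table: (level, scene) -> entrance, i.e. the first element table to visit.
        self.head: Dict[Key, str] = {}
        # Per-element tables: element -> {(level, scene) -> Grid}; levels are rows, scenes columns.
        self.tables: Dict[str, Dict[Key, Grid]] = {}

    def add_chain(self, level: str, scene: str, chain: List[Policy]) -> None:
        """Fill the (level, scene) cell of every element table in `chain`, linking each
        cell to the next element's cell at the same row and column (a singly linked list)."""
        self.head[(level, scene)] = chain[0][0]
        for i, (element, algorithm, protocol) in enumerate(chain):
            nxt = chain[i + 1][0] if i + 1 < len(chain) else None
            self.tables.setdefault(element, {})[(level, scene)] = Grid(algorithm, protocol, nxt)

    def collect(self, level: str, scene: str) -> List[Policy]:
        """Steps 1-7 of the procedure: row and column select the entrance in the head
        table, then the links are followed through the element tables at the same key."""
        key = (level, scene)
        if key not in self.head:
            raise KeyError(f"no policy defined for level={level!r}, scene={scene!r}")
        collected: List[Policy] = []
        element: Optional[str] = self.head[key]
        while element is not None:  # a null pointer marks the last security element
            cell = self.tables[element][key]
            collected.append((element, cell.algorithm, cell.protocol))
            element = cell.next_element
        return collected


# Constructed: the level mandated for each service type (static case) and the
# scene each service type is abstracted into.
MANDATED_LEVEL = {"mobile_banking": "High", "voice_call": "Low"}
SERVICE_SCENE = {"mobile_banking": "scene1", "voice_call": "scene2"}


def collect_static(store: PolicyStore, service_type: str) -> List[Policy]:
    """Static security level: the user chooses nothing; the level mandated for the
    service type and the service's scene index the tables."""
    return store.collect(MANDATED_LEVEL[service_type], SERVICE_SCENE[service_type])


def collect_dynamic(store: PolicyStore, service_type: str, user_level: str) -> List[Policy]:
    """Dynamic security level: the user selects the level (before or during the call);
    the scene still follows the service type. A level or scene change is handled by
    collecting again with the new inputs, as in Figs. 4 and 5."""
    return store.collect(user_level, SERVICE_SCENE[service_type])


def build_sample_store() -> PolicyStore:
    """Three of the eight X.805 elements with constructed algorithm/protocol names."""
    store = PolicyStore()
    store.add_chain("High", "scene1", [
        ("authentication", "auth-alg-H1", "auth-proto-H1"),
        ("data_confidentiality", "conf-alg-H1", "conf-proto-H1"),
        ("data_integrity", "int-alg-H1", "int-proto-H1"),
    ])
    store.add_chain("Low", "scene1", [  # Low protects scene1 with fewer elements
        ("authentication", "auth-alg-L1", "auth-proto-L1"),
        ("data_confidentiality", "conf-alg-L1", "conf-proto-L1"),
    ])
    store.add_chain("High", "scene2", [
        ("authentication", "auth-alg-H2", "auth-proto-H2"),
        ("data_integrity", "int-alg-H2", "int-proto-H2"),
    ])
    store.add_chain("Low", "scene2", [("authentication", "auth-alg-L2", "auth-proto-L2")])
    return store


if __name__ == "__main__":
    s = build_sample_store()
    print("static mobile_banking:", collect_static(s, "mobile_banking"))
    print("High -> Low, same scene:", collect_dynamic(s, "mobile_banking", "Low"))  # Fig. 4
    print("scene1 -> scene2, same level:", s.collect("High", "scene2"))            # Fig. 5
```

Because every element table is keyed by the same (level, scene) pair, upgrading one element's algorithm touches only that element's table, which is the management benefit the text claims for one table per element; an undefined (level, scene) pair is rejected up front rather than silently returning an empty chain.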

Claims (4)

1. A security policy setting method, characterised in that the method comprises the following steps:
Step 1: a security policy table is set up for each security element; its input layer consists of security level and scene, and its output layer is the algorithm and protocol. In front of the security policy tables of all security elements a security policy head table is set up; its input layer likewise consists of security level and scene, and its output layer is the entrance to the algorithm and protocol. The entrance of the security policy head table provides the link to an algorithm/protocol table element in a security policy table and uniquely yields the link to the corresponding cell of that table.
Step 2: the security level and the current scene are determined and used as the input conditions to query the security policy head table, which yields the entrance to the algorithm and protocol.
Step 3: following the entrance, the required algorithm and protocol are found in the security policy table of each security element.
Step 4: the algorithms and protocols found are applied in the security service, completing the security policy setting.
2. The method of claim 1, characterised in that, in the case of a static security level, the security level in step 2 is determined by the security level mandated for the service type.
3. The method of claim 1, characterised in that, in the case of a dynamic security level, the security level in step 2 can be selected and determined by the user before communicating.
4. The method of any one of claims 1 to 3, characterised in that the scene is determined according to the security requirement of each service.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CNB200610103402XA CN100568879C (en) 2006-07-18 2006-07-18 Security policy setting method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CNB200610103402XA CN100568879C (en) 2006-07-18 2006-07-18 Security policy setting method

Publications (2)

Publication Number Publication Date
CN1889576A true CN1889576A (en) 2007-01-03
CN100568879C CN100568879C (en) 2009-12-09

Family

ID=37578833

Family Applications (1)

Application Number Title Priority Date Filing Date
CNB200610103402XA Active CN100568879C (en) 2006-07-18 2006-07-18 Security policy setting method

Country Status (1)

Country Link
CN (1) CN100568879C (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105488417A (en) * 2014-12-25 2016-04-13 哈尔滨安天科技股份有限公司 Method and system for realizing system security level division

Also Published As

Publication number Publication date
CN100568879C (en) 2009-12-09

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant