WO2017101447A1 - Security access method, apparatus and system - Google Patents



Publication number
WO2017101447A1
Authority
WO
WIPO (PCT)
Prior art keywords
communication device
certificate
whitelist
vendor
itself
Application number
PCT/CN2016/091615
Other languages
French (fr)
Chinese (zh)
Inventor
梁琳
Original Assignee
中兴通讯股份有限公司
Application filed by 中兴通讯股份有限公司
Publication of WO2017101447A1



Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/06 Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H04L 63/061 Network architectures or network communication protocols for network security for supporting key management in a packet data network for key exchange, e.g. in peer-to-peer networks
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/0823 Network architectures or network communication protocols for network security for authentication of entities using certificates
    • H04L 63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L 63/101 Access control lists [ACL]
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/04 Key management, e.g. using generic bootstrapping architecture [GBA]
    • H04W 12/06 Authentication
    • H04W 12/08 Access security

Definitions

  • This document relates to, but is not limited to, the field of mobile communication technologies, and in particular, to a secure access method, device and system.
  • PKI public key infrastructure
  • the PKI system supports identity authentication, integrity of information transmission and storage, confidentiality of message transmission and storage, and non-repudiation of operations.
  • many servers and functions need to be deployed, such as a CA (Certificate Authority) server, an RA (Registration Authority) server, and an LDAP (Lightweight Directory Access Protocol) server.
  • CA Certificate Authority
  • RA Registration Authority
  • LDAP Lightweight Directory Access Protocol
  • the embodiment of the invention provides a secure access method, device and system. Based on the PKI system architecture, the process of the PKI system can be simplified to the utmost extent on the basis of ensuring security.
  • An embodiment of the present invention provides a secure access method, which is applied to a first communications device, where the method includes:
  • if the certificate of the second communication device is in the whitelist stored by the first communication device itself, a secure channel is established with the second communication device; if the certificate of the second communication device is not in the whitelist stored by itself, no secure channel is established with the second communication device.
  • the first communication device is a base station, and the second communication device is a security gateway; or
  • the first communication device is a base station
  • the second communication device is a base station
  • it also includes:
  • the verifying the validity of the certificate of the second communications device by using its own PKI system includes:
  • the method further includes:
  • the embodiment of the invention further provides a security access device, which is applied to the first communication device, and the device includes:
  • the first certificate authentication module is configured to negotiate with the second communication device for identity authentication, and perform validity verification on the certificate of the second communication device by using the public key infrastructure PKI system;
  • a first whitelist check module configured to perform a whitelist check on the certificate of the second communication device after the certificate validity check of the second communication device is passed; if the certificate of the second communication device is in the whitelist stored by itself, a secure channel is established with the second communication device; if the certificate of the second communication device is not in the whitelist stored by itself, no secure channel is established with the second communication device.
  • the device further includes:
  • the first certificate management module is configured to obtain a device vendor certificate issued by the wireless transmission equipment vendor.
  • the device further includes:
  • the first whitelist management module is configured to synchronize with the network element management system, and update the whitelist stored by itself according to the whitelist information delivered by the network element management system.
  • the embodiment of the invention further provides a secure access method, which is applied to a second communication device, and the method includes:
  • if the device vendor certificate of the first communication device is in the whitelist stored by the second communication device itself, a secure channel is established with the first communication device; if the device vendor certificate of the first communication device is not in the whitelist stored by itself, no secure channel is established with the first communication device.
  • the first communications device is a base station
  • the second communications device is a security gateway
  • it also includes:
  • the certificate sent by the wireless transmission equipment vendor is obtained before the identity authentication is performed in the negotiation with the first communication device.
  • the method further includes:
  • Embodiments of the present invention also provide a computer readable storage medium storing computer executable instructions for performing any of the methods described above.
  • the embodiment of the present invention further provides a security access device, which is applied to a second communication device, where the device includes:
  • the second certificate authentication module is configured to perform identity verification with the first communication device, and perform validity verification on the device vendor certificate of the first communication device by using the public key infrastructure PKI system;
  • a second whitelist check module configured to perform a whitelist check on the device vendor certificate of the first communication device after the device vendor certificate validity check of the first communication device is passed; if the device vendor certificate of the first communication device is in the whitelist stored by itself, a secure channel is established with the first communication device; if the device vendor certificate of the first communication device is not in the whitelist stored by itself, no secure channel is established with the first communication device.
  • the device further includes:
  • the second certificate management module is configured to obtain a certificate issued by the wireless transmission equipment vendor.
  • the device further includes:
  • the second whitelist management module is configured to synchronize with the network element management system, and update the whitelist stored by itself according to the whitelist information delivered by the network element management system.
  • the embodiment of the invention further provides a security access system, including:
  • the first communication device is configured to negotiate identity authentication with the second communication device, and perform validity verification on the certificate of the second communication device by using its own public key infrastructure PKI system; after the certificate validity check of the second communication device is passed, perform a whitelist check on the certificate of the second communication device; if the certificate of the second communication device is in the whitelist stored by itself, establish a secure channel with the second communication device; if the certificate of the second communication device is not in the whitelist stored by itself, not establish a secure channel with the second communication device;
  • the second communication device is configured to perform identity verification with the first communication device, and perform validity verification on the device vendor certificate of the first communication device by using its own PKI system; after the device vendor certificate validity check of the first communication device is passed, perform a whitelist check on the device vendor certificate of the first communication device; if the device vendor certificate of the first communication device is in the whitelist stored by itself, establish a secure channel with the first communication device; if the device vendor certificate of the first communication device is not in the whitelist stored by itself, not establish a secure channel with the first communication device.
  • the first communication device only interacts with the second communication device and no longer interacts with one or more network elements in the PKI system, so fewer devices need to be managed and operated. From the perspective of resource conservation, asset cost and operation cost are saved; from the perspective of risk, unnecessary access security risks are reduced; based on the PKI system architecture, the process of the PKI system is simplified to the utmost extent while security is ensured.
  • FIG. 1 is a flowchart of a secure access method according to an embodiment of the present invention.
  • FIG. 2 is a structural block diagram of a security access device according to an embodiment of the present invention.
  • FIG. 3 is a flowchart of another method for secure access according to an embodiment of the present invention.
  • FIG. 4 is a structural block diagram of another secure access device according to an embodiment of the present invention.
  • FIG. 5 is a structural block diagram of a security access system according to an embodiment of the present invention.
  • FIG. 6 is a system framework diagram for transitioning from the related art to a technical solution of an embodiment of the present invention.
  • FIG. 7 is a schematic flowchart of establishing a secure tunnel in a basic PKI system according to an embodiment of the present invention.
  • FIG. 8 is a schematic diagram of signaling interaction of establishing a secure tunnel in a basic PKI system according to an embodiment of the present invention.
  • FIG. 9 is a schematic flowchart of a security access method according to another embodiment of the present invention.
  • the embodiments of the present invention address the related art, in which deployment of the PKI system is very complicated and installation, routine maintenance and later maintenance also incur very high costs, by providing a secure access method, device and system based on the PKI system architecture that simplifies the flow of the PKI system to the utmost while ensuring security.
  • This embodiment provides a secure access method, which is applied to a first communications device. As shown in FIG. 1 , the method includes:
  • Step 100 Negotiate with the second communication device for identity authentication, and perform validity verification on the certificate of the second communication device by using the public key infrastructure PKI system;
  • how to perform identity authentication with the second communication device may be implemented by using technology well known to those skilled in the art; it is not intended to limit the scope of protection of the embodiments of the present invention, and details are not described herein again.
  • Step 101 After the certificate validity verification of the second communication device is passed, perform whitelist verification on the certificate of the second communication device.
  • Step 102 If the certificate of the second communication device is in the whitelist stored by itself, establish a secure channel with the second communication device; if the certificate of the second communication device is not in the whitelist stored by itself, do not establish a secure channel with the second communication device.
  • how to establish a secure channel with the second communication device can be implemented by using a well-known technology (such as a secure channel establishment protocol, for example IKE), which does not limit the scope of protection of the embodiment of the present invention.
  • the first communication device only interacts with the second communication device, and the second communication device does not interact with any network element in the PKI system of the first communication device, so fewer devices need to be managed and operated. From the perspective of resource conservation, asset costs and operating costs are saved; from a risk perspective, unnecessary access security risks are reduced; based on the PKI system architecture, the process of the PKI system is simplified to the utmost extent while security is ensured.
  • the first communications device is a base station, and the second communications device is a security gateway; or
  • the first communication device is a base station
  • the second communication device is a base station
  • it also includes:
  • the verifying the validity of the certificate of the second communications device by using its own PKI system includes:
  • how to determine whether the second communication device uses a certificate chain under the same trust anchor can be implemented by using technology well known to those skilled in the art; it is not used to limit the protection scope of the embodiment of the present invention, and details are not described herein again.
  • the method further includes:
  • the embodiment also provides a security access device, which is applied to the first communication device.
  • the device includes:
  • the first certificate authentication module is configured to negotiate with the second communication device for identity authentication, and perform validity verification on the certificate of the second communication device by using the public key infrastructure PKI system;
  • a first whitelist check module configured to perform a whitelist check on the certificate of the second communication device after the certificate validity check of the second communication device is passed; if the certificate of the second communication device is in the whitelist stored by itself, establish a secure channel with the second communication device; if the certificate of the second communication device is not in the whitelist stored by itself, do not establish a secure channel with the second communication device.
  • the device further includes:
  • the first certificate management module is configured to obtain a device vendor certificate issued by the wireless transmission equipment vendor.
  • the device further includes:
  • the first whitelist management module is configured to synchronize with the network element management system, and update the whitelist stored by itself according to the whitelist information delivered by the network element management system.
  • the first communication device only interacts with the second communication device, and no longer interacts with one or more network elements in the PKI system, so fewer devices need to be managed and operated; from the perspective of resource conservation, asset costs and operating costs are saved; from the perspective of risk, unnecessary access security risks are reduced; based on the PKI system architecture, the PKI process is simplified to the utmost while security is ensured.
  • the embodiment further provides a secure access method, which is applied to the second communication device. As shown in FIG. 3, the method includes:
  • Step 300 Negotiate with the first communication device for identity authentication, and perform validity verification on the device vendor certificate of the first communication device by using the public key infrastructure PKI system;
  • how to perform identity authentication with the first communication device may be implemented by using techniques well known to those skilled in the art; it is not intended to limit the scope of protection of the embodiments of the present invention, and details are not described herein again.
  • the method of verifying the validity of the device vendor certificate of the first communication device by using its own PKI system may be implemented by using technology well known to those skilled in the art, and is not intended to limit the scope of protection of the embodiments of the present invention.
  • Step 301 After the device vendor certificate validity check of the first communication device is passed, perform whitelist verification on the device vendor certificate of the first communication device.
  • Step 302 If the device vendor certificate of the first communication device is in the whitelist stored by itself, establish a secure channel with the first communication device; if the device vendor certificate of the first communication device is not in the whitelist stored by itself, do not establish a secure channel with the first communication device.
  • the first communication device only interacts with the second communication device, and the first communication device does not interact with any network element in the PKI system of the second communication device, so fewer devices need to be managed and operated. From the perspective of resource conservation, asset costs and operating costs are saved; from a risk perspective, unnecessary access security risks are reduced; based on the PKI system architecture, the process of the PKI system is simplified to the utmost extent while security is ensured.
  • the PKI system of the first communication device and the PKI system of the second communication device may be two mutually independent PKI systems, or may be a unified PKI system.
  • the first communications device is a base station
  • the second communications device is a security gateway
  • it also includes:
  • the certificate sent by the wireless transmission equipment vendor is obtained before the identity authentication is performed in the negotiation with the first communication device.
  • the method further includes:
  • Embodiments of the present invention also provide a computer readable storage medium storing computer executable instructions for performing any of the methods described above.
  • the embodiment further provides a security access device, which is applied to the second communication device.
  • the device includes:
  • the second certificate authentication module is configured to perform identity verification with the first communication device, and perform validity verification on the device vendor certificate of the first communication device by using the public key infrastructure PKI system;
  • a second whitelist check module configured to perform a whitelist check on the device vendor certificate of the first communication device after the device vendor certificate validity check of the first communication device is passed; if the device vendor certificate of the first communication device is in the whitelist stored by itself, establish a secure channel with the first communication device; if the device vendor certificate of the first communication device is not in the whitelist stored by itself, do not establish a secure channel with the first communication device.
  • the first communication device only interacts with the second communication device, and no longer interacts with one or more network elements in the PKI system, so fewer devices need to be managed and operated; from the perspective of resource conservation, asset costs and operating costs are saved.
  • the device further includes:
  • the second certificate management module is configured to obtain a certificate issued by the wireless transmission equipment vendor.
  • the device further includes:
  • the second whitelist management module is configured to synchronize with the network element management system, and update the whitelist stored by itself according to the whitelist information delivered by the network element management system.
  • This embodiment provides a security access system, as shown in FIG. 5, including:
  • the first communication device is configured to negotiate identity authentication with the second communication device, and perform validity verification on the certificate of the second communication device by using its own public key infrastructure PKI system; after the certificate validity check of the second communication device is passed, perform a whitelist check on the certificate of the second communication device; if the certificate of the second communication device is in the whitelist stored by itself, establish a secure channel with the second communication device; if the certificate of the second communication device is not in the whitelist stored by itself, not establish a secure channel with the second communication device;
  • the second communication device is configured to perform identity verification with the first communication device, and perform validity verification on the device vendor certificate of the first communication device by using its own PKI system; after the device vendor certificate validity check of the first communication device is passed, perform a whitelist check on the device vendor certificate of the first communication device; if the device vendor certificate of the first communication device is in the whitelist stored by itself, establish a secure channel with the first communication device; if the device vendor certificate of the first communication device is not in the whitelist stored by itself, not establish a secure channel with the first communication device.
  • the first communication device only interacts with the second communication device, and no longer interacts with one or more network elements in the PKI system, so fewer devices need to be managed and operated; from the perspective of resource conservation, asset costs and operating costs are saved.
  • FIG. 6 is a system framework diagram for transitioning from the related art to the technical solution of the embodiment of the present invention. It can be seen that the complexity of the PKI system is simplified in this embodiment.
  • the wireless transmission equipment vendor presets the device vendor certificate in the base station when the equipment leaves the factory, with a customizable validity period (which may exceed the lifetime of the base station itself); the device vendor certificate is managed and maintained by the equipment vendor's PKI system, and the status of the certificate can be updated periodically, or a certificate revocation list (CRL) can be used to maintain the status of the certificate.
  • CRL certificate revocation list
  • the security gateway (IPsecGW) and the base station perform IKE (Internet Key Exchange) negotiation for identity authentication
  • the device vendor certificate of the base station is verified for validity. It can be done by the PKI system of IPsecGW.
  • the device vendor certificate of the base station is checked against the whitelist: if the device vendor certificate information of the base station is in the whitelist of the IPsecGW, the base station is allowed to access; if the device vendor certificate information of the base station is not in the IPsecGW whitelist, the base station access is denied.
  • the base station and the IPsecGW perform IKE negotiation for identity authentication and verify the validity of the IPsecGW certificate, the verification being completed by the PKI system of the base station. After the base station has checked the IPsecGW certificate, the IPsecGW certificate is checked against the whitelist: if the IPsecGW certificate information is in the whitelist of the base station, the IPsec tunnel with the IPsecGW is allowed to be established; if the IPsecGW certificate information is not in the whitelist of the base station, establishment of the IPsec tunnel is refused.
  • the whitelist information is the CN (common name) content of the certificate file.
  • the whitelist is not limited to the CN value; the device identifier (ID, Identity) or the certificate alias (subject alternative name, SAN) can also be used.
  • ID device identifier
  • SAN certificate alias (subject alternative name)
  • the whitelist of the base station can be added, deleted, or modified in a single or batch manner on the network element management system (NEMS).
  • the whitelist on the NEMS is synchronized with the whitelist on the base station according to a preset time period.
  • the base station may also modify, delete, or add the whitelist stored by itself through the command line; if there is a change in the whitelist on the NEMS, the NEMS shall automatically update the whitelist to all connected base stations.
  • the technical solution of the embodiment saves asset costs and operation costs from the viewpoint of resource conservation: the network elements that need to be managed and operated are reduced, such as the CA server, RA server and LDAP server required in a PKI system, and devices no longer need to interact with the PKI system (for example, a device such as a base station does not need to implement the CMP protocol). From a risk perspective, unnecessary access security risks are reduced.
  • Figure 7 and Figure 8 show the process of establishing a secure tunnel in a basic PKI system, including the following steps:
  • the equipment vendor PKI system issues (pre-set) the equipment vendor certificate to the base station;
  • the base station uses the equipment vendor certificate to apply for an operator certificate from the operator PKI system
  • the security gateway applies for a certificate from the carrier PKI system
  • the base station performs IKE negotiation with the security gateway using the carrier certificate. How to perform IKE negotiation with the security gateway using the carrier certificate can be implemented by using techniques well known to the person skilled in the art; this is not used to limit the protection scope of the embodiment of the present invention, and is not described further.
  • the security gateway verifies the validity of the equipment vendor certificate of the base station
  • the security gateway verifies that the access base station is in the white list
  • the IKE negotiation between the two parties is successful, and the base station performs secure data communication through the security gateway and the core network.
  • the embodiment of the present invention does not need to deploy an operator PKI system, and only the device vendor deploys the PKI system.
  • the secure access method in this embodiment includes the following steps:
  • the equipment vendor PKI system issues a (pre-set) equipment vendor certificate to the base station, which is maintained by the certificate management module of the base station;
  • the device vendor PKI system issues a certificate to the security gateway
  • the base station performs IKE negotiation with the security gateway using the carrier certificate;
  • the security gateway verifies the validity of the equipment vendor certificate of the base station
  • the security gateway verifies that the access base station is in the white list
  • the base station verifies the validity of the certificate of the security gateway
  • the IKE negotiation between the two parties is successful, and the base station performs secure data communication through the security gateway and the core network.
  • the equipment provider sends the base station identifier (CN or SAN or ID, including but not limited to these values) to the security gateway of the operator's operation and maintenance, so that the IPsecGW can establish a whitelist.
  • after the base station is deployed to the carrier network, it is operated by the NEMS.
  • the whitelist of the devices in the commercial network that need to establish communication with the base station is advertised to the base station, and is managed by the whitelist management module of the base station.
  • the whitelist management module of the base station adds, deletes, and modifies the whitelist of the base station according to requirements; after the base station's whitelist check module and certificate authentication module have successfully authenticated the IPsecGW, the two parties establish a secure channel for secure data interaction.
  • the equipment vendor PKI system issues a (pre-set) equipment vendor certificate to the base station, which is maintained by the certificate management module of the base station;
  • after the base station is deployed to the carrier network, the NEMS advertises to the base station the whitelist of the carrier network devices that need to establish communication with the base station, and the whitelist is managed by the whitelist management module of the base station.
  • the whitelist content of the base station is the base station identifier (CN or SAN or ID, including but not limited to these values);
  • the whitelist management module of the base station adds, deletes, and modifies the whitelist of the base station according to requirements
  • the two parties After the base station successfully authenticates between the whitelist check module and the certificate authentication module and the base station, the two parties establish a secure channel for secure data interaction.
  • the two devices may install the trust anchors of the different equipment vendors' PKI systems, with the base station automatically selecting the certificate used for authentication; or the two devices may install cross-certificates between the different equipment vendors' PKI systems.
  • the base station deploys and installs a cross-certificate in P7 format through its certificate management module.
  • the P7-format cross-certificate deployed through the certificate management module contains the cross-certificate chain up to the trust anchor;
  • the base station configures the certificate used for IKE negotiation.
  • the base station and the peer negotiating device negotiate in certificate authentication mode.
  • the certificate authentication module of the base station checks whether the peer device and the base station use a certificate chain with the same trust anchor; if so, the certificate chain is authenticated directly;
  • if the certificate authentication module finds that the peer device and the base station do not share the same trust anchor, it searches the already deployed cross-certificate chains for a matching cross-certificate P7 list;
  • after the certificate has been verified, the base station invokes the whitelist check module to check whether the peer device is permitted by the whitelist.
  • the modules may be implemented in software for execution by one or more types of processors.
  • an identified executable code module may comprise one or more physical or logical blocks of computer instructions, which may be organized, for example, as an object, procedure or function. The executable code of an identified module need not be physically located together; it may consist of different instructions stored at different physical locations which, when logically combined, constitute the module and achieve its stated purpose.
  • an executable code module may be a single instruction or many instructions, and may even be distributed across several different code segments, among different programs and across multiple memory devices.
  • operational data may be identified within the modules and may be implemented in any suitable form and organized within any suitable type of data structure. The operational data may be collected as a single data set, or distributed across different locations (including different storage devices), and may exist at least partially as an electronic signal on a system or network.
  • given the state of current hardware technology, a module may be implemented in software; without regard to cost, a technician could equally construct a corresponding hardware circuit to implement the same function.
  • such hardware circuitry includes conventional Very Large Scale Integration (VLSI) circuits or gate arrays, as well as existing semiconductors such as logic chips, transistors or other discrete components.
  • the modules may also be implemented with programmable hardware devices such as field programmable gate arrays, programmable array logic, programmable logic devices and the like.
  • the sequence numbers of the steps are not used to limit the order of the steps.
  • changing the order of the steps without creative effort also falls within the scope of the invention.
  • each module/unit in the foregoing embodiments may be implemented in hardware, for example as an integrated circuit implementing its function, or as a software function module, for example a processor executing a program or instructions stored in a storage medium to achieve its function.
  • the invention is not limited to any specific combination of hardware and software.
  • the above technical solution is based on the PKI system architecture and, while ensuring security, simplifies the PKI process as far as possible.

Abstract

Disclosed are a security access method, apparatus and system, which relate to the technical field of communications. The security access method comprises: negotiating with a second communication device to perform identity authentication, and using its own PKI system to perform legitimacy verification on a certificate of the second communication device; after the legitimacy verification on the certificate of the second communication device is passed, performing white list verification on the certificate of the second communication device; if the certificate of the second communication device is in a white list stored thereby, establishing a security channel with the second communication device; and if the certificate of the second communication device is not in the white list stored thereby, not establishing a security channel with the second communication device.

Description

Security access method, apparatus and system
Technical field
This document relates to, but is not limited to, the field of mobile communication technology, and in particular to a secure access method, apparatus and system.
Background
With the continuing growth of network and data services, security problems have become increasingly complex. They are no longer confined to firewalls and routers, but also concern how to protect information and services that must be safeguarded while still being made accessible to others. It is well known that the security of a single system is very hard to manage and control, whereas a controlled boundary is a manageable concept: a person or system establishes a private link from the internal system to the Internet.
PKI (public key infrastructure) is an internationally adopted framework for meeting the information security needs of open, interconnected networks. A PKI system supports identity authentication, the integrity of information in transmission and storage, the confidentiality of messages in transmission and storage, and non-repudiation of operations. In the PKI systems commonly used in the industry today, many servers and functions must be deployed, such as a CA (Certificate Authority) server, an RA (Registration Authority) server and an LDAP (Lightweight Directory Access Protocol) server, and for secure deployment these servers are generally deployed in a dual-machine (redundant) configuration. Deploying a PKI system is therefore very complex today, and installation, routine and later maintenance also incur very high costs.
Summary of the invention
The following is an overview of the subject matter described in detail in this document. This summary is not intended to limit the scope of protection of the claims.
Embodiments of the invention provide a secure access method, apparatus and system which, based on the PKI system architecture, simplify the PKI process as far as possible while ensuring security.
An embodiment of the invention provides a secure access method applied to a first communication device, the method comprising:
negotiating identity authentication with a second communication device, and verifying the legality of the certificate of the second communication device using the first communication device's own public key infrastructure (PKI) system;
after the legality verification of the certificate of the second communication device passes, performing a whitelist check on the certificate of the second communication device;
if the certificate of the second communication device is in the whitelist stored by the first communication device, establishing a secure channel with the second communication device; if the certificate of the second communication device is not in the stored whitelist, not establishing a secure channel with the second communication device.
Optionally, the first communication device is a base station and the second communication device is a security gateway; or
the first communication device is a base station and the second communication device is a base station.
Optionally, the method further comprises:
before negotiating identity authentication with the second communication device, obtaining an equipment vendor certificate issued by the wireless transmission equipment vendor.
Optionally, verifying the legality of the certificate of the second communication device using the first communication device's own PKI system comprises:
determining whether the second communication device uses a certificate chain with the same trust anchor as the first communication device; if so, authenticating the certificate chain directly; if not, searching the deployed cross-certificate chains for a matching cross-certificate P7 chain and authenticating with it.
Optionally, the method further comprises:
synchronizing with a network element management system, and updating the locally stored whitelist according to the whitelist information delivered by the network element management system.
An embodiment of the invention further provides a secure access apparatus applied to a first communication device, the apparatus comprising:
a first certificate authentication module, configured to negotiate identity authentication with a second communication device and verify the legality of the certificate of the second communication device using the first communication device's own public key infrastructure (PKI) system;
a first whitelist check module, configured to perform a whitelist check on the certificate of the second communication device after its legality verification passes; if the certificate of the second communication device is in the locally stored whitelist, to establish a secure channel with the second communication device, and if it is not in the locally stored whitelist, not to establish a secure channel with the second communication device.
Optionally, the apparatus further comprises:
a first certificate management module, configured to obtain an equipment vendor certificate issued by the wireless transmission equipment vendor.
Optionally, the apparatus further comprises:
a first whitelist management module, configured to synchronize with a network element management system and update the locally stored whitelist according to the whitelist information delivered by the network element management system.
An embodiment of the invention further provides a secure access method applied to a second communication device, the method comprising:
negotiating identity authentication with a first communication device, and verifying the legality of the equipment vendor certificate of the first communication device using the second communication device's own public key infrastructure (PKI) system;
after the legality verification of the equipment vendor certificate of the first communication device passes, performing a whitelist check on the equipment vendor certificate of the first communication device;
if the equipment vendor certificate of the first communication device is in the whitelist stored by the second communication device, establishing a secure channel with the first communication device; if the equipment vendor certificate of the first communication device is not in the stored whitelist, not establishing a secure channel with the first communication device.
Optionally, the first communication device is a base station and the second communication device is a security gateway.
Optionally, the method further comprises:
before negotiating identity authentication with the first communication device, obtaining a certificate issued by the wireless transmission equipment vendor.
Optionally, the method further comprises:
synchronizing with a network element management system, and updating the locally stored whitelist according to the whitelist information delivered by the network element management system.
An embodiment of the invention further provides a computer-readable storage medium storing computer-executable instructions for performing any of the methods described above.
An embodiment of the invention further provides a secure access apparatus applied to a second communication device, the apparatus comprising:
a second certificate authentication module, configured to negotiate identity authentication with a first communication device and verify the legality of the equipment vendor certificate of the first communication device using the second communication device's own public key infrastructure (PKI) system;
a second whitelist check module, configured to perform a whitelist check on the equipment vendor certificate of the first communication device after its legality verification passes; if the equipment vendor certificate of the first communication device is in the locally stored whitelist, to establish a secure channel with the first communication device, and if it is not in the locally stored whitelist, not to establish a secure channel with the first communication device.
Optionally, the apparatus further comprises:
a second certificate management module, configured to obtain a certificate issued by the wireless transmission equipment vendor.
Optionally, the apparatus further comprises:
a second whitelist management module, configured to synchronize with a network element management system and update the locally stored whitelist according to the whitelist information delivered by the network element management system.
An embodiment of the invention further provides a secure access system, comprising:
a first communication device, configured to negotiate identity authentication with a second communication device, verify the legality of the certificate of the second communication device using its own public key infrastructure (PKI) system, perform a whitelist check on that certificate after the legality verification passes, establish a secure channel with the second communication device if the certificate is in the whitelist stored by the first communication device, and not establish a secure channel with the second communication device if it is not;
a second communication device, configured to negotiate identity authentication with the first communication device, verify the legality of the equipment vendor certificate of the first communication device using its own PKI system, perform a whitelist check on that equipment vendor certificate after the legality verification passes, establish a secure channel with the first communication device if the equipment vendor certificate is in the whitelist stored by the second communication device, and not establish a secure channel with the first communication device if it is not.
Embodiments of the invention have the following beneficial effects:
In the above solution the first communication device interacts only with the second communication device and no longer with one or more network elements of the PKI system, so fewer devices need to be managed and operated. In terms of resources this saves asset and operating costs; in terms of risk it removes unnecessary access security risks; and, building on the PKI system architecture, it simplifies the PKI process as far as possible while ensuring security.
Other aspects will become apparent upon reading and understanding the drawings and the detailed description.
Brief description of the drawings
FIG. 1 is a flowchart of a secure access method according to an embodiment of the invention;
FIG. 2 is a structural block diagram of a secure access apparatus according to an embodiment of the invention;
FIG. 3 is a flowchart of another secure access method according to an embodiment of the invention;
FIG. 4 is a structural block diagram of another secure access apparatus according to an embodiment of the invention;
FIG. 5 is a structural block diagram of a secure access system according to an embodiment of the invention;
FIG. 6 is a system framework diagram of the transition from the related art to the technical solution of an embodiment of the invention;
FIG. 7 is a schematic flowchart of secure tunnel establishment under a basic PKI system according to an embodiment of the invention;
FIG. 8 is a schematic diagram of the signaling interaction for secure tunnel establishment under a basic PKI system according to an embodiment of the invention;
FIG. 9 is a schematic flowchart of a secure access method according to another embodiment of the invention.
Embodiments of the invention
A detailed description is given below with reference to the accompanying drawings and specific embodiments.
The embodiments of the invention address the problem in the related art that deploying a PKI system is very complex and that installation, routine and later maintenance incur very high costs. They provide a secure access method, apparatus and system which, based on the PKI system architecture, simplify the PKI process as far as possible while ensuring security.
Embodiment 1
This embodiment provides a secure access method applied to a first communication device. As shown in FIG. 1, the method comprises:
Step 100: negotiate identity authentication with the second communication device, and verify the legality of the certificate of the second communication device using the first communication device's own public key infrastructure (PKI) system;
How the identity authentication with the second communication device is negotiated can be implemented with techniques well known to those skilled in the art; it does not limit the scope of protection of the embodiments and is not described further here.
Step 101: after the legality verification of the certificate of the second communication device passes, perform a whitelist check on the certificate of the second communication device;
Step 102: if the certificate of the second communication device is in the whitelist stored by the first communication device, establish a secure channel with the second communication device; if the certificate of the second communication device is not in the stored whitelist, do not establish a secure channel with the second communication device.
How the secure channel with the second communication device is established can be implemented with techniques well known to those skilled in the art (for example a secure channel establishment protocol such as IKE); it does not limit the scope of protection of the embodiments and is not described further here.
In this embodiment the first communication device interacts only with the second communication device, and the second communication device no longer interacts with one or more network elements of the first communication device's PKI system, so fewer devices need to be managed and operated. In terms of resources this saves asset and operating costs; in terms of risk it removes unnecessary access security risks; and, building on the PKI system architecture, it simplifies the PKI process as far as possible while ensuring security.
Optionally, the first communication device is a base station and the second communication device is a security gateway; or
the first communication device is a base station and the second communication device is a base station.
Optionally, the method further comprises:
before negotiating identity authentication with the second communication device, obtaining an equipment vendor certificate issued by the wireless transmission equipment vendor.
Optionally, verifying the legality of the certificate of the second communication device using the first communication device's own PKI system comprises:
determining whether the second communication device uses a certificate chain with the same trust anchor as the first communication device; if so, authenticating the certificate chain directly; if not, searching the deployed cross-certificate chains for a matching cross-certificate P7 chain and authenticating with it.
How it is determined whether the second communication device uses a certificate chain with the same trust anchor as the first communication device can be implemented with techniques well known to those skilled in the art; it does not limit the scope of protection of the embodiments and is not described further here.
How the certificate chain is authenticated directly can be implemented with techniques well known to those skilled in the art; it does not limit the scope of protection of the embodiments and is not described further here.
How the deployed cross-certificate chains are searched for a matching cross-certificate P7 chain for authentication can be implemented with techniques well known to those skilled in the art; it does not limit the scope of protection of the embodiments and is not described further here.
Optionally, the method further comprises:
synchronizing with a network element management system, and updating the locally stored whitelist according to the whitelist information delivered by the network element management system.
Embodiment 2
This embodiment further provides a secure access apparatus applied to a first communication device. As shown in FIG. 2, the apparatus comprises:
a first certificate authentication module, configured to negotiate identity authentication with a second communication device and verify the legality of the certificate of the second communication device using the first communication device's own public key infrastructure (PKI) system;
a first whitelist check module, configured to perform a whitelist check on the certificate of the second communication device after its legality verification passes; if the certificate of the second communication device is in the locally stored whitelist, to establish a secure channel with the second communication device, and if it is not in the locally stored whitelist, not to establish a secure channel with the second communication device.
Optionally, the apparatus further comprises:
a first certificate management module, configured to obtain an equipment vendor certificate issued by the wireless transmission equipment vendor.
Optionally, the apparatus further comprises:
a first whitelist management module, configured to synchronize with a network element management system and update the locally stored whitelist according to the whitelist information delivered by the network element management system.
In this embodiment the first communication device interacts only with the second communication device and no longer with one or more network elements of the PKI system, so fewer devices need to be managed and operated. In terms of resources this saves asset and operating costs; in terms of risk it removes unnecessary access security risks; and, building on the PKI system architecture, it simplifies the PKI process as far as possible while ensuring security.
Embodiment 3
This embodiment further provides a secure access method applied to a second communication device. As shown in FIG. 3, the method comprises:
Step 300: negotiate identity authentication with the first communication device, and verify the legality of the equipment vendor certificate of the first communication device using the second communication device's own public key infrastructure (PKI) system;
How the identity authentication with the first communication device is negotiated can be implemented with techniques well known to those skilled in the art; it does not limit the scope of protection of the embodiments and is not described further here.
How the second communication device's own PKI system verifies the legality of the equipment vendor certificate of the first communication device can be implemented with techniques well known to those skilled in the art; it does not limit the scope of protection of the embodiments and is not described further here.
Step 301: after the legality verification of the equipment vendor certificate of the first communication device passes, perform a whitelist check on the equipment vendor certificate of the first communication device;
Step 302: if the equipment vendor certificate of the first communication device is in the whitelist stored by the second communication device, establish a secure channel with the first communication device; if the equipment vendor certificate of the first communication device is not in the stored whitelist, do not establish a secure channel with the first communication device.
In this embodiment the first communication device interacts only with the second communication device, and the first communication device no longer interacts with one or more network elements of the second communication device's PKI system, so fewer devices need to be managed and operated. In terms of resources this saves asset and operating costs; in terms of risk it removes unnecessary access security risks; and, building on the PKI system architecture, it simplifies the PKI process as far as possible while ensuring security.
The PKI system of the first communication device and the PKI system of the second communication device may be two mutually independent PKI systems, or a single unified PKI system.
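The two-stage decision of steps 100 to 102 and steps 300 to 302 (legality check of the peer certificate against the verifier's own trust anchor, then a whitelist check on the certificate's CN or SAN), together with the trust-anchor test of the cross-certificate variant of Embodiment 1, is illustrated by the following Go program. It is an added example, not code from the patent or from the applicant; it uses Go's standard crypto/x509 path builder with the cross-certificate supplied as an intermediate in place of the P7 cross-certificate list the text mentions, and the vendor names, base-station identifiers and whitelist entries are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

var nextSerial int64 = 1000 // constructed serial numbers for the example certificates

// newKey generates a P-256 key pair for a CA or an end entity.
func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// sign fills in serial and validity, then issues tmpl under parent (self-signed when parent is nil).
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	if parent == nil {
		parent = tmpl
	}
	tmpl.SerialNumber = big.NewInt(nextSerial)
	nextSerial++
	tmpl.NotBefore = time.Now().Add(-time.Hour)
	tmpl.NotAfter = time.Now().Add(24 * time.Hour)
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// caTemplate describes a CA certificate: a vendor root, or a cross-certificate for another vendor's root.
func caTemplate(cn string) *x509.Certificate {
	return &x509.Certificate{
		Subject:               pkix.Name{CommonName: cn},
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
}

// Authorize is the verifier's decision for one peer certificate: first the legality check of the
// chain against the verifier's own trust anchors (cross-certificates offered as intermediates),
// then the whitelist check on the certificate's CN and SANs. Both must pass.
func Authorize(peer *x509.Certificate, anchors, crossCerts *x509.CertPool, whitelist map[string]bool) error {
	opts := x509.VerifyOptions{
		Roots:         anchors,
		Intermediates: crossCerts,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
	}
	if _, err := peer.Verify(opts); err != nil {
		return fmt.Errorf("certificate legality check failed: %w", err)
	}
	for _, id := range append([]string{peer.Subject.CommonName}, peer.DNSNames...) {
		if whitelist[id] {
			return nil // legal certificate and whitelisted identifier: establish the channel
		}
	}
	return fmt.Errorf("certificate %q is legal but not in the whitelist", peer.Subject.CommonName)
}

// RunScenario builds two constructed vendor PKIs, A and B, and a verifier that trusts only
// vendor A's anchor. It returns, per case, whether the peer base station would be admitted.
func RunScenario() map[string]bool {
	rootAKey, rootBKey := newKey(), newKey()
	rootA := sign(caTemplate("Vendor A Root CA"), nil, &rootAKey.PublicKey, rootAKey)
	rootB := sign(caTemplate("Vendor B Root CA"), nil, &rootBKey.PublicKey, rootBKey)
	// Cross-certificate: vendor A's root certifies vendor B's root key under vendor B's name,
	// so a chain ending at vendor B's root can be extended up to vendor A's trust anchor.
	crossAB := sign(caTemplate("Vendor B Root CA"), rootA, &rootBKey.PublicKey, rootAKey)

	leaf := func(root *x509.Certificate, key *ecdsa.PrivateKey, id string) *x509.Certificate {
		t := &x509.Certificate{Subject: pkix.Name{CommonName: id}, DNSNames: []string{id},
			KeyUsage: x509.KeyUsageDigitalSignature}
		return sign(t, root, &newKey().PublicKey, key)
	}
	bsA1 := leaf(rootA, rootAKey, "bs-a-001.example") // constructed base-station identifiers
	bsA2 := leaf(rootA, rootAKey, "bs-a-002.example")
	bsB1 := leaf(rootB, rootBKey, "bs-b-001.example")

	anchors, cross, none := x509.NewCertPool(), x509.NewCertPool(), x509.NewCertPool()
	anchors.AddCert(rootA)
	cross.AddCert(crossAB)
	whitelist := map[string]bool{"bs-a-001.example": true, "bs-b-001.example": true}

	return map[string]bool{
		"same anchor, whitelisted":     Authorize(bsA1, anchors, none, whitelist) == nil,
		"same anchor, not whitelisted": Authorize(bsA2, anchors, none, whitelist) == nil,
		"other anchor, no cross-cert":  Authorize(bsB1, anchors, none, whitelist) == nil,
		"other anchor, via cross-cert": Authorize(bsB1, anchors, cross, whitelist) == nil,
	}
}

func main() {
	for name, admitted := range RunScenario() {
		fmt.Printf("%-30s admitted=%v\n", name, admitted)
	}
}
```

The order of the two checks matters for the reason the patent gives: the whitelist is consulted only for a certificate whose chain already terminates at a trust anchor the verifier holds, so a whitelist entry on its own can never admit a peer, and a legal certificate from the vendor PKI on its own is refused until the NEMS has delivered a matching identifier.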
可选地,所述第一通信设备为基站,所述第二通信设备为安全网关。Optionally, the first communications device is a base station, and the second communications device is a security gateway.
可选地,还包括:Optionally, it also includes:
所述与第一通信设备协商进行身份认证之前,获取无线传输设备商下发的证书。 The certificate sent by the wireless transmission equipment vendor is obtained before the identity authentication is performed in the negotiation with the first communication device.
可选地,所述方法还包括:Optionally, the method further includes:
与网元管理系统进行同步,根据所述网元管理系统下发的白名单信息更新自身存储的白名单。Synchronizing with the network element management system, and updating the white list stored by the network management system according to the whitelist information delivered by the network element management system.
本发明实施例还提出了一种计算机可读存储介质,存储有计算机可执行指令,计算机可执行指令用于执行上述描述的任意一个方法。Embodiments of the present invention also provide a computer readable storage medium storing computer executable instructions for performing any of the methods described above.
Embodiment 4
This embodiment further provides a secure access apparatus applied to the second communication device. As shown in FIG. 4, the apparatus includes:
a second certificate authentication module, configured to negotiate identity authentication with the first communication device and to verify the legality of the device vendor certificate of the first communication device using the second communication device's own public key infrastructure (PKI) system;
a second whitelist check module, configured to perform a whitelist check on the device vendor certificate of the first communication device after its legality check passes; if the device vendor certificate of the first communication device is in the locally stored whitelist, a secure channel is established with the first communication device; if it is not in the locally stored whitelist, no secure channel is established with the first communication device.
In this embodiment, the first communication device interacts only with the second communication device and no longer with one or more network elements in the PKI system, so fewer devices need to be managed and operated. In terms of resource saving, this reduces asset and operating costs; in terms of risk, it removes unnecessary access security risks; and, on the basis of the PKI architecture, it simplifies the PKI process as far as possible while preserving security.
Optionally, the apparatus further includes:
a second certificate management module, configured to obtain the certificate issued by the wireless transmission equipment vendor.
Optionally, the apparatus further includes:
a second whitelist management module, configured to synchronize with the network element management system and update the locally stored whitelist according to the whitelist information delivered by the network element management system.
Embodiment 5
This embodiment provides a secure access system, as shown in FIG. 5, including:
a first communication device, configured to negotiate identity authentication with a second communication device, verify the legality of the certificate of the second communication device using its own public key infrastructure (PKI) system, perform a whitelist check on the certificate of the second communication device after the legality check passes, establish a secure channel with the second communication device if that certificate is in the whitelist stored by the first communication device itself, and not establish a secure channel with the second communication device if it is not;
a second communication device, configured to negotiate identity authentication with the first communication device, verify the legality of the device vendor certificate of the first communication device using its own PKI system, perform a whitelist check on the device vendor certificate of the first communication device after the legality check passes, establish a secure channel with the first communication device if that certificate is in the whitelist stored by the second communication device itself, and not establish a secure channel with the first communication device if it is not.
In this embodiment, the first communication device interacts only with the second communication device and no longer with one or more network elements in the PKI system, so fewer devices need to be managed and operated. In terms of resource saving, this reduces asset and operating costs; in terms of risk, it removes unnecessary access security risks; and, on the basis of the PKI architecture, it simplifies the PKI process as far as possible while preserving security.
Embodiment 6
FIG. 6 is a system framework diagram of the transition from the related art to the technical solution of the embodiments of the present invention; it can be seen that this embodiment simplifies the complexity of the PKI system.
In this embodiment, when the wireless transmission equipment leaves the factory, the equipment vendor pre-installs in the base station a device vendor certificate with a custom lifetime (which may exceed the lifetime of the base station itself). The device vendor certificate is managed and maintained by the vendor's PKI system, which may update the certificate status periodically or maintain it through a certificate revocation list (CRL).
When the security gateway (IPsecGW) and the base station negotiate identity authentication through IKE (Internet Key Exchange), the device vendor certificate of the base station is checked for legality; this check is performed by the PKI system of the IPsecGW. Once the identity check of the base station's device vendor certificate passes, the IPsecGW performs a whitelist check on it: if the certificate information of the base station is in the IPsecGW's whitelist, the base station is allowed to access; if it is not, access is refused.
The base station and the IPsecGW negotiate identity authentication through IKE, and the legality of the IPsecGW's certificate is checked; this check is performed by the PKI system of the base station. Once the identity check of the IPsecGW's certificate passes, the base station performs a whitelist check on it: if the IPsecGW's certificate information is in the base station's whitelist, establishment of an IPsec tunnel with the IPsecGW is allowed; if it is not, establishment of the IPsec tunnel is refused.
The whitelist information above is the CN (common name) content of the certificate file, but the whitelist is not limited to the CN value: it may also be the device identifier (ID), the certificate's subject alternative name (SAN), or any other content that can identify the base station.
On the network element management system (NEMS), base station whitelist entries can be added, deleted or modified singly or in batches; the whitelist on the NEMS is synchronized with the whitelist on the base station at a preset period; the base station can also modify, delete or add entries of its locally stored whitelist through the command line; and if the whitelist on the NEMS changes, the NEMS automatically pushes the updated whitelist to all connected subordinate base stations.
In terms of resource saving, the technical solution of this embodiment reduces asset and operating costs: fewer network elements need to be managed and operated, such as the CA server, RA server and LDAP server required by a PKI system, and devices such as base stations no longer need to interact with the PKI system, for example they need not implement the CMP protocol. In terms of risk, it removes unnecessary access security risks.
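The two-step gate described in this embodiment, certificate legality against the vendor PKI followed by a CN/SAN whitelist that NEMS can replace wholesale, as an added Go example that is not part of the patent: the vendor CA, the device certificate, the identity strings and the whitelist contents are all constructed stand-ins, and pooling several vendors' trust anchors stands in for the cross-certificate arrangement of Embodiment 9.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// ErrNotWhitelisted: the chain validated, but no identity in the certificate is whitelisted.
var ErrNotWhitelisted = errors.New("peer identity not in whitelist")

// Whitelist is the locally stored set of accepted peer identities (CN, SAN or device ID).
type Whitelist struct{ ids map[string]bool }

// NewWhitelist builds the local list; SyncFromNEMS replaces it with the list pushed by
// the element management system (hypothetical plain-list format); Add is a single edit.
func NewWhitelist(ids ...string) *Whitelist { w := &Whitelist{}; w.SyncFromNEMS(ids); return w }
func (w *Whitelist) Add(id string)           { w.ids[id] = true }
func (w *Whitelist) Contains(id string) bool { return w.ids[id] }
func (w *Whitelist) SyncFromNEMS(ids []string) {
	w.ids = make(map[string]bool, len(ids))
	for _, id := range ids {
		w.ids[id] = true
	}
}

// Authorize is the two-step decision: (1) validate the peer's device vendor certificate
// against the local trust anchors, (2) require its CN or a SAN name to be whitelisted.
func Authorize(peer *x509.Certificate, anchors *x509.CertPool, wl *Whitelist) error {
	_, err := peer.Verify(x509.VerifyOptions{
		Roots:     anchors,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
	})
	if err != nil {
		return fmt.Errorf("certificate validation failed: %w", err)
	}
	for _, id := range append([]string{peer.Subject.CommonName}, peer.DNSNames...) {
		if wl.Contains(id) {
			return nil // secure channel may be established
		}
	}
	return ErrNotWhitelisted
}

// mint signs tmpl with parentKey (self-signs when parentKey is nil) and returns the
// parsed certificate with its fresh key. Constructed stand-in for a vendor PKI system.
func mint(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parentKey == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// NewVendorCA is a self-signed stand-in for one vendor PKI system's trust anchor.
func NewVendorCA(name string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	return mint(&x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().AddDate(30, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}, nil, nil)
}

// IssueDeviceCert is the factory-installed device vendor certificate: CN and SAN carry
// the device identity, and its lifetime (years) may exceed the device's own service life.
func IssueDeviceCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, cn string, san []string, years int) (*x509.Certificate, error) {
	cert, _, err := mint(&x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     san,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().AddDate(years, 0, 0),
	}, ca, caKey)
	return cert, err
}

func main() {
	ca, caKey, _ := NewVendorCA("Vendor A Device CA")
	bs, _ := IssueDeviceCert(ca, caKey, "bs-0001", []string{"bs-0001.vendor-a.example"}, 40)
	anchors := x509.NewCertPool()
	anchors.AddCert(ca)
	fmt.Println(Authorize(bs, anchors, NewWhitelist("bs-0001"))) // <nil>: channel allowed
	fmt.Println(Authorize(bs, anchors, NewWhitelist("bs-0002"))) // whitelist rejection
}
```

A certificate whose vendor anchor is not installed fails at step one and never reaches the whitelist, which keeps the two failure modes distinguishable in gateway logs.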
Embodiment 7
FIG. 7 and FIG. 8 show the secure tunnel establishment process under a basic PKI system, which includes the following steps:
before the base station is shipped, the vendor PKI system issues (pre-installs) a device vendor certificate to the base station;
the base station uses the device vendor certificate to apply to the operator PKI system for an operator certificate;
the security gateway applies to the operator PKI system for a certificate;
the base station performs IKE negotiation with the security gateway using the operator certificate; how the operator certificate is used in IKE negotiation with the security gateway may be implemented with techniques well known to those skilled in the art, does not limit the protection scope of the embodiments of the present invention, and is not described further here;
the security gateway checks the validity of the base station's device vendor certificate;
if the base station's device vendor certificate is valid, the security gateway checks that the accessing base station is in the whitelist;
the IKE negotiation between the two parties succeeds, and the base station communicates securely with the core network through the security gateway.
The embodiments of the present invention do not require deployment of an operator PKI system; only the device vendor needs to deploy a PKI system. As shown in FIG. 9, the secure access method of this embodiment includes the following steps:
before the base station is shipped, the vendor PKI system issues (pre-installs) a device vendor certificate to the base station, which is maintained by the certificate management module of the base station;
the vendor PKI system issues a certificate to the security gateway;
the base station performs IKE negotiation with the security gateway using the operator certificate;
the security gateway checks the validity of the base station's device vendor certificate;
if the base station's device vendor certificate is valid, the security gateway checks that the accessing base station is in the whitelist;
the base station checks the validity of the security gateway's certificate;
the base station checks that the security gateway is in the whitelist;
the IKE negotiation between the two parties succeeds, and the base station communicates securely with the core network through the security gateway.
The device vendor publishes the base station identifiers (CN, SAN or ID, including but not limited to these values) to the security gateway operated and maintained by the operator so that the IPsecGW can build its whitelist. After the base station is deployed in the operator's network, the NEMS publishes to the base station the whitelist of entities in the operator's network that need to communicate with it; this whitelist is managed by the base station whitelist management module, which adds, deletes and modifies base station whitelist entries as required. After the base station has successfully authenticated the IPsecGW through its own whitelist check module and certificate authentication module, the two parties establish a secure channel for secure data exchange.
Embodiment 8
The secure access method of this embodiment includes the following steps:
before the base station is shipped, the vendor PKI system issues (pre-installs) a device vendor certificate to the base station, which is maintained by the certificate management module of the base station;
after the base station is deployed in the operator's network, the NEMS publishes to the base station the whitelist of entities in the operator's network that need to communicate with it; the whitelist is managed by the base station whitelist management module, and its content is base station identifiers (CN, SAN or ID, including but not limited to these values);
the base station whitelist management module adds, deletes and modifies base station whitelist entries as required;
after the base station has successfully authenticated the peer base station through its own whitelist check module and certificate authentication module, the two parties establish a secure channel for secure data exchange.
Embodiment 9
When two base stations, or a base station and a security gateway, do not belong to the same vendor PKI system, the two devices may install the trust anchors of the different vendors' PKI systems and the base station automatically selects the certificate used for authentication; alternatively, the two devices install cross-certificates of the different vendors' PKI systems.
The secure access method of this embodiment includes the following steps:
the base station deploys and installs a cross-certificate in P7 format through its certificate management module;
the P7-format cross-certificate used by the base station's certificate management module contains the certificate chain from the cross-certificate up to the trust anchor;
the base station configures the certificate to be used in IKE negotiation;
the base station and the peer device negotiate using certificate authentication;
if the base station's certificate authentication module finds that the peer device and the base station use certificate chains of the same trust anchor, the certificate chain is authenticated directly;
if the base station's certificate authentication module finds that the peer device and the base station do not use certificate chains of the same trust anchor, a suitable cross-certificate P7 chain is looked up among the already deployed cross-certificate chains;
after the certificate check passes, the base station has its whitelist check module check whether the whitelist permits the peer device;
once all the above steps pass, the whole identity authentication process is complete and the two parties establish a secure channel for secure data exchange.
Many of the functional components described in this specification are referred to as modules in order to emphasize more particularly the independence of their implementation.
In the embodiments of the present invention, a module may be implemented in software for execution by one or more types of processor. For example, an identified executable code module may comprise one or more physical or logical blocks of computer instructions, which may be built, for example, as an object, procedure or function. Nevertheless, the executable code of an identified module need not be physically located together; it may comprise different instructions stored in different physical locations which, when logically combined, constitute the module and achieve its stated purpose.
In practice, an executable code module may be a single instruction or many instructions, and may even be distributed over several different code segments, among different programs, and across several memory devices. Likewise, operational data may be identified within a module, may be embodied in any suitable form, and may be organized within any suitable type of data structure. The operational data may be collected as a single data set or distributed over different locations (including on different storage devices), and may exist, at least in part, merely as electronic signals on a system or network.
Where a module can be implemented in software, given the state of current hardware technology, a module that can be implemented in software can also, cost aside, be built by those skilled in the art as a corresponding hardware circuit that performs the same function; such hardware circuits include conventional very large scale integration (VLSI) circuits or gate arrays, existing semiconductors such as logic chips and transistors, or other discrete components. Modules may also be implemented with programmable hardware devices such as field programmable gate arrays, programmable array logic, programmable logic devices and the like.
In the method embodiments of the present invention, the numbering of the steps does not limit their order; changes to the order of the steps that those of ordinary skill in the art can make without creative effort also fall within the protection scope of the present invention.
Those of ordinary skill in the art will understand that all or some of the steps of the above methods may be completed by a program instructing the relevant hardware (for example a processor), and that the program may be stored in a computer-readable storage medium such as a read-only memory, a magnetic disk or an optical disc. Optionally, all or some of the steps of the above embodiments may also be implemented with one or more integrated circuits. Accordingly, each module/unit in the above embodiments may be implemented in hardware, for example by an integrated circuit performing its function, or as a software functional module, for example by a processor executing a program/instructions stored in memory. The present invention is not limited to any particular combination of hardware and software.
The above are optional embodiments of the present invention. It should be noted that those of ordinary skill in the art can make a number of improvements and refinements without departing from the principles described herein, and such improvements and refinements should also be regarded as falling within the protection scope of the present invention.
Industrial applicability
The above technical solution is based on the PKI system architecture and, while ensuring security, simplifies the PKI process as far as possible.

Claims (16)

  1. A secure access method, applied to a first communication device, the method comprising:
    negotiating identity authentication with a second communication device and verifying the legality of the certificate of the second communication device using the first communication device's own public key infrastructure (PKI) system;
    after the legality check of the certificate of the second communication device passes, performing a whitelist check on the certificate of the second communication device;
    if the certificate of the second communication device is in the whitelist stored by the first communication device itself, establishing a secure channel with the second communication device; if the certificate of the second communication device is not in that whitelist, not establishing a secure channel with the second communication device.
  2. The secure access method according to claim 1, wherein
    the first communication device is a base station and the second communication device is a security gateway; or,
    the first communication device is a base station and the second communication device is a base station.
  3. The secure access method according to claim 2, further comprising:
    before negotiating identity authentication with the second communication device, obtaining a device vendor certificate issued by the wireless transmission equipment vendor.
  4. The secure access method according to claim 2, wherein verifying the legality of the certificate of the second communication device using the first communication device's own PKI system comprises:
    determining whether the second communication device uses a certificate chain of the same trust anchor as the first communication device itself; if so, authenticating the certificate chain directly; if not, looking up a suitable cross-certificate P7 chain among the deployed cross-certificate chains and authenticating with it.
  5. The secure access method according to claim 2, the method further comprising:
    synchronizing with a network element management system and updating the locally stored whitelist according to the whitelist information delivered by the network element management system.
  6. A secure access apparatus, applied to a first communication device, the apparatus comprising:
    a first certificate authentication module, configured to negotiate identity authentication with a second communication device and to verify the legality of the certificate of the second communication device using the first communication device's own public key infrastructure (PKI) system;
    a first whitelist check module, configured to perform a whitelist check on the certificate of the second communication device after its legality check passes; if the certificate of the second communication device is in the locally stored whitelist, a secure channel is established with the second communication device; if it is not in the locally stored whitelist, no secure channel is established with the second communication device.
  7. The secure access apparatus according to claim 6, the apparatus further comprising:
    a first certificate management module, configured to obtain a device vendor certificate issued by the wireless transmission equipment vendor.
  8. The secure access apparatus according to claim 6, the apparatus further comprising:
    a first whitelist management module, configured to synchronize with a network element management system and update the locally stored whitelist according to the whitelist information delivered by the network element management system.
  9. A secure access method, applied to a second communication device, the method comprising:
    negotiating identity authentication with a first communication device and verifying the legality of the device vendor certificate of the first communication device using the second communication device's own public key infrastructure (PKI) system;
    after the legality check of the device vendor certificate of the first communication device passes, performing a whitelist check on the device vendor certificate of the first communication device;
    if the device vendor certificate of the first communication device is in the whitelist stored by the second communication device itself, establishing a secure channel with the first communication device; if the device vendor certificate of the first communication device is not in that whitelist, not establishing a secure channel with the first communication device.
  10. The secure access method according to claim 9, wherein
    the first communication device is a base station and the second communication device is a security gateway.
  11. The secure access method according to claim 10, further comprising:
    before negotiating identity authentication with the first communication device, obtaining a certificate issued by the wireless transmission equipment vendor.
  12. The secure access method according to claim 10, the method further comprising:
    synchronizing with a network element management system and updating the locally stored whitelist according to the whitelist information delivered by the network element management system.
  13. A secure access apparatus, applied to a second communication device, the apparatus comprising:
    a second certificate authentication module, configured to negotiate identity authentication with a first communication device and to verify the legality of the device vendor certificate of the first communication device using the second communication device's own public key infrastructure (PKI) system;
    a second whitelist check module, configured to perform a whitelist check on the device vendor certificate of the first communication device after its legality check passes; if the device vendor certificate of the first communication device is in the locally stored whitelist, a secure channel is established with the first communication device; if it is not in the locally stored whitelist, no secure channel is established with the first communication device.
  14. The secure access apparatus according to claim 13, the apparatus further comprising:
    a second certificate management module, configured to obtain a certificate issued by the wireless transmission equipment vendor.
  15. The secure access apparatus according to claim 13, the apparatus further comprising:
    a second whitelist management module, configured to synchronize with a network element management system and update the locally stored whitelist according to the whitelist information delivered by the network element management system.
  16. A secure access system, comprising:
    a first communication device, configured to negotiate identity authentication with a second communication device, verify the legality of the certificate of the second communication device using its own public key infrastructure (PKI) system, perform a whitelist check on the certificate of the second communication device after the legality check passes, establish a secure channel with the second communication device if that certificate is in the whitelist stored by the first communication device itself, and not establish a secure channel with the second communication device if it is not;
    a second communication device, configured to negotiate identity authentication with the first communication device, verify the legality of the device vendor certificate of the first communication device using its own PKI system, perform a whitelist check on the device vendor certificate of the first communication device after the legality check passes, establish a secure channel with the first communication device if that certificate is in the whitelist stored by the second communication device itself, and not establish a secure channel with the first communication device if it is not.
PCT/CN2016/091615 2015-12-17 2016-07-25 Security access method, apparatus and system WO2017101447A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201510952493.3 2015-12-17
CN201510952493.3A CN106899542B (en) 2015-12-17 2015-12-17 Secure access method, device and system

Publications (1)

Publication Number Publication Date
WO2017101447A1 true WO2017101447A1 (en) 2017-06-22

Family

ID=59055646

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2016/091615 WO2017101447A1 (en) 2015-12-17 2016-07-25 Security access method, apparatus and system

Country Status (2)

Country Link
CN (1) CN106899542B (en)
WO (1) WO2017101447A1 (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP3624413A1 (en) * 2018-09-13 2020-03-18 Siemens Aktiengesellschaft Automated certificate management for automation installations
CN110138725B (en) * 2019-03-26 2021-12-03 视联动力信息技术股份有限公司 Data exchange method and security gateway
CN115567261A (en) * 2022-09-20 2023-01-03 浪潮思科网络科技有限公司 Authentication method, device, equipment and medium for access equipment

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101141447A (en) * 2006-09-08 2008-03-12 飞塔信息科技(北京)有限公司 HTTPS communication tunnel security check and content filtering system and method
CN102811218A (en) * 2012-07-24 2012-12-05 江苏省电子商务服务中心有限责任公司 Precision authentication method and device for digital certificate, and cloud authentication service system
CN103560889A (en) * 2013-11-05 2014-02-05 江苏先安科技有限公司 Precision identity authentication method between X509 digital certificate and certificate application

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101674304B (en) * 2009-10-15 2013-07-10 浙江师范大学 Network identity authentication system and method
US8281127B2 (en) * 2010-02-01 2012-10-02 Blackridge Technology Holdings, Inc. Method for digital identity authentication
US9413538B2 (en) * 2011-12-12 2016-08-09 Microsoft Technology Licensing, Llc Cryptographic certification of secure hosted execution environments
CN102571792A (en) * 2012-01-06 2012-07-11 西安润基投资控股有限公司 Identity authentication method allowing intelligent mobile wireless terminal to access cloud server
CN104717192B (en) * 2013-12-16 2018-05-18 腾讯科技(深圳)有限公司 Legality identification method and intermediate server

Also Published As

Publication number Publication date
CN106899542A (en) 2017-06-27
CN106899542B (en) 2021-04-20

Similar Documents

Publication Publication Date Title
JP7415186B2 (en) Platform for computing at the mobile edge
US11509645B2 (en) Device authentication based upon tunnel client network requests
US11848962B2 (en) Device authentication based upon tunnel client network requests
US9455958B1 (en) Credentials management in large scale virtual private network deployment
EP1966929B1 (en) Methods and system for managing security keys within a wireless network
RU2611020C2 (en) METHOD AND SYSTEM FOR ESTABLISHING IPSec TUNNEL
US10491583B2 (en) Provisioning remote access points
KR101532968B1 (en) A flexible system and method to manage digital certificates in a wireless network
EP2496007B1 (en) Method and apparatus for provisioning of information in a cellular communication network
RU2685975C2 (en) Providing communication security with extended multimedia platforms
CN114500120B (en) Public cloud expansion method, device, system and storage medium
CN106535089B (en) Machine-to-machine virtual private network
WO2017101447A1 (en) Security access method, apparatus and system
US20170346812A1 (en) Device authentication based upon tunnel client network requests
JP6453351B2 (en) Authentication of network elements in communication networks
US11171786B1 (en) Chained trusted platform modules (TPMs) as a secure bus for pre-placement of device capabilities

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 16874508

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 16874508

Country of ref document: EP

Kind code of ref document: A1